WhatsApp data extraction via OxyAgent

When physical extraction is not supported for Android devices, investigators can use OxyAgent to run a logical extraction to collect a plethora of valuable data. Our OxyAgent is typically used to acquire basic artifacts, like contacts, calls, calendars, and messages. With our updated OxyAgent, logical extractions using Oxygen Forensic Detective 12.6 will now include valuable WhatsApp data. Investigators can now collect WhatsApp and WhatsApp Business chats, contacts, and account information using OxyAgent installed on an Android device. Let’s have a look at how this can be done. 

How can I extract WhatsApp or WhatsApp Business data using OxyAgent?

WhatsApp data extraction is available in Manual Mode. The extraction is saved to the device's internal memory or to removable media and can then be imported into the main product for further analysis. Using an OTG cable with a flash drive is a great way to store the extracted data and immediately import it into Oxygen Forensic® Detective.

1. Select the Extract Third Party Applications Data option from the OxyAgent home screen.

2. Enable the additional options in the device settings and follow the instructions shown on the device screen.

3. This screen will allow investigators to navigate to another folder or drive to store the extracted data.

4. Next, select which app to extract data from: WhatsApp or WhatsApp Business.

5. Select which data types to extract and the timeframe to cover. To fine-tune the extraction settings, adjust the sliders to set the timeframe and click the checkbox to extract group participants at chat export.

6. That’s it! As soon as the extraction is complete, another extraction can be started. Otherwise, uninstall the OxyAgent app or exit.

7. Import the OxyAgent extraction into Oxygen Forensic Detective to conveniently view the extracted WhatsApp data.

Please note: Due to WhatsApp system restrictions, OxyAgent can extract the following from each chat:

  • Up to 10,000 recent messages with attachments
  • Up to 40,000 recent messages without attachments