DETECTIVE Oxygen Forensic - Release notes - Oxygen Forensics

Oxygen Forensic® DETECTIVE

Release notes
Version 14.1, October 2021
We are delighted to introduce an update of our flagship product, Oxygen
Forensic® Detective! Version 14.1 enhances extraction capabilities in all the
main modules – mobile, cloud, and computer artifacts – and improves data
analysis with a new feature.

Key features regarding this release will be explored in detail in our corporate
blog. For the full list of changes, please refer to the “WhatsNew” file in the
software Options menu.

Mobile Forensics

Screen Lock Bypass for LG Devices
In Oxygen Forensic® Detective v.14.1, investigators can now create a physical
dump, extract hardware keys, and decrypt evidence from locked LG devices
based on Qualcomm chipsets. This method requires a device to be put in LAF
(LG Advanced Flash) mode. The supported devices must run Android OS 6 or 7
and be based on one of the following chipsets: MSM8917, MSM8937, MSM8940,
MSM8953. This method covers LG Q6 (LG-M700), LG Stylus 2 Plus (LG-SM550),
LG Stylo 3 Plus (LG-MP450), and any other model available in the Supported
devices list.

Enhanced Screen Lock Bypass for MTK Devices
We’ve also enhanced our support for screen-locked Android devices running
on MediaTek chipsets. Devices with DAA authentication enabled are now
supported. Oxygen Forensic® Detective disables the DAA and allows investigators
to extract hardware keys and decrypt data. Supported devices include Nokia 5.1
Plus, Motorola One Action, Xiaomi Redmi Note 8 Pro, and more. This functionality
is available within the MTK Android Dump method.

Wickr Me Extraction via OxyAgent
Oxygen Forensic® Detective v.14.1 allows fast collection of Wickr Me data from
any unlocked Android device using OxyAgent. OxyAgent can be installed on a
device via USB, Wi-Fi, or an OTG device. The evidence set includes information
about the account, contacts, private and group chats with attachments, and
calls. Wickr Me chats are stored on the device for up to 6 days. After expiration,
chats cannot be acquired via OxyAgent. To extract expired chats, use the physical
methods available in Oxygen Forensic® Detective.

Full File System Extraction
We’ve added a new exploit to our “Android full file system” method. This exploit
covers many unlocked Android devices based on various chipsets. Supported
devices must have a Mali-G31, Mali-G51, Mali-G52, Mali-G71, Mali-G72,
Mali-G76, Mali-G77, or Mali-G78 GPU (Bifrost, Valhall), a Linux kernel of
version 2.6.0 to 5.4, and run Android OS 7 – 11. The SPL (Security Patch Level)
must be no older than May 2021. This exploit does not support Samsung and
Huawei devices due to their additional security layers.

Extended Checkm8 Support
There is a known issue that on iPhone 7, iPhone 7 Plus, iPhone 8, iPhone 8
Plus, and iPhone X running iOS 14.x you must first turn off the passcode before
performing data extraction via the checkm8 vulnerability. In Oxygen Forensic®
Detective v.14.1, if the passcode is unknown, you can extract a limited amount of
data from iPhone 7 and iPhone 7 Plus running iOS 14.0-14.8.1 in BFU mode. For
a full file system extraction, you still need to turn off the passcode.

App Support
In version 14.1, we focused on parsing new secure apps. Investigators can now
extract and decrypt evidence from iMe Messenger & Crypto Wallet, Brave
Private Browser, Private Photo Vault Pro, ProtonMail, and WhatsApp backups
(crypt12). Moreover, Oxygen Forensic® Detective v.14.1 introduces support for
the MX TakaTak and Reddit social networks. The total number of supported app
versions exceeds 25,200!

Cloud

MEGA data extraction
MEGA is a widely used cloud storage and file hosting service that uses end-to-end
encryption. Investigators can now extract evidence from this service using Oxygen
Forensic® Cloud Extractor. Authorization in the service can be done using login
credentials or a token from Apple iOS and Android devices. If 2FA is enabled, a
code will be required. Evidence sets may include information about the account,
contacts, files, private chats, and links.

Extraction of Grindr Google Backups
In the previous version, we added support for Grindr iCloud backups. Now Grindr
backups can also be extracted from Google. Investigators can gain access to
Grindr chats authorized in Google Drive using the corresponding login and
password.

Telegram Extraction Enhancements
In the new release, we’ve implemented two of our most frequently requested
improvements to Telegram cloud extraction. First, investigators can now extract
comments left on channel messages. This data often contains valuable pieces of
evidence.

Second, we’ve added the option to select which specific Telegram chats to extract
before data extraction. This will allow investigators to save time by only extracting
the data and evidence they need for the investigation.

Computer artifacts

Parsing of New Computer Images
A great number of new computer image formats can now be ingested and parsed
in Oxygen Forensic® Detective:
  • Images of virtual machines in VDI, VHD, and VMDK formats;
  • Logical images in 7z, rar, and tar formats;
  • DMG and ISO images.
We’ve also introduced support for FAT, EXT2/3/4, and HFS/HFS+ file systems in
E01, RAW/DD, VDI, VHD, and VMDK images. To import all these images, select the
relevant options under the “Desktop extractions” option on the software Home
screen.

Artifact and OS Support
The updated Oxygen Forensic® KeyScout fully supports the Windows 11 OS and its
artifacts. Additionally, we’ve added parsing of separate .eml files and updated
support for the Telegram and Thunderbird apps.

Data analysis

Image Categorization of Tattoos and Aircraft
We’ve updated our Image Categorization tool to include the categorization
of tattoos and aircraft. Once extracted data is analyzed, images containing
tattoos and aircraft will have a corresponding label in both the Files and Key
Evidence sections. Overall, 18 categories are now supported for image
categorization.

Furthermore, we’ve improved the image categorization algorithm. Investigators
will be able to categorize images several times faster. Categorization for the
Weapons and Drugs categories has been significantly improved.

OCR Enhancements
Images can now be preprocessed for better optical character recognition. We’ve
added adaptive threshold processing. Small pictures, particularly thumbnails, can
now be upscaled. Note that enabling preprocessing will increase recognition
time by 20-30%.

Resolved Issues
• Not all WhatsApp messages were parsed from a Huawei Kirin dump.
• An error occurred while extracting Telegram data via OxyAgent.
• The error “Too many requests” appeared during Telegram cloud data extraction.
• The number of files displayed in a merged extraction was lower than in separate
  extractions.
• The PDF report did not contain a custom image header.

            Oxygen Forensics   www.oxygen-forensic.com   support@oxygen-forensic.com