Mobile-Forensics

Hands-on guidance for DFIR labs to fold Oxygen Forensic Detective v18.1 and Atola TaskForce 2025.11 into Android and storage acquisition...

Tune Your Lab SOPs: Oxygen Detective v18.1 chain flows and Atola TaskForce 2025.11 ZFS/LDAP streamline acquisition

4n6 Beat
5 min read

Forensic Focus’ December 3 round-up flagged two updates worth immediate lab attention: Oxygen Forensic Detective v18.1 and Atola TaskForce 2025.11. Both change how we plan Android collections and triage storage with fewer clicks and less context switching (round-up).

Overview

  • Oxygen Forensic Detective v18.1 adds Android “chain extractions” so you can sequence multiple methods (e.g., Physical → Full File System → Android Agent → ADB Backup) in one flow with automatic fallback handling, plus new iOS Agent screenshot capture and desktop artifacts (v18.1 notes).
  • Earlier in the v18 series, Oxygen introduced “multi-source extraction via Android Agent,” letting you combine multiple logical categories and third-party apps into a single Agent run for one consolidated output (v18 highlights).
  • Atola TaskForce firmware 2025.11 brings system-wide ZFS support (diagnostics, imaging, partition browsing) and LDAP integration for centralized authentication; it also adds quality-of-life items such as pinned folders and report/network tweaks (Atola blog, Forensic Focus coverage).

Acquisition and Extraction (platform-specific)

Android with Oxygen Detective v18.1

  1. Plan a chained Android run
  • In Device Extractor, set the chain order so time-heavier but richer methods run first, with automatic fallback to lighter ones (e.g., Physical → FFS → Android Agent → ADB Backup) (v18.1 notes).
  • Document the chosen order in the case record before you start; it keeps later variance explainable.
  2. Leverage Agent multi-source in the chain
  • When the run reaches Android Agent, pre-select logical categories (calls, contacts, calendars, etc.) and multiple third-party apps to produce one combined extraction folder/file, minimizing repetitive passes over the handset (v18 highlights).
  3. Respect method prerequisites
  • Full File System (FFS) extraction in current Detective builds supports many Android 9-14 devices with a security patch level (SPL) prior to July 2024 via a general Android vuln; verify the device’s SPL before triggering FFS to avoid dead ends (FFS method notes).
  • Android Agent is intended for unlocked devices and focuses on logical/manual collection; it does not access internal memory apps/files the way FFS does. Set expectations accordingly and use Agent where appropriate (Android Agent guide).
  4. Optional iOS screenshot capture
  • If your scene includes iOS, v18.1 can record screenshots during extraction (iOS 12+) to quickly preserve on-screen context with proper logging (v18.1 notes).
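The planning and record-keeping steps above can be scripted ahead of the run. The following is an added example, not code from Oxygen Forensic Detective or its CLI: it checks the device’s SPL (as reported by `ro.build.version.security_patch`) against the July 2024 FFS window, builds the richest-first chain from the prerequisites the page lists, walks the chain with fallback, and writes every attempt into a case record. The method runners, the case id, the stop-at-first-success fallback semantics and the `demo()` scenario are assumptions; the same SPL parser also answers the “is this device at patch level X” question that fleet bulletin triage needs.

```python
"""Plan and log a chained Android extraction run (added example, not Oxygen's own code)."""
import hashlib
import json
from datetime import date
from typing import Callable

# From the page: the general-vuln FFS path covers devices with an SPL before July 2024.
FFS_SPL_CUTOFF = date(2024, 7, 1)


class ExtractionFailed(Exception):
    """Raised by a method runner when an extraction method cannot complete."""


def parse_spl(spl: str) -> date:
    """Parse an Android SPL string as reported by ro.build.version.security_patch (YYYY-MM-DD)."""
    year, month, day = (int(part) for part in spl.strip().split("-"))
    return date(year, month, day)


def meets_patch_level(spl: str, required: str) -> bool:
    """True when the device's SPL is at or beyond the required level (fleet bulletin triage)."""
    return parse_spl(spl) >= parse_spl(required)


def ffs_eligible(spl: str) -> bool:
    """True when the SPL is still inside the FFS coverage window described on the page."""
    return parse_spl(spl) < FFS_SPL_CUTOFF


def plan_chain(spl: str, unlocked: bool) -> list[str]:
    """Order methods richest-first, dropping any whose prerequisites the device cannot meet."""
    chain = ["Physical"]
    if ffs_eligible(spl):
        chain.append("Full File System")
    if unlocked:  # Android Agent is for unlocked devices only
        chain.append("Android Agent")
    chain.append("ADB Backup")
    return chain


def run_chain(chain: list[str], runners: dict[str, Callable[[], bytes]], case_id: str,
              tool: str = "Oxygen Forensic Detective v18.1") -> dict:
    """Try each method in order; stop at the first success (assumed fallback semantics).

    Every attempt, successful or not, is appended to the record so the case notes
    can explain why the final output came from the method it did.
    """
    record = {"case_id": case_id, "tool": tool, "planned_order": list(chain),
              "attempts": [], "successful_method": None}
    for method in chain:
        try:
            output = runners[method]()  # hypothetical runner returning the extraction bytes
        except ExtractionFailed as exc:
            record["attempts"].append({"method": method, "result": "failed", "reason": str(exc)})
            continue
        record["attempts"].append({"method": method, "result": "success",
                                   "output_sha256": hashlib.sha256(output).hexdigest()})
        record["successful_method"] = method
        break
    return record


def demo() -> dict:
    """Constructed scenario: unlocked handset, SPL 2024-06-05, physical method fails."""
    def physical() -> bytes:
        raise ExtractionFailed("physical method unsupported on this model")

    runners = {  # constructed stand-ins for the real extraction methods
        "Physical": physical,
        "Full File System": lambda: b"constructed FFS image bytes",
        "Android Agent": lambda: b"constructed agent export",
        "ADB Backup": lambda: b"constructed adb backup",
    }
    chain = plan_chain("2024-06-05", unlocked=True)
    return run_chain(chain, runners, case_id="CASE-EXAMPLE-001")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints a JSON case record showing the planned order, the failed Physical attempt with its reason, and the Full File System success with the output hash; a device whose SPL is at or after 2024-07-01 gets a chain with no FFS step at all, which is the “pivot sooner” adjustment the pitfalls section recommends.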

Storage imaging with Atola TaskForce 2025.11

  1. Image ZFS cleanly
  • TaskForce now recognizes and works end-to-end with ZFS: diagnostics (File systems stage), partition browsing, and imaging, which is useful for the servers/NAS/Linux estates common in enterprise cases (Atola blog).
  • RAID autodetection now attempts reassembly when ZFS partitions are present; this shortens triage when metadata is missing or the layout is unknown (Atola blog).
  2. Centralize user auth
  • Enable the new LDAP option to authenticate users against AD/LDAP; TaskForce stores no passwords locally when LDAP is in use. Keep local accounts available as a contingency (Atola blog).
  3. Quality-of-life tweaks
  • Pin frequently used network targets/folders in the UI to speed repetitive imaging destinations (Atola blog).
  • Expect improved parallel imaging performance estimates and faster report loading, both useful during busy lab days (Forensic Focus coverage).

Artifact Locations and Paths

  • Android Agent exports typical logical sets (calls, messages, contacts, calendars, Wi-Fi APs, Bluetooth pairs, basic file structure, and select third-party apps) into one consolidated extraction when you use the multi-source option. Treat this as a targeted logical capture, not an internal-app dump (Android Agent guide, v18 highlights).
  • On storage, ZFS volumes will enumerate in TaskForce’s File systems stage alongside NTFS, ext*, XFS, Btrfs, APFS/HFS+, and FAT; validate the enumerated topology before committing to a full image or a logical carve (Atola blog).

Analysis and Correlation

  • Merge sources in Oxygen: after collection, merge FFS, physical, cloud, SIM, and OxyAgent/Android-Agent extractions into a single dataset to keep timelines/social graphs coherent (merge feature).
  • Automate post-processing: Oxygen’s CLI can batch-import extractions, analyze images, and export reports, which is helpful for overnight queues after long scene days (CLI automation).
  • For ZFS/RAID jobs, snapshot your Atola case state and export reports immediately after autodetection; re-attempts can change arrays as members drop in/out. Atola’s 2025.11 improves report handling and error logs for share connections, which helps with later reproduction (Atola blog).

Validation and Pitfalls

  • Don’t over-promise Agent scope: Android Agent logical/manual extraction won’t touch internal app data; if you need app sandboxes or keychains, prioritize FFS/physical where legally and technically possible (Android Agent guide).
  • Check SPL early: if SPL ≥ July 2024, your FFS path may be blocked; adjust the chain to avoid wasting time (e.g., pivot sooner to Agent or ADB backup) (FFS method notes).
  • LDAP is great, but test lockout behavior: validate how TaskForce handles directory outages, password expiry, and group changes before you flip the switch lab-wide (Atola blog).
  • As always, keep the paperwork tight. Evidence management talks regularly remind us that documentation is what makes the data admissible: “no documentation, no evidence” still applies (round-up reference to talk).

Reporting Notes (chain of custody, reproducibility)

  • Oxygen: record the exact chain order, method outcomes, version/build, and any Agent multi-source selections in the notes; v18.1 also tweaks evidence tagging/notes, which can clarify your audit trail (v18.1 notes).
  • Atola: export diagnostics and imaging reports immediately after ZFS enumeration/reassembly; the 2025.11 update improved report loading and logging, making it easier to reconcile target paths and share errors later (Atola blog).

Tools

  • Oxygen Forensic Detective v18.1: chain extractions, iOS Agent screenshots, additional artifacts (v18.1 notes). Multi-source Android Agent from v18 still applies for consolidated logicals (v18 highlights). Core method references: FFS coverage window (FFS method notes), Android Agent scope (Android Agent guide).
  • Atola TaskForce/TaskForce 2 2025.11: ZFS, LDAP, pinned folders, and assorted fixes/perf gains (Atola blog, Forensic Focus coverage). Hardware/platform overview and automation options are on the product page if you’re integrating at scale (TaskForce 2 page).

Takeaways

  • Update your SOPs this week to: (1) use Oxygen’s chained Android flows with Agent multi-source to cut repeats, and (2) enable Atola ZFS handling + LDAP in the lab for smoother storage triage and access control. Test on known-good devices/images before first live use (v18.1 notes, Atola blog).
Google’s December 2025 Android bulletin fixes a critical Framework remote DoS and other vulnerabilities. Here’s how to triage devices, ve...

Android December 2025 Security Bulletin: DFIR impact and fleet actions

4n6 Beat
4 min read

Google published the Android Security Bulletin for December 2025 with patch levels 2025-12-01 and 2025-12-05. The most severe issue is a critical Framework vulnerability that enables remote denial of service; Google also notes two CVEs under limited, targeted exploitation. Source code patches land in AOSP within 48 hours of publication, then vendors integrate and ship updates. Verify exposure by checking each device’s reported patch level. (Android bulletin, Dec 1, 2025; Google Support: check patch level)

WhatsApp is rolling out passkey-encrypted cloud backups on iOS and Android. This replaces backup passwords and 64‑digit keys with device‑...

WhatsApp moves cloud chat backups to passkeys. Here’s what changes for DFIR.

4n6 Beat
5 min read

WhatsApp is rolling out passkey-encrypted chat backups for iOS and Android, letting users protect backup restores with Face ID/Touch ID, Android biometrics, or the device screen lock instead of a password or 64-digit key (BleepingComputer; The Verge). End-to-end encrypted (E2EE) backups themselves aren’t new: WhatsApp shipped them in October 2021 with a password or 64-digit key option and an HSM-backed Backup Key Vault design (Meta Engineering). What changes is that the gate to restore is now a platform passkey instead of something you type. The enable path remains: Settings → Chats → Chat backup → End-to-end encrypted backup (BleepingComputer).


DJI Fly App Forensics: Extracting and Analyzing Flight Logs on Android, iOS, and DJI RC

4n6 Beat
8 min read

You often investigate incidents where a DJI aircraft is involved: flyaways, near-misses, restricted-area incursions, or simply reconstructing pilot actions. The DJI Fly app (dji.go.v5) is the default ground-control app for most recent DJI consumer drones, and it quietly records rich telemetry you can extract, preserve, and analyze for DFIR.

This guide shows you how it works, where to find the artifacts, and how to process them with current tools on Android, iOS, and DJI RC-class smart controllers. You’ll also learn the common traps (Android scoped storage, missing DAT files, cropped logs, and cloud policy changes in the U.S.) and practical workflows to avoid data loss.

A deep, practical guide for DFIR analysts on locating, interpreting, and correlating local artifacts from end‑to‑end encrypted Signal and...

Deconstructing Encrypted Communication Protocol Artifacts (Signal/WhatsApp)

4n6 Beat
11 min read

End-to-end encryption (E2EE) protects message content in transit, but mobile devices still maintain local state to function. On a physical or full file-system acquisition, you can frequently recover accounts, device identifiers, contact and group identifiers, message timing, call history, media references, and even local key material or key handles. Your goal in DFIR is to turn these device-resident artifacts into defensible timelines of who communicated with whom, when, and how often.

MSAB Q3 2025: What BruteStorm Surge and Suite Upgrades Mean for Your DFIR Playbook

4n6 Beat
8 min read

MSAB’s Q3 2025 release introduces BruteStorm Surge, a GPU-accelerated brute-force add-on for XRY Pro that targets long/complex passcodes, alongside major suite updates: XAMN 8.3 adds cross-app conversation threading and support for Cash App warrant returns; UNIFY 25.9 can ingest Cellebrite UFDR and GrayKey extractions; and XEC 7.15 brings role-based access control (RBAC). These capabilities are confirmed in MSAB’s official update and the initial news brief. See MSAB’s release post and feature breakdown (MSAB Q3 2025; Forensic Focus news).