OxygenOS, ColorOS, MIUI: Why Indian Android Forensics Starts with the Skin, Not the Base OS
Indian OEM Android forensics starts with a hard reality: stock Android barely exists on an Indian evidence bench. The devices in the queue are Xiaomi running HyperOS or older MIUI builds, Realme and Oppo on ColorOS, OnePlus on OxygenOS that shares an increasing amount of code with ColorOS, Vivo on Funtouch or OriginOS depending on the year, and a long tail of Tecno, Infinix, and Itel handsets running their own skins. Samsung and Pixel appear in the queue, but on most Indian benches they're observed as the minority, not the default.
The examiner's mental model ("it's Android, so the data is in these paths") breaks on arrival. AOSP is just the starting point. What ships on the phone is a heavily modified fork with a vendor-chosen kernel, proprietary HALs, vendor-specific system services, pre-installed OEM apps with their own data directories, and modified framework behavior. The same app on two phones can write to different paths, use different keystore entries, and back up to different places.
Three skins account for most of the Indian load: MIUI / HyperOS (Xiaomi, Redmi, Poco), ColorOS (Oppo, Realme, and now OnePlus), and the older OxygenOS builds still in the field on OnePlus devices from 2021-2023. Each creates forensic footprints you won't find documented in mainstream Android forensic references.
MIUI and HyperOS — where Second Space changes the case
MIUI's Second Space feature creates a separate user profile on the device with its own lock screen, its own app instances, and its own data. A user can switch to Second Space from the main lock screen or from a settings toggle. Everything done there (messages, photos, browser history, installed apps) lives in a user directory that is not the primary user's.
From a forensic standpoint, this is a full parallel environment on the same phone. If an extraction tool only dumps the primary user's storage, the Second Space data stays invisible. The examiner can write a report that looks complete and miss the environment where the actual evidence lived.
Second Space is not a hidden partition. It's a standard Android multi-user implementation with MIUI's UX layered on top. A full file system extraction picks it up if the tool knows to enumerate all user IDs under /data/user/ and /data/media/. A logical extraction won't.
Add to this:
Dual Apps — MIUI's first-party app cloning feature. Creates a second instance of an app (WhatsApp, Telegram, Instagram) with its own data directory. Useful for users running two accounts, critical for examiners who need to find both.
App Lock — MIUI's access-control overlay that gates specific apps behind a separate PIN or biometric. It doesn't re-encrypt the app's data at rest on most builds, so the filesystem dump usually still contains the app's files. Decoding tools that honour the access layer will skip locked apps unless the examiner overrides the check.
Mi Cloud sync — an aggressive default that silently mirrors photos, contacts, notes, and call logs to Xiaomi's servers. The local artifact trail (sync logs, cached thumbnails, metadata) often tells you what was synced and when, even when the cloud copy itself is out of reach.
HyperOS, which replaced MIUI on most current Xiaomi devices from late 2023 onward, inherits Second Space and Dual Apps and adds its own variants. Older MIUI builds are still widely in the field because Xiaomi's update cadence on budget devices is uneven.
ColorOS — App Cloner, Private Safe, and aggressive power management
ColorOS ships on Oppo, Realme, and on OnePlus devices from OxygenOS 12 onward, where the skin runs on a shared ColorOS codebase. The brand-level merger OnePlus announced in 2021 was scrapped in Feb 2022, but the code convergence happened anyway. Three features worth knowing by name.
App Cloner is ColorOS's equivalent of Dual Apps. Same pattern: a second instance of a chat or social app with its own data. Same implication for extractions. If the tool doesn't enumerate cloned instances, you lose a conversation set.
Private Safe is a protected folder inside the Files app that holds photos, documents, and audio files behind a separate passcode, independent of the device lock. On an unlocked device in AFU state, a tool with full file system access can sometimes capture the protected content blob. Reading it still requires the Private Safe passcode, which the user is not obligated to share.
Aggressive power management is not a data-at-rest feature, but it matters during live triage. ColorOS's battery optimization kills background processes aggressively, which means certain app caches, notification queues, and location logs get flushed faster than on stock Android. If the device sits in an evidence bag for a week before extraction, some of the runtime artifacts that would have been present on day one are gone.
OxygenOS — the moving target
OnePlus devices from 2021 and earlier run a cleaner OxygenOS that behaved much closer to stock Android. Devices from 2022 onward run OxygenOS builds sitting on top of a ColorOS base. The user-facing skin looks like OxygenOS; the underlying filesystem, system services, and cloud integrations are increasingly ColorOS.
Two OnePlus devices in the same evidence queue — same model family, different years — can behave differently under the same extraction method. The examiner who calibrated on a OnePlus 9 may find the OnePlus 11 has an extra set of ColorOS system apps and a different backup mechanism.
So don't assume "OnePlus" is a single device profile. Match by model number and firmware build, not by brand.
What actually changes on the bench
Two things shift.
Evidence discovery takes longer. On a stock Android device, an examiner can rely on well-documented paths. On an Indian OEM skin, the same examiner has to check for cloned app instances, separate user spaces, vendor-specific cloud sync, and OEM-managed private folders before declaring the extraction complete. "I pulled WhatsApp" is not the same statement on a Samsung as it is on a Xiaomi with Dual Apps.
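A completeness check over an extracted file system tree, added here as an illustration and not taken from Secfore Extractor or any other tool: it enumerates every numeric user ID under data/user/ and data/media/ and counts files per package per user, so Second Space profiles and cloned app instances show up before the extraction is declared complete. The sample tree, its user IDs 10 and 999, the file names, and all function names are constructed for the example; the data/data fallback for user 0 reflects the stock Android layout.

```python
import os
import tempfile
from pathlib import Path

def enumerate_user_ids(root):
    """Map each numeric user ID to the set of roots it appears under."""
    root, found = Path(root), {}
    for rel in ("data/user", "data/media"):   # the two paths the article names
        base = root / rel
        if base.is_dir():
            for entry in base.iterdir():
                if entry.name.isdigit() and entry.is_dir():
                    found.setdefault(int(entry.name), set()).add(rel)
    # On-device, /data/user/0 is a symlink to /data/data; some extractions
    # keep only the target, so count data/data as user 0.
    if (root / "data/data").is_dir():
        found.setdefault(0, set()).add("data/data")
    return dict(sorted(found.items()))

def app_data_dir(root, uid):
    """Per-package data directory for one user, or None if absent."""
    per_user = Path(root) / "data/user" / str(uid)
    legacy = Path(root) / "data/data"
    if per_user.is_dir():
        return per_user
    return legacy if uid == 0 and legacy.is_dir() else None

def package_instances(root):
    """Map package name -> {user_id: number of files} across all users."""
    table = {}
    for uid in enumerate_user_ids(root):
        base = app_data_dir(root, uid)
        if base is None:
            continue
        for pkg in base.iterdir():
            if pkg.is_dir():
                count = sum(len(files) for _, _, files in os.walk(pkg))
                table.setdefault(pkg.name, {})[uid] = count
    return table

def completeness_report(root, packages):
    """Summarise user profiles and per-user instances of the given packages."""
    users = enumerate_user_ids(root)
    table = package_instances(root)
    return {
        "user_ids": list(users),
        "secondary_users": [u for u in users if u != 0],
        # A profile with app data but no media (or the reverse) suggests a partial dump.
        "incomplete_users": [u for u, r in users.items()
                             if "data/media" not in r or r == {"data/media"}],
        "instances": {p: dict(sorted(table.get(p, {}).items())) for p in packages},
    }

def build_sample_extraction():
    """Constructed sample tree; user IDs and file names are illustrative."""
    root = Path(tempfile.mkdtemp(prefix="ffs_sample_"))
    files = [
        "data/data/com.whatsapp/databases/msgstore.db",
        "data/media/0/DCIM/IMG_0001.jpg",
        "data/user/10/com.whatsapp/databases/msgstore.db",
        "data/user/10/org.telegram.messenger/files/cache4.db",
        "data/media/10/DCIM/IMG_0002.jpg",
        "data/user/999/com.whatsapp/databases/msgstore.db",
    ]
    for rel in files:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed")
    return root

if __name__ == "__main__":
    sample = build_sample_extraction()
    print(completeness_report(sample, ["com.whatsapp", "org.telegram.messenger"]))
```

A package directory can exist for a user without ever having been used, so the file counts are a pointer to where to look, not proof of activity.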
Tool coverage also becomes a pass/fail variable. Forensic tools maintain device profiles — a database of supported models with their specific extraction methods. A tool whose profiles skew toward Samsung, Apple, and Google will miss on an Oppo A-series or a Realme Narzo. A tool that actively tracks Indian OEM releases will hit. The difference isn't quality of output on supported devices. It's whether the device gets touched at all. This is one of the reasons the FSL backlog in India is as much a tooling question as a staffing one.
How Secfore Extractor handles the skin problem
Secfore's Extractor was built around the Indian device fleet from day one. That means active support for MIUI, HyperOS, ColorOS, OxygenOS, Funtouch, OriginOS, and the skins running on Tecno, Infinix, and Itel handsets that dominate the sub-₹15,000 segment. Full file system extraction enumerates all user profiles (surfacing Second Space data), detects cloned app instances, and preserves the original filesystem structure so examiners can navigate OEM-specific paths in Visualizer without the tool quietly flattening the data.
New OEM firmware builds get added on a two-to-four-week cadence. That matters in India, where a state FSL might receive a new Realme model within weeks of launch and can't afford to wait six months for international tool vendors to catch up.
None of this makes Indian OEM forensics easy. It makes it possible on the current timeline, instead of the one where every third device in the queue gets flagged "unsupported, escalate."
The skin is where the evidence lives. Work the skin first.