Oxygen Forensic® Detective is an all-in-one forensic software platform built to extract, decode, and analyze data from multiple digital sources: mobile and IoT devices, device backups, UICC and media cards, drones, and cloud services. Oxygen Forensic® Detective can also find and extract a vast range of artifacts, system files as well as credentials from Windows, macOS, and Linux machines.
The cutting edge and innovative technologies deployed in Oxygen Forensic® Detective include, but are not limited to, bypassing screen locks, locating passwords to encrypted backups, extracting and parsing data from secure applications and uncovering deleted data.
Furthermore, multiple extractions can be investigated in a single interface to gain a complete picture of the data. By using the integrated industry-leading analytical tools to find social connections, build timelines, and categorize images, law enforcement, corporate investigators and other authorized personnel can help make this world a safer place.
Oxygen Forensic® Detective is distributed in a USB dongle and is valid for a single user.
accounts and passwords
Decrypt passwords and authentication tokens to user accounts in Social Networks, Messengers and Email apps. Reveal passwords that were used to connect to Wi-Fi networks
advanced physical methods
Physical collection while bypassing device security.
Extract, decrypt and examine user data from today's most popular apps.
Oxygen Forensic® software provides advanced physical extraction for LG, Motorola, Samsung, MTK, Kirin, Spreadtrum and Qualcomm Android devices. This method enables lock screen bypass and requires no root rights. Moreover, the software offers the ability to gain root rights and conduct a full physical extraction of Android devices with installed Android OS 7, 8, 9 and 10.
The applications section displays user data that has been extracted and parsed from popular Social Networks, Messengers, Web Browsers, Navigation, Productivity, Travel, Finance, Fitness, Drone and Multimedia apps. Investigators can view app account details, contacts, messages, calls, logs, cache, and other relevant data. Even encrypted apps are decrypted and displayed in this area!
backup and image import
Import and parse various backups and images made from today's devices like iOS, Android, and more as well as import from other forensic tools like Cellebrite and MSAB.
View dialed, answered and failed calls including deleted ones. Apply filters to show calls only for a specific period of time
Process and analyze call data records obtained from wireless providers. Visualize geo coordinates on the map and identify links between callers
Oxygen Forensic® software imports and parses dozens of various device backups and images created in official device software, third-party programs or other forensic tools. Investigators can import iTunes, Android ADB backups, JTAG/ISP,CHIP-Off images, .dar archives, XRY and UFED extractions, Warrant Returns and many other files.
The built-in Oxygen Forensic® CDR Expert allows importing and analyzing of CDR files received from mobile service providers regardless of the difference in their column formats and file layouts. The program conveniently guides the investigator through the process of call data records file importing and any field mapping that is required to convert the file into a unified format. CDR Expert then visualizes direct and indirect links between callers on a graph.
Gain access to cloud services like: WhatsApp, Telegram, iCloud, Google, Samsung, Microsoft, Facebook, Instagram, Twitter and many other social media cloud services.
Uncover and reveal names, usernames, emails, and more in different sources on the device.
Customize and generate data reports in many formats like PDF, XLS, RTF, XML and HTML.
The built-in Oxygen Forensic® Cloud Extractor acquires data from the most popular cloud services to include: WhatsApp, iCloud, Google, Microsoft, Mi Cloud, Huawei, Samsung, E-Mail (IMAP) Servers and more. Also, various social media services are supported to include but not limited to: Facebook, Twitter, Instagram, and many more. Investigators can use usernames and password combinations or tokens extracted from the mobile device or PC to gain access to a cloud storage even when two-factor authentication is enabled on selected services.
Oxygen Forensic® Detective enables the export of data from any section to many popular file formats including: PDF, XLSX, XML, HTML, JSON Project VIC. A report can be created to include a single device, several devices, several sections or even selected records. Reports are highly customizable to display only the data required, for any type of case. Our XML reports can be integrated into many popular analytic software platforms with our built in XML export specification documentation. Export to Relativity software is also available.
Powerful global search over a single device, multiple devices or entire case.
view the detailed information about the device and its owner
Extract and analyze drone data from physical dumps, drone logs and mobile applications.
Oxygen Forensic® software has a powerful built-in interface for data search. Searching can be conducted on all devices, at the case level and at the device level. Investigators can search data according to the information entered in the input field, by keyword lists, hashes, using regular expressions or choosing any other available method. Search is launched as a separate process so investigators are free to work with the software during the search process.
The search process can search within files to uncover data that has not been parsed, often uncovering valuable data within SQlite databases, log files, and property lists.
The device information section gives you the general information about the acquired device. It shows various attributes, like the device specifics (e.g., make, model), SIM and network information, phone numbers and case details. Investigators can also find summary information of all the device owner’s accounts. Moreover, the Statistics tab shows the detailed statistics about extraction: Top 10 applications with the greatest number of communications, Top 10 groups, Top 10 contacts, Last contacted, Key Evidence with tags and notes.
Oxygen Forensic® Detective can perform physical extraction of drones and parse GPS locations showing valuable route data in our built-in Timeline section and the built-in Oxygen Forensic® Maps. The software also allows the investigator to import drone log .dat files directly into Oxygen Forensic® Maps to visualize locations and track a drone route, as well as physically extract the internal memory on select DJI drones. Also available, data parsing from many drone applications, like DJI Go, Flight It Pro for iOS and Android devices. And finally, the software allows to extract data from drone cloud services, like DJI cloud, SkyPixel and Parrot.
encrypted backups and images import
Find passwords to encrypted backups and images by using various attacks and optimize the attacks to deliver unrivaled results in record speeds.
Access a devices photos, audio and video files, databases and other acquired evidence at the file-system level. View any file in a raw, hex mode, native view.
Extract and view geo coordinates from various sources: applications data, photo and video EXIF headers, history of Wi-Fi connections, etc
Oxygen Forensic® software enables decryption of iOS and Android backups and images. The built-in Passware mobile kit module helps to find passwords with latest algorithms and technologies including distributed processing and GPU acceleration with ATI and NVIDIA boards. The available attacks include brute-force, dictionary, Xieve, etc. and are highly optimized to deliver the result in the shortest amount of time.
The Files section grants access to user’s photos, videos, documents and device databases. Built-in Text, Hex, Multimedia, SQLite and Plist viewers allow investigators to examine files and their metadata. Rich filtering and powerful search help to focus only on the required evidence. The section can be built for several devices in the same case.
Oxygen Forensic® software collects geo data from various sources: photo and video EXIF headers, web connections information and applications databases. Geo coordinates can be extracted both from mobile devices and cloud services. The full list of geo points can be found on Geo Timeline tab in Timeline section. Oxygen Forensic® Maps can be also opened from this section to view the coordinates overlaid on a rich map view.
detect significant images including pornography, extremism, drugs, guns, etc with the built-in image categorization engine
iot device support
Extract and analyze data from IoT devices
Mark important entries as key evidence in any program section and view them later in a single list
The Key Evidence section displays records bookmarked in other sections by the investigator as important. The function of the section is to put the entries identified as evidence relevant to a case in the same place, making data analysis easier. Investigators can bookmark important evidence in one or several devices and export it later to one data report.
Oxygen Forensic® Detective supports the two most popular digital assistants - Amazon Alexa and Google Home. You can access Amazon Alexa cloud using a username and password or token. A token can be found on the device's associated computer with Oxygen Forensic® KeyScout and used in Cloud Extractor. The software acquires a complete evidence set from Amazon Alexa, including account and device details, contacts, messages, calendars, notifications, lists, activities, skills, etc. Google Home data can be extracted via Google username/password or a master token found in mobile devices. Extracted Google Home data includes account and device details, voice commands, and information about users.
Create and use keyword lists to quickly find the relevant data during or after data extraction
live data extraction
Extract data from mobile devices based on iOS, Android, Windows Phone, Windows Mobile, Blackberry, Bada OS or feature phones. Additionally, acquire device media and SIM cards
Open geo coordinates on the built-in Maps, visualize user’s movements, determine his frequently visited places and find out if several people were at the same time at the same place
Oxygen Forensic® Detective offers both logical and physical methods of device acquisition via a regular USB cable. The program supports thousands of devices running Apple iOS and Android. Support for MTK, Qualcomm, Kirin and Spreadtrum chipsets is also available. Additionally, you can extract and recover data from media and SIM cards via specialized readers.
Gain access to SMS, MMS, Email and iMessage communications and read them either in Table or Chats view
Extract and recover user’s calendars, notes and tasks. Decode iOS encrypted notes
Open and examine. plist files found in iOS device extractions. Use Converter panel to convert values into a readable format
The built-in Oxygen Forensic® Plist Viewer offers advanced analyzing of Plist files: investigators can open plain XML and binary XML files, view entries according to their type (string, data, numbers etc.), convert values, open external files for analysis, export .plist file data in XML format for further analysis by external tools.
Explore social connections between the device owner and his contacts or between several devices by analyzing calls, messages and app communication activities
Navigating the enormous amount of data efficiently has always been our development objective. To prove this point, we have introduced the Statistics section that offers an overview of the entire extraction and allows the investigator to quickly identify sections of interest.
Examine SQLite databases, recover deleted data, convert values, build SQL queries, perform search and export selected entries to reports
Oxygen Forensic® software provides several tools to explore social connections between the device owner and contacts or between several devices by analyzing calls, messages and app communication activities. Investigators can use either a Graph or Diagram to view and identify social links, find common contacts and analyze communication statistics.
The built-in Oxygen Forensic SQLite Viewer is a powerful tool for examining SQLite files and their contents. With this tool, investigators can open any SQLite database, recover deleted records, convert values to a readable format, build visual SQL queries and save them for further use, run search and finally export selected entries to customization data reports.
The Statistics section consists of several widgets, that are divided into two categories–data on the device and investigator interaction. Data on the device is displayed in the first widgets and shows the data present within the extraction in charts or tables (Activity Chart, Activity Matrix, Last Contacted, Data Types, Top 10 Applications, Contacts, or Groups). The second group of widgets, or investigator interactions widgets, display the investigator’s interactions with the evidence: assigning tags, marking data as Key Evidence, adding and editing notes, running hash set searches.
View all events in a chronological order: chats, calls, voicemails, photos and videos history, wi-fi connections, geo files and web cache
user data collection on computer
Collect credentials and passwords on computer using Oxygen Forensic® KeyScout
Parse user’s emails from webmail interface and content of visited webpages. Gain access to email messages, web search history, locations and other data stored in WebKit databases
The Timeline section summarizes all events in chronological order: calendar events, messages, calls, web cache, web connections, voicemails, photos and videos history, etc. The section offers investigators a number of powerful filters and convenient data presentation modes that allow them to concentrate on the analysis of the pertinent data only.
The WebKit Data section shows a user’s emails from webmail interface and content of visited web pages. You can gain access to email messages, web search history, locations and other data stored in WebKit databases throughout a device. This section is an additional source of app user data for investigators and is often overlooked by commercial tools.
Oxygen Forensic® KeyScout offers the ability to seek and locate system files, tokens and passwords saved on a computer as well as extract user data from in various desktop Web browsers, E-mail clients and Messengers. The utility is available from the main menu in Oxygen Forensic® Detective, installs to removable media and collects credentials currently from PCs. The collected credentials can then be imported into Oxygen Forensic® Cloud Extractor for immediate use and extracted user data should be imported as Oxygen Desktop Backup into Oxygen Forensic® Detective. The KeyScout is compatible with Windows, macOS and Linux.
Find out when and where the device owner used Internet access and gather information about frequent locations of iOS users