oxygen forensic®

detective

features

Detective Features
product_advanced_physical_methods

advanced Physical methods

Physical collection while bypassing device security.

product_aggregated_contacts

aggregated contacts

Uncover and reveal names, usernames, emails, and more in different sources on the device.

product_android_jet_imager2

android jet imager

Create full physical dumps from Android devices  25% faster than regular methods.

advanced_physical_methods1

Oxygen Forensic® software offers an advanced physical extraction for LG, Motorola, Samsung, MTK, and SPD devices.  The method enables lock screen bypass and requires no root rights.

aggregated_contacts

Aggregated Contacts section displays contacts obtained from various sources: standard phonebook, calls log, messages and application databases. Contacts with the same fields are merged into one meta-contact. Aggregated Data can be used at both the case level and device level of the examination.

android_jet_imager

Due to the partnership with the MITRE Corporation Oxygen Forensic®  Detective software offers the fastest physical extraction method for Android devices. Thanks to the Jet-Imager module, Android devices are acquired up to 25% faster than previous methods . For example, a 16GB device can be extracted in 5-7 minutes, a 32Gb device in 8-10 minutes. The module has country export restrictions. Please contact our sales department for more information.

product_applications

applications

Extract, decrypt and examine user data from today's most popular apps.

product_backups_and_images_support

backup and image import

Import and parse various backups and images made from today's devices like iOS, Android, and more as well as import from other forensic tools like Cellebrite and MSAB.

product_cdr_analysis

cdr analysis

Process and analyze call data records obtained from wireless providers. Visualize geo coordinates on the map and identify links between callers

applications

The applications section displays user data that has been extracted and parsed from popular Social  Networks, Messengers, Web Browsers, Navigation, Productivity, Travel, Finance, Fitness, and Multimedia apps. Investigators can view app account details, contacts, messages, calls, logs, cache, and other relevant data. Even encrypted apps are decrypted and displayed in this area!

backups_and_images_import

Oxygen Forensic® software imports and parses dozens of various device backups and images created in official device software, third-party programs or other forensic tools. Investigators can import iTunes, ADB, and Nokia backups, JTAG/ISP,CHIP-Off and Nandroid images,  XRY ,UFED, and full file-system images to name a few.

cdr_analysis

The built-in Oxygen Forensic® CDR Expert allows importing and analyzing of CDR files received from mobile service providers regardless of the difference in their column formats and file layouts. The program conveniently guides the investigator through the process of call data records file importing and any field mapping that is required to convert the file into a unified format. CDR Expert then visualizes direct and indirect links between callers on a graph.

product_cloud_data1

cloud data

Gain access to cloud services like: WhatsApp, Telegram, iCloud, Google, Samsung, Microsoft, Facebook, Instagram, Twitter and many other social media cloud services.

c92f9cf5cd618adbcf874a1a5aca9f49

data reports

Customize and generate data reports in many formats like PDF, XLS, RTF, XML and HTML.

50883457d1977cba810c7824c37224aa

data scout

Retrieve live subscriber information associated with the phone number including address, phone carrier, and other available data

cloud_data

The built-in Oxygen Forensic® Cloud Extractor acquires data from the most popular cloud services to include: WhatsApp, Telegram, iCloud, Google, Microsoft, Huawei, Samsung, E-Mail (IMAP) Servers and more.  Also, various social media services are supported to include but not limited to: Facebook, Twitter, Instagram, and many more. Investigators can use usernames and password combinations or tokens extracted from the mobile device to gain access to a cloud storage even when two-factor authentication is enabled on select services.

049936706d3f1e6c6bbb21d03ed5ec17

Oxygen Forensic® software enables the export of data from any section to many popular file formats including: PDF, RTF, XLS, XLSX, XML, and HTML. A report can be created to include a single device, several devices, several sections or even selected records. Reports are highly customizable to display only the data required, for any type of case. Our XML reports can be integrated into many popular analytic software platforms with our built in XML export specification documentation.

81a3f2c6fdb8e6ee07795dc3c4b8c232

Data Scout retrieves subscriber data from many extracted phone numbers. It interacts with the online lookup services of Whooster to gather intelligence information of collected phone numbers from mobile device extractions. The Data Scout feature currently uses the Whooster service and a subscription must be purchased with Whooster prior to enabling the Data Scout feature. Once the investigator's service credentials are received, they can be entered into the Oxygen Forensic® Detective interface to activate the feature.

The service covers the US territory and Canada and is available to US law enforcement only.

176ff100b2a66aa75574774508000b29

data search

Powerful global search over a single device, multiple devices or entire case. 

b597cdfcc1d6fcf3a68dccfffa354b5d

deleted data

Automatically recover deleted records and files: contacts, calls, messages, notes, photos, videos, SQLite databases and other vital evidence

dd6bc4cd2b90577dddc4770309e9401d

device information

view the detailed information about the device and its owner

808d78ed092eabfa83dbff88ede99691

Oxygen Forensic® software has a powerful built-in interface for data search. Searching can be conducted on all devices, at the case level and at the device level. Investigators can search data according to the information entered in the input field, by keyword lists, hashes, using regular expressions or choosing any other available method. Search is launched as a separate process so investigators are free to work with the software during the search process.  

The search process can search within files to uncover data that has not been parsed, often uncovering valuable data within SQlite databases, log files, and property lists.

d706f93607bf57e57ca652b247f30d3a

Oxygen Forensic® software recovers a wide range of deleted evidence: contacts, messages, calls, notes, user data from applications from SQLite databases, It is also capable of recovering photos, videos, databases and files from physical images of Android and Windows Phone devices. All recovered evidence is marked with a special trash bin icon for easy identification.

8a51f9cfbe339aa861aafe3cd825bd10

The device information section gives you the general information about the acquired device. It shows various attributes, like the device specifics (e.g., make, model), SIM and network information, phone numbers and case details. Investigators can also find summary information of all the device owner’s accounts with login and password information for various apps and services.

4056121f68b95e9f7b6bab67e3dc62b6

drone data

Extract and analyze drone data from physical dumps, drone logs and mobile applications.

2ac8baa1a8a082699f74c3689a768c11

encrypted backups and images import

Find passwords to encrypted backups and images by using various attacks and optimize the attacks to deliver unrivaled results in record speeds.

5d6429b4b63bf8e27ef2a1b0ea072a29

event log

View dialed, answered and failed calls including deleted ones. Apply filters to show calls only for a specific period of time

a021cb044ea34d9da1a357c978c3f078

Oxygen Forensic® Detective can import drone physical dumps and parse GPS locations showing valuable route data in our built-in Timeline section and the built-in Oxygen Forensic® Maps. The software also allows the investigator to import drone log .dat files directly into Oxygen Forensic® Maps to visualize locations and track a drone route, as well as physically extract the internal memory on select DJI drones.  Also available, data parsing from many drone applications, like DJI Go, for iOS and Android devices.

70a3629fef7502158fb3dad71ed31c57

Oxygen Forensic® software enables decryption of iOS and Android backups and images. The built-in Passware mobile kit module helps to find passwords with latest algorithms and technologies including distributed processing and GPU acceleration with ATI and NVIDIA boards. The available attacks include brute-force, dictionary, Xieve, etc. and are highly optimized to deliver the result in the shortest amount of time.

cfa6527b218460bb989a98aa71b899d6

The event Log section provides access to phone and FaceTime calls as well as messages and packet data. Investigators can apply time filters to view calls only for a particular period. The section allows to export all or selected data to PDF, RTF, XLS, XML and HTML reports.

9ef4a33619193ff773e615f7b70984cc

file browser

Access a devices photos, audio and video files, databases and other acquired evidence at the file-system level. View any file in a raw, hex mode, native view.

fcc3be3aa3bbbbedd1a0751ad1a83589

geo data

Extract and view geo coordinates from various sources: applications data, photo and video EXIF headers, history of Wi-Fi connections, etc

024fb35bccf8d26af3e2dfcf067b8c8c

key evidence

Mark important entries as key evidence in any program section and view them later in a single list

c4bff16eab0045932d564e988dc1c307

The File Browser section grants access to user’s photos, videos, documents and device databases. Built-in Text, Hex, Multimedia, SQLite and Plist viewers allow investigators to examine files and their metadata. Rich filtering and powerful search help to focus only on the required evidence.

07718079f3b7561fbc52560f5dbd8c36

Oxygen Forensic® software collects geo data from various sources: photo and video EXIF headers, web connections information and applications databases. Geo coordinates can be extracted both from mobile devices and cloud services. The full list of geo points can be found on Geo Timeline tab in Timeline section. Oxygen Forensic® Maps can be also  opened from this section to view the coordinates overlaid on a rich map view.

b25fa18d1874b2a75a736572e2a8c5b3

The Key Evidence section displays records bookmarked in other sections by the investigator as important. The function of the section is to put the entries identified as evidence relevant to a case in the same place, making data analysis easier. Investigators can bookmark important evidence in one or several devices and export it later to one data report.

6fdab61704269d3a7469bd2f871c8e06

keyword search

Create and use keyword lists to quickly find the relevant data during or after data extraction

58d714517dad392ec9f7469c548a23bb

link analysis

Explore social connections between the device owner and his contacts or between several devices by analyzing calls, messages and app communication activities

6166348f154b4f9b8e38fe696aba6b19

live data extraction

Extract data from mobile devices based on iOS, Android, Windows Phone, Windows Mobile, Blackberry, Bada OS or feature phones. Additionally, acquire device media and SIM cards

9bcabf2fdd6ae8ca5e0770a681c4626a

Oxygen Forensic® software allows creating and using keyword lists to quickly find relevant case facts in a single search function. Investigators can enter keywords or import them from a .txt file before data extraction to receive the results once the extraction process has completed.

f269e6f689a680aa8f84a89f7b1a1f17

Oxygen Forensic® software provides several tools to explore social connections between the device owner and  contacts or between several devices by analyzing calls, messages and app communication activities. Investigators can use either a Graph or Diagram to view and identify social links, find common contacts and analyze communication statistics.

ee8e44b33dc15d729aa71cbf70d4789c

Oxygen Forensic® software offers both logical and physical methods of device acquisition via a regular USB cable. The program supports thousands of devices running iOS, Android, Windows Phone, Windows Mobile, Blackberry, Bada, Symbian OS or having no OS at all (feature phones). Support for Chinese MTK and Spreadtrum chipsets is also available. Additionally, you can extract and recover data from media and SIM cards via specialized readers.

73fbcfc0e512640147c4d08da29b0a53

locations visualization

Open geo coordinates on the built-in Maps, visualize user’s movements, determine his frequently visited places and find out if several people were at the same time at the same place

edadff590a6cac826c46502944d4d175

messages

Gain access to SMS, MMS, Email and iMessage communications and read them either in Table or Chats view

c53b06dcbb478f989c9b972a7fd456af

organizer

Extract and recover user’s calendars, notes and tasks. Decode iOS encrypted notes

16c3279c51cd3e16097ef6a1383ae482

The built-in Oxygen Forensic® Maps module is available both in online and offline modes. Oxygen Forensic Maps allows investigators to quickly identify a user’s frequently visited places, visualize routes within a specified period and pinpoint common locations of several device users. 

dd0888c1bd67a4835bcd3f71002873a3

The messages section gives investigators access to SMS, MMS, iMessage and E-mail messages (with the attachments) in the device. Investigators can read conversations either in Table or a visual Chats view. The export button allows can be used send all or selected messages with attachments to data reports directly from this section.

8ea306d4b6552cc839b921d540cbefcc

The Organizer section displays the detailed information about calendar events, notes and tasks. The program can decrypt notes created and encrypted in Apple devices running iOS 9.x and 10.x. Data reports can also be customized and generated in any of supported file formats directly from this section.

7f0201cc0c5bbbaa3d4a6de6f324bae3

passwords

Decrypt passwords and authentication tokens to user accounts in Social Networks, Messengers and Email apps. Reveal passwords that were used to connect to Wi-Fi networks

002e06c2c667c79658aaedefe905c4f1

phonebook

View all phonebook information including names, phone numbers, email addresses, notes, birthdays, creation and modification dates

51a8d928001a2fadb64c7d171ec06ab7

plist viewer

Open and examine. plist files found in iOS device extractions. Use Converter panel to convert values into a readable format

32b13dd9d5925478c122a6ebe43fdbe7

The Passwords section displays logins, passwords and tokens extracted iOS, Android and Windows Phone devices. The program decrypts credentials from the iOS keychain, finds them in application databases and web forms. Investigators can find passwords to various application accounts as well as passwords used to connect to WiFi networks.

2968bd65fc94fff48195b116fe3c3ae4

The Phonebook section presents the complete information about the device's contacts - phone and SIM card contacts, their standard and customer fields, speed dials and birthdays, creation and last modification dates. The section also offers rich sorting and filtering capabilities and allows investigators to generate data reports with all or selected contacts.

f3eb2219da4f2992ef27ff94ab4eb9bb

The built-in Oxygen Forensic® Plist Viewer offers advanced analyzing of Plist files: investigators can open plain XML and binary XML files, view entries according to their type (string, data, numbers etc.), convert values, open external files for analysis, export .plist file data in XML format for further analysis by external tools.

a05f63f4a59b97de27d8e326282b6ca2

sqlite viewer

Examine SQLite databases, recover deleted data, convert values, build SQL queries, perform search and export selected entries to reports

334f93153e74ca5265b273023a3513ea

screen lock disabler

Get access to the critical data by disabling screen lock on LG Android devices with one click

91ccb934817d2402635f38322a8435c6

spyware

Discover spyware that might be running on mobile devices and analyze its logs and configuration files

3a5937335ef0127a469a5821b8f96357

The built-in Oxygen Forensic SQLite Viewer is a powerful tool for examining SQLite files and their contents. With this tool, investigators can open any SQLite database, recover deleted records, convert values to a readable format, build visual SQL queries and save them for further use, run search and finally export selected entries to customization data reports.

35da857d80f7d8566ffc374f330a161a

The Screen Lock Disabler allows the investigator to disable user lock code on supported LG devices based on Android OS and gain access to critical data. The procedure takes several minutes and requires no special cables or tools. Simply install the LG United Mobile Driver, insert a regular USB and let the software disable the lock.

aa21375c2dd3b768d9de3842bc8b3bf3

Oxygen Forensic® software can detect spyware apps installed on Android and Apple devices, discover and process their logs and configuration files. Spyware log files may include application configuration data, the list of running services, application username, sometimes accompanied with a unique code allowing to detect the app, Cell ID used at the time of data transmission, and GPS logs accompanied with Geo-coordinates and a timestamp.

6a1e797200cede9d4851d53180bcb4cc

timeline

View all events in a chronological order: chats, calls, voicemails, photos and videos history, wi-fi connections, geo files and web cache

4f443474209e9b49291931902b801792

web connections

Find out when and where the device owner used Internet access and gather information about frequent locations of iOS users

698485d40d7d60f04648526f2cc472c3

webkit data

Parse user’s emails from webmail interface and content of visited webpages. Gain access to email messages, web search history, locations and other data stored in WebKit databases

b9b2ba781f180cc374d9f01fdfd6af1c

The Timeline section summarizes all events in chronological order: calendar events, messages, calls, web cache, web connections, voicemails, photos and videos history, etc. The section offers investigators a number of powerful filters and convenient data presentation modes that allow them to concentrate on the analysis of the pertinent data only. Timeline also contains an Activity Matrix, often called a Heat Map, that displays heavy usage by a single user or multiple users.

d2b6690692d6278550c4001936b0e7fb

The Web Connections section presents the history of Web connections (Wi-Fi, GPRS, LTE) in one list and shows the place where the Internet was used. Information about every Wi-Fi hotspot is found in this section and includes the SSID, MAC address, time of the first and last connections. The program also displays the list of frequent locations extracted from iOS devices.

d0cfd14c75cd8ef401ab3f397ab4d9ab

The WebKit Data section shows a user’s emails from webmail interface and content of visited web pages. You can gain access to email messages, web search history, locations and other data stored in WebKit databases throughout a device. This section is an additional source of app user data for investigators and is often overlooked by commercial tools.