Oxygen Forensic® Detective is an all-in-one digital forensic software platform designed to extract, decode, and analyze data from mobile devices, computers, cloud services, and applications. Built by Oxygen Forensics, Inc., a leading global provider of digital forensic solutions based in Alexandria, Virginia, this software serves law enforcement agencies, corporate security teams, legal professionals, and private investigators worldwide. With the ability to extract data from over 30,000 device types and parse nearly 1,000 mobile applications, Oxygen Forensic® Detective has established itself as a critical tool in modern digital investigations.

1. Overview and Product Philosophy
Oxygen Forensic® Detective is purpose-built for investigators who need to navigate the growing complexity of digital evidence. As smartphones, cloud accounts, encrypted messaging apps, and connected devices generate increasingly vast amounts of data, forensic tools must evolve rapidly to keep pace.
The software operates on a perpetual licensing model: a single license includes all modules, features, and tools with no hidden add-on costs. This contrasts with many competitors that charge separately for features like cloud extraction, malware detection, or advanced analytics. Each license typically includes 12 months of updates, after which maintenance can be renewed.
Platform Compatibility:
- Operating System: Windows-based forensic workstation
- Supported Evidence Sources: Mobile devices (iOS, Android, feature phones), computers (Windows, macOS, Linux), cloud services (100+), drones, and IoT devices
2. Core Capabilities: Extraction
2.1 Mobile Device Extraction
Oxygen Forensic® Detective supports data extraction from more than 30,000 mobile device models across multiple operating systems and chipsets.
Android Support:
The software provides multiple extraction methods for Android devices:
- Physical Image Extraction: Creates a complete bit-for-bit copy of device storage
- Full File System Extraction: Recovers file system data including deleted content
- Android Agent Extraction: A lightweight agent that can be installed to collect specific app data and data categories
- ADB Backup Extraction: Uses Android Debug Bridge for logical backups
- Chain Method: A sequential process that automatically applies multiple extraction methods (Physical → Full File System → Android Agent → ADB Backup) in a single session to maximize data recovery
Recent updates have expanded support to include:
- Unisoc-based devices: Chipsets including SC9863, SC9832E, SC7731E (2020 onward), and T606
- Qualcomm-based devices: Support for extracting encryption keys and decrypting user data
- Feature phones: Devices based on Unisoc T117 and T107 chipsets (Alcatel 3080G, Gigaset GLX8, MyPhone C1 LTE, Nokia 225 4G, Panasonic KX-TU550, and others)
- Android OS 15: Support for the latest Android version
iOS Support:
- iOS Agent: Extracts publicly available data from iOS devices running iOS 12 and newer
- Logical Backup Extraction: Seamlessly extracts backups from current iOS devices
- Screenshot Capture: Ability to capture screenshots directly from iOS devices via iOS Agent with screen recording permissions
- WhatsApp Chat Extraction: Manual selection and extraction of exported WhatsApp and WhatsApp Business chats, with or without media files (iOS 15.1+)
2.2 Cloud Data Extraction
Oxygen Forensic® Detective introduced the industry’s first cloud extraction tool for forensic purposes in 2014 and continues to support over 100 cloud services. Cloud extraction is particularly valuable because data stored in the cloud often persists even when deleted from physical devices, and cloud backups (such as WhatsApp backups on iCloud Drive) may contain evidence not present on the phone itself.
Supported Cloud Services Include:
- Google Services: Google Authenticator (extract secret keys using login/password or token), Google Timeline data via Google Takeout
- Apple Services: iCloud Drive backups including Line chat backups, DMG backups of iPhone devices
- Communication Platforms: Slack account data
- Social Media: Facebook Warrant returns, Facebook data imports
- Mobile Backups: Samsung Smart Switch (version 37 and later)
- Call Data Records: AT&T (XLSX/CSV) and Verizon call data records
2.3 Computer Forensics (KeyScout)
KeyScout is the portable acquisition utility built into Oxygen Forensic® Detective for extracting data from computers.
KeyScout Capabilities:
- File Carving: Recovers JPEG, PDF, TXT, ZIP, and many other file types from unallocated space of NTFS partitions
- Signature-Based Search: Searches for files by file signature including ZIP-based containers, DOC, XLS, PDF, and JPEG files
- Malware Scanning: Scans disk images and physical drives for malware using industry-standard heuristics
- Virtual Machine Recognition: Identifies virtual machines on target desktop devices
- Artifact Collection: Extracts system and user artifacts from Windows, macOS, and Linux computers
Supported Computer Artifacts Include:
- Windows: Program Compatibility Assistant data, Windows Hello account decryption
- macOS: Voice Memos data, App Store data, Recent Interactions
- Linux: atop utility event logs, auditd log data
- Cross-Platform Applications: Ledger Live, Obsidian, Zoom Workplace, TeamViewer, Revolt Chat, Stoat Chat
2.4 Drone Forensics
Oxygen Forensic® Detective supports extraction from drones, including encrypted flight logs from DJI Avata drones. Drone data can be critical for investigations involving surveillance, contraband delivery, or accident reconstruction.
3. Core Capabilities: Passcode Recovery (KeyDiver)
KeyDiver is Oxygen Forensic® Detective’s dedicated passcode recovery module for encrypted partitions, files, and applications.
KeyDiver Capabilities:
- CPU-Based Brute Forcing: Passcode attacks utilizing processing power
- PDF Decryption: Recovers passwords for encrypted Adobe Acrobat PDF files
- Password Manager Attacks: Brute forces 1Password account passwords using known hashes
- Samsung Smart Switch Backup Decryption: Brute forces passwords for encrypted backups
- Android FDE/FBE Support: Brute forces passwords on Android Full Disk Encryption and File-Based Encryption images with multiple GPU support
- Dictionary Management: Automatically saves found passwords to a dictionary of previously brute-forced passwords; supports importing/exporting dictionaries
- Temperature Monitoring: Automatically pauses attacks when user-defined critical GPU temperatures are reached
4. Core Capabilities: Data Import and Consolidation
One of Oxygen Forensic® Detective’s most powerful features is its ability to import and consolidate evidence from virtually any source into a unified interface.
Import Sources:
- Competing Forensic Tools: UFED Advanced Logical extractions of iOS devices, GrayKey extractions (including binary keychain format and extended timestamps)
- Backup Formats: Samsung Smart Switch (v37+), Huawei HiSuite, Honor HiSuite v.14.0, unencrypted DMG iPhone backups
- Memory Card Dumps: AD1 format, E01 images (including encrypted SD cards formatted as Android Adoptable Storage)
- Exported Chats: WhatsApp chats, Telegram Desktop chats
- Call Data Records: AT&T (XLSX/CSV), Verizon call data records
- Warrant Returns: Facebook Warrant returns
- External CSV/TXT Files: Supplementary data import to enrich existing cases
As one investigator notes: “I can ingest other tools into Oxygen and unpack and parse it out. I will be able to read things from an analytic perspective that I can’t see in competitor tools… I use it as my primary parsing and analytic tool, regardless of where the extraction was done or who did the extraction”.
5. Core Capabilities: Data Analysis
5.1 Application Parsing
Oxygen Forensic® Detective parses data from nearly 1,000 mobile applications, including popular and encrypted messaging platforms.
Supported Applications Include:
- Messaging: WhatsApp, Signal, Telegram, Snapchat, Discord
- Browsers: Opera, Samsung Browser, plus major browsers for web version analysis
- Cryptocurrency: Wallet and transaction data, mnemonic phrase (seed phrase) searches using BIP39 and SLIP39 dictionaries
- Unsupported Apps: The software can parse data from unsupported applications by applying parent application parsing rules, eliminating the need for manual database analysis
5.2 Advanced Analytics Tools
Oxygen Forensic® Detective includes a comprehensive suite of built-in analysis tools at no additional cost:
| Tool | Function |
|---|---|
| Timeline | Reconstructs chronological activity across all data sources, correlating messages and movements |
| Social Graph | Visualizes relationships and connections between individuals across communications |
| Facial Categorization | Automatically detects, categorizes, and matches faces across image collections; enables building searchable face databases |
| Image Categorization | Automatically classifies and sorts large volumes of images, filtering out irrelevant content |
| Optical Character Recognition (OCR) | Converts text from images, screenshots, and scans into searchable data |
| Speech-to-Text | Transcribes speech from audio and video files into searchable text |
| Translation | Supports 45+ languages offline; integrates with speech-to-text and OCR; newly added languages: Burmese, Kannada, Khmer, Malayalam, Marathi, Mongolian, Odia, Somali, Tagalog |
| Geolocations | Centralized section for all location-related data with map previews, address retrieval, and OpenCellID cellular tower database integration |
| Cryptocurrency Section | Parses cryptocurrency addresses, transactions, wallets, and mnemonic phrases from all sources |
| Malware Detection | Uses industry-standard heuristics to identify malware across data sources |
| Search | Device- or case-level searching by keywords, faces, hash values, and cryptocurrency addresses |
5.3 Deleted Data Recovery
The software is particularly effective at recovering deleted messages, especially from SQLite databases. As one forensic specialist reports: “When it comes to SQLite database parsing, Oxygen is helpful with recovering deleted messages”.
5.4 Real-World Case Example: Telegram Decryption
In a criminal investigation involving credit card fraud, suspects used Telegram believing its encryption would protect them. Using Oxygen Forensic® Detective, investigators were able to:
- Access the suspect’s phone
- Decrypt Telegram despite two-factor authentication being enabled
- Extract all communications and images shared between the criminals
The extracted evidence became the conclusive proof in the case.
6. Reporting and Presentation
Oxygen Forensic® Detective includes customizable, court-ready reporting capabilities. Investigators can:
- Create branded report templates with granular filtering options
- Save reports in multiple formats for different audiences (legal teams, clients, courtrooms)
- Password-protect privileged data, which stays hidden in final reports until the correct password is entered
- Export to OFBR format (Oxygen Forensic Backup) for sharing with Oxygen Forensic® Detective Viewer, allowing third parties to view case data without a full license
7. Security and Data Protection
7.1 Malware Detection
Oxygen Forensic® Detective includes built-in malware scanning capabilities at no additional cost. Investigators can scan extracted files and email databases for threats using updated malware databases. As one user noted: “Having that malware scan built in there with an updated database is just a critical baseline tool”.
7.2 Data Access Controls
The software allows investigators to password-protect privileged data within case files. Sensitive evidence can then be kept confidential from certain team members where legal or procedural constraints require it, while remaining accessible to authorized personnel.
8. Training and Support
Oxygen Forensics has earned a 98% satisfaction rating for technical support. The company provides:
8.1 Training Courses (All-Access Pass)
The All-Access Pass (AAP) is an annual subscription providing unlimited access to all available training courses:
| Course | Duration |
|---|---|
| Oxygen Forensic® Boot Camp (OFBC) | 3 days |
| Oxygen Forensic® Advanced Analysis (OFAA) | 3 days |
| Oxygen Forensic® Extraction in a Box (XiB) | 3 days |
| Oxygen Forensic® Drone Analysis (OFDA) | 1 day |
| Oxygen Forensic® Cloud Extraction (OFCE) | 1 day |
| Oxygen Forensic® Detective Viewer (OFDV) | 1 day |
| Oxygen Forensic® Agent Triage (OFAT) | 1 day |
| Oxygen Forensic® Analytic Investigations (OFAI) | 1 day |
| Oxygen Forensic® KeyScout Collection (OFKC) | 1 day |
| Oxygen Forensic® Data Presentation (OFDP) | 1 day |
8.2 Ongoing Education
The company produces regular webinars and training content available through their Learning Management System (LMS) to all customers. As one investigator describes: “There’s this focus on everybody continuing to get better… There’s always that thirst to learn and grow”.
9. Licensing Model
Oxygen Forensic® Detective operates on a perpetual license model. Key advantages include:
- One license, all features: No add-on costs for cloud extraction, malware detection, analytics, or reporting
- Predictable costs: Transparent pricing without surprise fees
- Value retention: As competitors increase prices, Oxygen’s model becomes comparatively more valuable
The software is sold primarily to law enforcement, government agencies, and authorized forensic service providers. Pricing and purchasing options vary by region and customer type.
10. Version Updates
Oxygen Forensic® Detective is continuously updated. Recent major versions include:
- Version 18 (2024-2025): Introduced multi-source extraction via Android Agent, multi-language search, macOS 26 support, parsing of unsupported apps via parent app rules
- Version 18.1: Added screenshot capture via iOS Agent, chain extractions, Slack account data import, automation updates
- Version 18.2: Enhanced WhatsApp extraction, new Geolocations section, malware scan in KeyScout, file-to-app linking, Key Evidence enhancements
- 2025 Year-End Updates: Added Unisoc chipset support, Android OS 15 support, expanded file carving, cryptocurrency address search, OpenCellID integration
Application parsing packages can be updated independently of the main software, allowing users to receive parsing improvements without waiting for a full release.





