Oxygen Forensic Detective Getting Started
Getting started
Founded in 2000 and headquartered in Virginia, US, Oxygen Forensics has provided
cutting-edge solutions to forensic investigators since the beginning of the mobile-connected
world.
Oxygen Forensics is one of the leading global digital forensics software providers, giving
law enforcement, federal agencies, and enterprises around the world access to critical
insights and data faster than ever before. Over our time in the industry, we have expanded
our product support beyond mobile forensics to include cloud, drone, computer, and IoT
devices, while continuing to provide the most advanced digital forensic data extraction and
analytical tools for criminal and corporate investigations.
Table of Contents
Software Installation ........................................................................................................................................... 5
Data Extraction ...................................................................................................................................................... 7
Mobile Devices ................................................................................................................................................... 7
Screen lock bypass methods ................................................................................................................. 11
Customized password attacks .............................................................................................................. 12
Backup and image import ...................................................................................................................... 15
KeyDiver ....................................................................................................................................................... 18
Clouds ................................................................................................................................................................. 21
Computer artifacts ........................................................................................................................................ 23
Live data extraction .................................................................................................................................. 24
RAM Capture ............................................................................................................................................... 29
Import of desktop extractions .............................................................................................................. 31
External drive acquisition ...................................................................................................................... 33
Drone data extraction .................................................................................................................................. 36
IoT data extraction ........................................................................................................................................ 37
Amazon Alexa ............................................................................................................................................. 37
Google Home ............................................................................................................................................... 38
Ring ................................................................................................................................................................. 39
Data analysis ........................................................................................................................................................ 42
Merge extractions .......................................................................................................................................... 44
Data Level ..................................................................................................................................................... 44
File System Level ....................................................................................................................................... 44
Built-in translator .......................................................................................................................................... 48
Timeline............................................................................................................................................................. 50
Social Graph ..................................................................................................................................................... 52
OCR ...................................................................................................................................................................... 54
Faces ................................................................................................................................................................... 56
Image Categorization ................................................................................................................................... 57
Tagging and Key Evidence ......................................................................................................................... 58
Data Search ...................................................................................................................................................... 59
Statistics ............................................................................................................................................................ 60
Maps and geodata .......................................................................................................................................... 61
Obtaining Geodata..................................................................................................................................... 61
Obtaining addresses ................................................................................................................................. 63
Maps ............................................................................................................................................................... 64
SQLite Viewer .................................................................................................................................................. 66
Plist Viewer ...................................................................................................................................................... 67
Options menu ...................................................................................................................................................... 68
Data Export to reports ..................................................................................................................................... 70
Oxygen Forensic® Viewer ......................................................................................................................... 71
Contacts ................................................................................................................................................................. 72
Software Installation
Download the software from the customer area. You will be emailed a link that will take
you to the customer area. In your personal customer area you can download our software,
custom recovery and bootloaders, earlier software versions, additional files and
documents, request the latest keycode, or contact our support team.
Once the software is downloaded, launch the installation by running the downloaded
package and wait for the installation window to open. In it, specify the destination
folder, the shortcuts and the file extension associations. Select the program language from
the drop-down list (English, Spanish, German, Italian, French or Chinese), read and accept
the license agreement and click Install. Installation takes a few minutes.
To activate the software, start it and enter the activation key in the window that opens.
Once the key is accepted, the program restarts. Enter your official email address to receive
the second code. Once that code is applied and verified, you can start using Oxygen Forensic®
Detective.
Data Extraction
Mobile Devices
Run Oxygen Forensic® Device Extractor from the home screen to extract data from the
device.
Choose “Devices” if you know the exact device model, or “Methods” if you are looking for a
specific data extraction method or only know the OS. You can use the sidebar to navigate
between the different sections of the program.
Currently, with Oxygen Forensic® Device Extractor you can extract data from Android, iOS,
and KaiOS devices as well as MTK feature phones, memory cards and SIM cards.
To search for the specific device that is of interest and overview extraction methods
available, open the “Devices” tab. Use the search bar to easily navigate through the list.
Start entering device vendor, model, chipset, or OS there to filter the list of available
devices.
Open the “Methods” tab to overview all data extraction methods available, read about them
and choose the one that fits your needs the most.
Switch between tabs to open, overview and select data extraction methods available for iOS
or Android, or other extraction methods.
To change the appearance of the list, use icons available at the upper right corner of the
page.
After selecting a method of interest, follow the instructions on the screen to extract data
from the chosen device.
Please note that to extract data from an iOS device you need the latest iTunes version
installed. You may also have to install additional drivers for Android extraction to
succeed, or iCloud for the iOS Agent to operate correctly. Information about all additional
requirements, with links to the driver packs, is displayed along with the instructions.
Some of the instructions are also available from the “Tools” tab.
If you wish to change the language or edit the hashes calculated for extraction, open the
“Settings” tab.
Screen lock bypass methods
If you have a locked Android device, check its manufacturer and which chipset it is based
on. With Oxygen Forensic® Device Extractor you can extract physical dumps from devices
based on Kirin, MTK, Spreadtrum, Exynos, Qualcomm, and UNISOC chipsets.
Please note that the extraction process differs depending on the chosen option and model.
Make sure to follow the steps appearing on the Oxygen Forensic® Device Extractor screen.
Customized password attacks
Device screen locks and encryption are some of the most significant challenges law
enforcement faces when acquiring data for investigations. With the built-in brute-force
module, available at no additional charge, you can find passcodes to unlock devices and
decrypt evidence. Additionally, starting with Oxygen Forensic® Detective v.14.0, you can
also create password dictionaries and customize password attacks.
To create and manage custom dictionaries for brute-force attacks, open Password
Dictionary Builder.
This tool can be accessed through the Accounts and Passwords section or from the
software Options menu. The Password Dictionary Builder accumulates passwords from all
extractions performed within the software. Extractions are shown on the left-side panel
of the tool.
There are several ways to create a custom password dictionary:
1. Use the passwords from the available extractions.
2. Upload a dictionary file from a computer in a .txt format.
3. Enter passwords manually into the Password Dictionary Builder.
Once a new password list is created and named, you can select it in the Attack Manager
within the brute-force module window.
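The three dictionary sources above (passwords from previous extractions, an uploaded .txt file, and manual entries) all end up as one list with one password per line. The following Python script is an added example, not code from Oxygen Forensics or the Password Dictionary Builder: it merges the three sources, drops blank lines and duplicates while keeping first-seen order, and writes the result as a .txt dictionary. The extraction names and passwords in SAMPLE_EXTRACTIONS are constructed sample data.

```python
"""Build a custom password dictionary (.txt, one password per line).

Added example; it is not part of Oxygen Forensic Detective or its Password
Dictionary Builder. It models the three sources the manual lists: passwords
recovered from previous extractions, a .txt file uploaded from disk, and
entries typed in manually. All sample data below is constructed.
"""
from __future__ import annotations

from pathlib import Path
from typing import Iterable


def normalize(candidates: Iterable[str]) -> list[str]:
    """Strip line endings, drop blank lines and duplicates, keep order.

    Order is preserved so that passwords seen first (typically the ones
    recovered from the subject's own devices) are tried first. Leading and
    trailing spaces inside a password are kept, because they may be part
    of the real password.
    """
    seen: set[str] = set()
    result: list[str] = []
    for raw in candidates:
        word = raw.rstrip("\r\n")
        if not word.strip() or word in seen:
            continue
        seen.add(word)
        result.append(word)
    return result


def read_dictionary(path: str | Path) -> list[str]:
    """Read an existing one-per-line dictionary file."""
    with Path(path).open("r", encoding="utf-8", errors="surrogateescape") as fh:
        return normalize(fh)


def build_dictionary(
    extraction_passwords: dict[str, list[str]],
    uploaded_files: Iterable[str | Path] = (),
    manual_entries: Iterable[str] = (),
) -> list[str]:
    """Merge the three sources into one ordered, duplicate-free list."""
    merged: list[str] = []
    for _extraction_name, passwords in extraction_passwords.items():
        merged.extend(passwords)
    for path in uploaded_files:
        merged.extend(read_dictionary(path))
    merged.extend(manual_entries)
    return normalize(merged)


def write_dictionary(words: list[str], path: str | Path) -> int:
    """Write the list one password per line; returns the number written."""
    Path(path).write_text("\n".join(words) + "\n", encoding="utf-8", errors="surrogateescape")
    return len(words)


# Constructed sample data standing in for the extractions listed on the
# left-side panel of the tool (names and passwords are invented).
SAMPLE_EXTRACTIONS = {
    "iPhone 12 (iTunes backup)": ["Summer2023!", "hunter2", "Summer2023!"],
    "Galaxy S21 (physical)": ["hunter2", "qwerty123", " spaced "],
}

if __name__ == "__main__":
    words = build_dictionary(SAMPLE_EXTRACTIONS, manual_entries=["P@ssw0rd", "hunter2"])
    out = Path("custom_dictionary.txt")  # placeholder output name
    print(write_dictionary(words, out), "passwords written to", out)
</test>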
Creating custom attacks
Starting with Oxygen Forensic® Detective v.14.0, you can create and apply new attacks
using the options available in the Passware Kit Mobile module. To do this, click the “Add
Custom Attack” button in the Attack Manager, name the new attack, and wait for the
“Passware Kit Mobile” window to open.
In the Passware Kit Mobile window, you can create basic or grouping attacks. Once a new
attack is saved, it will be shown in the Attack Manager and can immediately be used for
password recovery in Oxygen Forensic® Detective.
Backup and image import
You can import the existing backups and images into Oxygen Forensic® Detective. The
supported file formats and origins are listed in the “Import” section of Oxygen Forensic®
Detective home screen. Select an option that meets your needs to import the file to Oxygen
Forensic® Detective for further investigation and analysis.
Starting with Oxygen Forensic® Detective v.14.2, it is possible to analyze imported data
selectively. “Selective Data Analysis” is available for images and backups of devices
operating on iOS, Android OS, and KaiOS.
Since this feature is turned off by default, you will have to enable it during the import of
iOS, Android, or KaiOS images or backups after the platform is automatically detected. To
do this, open the “Selective Data Analysis” tab within Import Wizard and drag the slider.
Upon enabling this feature, a table containing the list of supported apps will be displayed.
The list is divided into two parts – System Applications and User Applications.
Please note that all supported applications will be displayed in the list, even though they
may not be installed on the device itself. This is done to save time, because in order to
detect the apps that are present on the device, we would have to extract and pre-analyze
the file structure of the device.
Each category may be expanded by clicking on its header. The number of selected
applications and an overall number of applications is also displayed there (X of Y
applications selected). To find a specific app that is of interest, use the search bar above the
grid. Use arrows to switch between search results. You may select one or several apps to
analyze.
As soon as all apps of interest are selected, click “Import”. The files will be parsed and a
new extraction containing data only from the apps selected will be added to the list.
KeyDiver
Oxygen Forensic® KeyDiver is a decryption tool used for computer partitions, files, and
applications and is available at no extra charge.
The module is based on the Hashcat tool, one of the best-known open-source solutions,
which supports hundreds of hash types. You can use hashes obtained from third-party
sources or an attack settings file (.json) obtained from Oxygen Forensic® Detective.
Two attack types are available after entering the hash in the input field:
• A mask attack tries to guess the target password by systematically testing all the
possible combinations of specified characters that match a specific pattern. For
example, it can be “All digits, 4 to 8 characters long,” and then all the combinations
of digits from 4 to 8 characters will be generated and tested.
• A dictionary attack uses a dictionary file that contains a pre-selected list of
passwords arranged one per line. Each password from the file is tested sequentially.
The last step before running an attack is to determine what hardware will be used for the
attack, and the maximum allowable temperature and load on it. You can select one of the
four efficiency modes, set the temperature threshold to stop the attack, and choose one or
more video cards.
Efficiency determines how much the GPU is involved in the attack. Maximum efficiency
provides the best hash rate and maximizes hardware utilization, but it can also lead to
significantly higher operating temperatures and high power consumption.
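The two attack types described above differ mainly in how many candidates they generate, and the efficiency setting determines how fast those candidates are tested. The following Python script is an added example, not part of Oxygen Forensic KeyDiver or Hashcat: it computes the keyspace of a mask (using Hashcat's built-in charset tokens ?d, ?l, ?u, ?s and ?a), generalizes the manual's own “All digits, 4 to 8 characters long” case to any charset and length range, and estimates the worst-case run time for a given hash rate. The hash rates in the demo are constructed figures, not measurements of any hardware.

```python
"""Estimate the size of a mask or dictionary attack and how long exhausting it
takes at a given hash rate.

Added example; not part of Oxygen Forensic KeyDiver or Hashcat. The charset
sizes follow Hashcat's built-in charsets; the hash rates used in the demo
are constructed, not measured.
"""
from __future__ import annotations

# Hashcat built-in charsets and how many characters each token expands to.
CHARSET_SIZES = {
    "?d": 10,   # digits 0-9
    "?l": 26,   # lowercase a-z
    "?u": 26,   # uppercase A-Z
    "?s": 33,   # printable specials, space included
    "?a": 95,   # all printable ASCII
}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a single mask such as '?d?d?d?d' generates.

    Literal characters count as one possibility and '??' is a literal
    question mark, as in Hashcat mask syntax.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            token = mask[i:i + 2]
            if token == "??":
                i += 2
                continue
            if token not in CHARSET_SIZES:
                raise ValueError(f"unknown charset token {token!r} in mask {mask!r}")
            total *= CHARSET_SIZES[token]
            i += 2
        else:
            i += 1
    return total


def incremental_keyspace(charset: str, min_len: int, max_len: int) -> int:
    """Candidates for 'all <charset>, min_len to max_len characters long'.

    This is the manual's 'All digits, 4 to 8 characters long' example in
    general form: the charset token is repeated for every length in the
    range and the per-length keyspaces are summed.
    """
    if min_len < 1 or max_len < min_len:
        raise ValueError("length range must satisfy 1 <= min_len <= max_len")
    return sum(mask_keyspace(charset * n) for n in range(min_len, max_len + 1))


def worst_case_seconds(candidates: int, hashes_per_second: float) -> float:
    """Time to test every candidate at a sustained hash rate."""
    if hashes_per_second <= 0:
        raise ValueError("hash rate must be positive")
    return candidates / hashes_per_second


def describe(candidates: int, hashes_per_second: float) -> str:
    """Human-readable summary of keyspace size and worst-case duration."""
    secs = worst_case_seconds(candidates, hashes_per_second)
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if secs >= size:
            return f"{candidates:,} candidates, about {secs / size:.1f} {unit}"
    return f"{candidates:,} candidates, about {secs:.1f} seconds"


if __name__ == "__main__":
    # Constructed rates: a fast unsalted hash versus a deliberately slow KDF.
    for label, rate in (("fast hash", 1e9), ("slow KDF", 1e4)):
        print(label, "| digits 4-8:", describe(incremental_keyspace("?d", 4, 8), rate))
        print(label, "| ?u?l?l?l?l?d?d?s:", describe(mask_keyspace("?u?l?l?l?l?d?d?s"), rate))
        print(label, "| 14M-line dictionary:", describe(14_000_000, rate))
```

The same numbers read from the other direction tell a defender how long a given passcode policy survives: a purely numeric 4-to-8 digit space is about 111 million candidates, which only a slow key derivation function keeps out of reach of a single GPU.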
Oxygen Forensic® KeyDiver monitors the GPU temperature. To run an attack, select at
least one GPU. If multiple GPUs are selected, they will be used simultaneously, significantly
boosting the attack speed. If the GPUs are incompatible, a corresponding notification will
be displayed.
Once both the attack settings and at least one GPU are selected, click the “Start” button to
run the attack.
In the current module version, only one attack can have the “In progress” status. You can
add the current or new attack to the queue and they will be processed automatically. The
next attack will start as soon as the previous one finishes.
Once the attack starts, you can monitor the details of its progress in a separate window.
The “Attack manager” window allows you to view all ongoing, finished, paused, and queued
attacks, manage them, and sort them by various parameters.
Attacks can be managed straight from the list via the context menu, which can be opened
by clicking the three dots on the right side of each attack line.
If the password was not guessed successfully, the suggested next step could be to launch a
new attack on the same hash but with adjusted settings, such as using another dictionary.
Oxygen Forensic® KeyDiver enables you to utilize any existing attack as a template for a
new attack.
In the case of a successful attack, the password will be displayed in the corresponding field.
It can then be copied by clicking the corresponding icon in the “Password” field. It is also
possible to save the password on the current device in .txt format (using the “Save” button)
or export the attack results in .json format (using the “Export” button).
Clouds
With Oxygen Forensic® Cloud Extractor you can extract data from over 100 different cloud
services! The list of supported cloud services is constantly growing with each release, so
make sure to update your license with each update.
The easiest way to extract cloud service data is to import the credentials that were
already acquired by Oxygen Forensic® Detective or KeyScout. Import the saved Oxygen
credentials package from the Oxygen Forensic® Cloud Extractor home screen or from the
Accounts and Passwords section of the extraction of interest. This way, all the information
about the extraction and the acquired tokens and passwords is imported into Oxygen
Forensic® Cloud Extractor. If you know user credentials or have a token for a service that
was not listed automatically, you can select the service manually and authorize in it
manually as well.
Alternatively, you can start a new extraction from Oxygen Forensic® Cloud Extractor that
is not connected to any devices or cases within Oxygen Forensic® Detective. In this case,
you will be asked to provide some data about the account owner, case and extraction.
Then, you will be taken to the list of supported services, which can be filtered by type. You
can also search for a specific service by using the magnifier icon in the upper right corner.
Select one or several services you want to extract data from, and then log into the account
with credentials or tokens.
Please note that authorization types, proxy and 2FA support differ depending on the
service itself and the software version you are using. If you need detailed information
about an exact cloud service support, please contact our support team:
support@oxygenforensics.com
The data extraction will start at the successful completion of authorization. You can view
the data extracted from cloud services in Oxygen Forensic® Detective.
Computer artifacts
Oxygen Forensic® KeyScout collects a wide range of data, including user accounts and
credentials, system data, data from pre-installed and user-installed apps, secret storages
(Keychain, Windows Vault, and VeraCrypt containers), system artifacts, bookmarks, autofill
forms data, email clients, messengers, web browsers, WiFi hotspots and their passwords,
iTunes, Huawei HiSuite, Samsung Smart Switch backups, etc.
With the help of Oxygen Forensic® KeyScout all of this data can be extracted from
Windows, macOS or GNU/Linux-operated PCs and logical images in AD1, ZIP, 7Z, RAR and
other formats.
Live data extraction
Using Oxygen Forensic® KeyScout, you can extract and search data from a PC that is under
investigation, provided it runs Windows, macOS or Linux.
To start the extraction, open KeyScout from the Oxygen Forensic® Detective home screen,
copy the executable to a removable drive and then run it on the subject’s Windows, macOS
or Linux computer.
To select which drives and partitions to analyze, open the “Drives and partitions” tab. In
this section, you can manually select the relevant partitions and exclude from search the
partitions of no interest.
Open the “Settings” tab to update the search settings.
You can fine-tune the search and data extraction using search profiles. The following search
profiles are available by default:
• Applications, system artifacts, passwords and tokens by default paths;
• All files, applications, system artifacts, passwords, tokens and RAM data;
• Applications, system artifacts, passwords and tokens by all paths;
• Only RAM data;
• All files by all paths;
• All documents and images from user directories.
Click on the arrow next to a profile’s name to view detailed information about it.
Any search profile can be edited or saved to disk. To do this, click on the three dots next
to the arrow and select the relevant option. Custom profiles can also be deleted from the
list by clicking on the same icon.
To edit a profile, click on the icon with three dots next to the profile’s name and select
“edit”. A new window opens in which you can set the time zone and volume size, the root
paths included in and excluded from the search, the passwords, files, applications and
system artifacts to look for, the data to be extracted from memory, as well as additional
files for RAM data extraction.
Several editing windows can be opened simultaneously, allowing you to set up several search
profiles at once, copying and pasting relevant data between them if needed.
Options within the “Applications”, “System artifacts”, and “Memory” tabs can be filtered by
groups and platforms, allowing a more precise selection of the data to be extracted.
Filtering by text is also available, so that relevant settings can be found faster.
Click “Save” to save the edits. The updated profile will be saved as a custom search profile.
If you do not name the new profile yourself, its name will consist of a number and the name
of the original profile.
It is also possible to create a custom search profile by clicking on “+Create profile” above
the grid. The same window will open. To import a search profile, select “Load profile”
option above the list of available search profiles, select a .yaml file and click “Open.”
Custom search profiles are saved automatically and will be listed among default search
profiles at every launch.
To initiate data extraction, select a search profile and then “Start search.”
Please note that the list of services and apps from which data can be extracted, as well
as the data types, depends on the PC OS, the privileges granted and the software version.
For more detailed information regarding a specific application or system file extraction,
please contact our support team.
As soon as data is extracted, you can overview the detected data, grouped under the
“Found” section. Click on any category icon to open the corresponding search results. Click
“reset filters” to overview the full scope of extracted data. Navigate to the “Logs” tab to
overview all extraction logs.
You can save the extraction to a folder or open it in Oxygen Forensic® Detective.
RAM Capture
RAM (Random Access Memory) temporarily stores the working data and code of an active
computer. A RAM capture is a snapshot of a live running system and can only be taken before
the system is shut down. Bear in mind that capturing RAM itself changes the state of the
system.
RAM analysis will give great insight into the running system processes, including processes
used by malware. Overall, the contents of RAM may include the following artifacts:
• Evidence of malware intrusion
• Loaded DLLs
• Loaded device drivers
• Open registry keys
• Command history
• Network connections
• Passwords to encrypted volumes and app accounts
• Encryption keys
• Decrypted files and keys
• IP addresses
• Chats, emails and internet history
Oxygen Forensic® KeyScout has the smallest possible footprint and requires no
installation. Keeping the footprint small and avoiding installation matters because it
leaves the maximum amount of RAM available for analysis in a Windows 10 environment.
To capture RAM:
1. Locate Oxygen Forensic® KeyScout on the Home screen of Oxygen Forensic®
Detective and copy it to a USB drive.
2. Start Oxygen Forensic® KeyScout on a subject’s computer.
3. A RAM dump can only be created with elevated privileges (Administrator rights), so
before proceeding, press the Elevate button on the KeyScout Home screen.
4. Once Administrator rights are granted, press the “Capture RAM” button to start
capturing data. Note that the medium that will hold the dump must be of sufficient
size.
5. The utility then prompts you to select the folder in which the dump will be
saved.
6. Once a folder is chosen, RAM capture will start and the progress will be shown in the
Memory tab.
7. The memory (RAM) dump is created in raw format, which can later be imported and
analyzed in Oxygen Forensic® Detective.
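A raw dump that is copied from the USB medium to a workstation should be verifiable at every step of its handling. The following Python script is an added example, independent of Oxygen Forensic KeyScout and Detective (which compute their own extraction hashes, configurable from the Device Extractor “Settings” tab): it hashes a large image file in fixed-size chunks so the whole dump never has to fit in memory, writes the digests and file size to a sidecar file beside the image, and re-checks the image against that sidecar later. The file name memdump.raw is a placeholder.

```python
"""Compute and verify integrity hashes for an acquired image such as a raw
RAM dump.

Added example, independent of Oxygen Forensic KeyScout and Detective. The
file is read in chunks so multi-gigabyte dumps do not have to fit in memory;
the digests are stored in a sidecar file next to the image and can be
re-checked at any later point in the chain of custody.
"""
from __future__ import annotations

import hashlib
import json
from pathlib import Path

CHUNK_SIZE = 8 * 1024 * 1024  # 8 MiB per read keeps memory use flat


def hash_file(path: str | Path, algorithms=("md5", "sha256")) -> dict[str, str]:
    """Return {algorithm: hexdigest}, all algorithms computed in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with Path(path).open("rb") as fh:
        while chunk := fh.read(CHUNK_SIZE):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_sidecar(path: str | Path, digests: dict[str, str]) -> Path:
    """Store digests and size beside the image as <image>.hashes.json."""
    image = Path(path)
    sidecar = image.with_name(image.name + ".hashes.json")
    record = {"file": image.name, "size": image.stat().st_size, "hashes": digests}
    sidecar.write_text(json.dumps(record, indent=2), encoding="utf-8")
    return sidecar


def verify_file(path: str | Path, sidecar: str | Path) -> dict[str, bool]:
    """Re-hash the image and compare with the stored record, per algorithm.

    The size is compared as well: a truncated or appended copy is then
    reported by a cheap check in addition to the hash mismatch.
    """
    record = json.loads(Path(sidecar).read_text(encoding="utf-8"))
    current = hash_file(path, tuple(record["hashes"]))
    results = {name: current[name] == expected for name, expected in record["hashes"].items()}
    results["size"] = Path(path).stat().st_size == record["size"]
    return results


if __name__ == "__main__":
    import sys

    image = Path(sys.argv[1] if len(sys.argv) > 1 else "memdump.raw")  # placeholder name
    digests = hash_file(image)
    sidecar = write_sidecar(image, digests)
    print(json.dumps(digests, indent=2), "->", sidecar)
    print("verification:", verify_file(image, sidecar))
```

Run it once right after the capture on the USB medium and again after every copy; any False in the verification result means the copy is not the evidence that was acquired.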
Import of desktop extractions
You can import existing desktop images into Oxygen Forensic® Detective. To do that,
open the Import section of the Oxygen Forensic® Detective home screen and select “Desktop
data.”
In the window that opens, select the file to be imported into Oxygen Forensic® Detective
for further investigation and analysis. The following formats are supported:
• .iso
• .vdi
• .vhd
• .vmdk
• .l01
• .lx01
• .ad1
• .zip
• .7z
• .rar
• .tar
• .vmx
• .vbox
• AFF4 physical and logical images
• Time Machine macOS backup
• LVM2 logical volume (Linux)
• Encrypted VeraCrypt, FileVault, or BitLocker volumes.
In the window that opens you can edit the search settings, selecting the search profile to
be used during the extraction. As soon as the imported file is parsed, it is available for
analysis in Oxygen Forensic® Detective. Another way to import a file is directly from
Oxygen Forensic® KeyScout: go to “Image” and then click “Open” to select the file to be
analyzed. You can also import the file of interest by dragging and dropping it.
If a VMX or a VBOX file is chosen for import, KeyScout loads all disks connected to the
virtual machine automatically and adds information to the extraction. Click on the
“Advanced options” button to review all partitions included in the image. You can manually
uncheck the options that are irrelevant to the investigation. Click “Next” to proceed.
External drive acquisition
An external hard disk drive is often used as storage for photos, videos or other files that
may be useful to the investigation. To acquire an external drive, locate the corresponding
option in the Extract section of the Oxygen Forensic® Detective home screen and click on it.
Alternatively, you can open the “Drive” tab of Oxygen Forensic® KeyScout and select a
drive or partition of interest from the drop-down list.
Please note that external drive analysis is only available with elevated privileges. If they
have not been granted, a message appears asking you to elevate privileges.
You may choose one drive or several partitions for analysis from the drop-down list or by
clicking on “Advanced options.”
• If an external drive is chosen, its name will be displayed in the dropdown menu
along with brief information about it (name, type (removable/fixed), partitions, file
systems, size, and serial number).
• If a partition is chosen, its name, type, kind, file systems, and size will be displayed.
• If several partitions are chosen, ‘Multiple partitions selected’ will be displayed as
well as brief information about them, such as their names, file system, and total size.
Extraction progress
Upon starting the search in Oxygen Forensic® KeyScout, you can overview its progress at
all stages. All the tasks that are performed during data extraction process are displayed
separately. Next to completed tasks there are icons notifying of their status: “Completed,”
“Error,” “Canceled by user.”
For your convenience, the search through each root path is divided into separate steps. The
search through root paths with a large amount of content, such as the C:\ drive, can take a
long time, so every few seconds the second line displays the last analyzed folder. The
number of root paths from which the search starts is displayed in advance.
Extraction results
As soon as the extraction is complete, its results can be reviewed from the same window.
Open “Extraction results” on the left sidebar to overview the detected data grouped by the
following folders:
Data that could not be decrypted during the search can be decrypted at this stage. Enter
the password; if it matches, the data status changes from “Encrypted” to “Decrypted.”
If needed, some data types can also be removed from the search results. To remove them,
untick their checkboxes on each tab of search results within every category. Click “Save” to
save the edits.
Drone data extraction
There are several ways of extracting and analyzing drone data using Oxygen Forensic®
Detective.
You can:
• Import
○ DJI, Parrot, or iFlight drone logs;
○ DJI GO or Parrot flight logs;
○ DJI or Parrot drone images;
○ DJI Assistant backup
• Extract data from
○ Spark, Mavic Pro DJI drones;
○ their controller
• Using Oxygen Forensic® Cloud Extractor, access data stored in
○ SkyPixel cloud (credentials, token, proxy);
○ DJI Cloud (credentials, token, proxy);
○ MyParrot Cloud (credentials, token, proxy)
Please note: in order to extract the cloud data, you will be asked to enter user credentials
or tokens. These can be imported from the Accounts and Passwords section of Oxygen
Forensic® Detective if the user device from which these apps were accessed has already
been analyzed.
IoT data extraction
With Oxygen Forensic® Detective you can gain access to the data collected by the various
virtual digital assistants, which occasionally record conversations by mistake and always
document and store all voice commands.
Amazon Alexa
When an Alexa user utters the wake word to perform a skill, a recording of the query is sent
to the user’s Amazon cloud account. The user-specific request is processed and a response
is returned to the device. With Oxygen Forensic® Cloud Extractor, you can extract Amazon
Alexa data, including these valuable recordings of the user’s actual utterances.
Obtain access to the Amazon Alexa account from Oxygen Forensic® Cloud Extractor using
either the user’s credentials or the user token. The token can be extracted from either the
mobile device(s) or PC(s) Alexa is currently paired to. The Amazon Alexa token can be found
in the Cloud Accounts section in Oxygen Forensic® Detective after the mobile device has
been acquired. If using a PC to locate the Amazon Alexa token, simply run the Oxygen
Forensic® KeyScout utility: a user’s token can be recovered with KeyScout if the user has
logged into their Amazon Alexa account in the PC’s web browser. It should be noted that
using a token will allow you to bypass 2-factor authentication that had been set within
the Amazon Alexa account.
Once the cloud extraction has completed, import the collected evidence into Oxygen
Forensic® Detective. The extracted data can contain a wealth of information, including
account and device details, contacts, user activity, incoming and outgoing messages,
calendars, notifications, user-created lists, created/installed skills, preferences, and
more. One notable feature is the ability to extract the stored voice commands given to
Alexa by the user, so that their actual voice can be heard.
37
Google Home
Armed with Oxygen Forensic® Detective, you can extract data from Google Home from
both mobile devices and the associated cloud service.
Cloud extraction
Oxygen Forensic® Cloud Extractor allows access to a user's Google Home account by
entering either the login/password or a Google master token. The software can also find
Google credentials both in a mobile device image and on an associated PC. Credentials
extracted from a mobile device are listed in the Cloud Accounts section; the built-in
KeyScout utility collects token information from the associated PC if the user logged into
their account there. Once armed with credentials, use Oxygen Forensic® Cloud Extractor to
access the Google Home account. As with many other supported cloud services, a token lets
you bypass 2-factor authentication if it is enabled, since it represents a session the user
has already verified.
If you log in with the user's username and password and 2-factor authentication is
enabled, be prepared to complete verification by one of the available methods: SMS,
Google Authenticator, backup codes, a Google prompt, or a USB security key.
Google Home cloud data includes, but is not limited to: account and device details, voice
commands, and verbose information about users. As with Alexa, you can listen to all the
voice recordings created by Google Home users directly in Oxygen Forensic® Detective.
Many users rely on the Google Home app to set up, manage, and control their Google Home
devices. Oxygen Forensic® Detective supports parsing and decoding of Google Home app
data from both Apple iOS and Android devices.
On iOS, Google Home data can only be extracted with one of the “full logical” methods. On
Android, root access or a physical extraction is required to recover the Google Home
database file; use one of our physical collection methods to get access to the data.
Once obtained, the information extracted from the mobile app includes: account and device
details, cache, cookies, nearby devices, and other valuable user data. Bear in mind that the
mobile app is a live client and holds far less data than the user's associated cloud account.
We recommend extracting data from the user's cloud account if you want to recover the
complete stored history.
Ring
Oxygen Forensic® Detective includes support for Ring services by Ring, LLC. You can use
Oxygen Forensic® Detective to extract data from Ring apps on PCs and mobile phones, as
well as from the Ring cloud.
Ring services include home-security and ‘smart home’ devices managed through a
companion mobile application. The service is delivered by Ring LLC, an Amazon-affiliated
company that develops products for home safety, including motion-sensor cameras and
video doorbells. Collected data is stored on a cloud server and members may access it at
any time using the Ring app.
Computer Artifacts
The Ring PC app is available for Windows and macOS only. You can use Oxygen Forensic®
KeyScout to extract data from both operating system versions. Run KeyScout on the target
PC to acquire information about authorized devices, the device owner, camera snapshots,
and doorbell logs.
Audio, video, account information, events, logs, cookies, and cache with snapshots, as well
as the locations of Ring devices and information about them, can be extracted from both
the Android and iOS Ring apps.
Cloud extraction
Since Ring data is stored on a cloud server, we recommend using Oxygen Forensic® Cloud
Extractor to collect and analyze it, as some of it might not yet have been synchronized with
the device under investigation.
Login credentials or a token are required for cloud authorization. Both can be imported
from the Accounts and Passwords section of the device home screen in Oxygen Forensic®
Detective if the Ring app was used on the analyzed device. If 2-factor authentication is
enabled in Ring, Oxygen Forensic® Cloud Extractor allows completing it using an SMS code
sent to the associated phone number or a confirmation email sent to the associated email
address. Once logged in, you can proceed to extract account data, events, videos, as well as
the list of Ring devices.
Data analysis
Once data from all the sources and devices of interest has been extracted and imported
into Oxygen Forensic® Detective, it is time to analyze it. This is where the software's
multiple analytical features come in.
The extraction home screen shows general information about the data source at the top,
followed by a panel with Statistics widgets, information about the extraction, owner and
device, and a field for adding notes. Scroll down to overview the general sections, in which
data from the device is sorted by type. The categories in this section depend on the data
types present in the extraction. The exceptions are Reports and Snapshots: these two fill
up as you browse the data, take snapshots of the Social Graph or Maps, and create reports.
The general sections are followed by the Analytics panel. Analytical sections available from
the extraction home screen, are:
At the bottom of the extraction home screen there is an alphabetically sorted list of the
applications whose data is present on the device.
The case home screen consists of general information about the case, a list of extractions
with brief descriptions, Contacts and Files as the general sections, and several analytical
sections at the bottom of the screen:
• Key Evidence: fills up as you work through the evidence and mark the important bits. It
displays all data marked as Key Evidence together with all data carrying tags or notes.
• Search: searches the data; use keywords and multiple filters to narrow the results.
• Social Graph: shows all social interactions within the case on a graph, so you can
investigate the connections, identify third parties of interest, and read their messages.
• Timeline: shows all case data in chronological order; use the filters to limit the
timeframe or the data sources.
Merge extractions
The “Merge Extractions” option saves time by eliminating the need to compile data
manually. When enabled, it merges extractions of the same device that were acquired
using different extraction methods. For example, you can combine a physical dump, an SD
card image, and cloud data, merging them at the data level or at the file system level.
Data Level
By default, extractions are merged at a data level. In this case, each file system is analyzed
separately and their data is added to the merged extraction. We recommend using this
method when merging extractions of different devices and platforms, such as when
merging an Android extraction with its cloud data.
File System Level
When merging at the file system level, a merged file system is first built and then analyzed.
We recommend this option when merging partial extractions of the same device, such as
an Android physical dump with a physical extraction of its external SD card. In this case,
you will be asked to drag the extraction icon onto the other extraction in order to add its
files.
The merging process step-by-step:
1. To start, select the extractions of interest from the list on the left. As soon as all the
desired extractions are selected, right-click on one of them and select “Merge
extractions” from the drop-down list.
2. A new window will open. There, you will be able to overview the extractions to
merge, configure extraction settings, and name the merged extraction.
Step 2 of the merging process
The restrictions:
• While an SD card extraction can be merged with any other extraction, an Android
extraction can only be merged with another Android extraction. The same restriction
applies to extractions from iOS devices.
• A merged extraction cannot be merged with any other extraction.
• A merged extraction cannot be unmerged. However, the source extractions remain
unchanged in the list after the merge is complete.
A merged extraction in Oxygen Forensic® Detective
Built-in translator
Oxygen Forensic® Detective has a built-in translator that translates data at no additional
charge. To use it, first download the add-on from the Customer Area, which enables
translation; the Customer Area can be opened by clicking the link in the “Translations”
section of the “Options” menu.
Once the add-on is successfully downloaded and installed, restart the software and set the
destination language within the “Translations” section of the “Options” menu.
Any text entry within the extraction can be translated into the selected language inside the
grid. By selecting the corresponding option on the toolbar, you can translate all, several, or
just one of them.
Another way to prompt a translation is to right-click on the entry of interest and select the
corresponding option from the drop-down menu.
Once the translation is complete, the text on the grid is displayed in the destination
language. To view the original text, hover the mouse over the translation icon next to the
entry of interest. It is also possible to view the original text from the details panel.
Timeline
Timeline is an aggregated section of Oxygen Forensic® Detective in which all extracted
data is displayed in chronological order. A Timeline can be built for a device or for a case
and usually contains valuable insights about calls, web activity, web connections, photos,
videos, calendar events, chats within apps, and more.
Using the filter panel on the left sidebar, the entries in Timeline can be filtered by accounts,
groups, contacts they are associated with as well as their sources. To narrow down the
scope of available data, expand a drop-down list and uncheck accounts, groups, contacts or
sources of no interest. To reset filters and view all available data again, use the
corresponding button on the toolbar above the grid. Another way to filter the grid is by
switching between tabs above it. You can either view all records, messages, calls,
geolocation data, web activity, or files.
When searching for a specific word or phrase, use the “Find text” fields above and below
the grid. The detected matches will be displayed in grid and highlighted as soon as the
search is over.
Entries in grid can also be filtered by their timestamps. To do this, adjust the time filter
from the bottom panel. Select whether records will be grouped by year, month, day, hour,
minute, or second and set the time range either by using the calendar at the top of the panel
or by manually shifting the highlighted area.
One more way to filter the grid is by using smart filters. You can expand the list of available
smart filters by clicking on the corresponding button on the toolbar above the grid. Select
the option that meets your needs and filter the grid accordingly.
Select the event of interest to view its metadata in the right panel. From there you can add
tags and notes to entries or mark them as key evidence, and you can view photos or videos
and listen to audio. Duplicates of the selected entry are displayed in the “Duplicates” panel
below the grid and can be reviewed there.
Entries in the Timeline can be exported by clicking on the “Export” button above the grid.
The list of available export options opens by clicking on an arrow next to export. The
default export setting is highlighted in bold.
Any data with geolocations can be opened on Maps. To view checked locations on Maps, hit
the “Maps” button above the grid.
Please note that all records are checked by default. To hide irrelevant records, deselect
them. Learn more about using Maps and obtaining addresses from geo coordinates from
the “Maps” section of this document.
In addition, the Activity matrix and Activity chart located in the bottom panel help to detect
when the device was most used.
Social Graph
Social Graph offers the most convenient approach to working with social data, analyzing
social connections, chats and calls. You can build Social Graph for one extraction or the
entire case. Select a case with several devices to build the Social Graph for all case
extractions.
If you see many accounts of the same device owner on the graph, go to the Contacts
section, select all of these accounts, and press the Merge button on the toolbar. The merged
account will then appear in the Social Graph as well. To hide a contact from the Social
Graph, press the Delete button or right-click the contact and select Hide from the menu.
You can always reset filters by pressing the Reset filters button on the toolbar.
Save a snapshot of the Social Graph in SVG format by clicking the Make snapshot button,
or export it to a Relativity file by clicking the Export button. The advantage of a vector
format (SVG) over a raster format is that image quality is preserved when zoomed in.
You can also save the current state of the case graph, with user-configured filters, location
of elements, and graph tabs by clicking the Save button on the toolbar. So, if the section is
closed or the program restarts, the created Social Graph will remain.
OCR
Using the built-in, automated OCR module, you can search for words that appear in
images: the text in images is converted into recognizable, searchable characters. To run
OCR, scroll down to the Analytics section of the extraction home screen and open the OCR
module.
Next, select the set of data to be analyzed from the upper menu, or click the OCR button to
run OCR.
As soon as text recognition is complete, select the image of interest from the list to see the
image preview in the left sidebar and to read the recognized text from the lower panel.
Detailed information regarding the chosen file is displayed in the right sidebar.
The recognized text information can also be viewed from the main grid.
Additionally, you can adjust the OCR settings: the minimum image size, the import
settings, and the supported languages. The OCR module can recognize up to 12 languages,
including Arabic, Chinese, German, Italian, Japanese, and Spanish.
Faces
Go to the Faces section to detect faces on images within the extraction and group them.
You can choose to run Facial Recognition at backup import. To do this, open Settings, go to
Advanced Analytics, and activate Facial recognition at import. If there was no facial
recognition at import, open the extraction home screen and go to Faces section within
Analytics. On the screen, you will see a message stating that facial recognition was not
performed and the Facial Recognition button. Click on it to start image analysis.
After the image analysis is complete, the Faces section will be divided into three parts. The
left sidebar contains filters that you can use to sort the analyzed photos. Images can be
filtered by their source as well as sex, race, age, and accessories of the person in the photo.
The central section contains photos on which the faces were recognized. Those are located
in the People --> Identified faces tab. After selecting a person in the list, you can see the
people identified in the image and estimate the number of identical and similar photos in
the corresponding tabs (Similar Images and Familiar with).
On the right sidebar, there is a Details panel containing detailed information about the
selected picture. You can also add a tag or comment to each picture or mark it as Key
Evidence.
To export the analysis results, click the “Export” button above the grid.
Image Categorization
Running image categorization significantly speeds up sorting and analyzing visual data
from the subject's device. The artificial intelligence behind image categorization accelerates
identification when working with images. It is not, of course, a replacement for investigator
oversight: all identified images should be verified and validated.
This feature can be used when importing device data or on an already imported backup or
extraction. In both cases you can select the categories to search for and fine-tune the
positive “hit” settings by setting identification thresholds in the Options/Advanced
analytics menu of Oxygen Forensic® Detective. There are four threshold settings: low,
medium (default), high, and max. Raising the threshold reduces false positives but also
lowers the detection rate, so the maximum setting trades missed images for cleaner results.
After image categorization has run in Oxygen Forensic® Detective, the matching images
for each supported category are automatically tagged and appear in both the Key Evidence
and Files sections. You can also review the tagged data in the “Categorized images” tab,
manually excluding false positives and marking the important data as Key Evidence.
Please note that if you cancel image categorization, no tags will be assigned and no results
will be saved.
Tagging and Key Evidence
When working with data, mark the important bits of it as Key Evidence by pressing on a
star in the grid next to the entry of interest or from the Details sidebar. For more detailed
marking of the data, use Tags. Although Oxygen Forensic® Detective offers a number of
predefined tags, you can also create and set your own tags and export entries to data
reports by simply selecting the relevant tags.
You can sort Timeline or any other section to view only tagged data or entries marked as
Key Evidence. To view all entries identified as relevant to a case, go to the Key Evidence
section. There, all data marked with Key Evidence or with the tags or notes will be
displayed, making data analysis easier and saving valuable time. You can bookmark
important evidence in a single device, or several devices, and export it later to one data
report. You can use tabs above the grid to view only entries marked as Key Evidence,
tagged entries, or ones with notes.
Data Search
If you are looking for a specific piece of information, be it a word, a sentence, one of your
keywords, a credit card number, or every e-mail address mentioned, go to Data Search.
You can search across a single device, all devices in a case, or all devices in a database.
Search for text, phone numbers, e-mail addresses, geo-coordinates, IP addresses, MAC
addresses, credit card numbers, and file hashes, including Project VIC hash sets. A Regular
Expression library is available for custom searches, and you can also create keyword lists
for a search.
A search can run over three scopes: parsed data, files, and file content such as SQLite
databases. You can also search by hex or by face sets using the corresponding tabs above
the grid.
When searching by face, you will be asked to import an image containing the face of
interest. You can also import a face set when looking for several faces; in that case you set
a similarity threshold, and faces above it are detected and displayed.
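As an added, stand-alone illustration of the artifact types Data Search looks for (this is example code written for this page, not Oxygen Forensic® Detective's own search engine, whose patterns are not published here), the Python below runs regular expressions for e-mail addresses, IPv4 addresses, MAC addresses, geo-coordinates, file hashes and card numbers over a constructed text sample, plus a case-insensitive keyword list. Card-number candidates are confirmed with a Luhn check so that an arbitrary 16-digit run is not reported as a card. The patterns and the sample text are this example's assumptions.

```python
import re
from typing import Dict, Iterable, List

# Patterns for the artifact types Data Search enumerates. They are this
# example's own assumptions, not the expressions shipped with the product.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    # "lat, lon" decimal pairs with at least three decimal places
    "geo": re.compile(r"(?<![\d.-])-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}(?![\d.])"),
    # SHA-256 (64), SHA-1 (40) or MD5 (32) hex digests; longest alternative first
    "hash": re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b"),
    # 13-19 digits, optionally split by spaces or dashes; confirmed by Luhn below
    "card_candidate": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if
    the result exceeds 9) and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def search(text: str, keywords: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Run every pattern, plus optional case-insensitive keywords, over text.
    Card candidates are reported only when they pass Luhn, which discards
    roughly nine out of ten random digit runs and most phone numbers."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        if name == "card_candidate":
            continue
        hits[name] = [m.group(0) for m in pattern.finditer(text)]
    cards = []
    for m in PATTERNS["card_candidate"].finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            cards.append(digits)
    hits["card"] = cards
    hits["keyword"] = [
        m.group(0)
        for kw in keywords
        for m in re.finditer(re.escape(kw), text, re.IGNORECASE)
    ]
    return hits


# Constructed sample text standing in for parsed device data (not real data).
SAMPLE = (
    "From: alice.smith@example.com to bob@mail.example.org\n"
    "Device joined 192.168.1.23 via AP 00:1A:2B:3C:4D:5E\n"
    "Photo taken at 38.8977, -77.0365\n"
    "Card on file 4111 1111 1111 1111; note 1234-5678-9012-3456 is not a card\n"
    "Attachment md5 d41d8cd98f00b204e9800998ecf8427e\n"
)


def run_sample() -> Dict[str, List[str]]:
    return search(SAMPLE, keywords=("photo",))


if __name__ == "__main__":
    for kind, found in run_sample().items():
        print(f"{kind:8} {found}")
```

The Luhn filter is the part worth copying: without it, a regex for "13 to 19 digits" returns every IMEI-length and phone-length run as a card. Note that IMEIs themselves carry a Luhn check digit, so they still pass and must be separated by length and context.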
Statistics
The Statistics panel is located on the extraction home screen. It presents an overview of
the entire extraction and its data, helping you quickly identify sections of interest. It
consists of several widgets, divided into two categories: data on the device and investigator
interaction.
The automatically built widgets presenting data within the extraction are: Activity Chart,
Activity Matrix, First and Last Contacted, Data Types, Top 10 Applications, Contacts, and
Groups.
Any widget can be hidden and shown again to suit your layout. If a widget is hidden, a
corresponding icon in the left panel highlights the hidden block.
Maps and geodata
Obtaining Geodata
Oxygen Forensic® Detective can extract geodata from various sources, such as
applications, clouds, media files, MAC addresses of WiFi access points, and drones.
App data can be backed up to the cloud, and data generated on a different device can be
synchronized to the same cloud account. We therefore recommend using the built-in
Oxygen Forensic® Cloud Extractor to acquire cloud data as well, to obtain as much data as
possible.
Media files
Photos and videos taken by a user often have geotags. Oxygen Forensic® Detective not only
extracts files themselves but also information about them, such as geodata.
WiFi points
Sooner or later, most devices connect to a WiFi network. Oxygen Forensic® Detective can
obtain geocoordinates for WiFi access points too: third-party services such as Latent
Wireless and WiGLE are queried by the access point's BSSID (its MAC address; the SSID is
only the human-readable network name and is not unique). You will need to register with
the service and enter its authentication key or token in the geodata settings before
coordinates can be retrieved. Keep in mind that each lookup sends the BSSIDs from the
extraction to that third-party service.
After the key or token is verified, you can get geocoordinates of WiFi points from the
“Wireless Connections” section. To do that, select the networks of interest and hit the
“Geocoordinates” button on the toolbar. Geocoordinates will be acquired using the default
service. To get geocoordinates from all services, or from one that is not set as default, use
the downward arrow next to the button or right-click the WiFi point of interest and select
the desired option from the dropdown list.
Drones
You can import DJI drone logs, DJI GO flight logs, DJI Assistant backups, DJI drone images,
Parrot drone logs, and Parrot drone images into Oxygen Forensic® Detective to parse
drone data.
Alternatively, having access to the device that was used to control the drone will allow you
to acquire data from apps that were used for that purpose. Additionally, DJI Cloud,
MyParrot Cloud, and SkyPixel are supported by our Oxygen Forensic® Cloud Extractor,
allowing you to analyze data from different devices that were synchronized with the same
account.
Obtaining addresses
Being able to obtain addresses from geocoordinates is important when piecing an
investigation together. You can receive addresses using either OpenStreetMap or Mapbox
directly in Oxygen Forensic® Detective.
• OpenStreetMap
OpenStreetMap is a free service that serves as a geographical database of the world. It
can be used without an authentication token.
• Mapbox
Mapbox is a location data platform that powers the maps and location services used
in many popular apps. Mapbox requires an authentication token to be entered in the
Options menu of Oxygen Forensic® Detective.
Please note that a free Mapbox account allows only a limited number of address lookups.
You can configure both the OpenStreetMap and Mapbox services and select the default
service in the Options menu of Oxygen Forensic® Detective. Address lookup is available in
all the sections that may contain geocoordinates: “Files”, “Wireless Connections”, and
“Applications.” An internet connection is required, and the coordinates are sent to the
selected service. Press the GeoData button and choose whether to get the address for a
particular geocoordinate or for all of them. Received addresses are shown both in the grid
and in the section's sidebar.
Maps
All the data with geo coordinates can be opened in Maps. To open this module, select Maps
from the upper toolbar in the section of interest, be it Timeline, Calendar, user Notes, Calls,
Files, Messages, OS Artifacts, WebKit data, Wireless connections, a specific application or
the Applications section in general. When opened from a specific section, the Maps module
will be automatically filtered showing data from this section.
You can take filtering a few steps further by setting the timeframe or a certain hour using
the upper panel. Exclude places, route lines, or common locations (all of them are shown by
default) by clicking on the Settings icon on the left part of the map or by filtering data
sources on the left sidebar. Zoom the map in and out to overview the shown data. Click on
the entry of interest to view the information about it in the Details panel on the lower left
sidebar.
You can also build a map for a case, viewing all geotags from all involved devices at once.
To do that, select a case, open its Timeline, and then open Maps from the toolbar. The
sources of available geolocations, including the devices’ names, will be listed on the left.
You can save the changes upon closing the map in order not to lose them. You can also
make Snapshots of the Maps data which will be added to the Snapshots section and could
be included in the reports or can be exported as a file. Additionally, you can import other
files containing geodata to a map in order to detect matching locations.
SQLite Viewer
Use the SQLite Viewer to work with SQLite databases. You can open it from the upper right
corner of the extraction home screen or by clicking a database file in the Files section.
When a table is opened, the contents of its cells are examined in a separate thread. When a
cell's content type is recognized, an icon corresponding to that type is placed before the
value. A value can be opened in File Viewer on the tab matching its type (for example, the
Media tab for images, audio, and video files), opened in a third-party program, or saved to
a file.
Values can be converted into readable form with the built-in converter. You can also
convert part of a value: double-click a cell, or press F2 with the focus on the cell, to enter
text selection mode inside the cell. The selected fragment is immediately displayed in the
value converter panel with all available conversion options.
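The cell inspection and value conversion described above, reproduced as an added example (illustrative Python written for this page, not the product's viewer or its list of conversions): it builds a small SQLite database in memory from constructed rows, records each cell's storage class, sniffs BLOBs by magic bytes, offers a Base64 reading of text cells, and decodes integers against several epoch bases, keeping every reading that lands in a plausible date range. The point is that the same number often reads as two different dates (Unix seconds versus Apple Cocoa seconds, for instance), so a converter should show all candidates rather than silently pick one. The epoch list, the magic-byte table and the sample schema are assumptions.

```python
import base64
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Epoch bases commonly met in mobile app databases (the example's assumption;
# the product's converter offers its own set). Value: (epoch, units per second).
EPOCHS = {
    "unix_seconds": (datetime(1970, 1, 1, tzinfo=timezone.utc), 1),
    "unix_milliseconds": (datetime(1970, 1, 1, tzinfo=timezone.utc), 1_000),
    "cocoa_seconds": (datetime(2001, 1, 1, tzinfo=timezone.utc), 1),          # Apple
    "webkit_microseconds": (datetime(1601, 1, 1, tzinfo=timezone.utc), 1_000_000),  # Chrome/WebKit
}

# Leading bytes that identify common file types stored in BLOB cells.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"%PDF": "application/pdf",
    b"bplist": "application/x-plist",
    b"SQLite format 3\x00": "application/x-sqlite3",
}


def decode_timestamp(n: float) -> Dict[str, str]:
    """Return every reading of n as a timestamp that falls between 1990 and
    2040. Several readings can survive; the examiner picks the right base."""
    if abs(n) < 10**8:
        return {}  # ids, counters and flags: too small for any base listed here
    readings: Dict[str, str] = {}
    for name, (epoch, divisor) in EPOCHS.items():
        try:
            dt = epoch + timedelta(seconds=n / divisor)
        except OverflowError:
            continue  # beyond year 9999 in this base, so not a reading at all
        if 1990 <= dt.year <= 2040:
            readings[name] = dt.strftime("%Y-%m-%d %H:%M:%S UTC")
    return readings


def sniff_blob(data: bytes) -> str:
    """Classify a BLOB by its magic bytes."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def decode_text(s: str) -> Dict[str, str]:
    """Offer a Base64 reading of a text cell when it decodes to printable UTF-8."""
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return {}
    return {"base64": text} if text and text.isprintable() else {}


def inspect_table(conn: sqlite3.Connection, table: str) -> List[Dict[str, Dict[str, Any]]]:
    """Walk every cell of a table, record its Python/SQLite storage class and
    attach the candidate decodings the content admits."""
    quoted = '"' + table.replace('"', '""') + '"'  # identifier quoting
    cur = conn.execute(f"SELECT * FROM {quoted}")
    columns = [d[0] for d in cur.description]
    rows = []
    for record in cur:
        row: Dict[str, Dict[str, Any]] = {}
        for column, value in zip(columns, record):
            cell: Dict[str, Any] = {"value": value, "type": type(value).__name__}
            if isinstance(value, (int, float)):
                cell["timestamps"] = decode_timestamp(value)
            elif isinstance(value, bytes):
                cell["mime"] = sniff_blob(value)
            elif isinstance(value, str):
                cell.update(decode_text(value))
            row[column] = cell
        rows.append(row)
    return rows


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample database (not an artifact from any real device).
    All three 'sent' values encode 2023-03-15 12:00:00 UTC in different bases."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER, sent INTEGER, body TEXT, attachment BLOB)")
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?, ?, ?)",
        [
            (1, 1678881600, "Meet at the usual place", None),
            (2, 700574400, "aGVsbG8gd29ybGQ=", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
            (3, 13323355200000000, "ping", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for row in inspect_table(build_sample_db(), "messages"):
        print(row)
```

Row 2 shows the ambiguity the converter panel exists for: 700574400 is 2023-03-15 as Cocoa seconds but also a valid 1992 Unix timestamp, and only knowledge of the app (an Apple framework database here) settles which reading is correct.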
In selection mode you can use hotkeys such as:
• Shift+Right: selects the character following the cursor;
• Shift+End: selects all characters from the cursor to the end of the value;
• Shift+Home: selects all characters up to the cursor; and so on.
To exit selection mode, left-click any other cell or press Esc.
You can export SQLite table data as well as the results of executed SQL queries by clicking
the Export button on the toolbar (button hint: “Export current table to file”).
If you are viewing a table, clicking Export opens the standard report saving form, where
the name and location of the report file, the format of the exported data, and other general
report settings can be set. On clicking Export, the rows of the current table marked with
the export checkbox are saved to the file; hidden rows and columns are ignored.
In the SQL query editor, the Export button is inactive until the SQL query has run. If the
query returns a non-empty result, the button becomes active and the rows selected with
the checkbox can be exported to the report. The Export button is inactive in the nested
tabs of tables, such as DDL, Triggers, Columns, Foreign keys, etc.
Plist Viewer
Use the Plist Viewer to work with plist files. Import the plist file you wish to view and
analyze by clicking on the upper right corner of the extraction home screen and selecting
Plist Viewer from the list. It is a convenient way to analyze .plist files from Apple devices;
these files contain information about WiFi access points, speed dials, the last cellular
operator, App Store settings, Bluetooth settings, global application settings, etc.
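As an added example of the parsing a plist viewer performs (this code is written for this page and is not the product's viewer; the key names imitate the style of Apple's Wi-Fi preference plists, but the schema is assumed, not verified), the Python below builds a constructed known-networks plist, identifies whether it is stored in binary or XML form, and flattens it into rows ordered by last join time. plistlib returns naive datetime objects; plist dates are stored in UTC, so treat them as UTC when placing them on a timeline.

```python
import plistlib
from datetime import datetime
from typing import Any, Dict, List


def plist_format(data: bytes) -> str:
    """Identify the on-disk encoding: binary plists start with 'bplist', XML
    plists with an XML declaration or the <plist> root element."""
    if data.startswith(b"bplist"):
        return "binary"
    head = data.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    raise ValueError("not a property list")


def load_plist(data: bytes) -> Any:
    """plistlib detects the XML and binary encodings by itself."""
    return plistlib.loads(data)


def known_networks(pl: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten the (hypothetical) known-networks layout into rows, newest join
    first, the way a Wireless Connections grid would present them."""
    rows = []
    for entry in pl.get("KnownNetworks", {}).values():
        rows.append({
            "ssid": entry.get("SSID_STR"),
            "bssid": entry.get("BSSID"),
            "security": entry.get("SecurityType"),
            "last_joined": entry.get("lastJoined"),  # naive datetime, UTC
        })
    rows.sort(key=lambda r: r["last_joined"] or datetime.min, reverse=True)
    return rows


# Constructed sample. Dictionary keys are "wifi.ssid.<hex of SSID>", a style
# borrowed from Apple's Wi-Fi plists; the whole structure is an assumption.
SAMPLE = {
    "KnownNetworks": {
        "wifi.ssid.<436f666665652d53686f70>": {
            "SSID_STR": "Coffee-Shop",
            "BSSID": "a4:2b:8c:11:22:33",
            "SecurityType": "WPA2 Personal",
            "lastJoined": datetime(2023, 3, 14, 8, 15, 0),
        },
        "wifi.ssid.<486f6d65>": {
            "SSID_STR": "Home",
            "BSSID": "00:1a:2b:3c:4d:5e",
            "SecurityType": "WPA3 Personal",
            "lastJoined": datetime(2023, 3, 15, 21, 40, 0),
        },
    }
}


def build_sample(binary: bool = True) -> bytes:
    """Serialize the sample in either encoding a device might use."""
    fmt = plistlib.FMT_BINARY if binary else plistlib.FMT_XML
    return plistlib.dumps(SAMPLE, fmt=fmt)


if __name__ == "__main__":
    data = build_sample()
    print(plist_format(data))
    for row in known_networks(load_plist(data)):
        print(row)
```

The BSSIDs recovered this way are the values to feed into the WiFi geolocation lookup described under Maps and geodata; the SSID alone is not enough, because many access points share a name.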
Options menu
To fine-tune your investigative experience with Oxygen Forensic® Detective, use the
Options menu. Open it from the upper right corner of the home screen.
The Options menu consists of several tabs: General, Search, Import, Advanced analytics,
Contacts, Geo settings, Proxy settings, Project VIC, Updates, and Translations.
From the General tab, you can set or edit the path to the extraction storage, the folder to
which temporary files are saved, and the program language. Please note that changed
settings take effect only after the program is restarted.
From the Search tab, you can fine-tune phone number search by selecting one or more
countries from the list using checkboxes and setting the leniency and phone number
length. The default leniency setting is Strict grouping, which means that a set of digits
must look like a phone number.
Other options are:
• Possible: any set of digits is treated as a phone number;
• Valid: a set of digits must resemble a phone number;
• Exact grouping: a set of digits must match the phone number format exactly.
A variety of settings for imported files is located in the Import tab. From there, configure
hash calculation for backup files, recovery of deleted files, application data at import,
unpacking of nested archives and their nesting level, archive types to process, file types to
ignore, the use of archived files' timestamps, and the drone sample rate.
Go to the Advanced analytics tab to fine-tune your OCR, Image categorization, and Facial
recognition experience. All the relevant settings, including whether to run all those
analytical features at import, OCR languages and image categorization types to detect, their
thresholds as well as minimum image size will be accessible from there.
Take control of contacts merging from the Contacts tab. From there, two merge settings
modes are available: simple and advanced. The main difference between them is that the
advanced mode offers more detailed settings for contact merges within devices and cases.
In simple mode, contacts and accounts merge settings are regulated automatically,
depending on the chosen settings within the interface. From the Contacts tab, you can also
choose labels and values to ignore, state the merge rule as well as phone number length.
Next, in the Geo Settings tab, enter the authentication keys for the WiFi geolocation
services (Latent Wireless, WiGLE) needed to receive coordinates for MAC addresses.
Project VIC settings are located in the Project VIC tab. From there, you can select the
current region as well as the categories whose thumbnails will be displayed in the
interface or in reports.
In the Updates tab, you can find information about the currently used software version, as
well as newest updates, a shortcut to the customers area, automatic update settings,
licensing information, and the opportunity to change the product key.
Open Translations tab to overview the list of installed languages and set the translation
language.
Data Export to reports
You can export the evidence to an XLSX, XLS, PDF, XML, HTML, JSON, RTF, MSG, VCF, or
PST file, or in Relativity format. Open the Export window from the extraction home screen
by clicking the third button under the device image; click the latter icon to export data in
Relativity format. You can also open the Export window from the toolbar of the section of
interest, in which case only data within that section is included in the report by default.
Export window then opens. From there, select the data to export, folder to which data will
be exported, name the report, state the file type, and click “Export” to proceed.
To fine-tune export settings, switch between tabs on the left. The adjusted set of settings
can be saved as a template for the further use.
Oxygen Forensic® Viewer
After loading an .ofbx backup made in Oxygen Forensic® Detective, the user of Oxygen
Forensic® Viewer can do the following:
• View all the evidence acquired from any of the supported digital sources;
• Examine data from apps;
• View deleted records recovered in Oxygen Forensic® Detective;
• Sort and filter data in every section;
• Search evidence in parsed data and in file content;
• Mark data as Key Evidence or add tags;
• Export the evidence, all of it or only the important bits, in PDF, XML, RTF, XLSX,
HTML, and Project VIC JSON formats.
Contacts
support@oxygenforensics.com
+1 (703) 888-2327