A divorce attorney called me last year with a situation I hadn’t seen before. Their client suspected a spouse was hiding assets routed through multiple apps — a crypto wallet app, a Venmo account, and some activity on Telegram that their client had seen briefly before the spouse changed passwords.
The spouse’s iPhone was locked. No backup credentials were available. Standard logical extraction gave us almost nothing.
We had one shot: cloud extraction.
That case is what really put Oxygen Forensic Detective on my regular-use list. Not because it was magic — it wasn’t — but because its cloud extraction capabilities gave us more paths to the data than anything else I was running at the time. Here’s the full picture after 18 months of use in civil forensic practice.
What Oxygen Forensic Detective Is
Oxygen Forensic Detective is a unified mobile forensics and cloud extraction platform developed by Oxygen Forensics, Inc. It’s not new — the platform has been around since the early 2010s — but it’s evolved significantly in the cloud era.
The platform covers:
- Physical, file system, and logical extraction from mobile devices
- Cloud data acquisition (credentials-based)
- Social media artifact parsing
- Drone forensics and data extraction
- JetEngine analytics for automated data correlation
- Multi-platform desktop support (Windows)
It competes in the mid-tier of the forensic tool market — more capable than consumer-grade tools like iMazing, less expensive and in some areas less powerful than Cellebrite UFED Premium. For civil practitioners, that mid-tier is often exactly where the value is.
Cloud Extraction Capabilities: The Core Differentiator
This is the reason most civil practitioners should be paying attention to Oxygen Forensic Detective in 2026.
When physical device access is limited — locked device, device destroyed, device in opposing party’s possession — cloud extraction becomes your primary path to evidence. Oxygen Forensic Detective’s cloud module covers a wider range of services than most competitors at this price point.
What it extracts from cloud services (with valid credentials or tokens):
Apple iCloud: iCloud backups, iCloud Drive files, Photos library, Contacts, Notes, Calendar events, iMessages (if iCloud sync is enabled), and health data. In the divorce case I mentioned, iCloud health data — specifically step counts and location visits — became key corroborating evidence for a timeline dispute.
Google Account: Gmail, Google Drive, Google Photos, Contacts, Calendar, Chrome history, Google Location History, and Google Takeout data. Google Location History, in particular, is frequently underused in civil matters. It can place someone at a location with surprising precision.
Samsung Cloud, Huawei Cloud, and other OEM cloud services: Variable support, but broader than most tools. Samsung Cloud extraction via credentials is particularly useful for Galaxy device investigations where physical extraction has limitations.
Third-party app cloud backends: This is where Oxygen gets interesting for civil work. The platform can extract data from WhatsApp cloud backups (Google Drive and iCloud), Viber, and several other messaging apps that sync to cloud storage. This doesn’t require device access — it requires the account credentials or authentication tokens.
Practical limitation: Cloud extraction requires credentials, tokens, or legal process responses. If you have none of these, cloud extraction won’t help you. For civil matters, this often means you’re working with a cooperative client who can provide their own credentials, or you’re waiting on subpoena responses from service providers.
Social Media Parsing: What It Actually Recovers
Oxygen Forensic Detective includes dedicated parsing for social media artifacts, both from local device storage and from cloud-connected sources.
From device extraction, the tool parses local databases for:
- Facebook and Facebook Messenger (message content, media, contact lists)
- Instagram (DMs, post history, search history, linked accounts)
- Twitter/X (tweets, DMs, following/followers list)
- TikTok (view history, DM content where stored locally)
- Snapchat (cached snaps, chat history where not purged)
- LinkedIn (messages, profile data stored locally)
The quality of social media artifact recovery depends heavily on what the app stores locally versus what it only keeps server-side. Most messaging apps are moving toward server-side storage with minimal local caching, which means the window for device-side recovery keeps shrinking.
Where Oxygen Forensic Detective performs well is in parsing the artifacts that are locally present and presenting them in a readable format. Threading is preserved in most cases. Media attachments are linked to their conversation context.
For investigators working family law, employment, or harassment matters where social media communication is central evidence, the parsing quality here is genuinely useful.
Drone Forensics Support
This is a feature I didn’t expect to use when I first licensed Oxygen Forensic Detective, and now it comes up more often than I’d predict.
Drone usage in insurance fraud, property disputes, and surveillance-related litigation has increased significantly. When a drone is involved in a matter — either as evidence of surveillance or as a vehicle used to document something — the drone’s internal storage and companion app data become relevant.
Oxygen Forensic Detective supports forensic extraction and analysis from several DJI drone models, which cover the large majority of consumer and prosumer drone usage. Extractable data includes:
- Flight logs (GPS coordinates, altitude, speed, duration)
- Photo and video files with embedded metadata
- Drone companion app data from connected mobile devices (DJI GO, DJI Fly)
In a recent property dispute, flight logs from a DJI Mavic 3 extracted through Oxygen Forensic Detective established that the drone had been flown over the disputed parcel on specific dates — directly contradicting the opposing party’s claims. That data was case-dispositive.
If you work matters where drones might be relevant, Oxygen Forensic Detective is currently the most accessible tool for this kind of extraction.
JetEngine Analytics
JetEngine is Oxygen’s built-in analytics module — think of it as automated pattern recognition applied to extracted data.
What it does in practice:
Contact network mapping: JetEngine builds a visual graph of communications — who the subject contacted, how frequently, and through which channels. For investigations where you’re trying to identify associates or establish a relationship pattern, this visualization can surface connections that manual review would miss.
Timeline automation: JetEngine automatically generates a merged timeline from all artifact sources — SMS, email, app activity, location data, call logs — and flags statistical anomalies: spikes in communication activity, unusual location patterns, and contacts appearing suddenly after periods of no interaction.
Keyword hit correlation: Run a keyword list, and JetEngine correlates hits across artifact types. A name that appears in SMS conversations, email, and location data around the same time period gets flagged for examiner review.
In practice, JetEngine is most valuable on complex matters with large data volumes. For a straightforward two-phone extraction with a clear evidentiary target, you probably won’t use it. For a multi-device, multi-source investigation with 500,000+ artifacts, it’s a significant time saver.
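To make the timeline merge and keyword hit correlation described above concrete, here is an added Python sketch. It is not Oxygen's code or JetEngine's actual algorithm; the record fields, the sample artifacts, and the 24-hour window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample artifacts (not from any real case); field names are assumed.
ARTIFACTS = [
    {"source": "sms",      "ts": "2025-03-01T09:15:00", "text": "Meet Dana at the storage unit"},
    {"source": "email",    "ts": "2025-03-01T13:40:00", "text": "Invoice from Dana re: unit 14"},
    {"source": "location", "ts": "2025-03-01T18:05:00", "text": "Visit: Dana's Self Storage"},
    {"source": "sms",      "ts": "2025-03-09T08:00:00", "text": "Wire the deposit today"},
    {"source": "email",    "ts": "2025-04-20T10:00:00", "text": "Deposit receipt attached"},
    {"source": "call_log", "ts": "2025-03-02T11:30:00", "text": "Outgoing call, 4 min"},
]

def merged_timeline(artifacts):
    """Return every artifact, from all sources, in one chronological list."""
    return sorted(artifacts, key=lambda a: datetime.fromisoformat(a["ts"]))

def correlate_keywords(artifacts, keywords, window=timedelta(hours=24), min_sources=2):
    """Flag keywords hit in >= min_sources distinct artifact types within `window`."""
    hits = defaultdict(list)
    for a in merged_timeline(artifacts):
        lowered = a["text"].lower()
        for kw in keywords:
            if kw.lower() in lowered:  # case-insensitive substring match
                hits[kw].append((datetime.fromisoformat(a["ts"]), a["source"]))
    flagged = {}
    for kw, events in hits.items():
        best = set()
        # Open a window at each hit and collect the sources that fall inside it.
        for i, (start, _) in enumerate(events):
            sources = {src for ts, src in events[i:] if ts - start <= window}
            if len(sources) > len(best):
                best = sources
        if len(best) >= min_sources:
            flagged[kw] = sorted(best)  # candidates for examiner review
    return flagged

if __name__ == "__main__":
    print(correlate_keywords(ARTIFACTS, ["Dana", "deposit"]))
```

A keyword that appears in only one artifact type, or in several types weeks apart, is not flagged, which is what keeps the review list short on large extractions.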
Pricing Tier Comparison
Oxygen Forensic Detective uses a tiered licensing model that’s more accessible than Cellebrite and roughly comparable to Magnet AXIOM Examine.
Oxygen Forensic Detective (Full):
Approximately $2,500–$3,500/year for a single examiner license. Includes mobile extraction, cloud module, social media parsing, drone forensics, and JetEngine analytics. This is the version most civil practitioners should evaluate.
Oxygen Forensic Extractor:
A lower-cost option at roughly $500–$800/year that focuses on extraction without the full analytics module. Useful for practitioners who primarily need to pull data and analyze it in another platform.
Enterprise/Lab Licensing:
Volume pricing available for labs running multiple examiner seats. Oxygen is generally more willing than Cellebrite to negotiate pricing for small agencies and solo practitioners — worth a direct conversation with their sales team.
Oxygen Forensic Detective’s pricing is substantially more visible than Cellebrite’s. You can request a quote without going through an extended enterprise sales process, and their online presence is more transparent about what each tier includes.
Renewal and updates: Annual licensing includes platform updates. Given how frequently cloud service APIs change and new device support is added, keeping current is non-negotiable.
Where It Falls Short
No tool review is honest without talking about the gaps.
Advanced locked device extraction is where Oxygen Forensic Detective can’t compete with Cellebrite UFED Premium. For locked iOS devices on current-generation hardware, Oxygen’s physical extraction capabilities are limited. The tool is strongest when you have device access (unlocked device or available PIN/passcode) or cloud credentials.
Processing speed on large extractions is slower than Cellebrite’s pipeline. For multi-device investigations with 10+ devices, the throughput difference becomes noticeable. This isn’t a dealbreaker for civil practice (where turnaround timelines are usually measured in days, not hours), but it’s worth knowing.
Court acceptance: In jurisdictions where opposing counsel will challenge your methodology, Cellebrite’s broader market presence and established case law citations give it an advantage. Oxygen Forensic Detective is a legitimate, defensible tool — but you may have to do more work educating the court about it. Having your methodology documentation ready is more important with less-recognized tools.
Customer support is adequate but not deep. Response times are reasonable, but the knowledge base is thinner than Cellebrite’s. The user community is smaller, which means peer-sourced troubleshooting takes more digging.
Practical Workflow in Civil Practice
Here’s how Oxygen Forensic Detective fits into a real civil investigation workflow:
Step 1 — Device in hand, device unlocked or PIN known:
Run physical or file system extraction. For iPhones pre-A12, this gives you everything. For newer devices with PIN available, file system extraction is typically achievable.
Step 2 — Device locked or unavailable:
Pivot to cloud extraction. Work with your client to obtain relevant credentials for iCloud, Google, or other services. If this is a cooperative matter (your client’s own device), this is straightforward. If the device belongs to the opposing party, you’re working through legal process.
Step 3 — Run JetEngine on results:
For matters with large data volumes, let JetEngine generate the contact network map and timeline before starting manual review. Use it to identify the high-value areas for focused examination.
Step 4 — Generate report:
Oxygen Forensic Detective’s reporting module produces PDF and Excel exports suitable for attorney review. The reports are clean and well-organized. You can select specific artifact categories to include rather than dumping everything.
Compare this workflow against the [Cellebrite UFED Premium](/cellebrite-ufed-premium-field-evaluation/) approach to see where the tools complement each other — many labs run both.
FAQ
Does Oxygen Forensic Detective work on Macs?
The platform runs on Windows only. If your lab is Mac-based, you’ll need a Windows virtual machine or dedicated Windows workstation. This is a genuine limitation for Mac-centric practitioners, and it’s something Oxygen Forensics has been asked about repeatedly without resolution as of this writing.
Can I use Oxygen Forensic Detective to extract WhatsApp messages from a locked iPhone?
For a locked iPhone where WhatsApp data is backed up to iCloud, yes — with valid Apple ID credentials, Oxygen Forensic Detective can access the iCloud backup, which includes WhatsApp data if WhatsApp backup to iCloud is enabled. Without credentials or backup access, extraction from a locked device follows the same hardware limitations that apply to all tools.
How does Oxygen Forensic Detective handle deleted data recovery?
Deleted data recovery is possible for some artifact types through SQLite database carving and file system unallocated space analysis. The success rate varies significantly by device, file system type, and how much write activity has occurred since deletion. iOS APFS file systems are harder than older iOS HFS+ or Android ext4 configurations. Manage client expectations: deleted recovery is possible, not guaranteed.
Is evidence from Oxygen Forensic Detective accepted in court?
The tool itself produces forensically sound output when used correctly. The key factors for court acceptance are: proper chain of custody documentation, hash verification at acquisition, and a qualified examiner who can explain the methodology. Oxygen Forensic Detective is used and accepted in civil and criminal proceedings. The examiner’s qualifications and methodology matter more than the specific tool in most evidentiary challenges.
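The hash verification and chain-of-custody record mentioned above can be kept independently of any one tool. The following Python sketch is an added example, not part of Oxygen Forensic Detective; the record fields and function names are assumptions.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large extraction images never load fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def acquisition_record(path, examiner, case_ref):
    """Build the custody-log entry written at the moment of acquisition."""
    p = Path(path)
    return {
        "case_ref": case_ref,      # hypothetical field names, adapt to your lab's form
        "examiner": examiner,
        "file_name": p.name,
        "size_bytes": p.stat().st_size,
        "sha256": sha256_file(p),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def verify_against_record(path, record):
    """Re-hash a working copy and list every way it differs from the record."""
    p = Path(path)
    problems = []
    if p.stat().st_size != record["size_bytes"]:
        problems.append("size mismatch")
    if sha256_file(p) != record["sha256"]:
        problems.append("sha256 mismatch")
    return problems  # an empty list means the copy matches what was acquired
```

Run the verification again before analysis and before producing the report, and keep each result alongside the original record.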
What training is available for Oxygen Forensic Detective?
Oxygen Forensics offers its own certification program (OFC — Oxygen Forensic Certification) as well as training courses at various levels. Third-party training through forensic associations like IACIS also covers the platform. Hands-on training is strongly recommended before using the tool in a case — the cloud extraction module in particular has enough configuration complexity that untrained use can miss significant data.
Final Assessment
For civil forensic practitioners — family law, employment, insurance, commercial disputes — Oxygen Forensic Detective hits a genuinely useful price-to-capability ratio.
The cloud extraction capabilities are its standout feature. The social media parsing is solid. The drone forensics support is increasingly relevant. JetEngine is a real time saver on complex matters.
It’s not the right tool if your primary need is unlocking heavily secured devices — that’s still Cellebrite territory. But for the bread-and-butter work of civil digital forensics, Oxygen Forensic Detective does the job well at a price that makes business sense for practitioners who can’t justify a six-figure annual tool budget.
Marcus Rivera is a digital forensic consultant specializing in civil litigation support. He has provided expert witness testimony in family law, employment, and commercial matters across California and Nevada.