In 2025, Oxygen Forensic Detective continued expanding beyond classic mobile extractions into a broader multi-source platform (mobile, cloud, and computer) with stronger acquisition success, more artifact coverage, and improved workflows for large cases. The year’s updates emphasized better access to encrypted devices, expanded app/cloud support, improved automation, and new analytical focus areas (including cryptocurrency and emerging AI/chat artifacts).

The following sections highlight notable feature areas that were expanded or improved during 2025 releases (including v17.2, v17.3.1, v18.0, and v18.1).

1) Mobile Forensics: Deeper Access and Broader Device Coverage – Expanded Android and iOS capabilities

  • Expanded support for newer Android versions and extraction methods (including continued improvements to Android Agent workflows).
  • Improved decryption and acquisition support for modern Android devices and chipsets (including Qualcomm-focused improvements reported in 2025 release cycles).
  • Added/expanded capture options to improve documentation and evidentiary context (for example, real-time iOS screenshot capture during extraction in some 2025 releases).

Chain Extraction (workflow improvement) – A major operational improvement introduced in the 2025 cycle was “Chain Extraction,” designed to increase acquisition success rates by letting examiners chain multiple methods in one guided workflow.

  • Combines multiple acquisition approaches (for example: Physical → Full File System → Agent → Backup) in one run.
  • Supports automatic fallback to alternate methods if the preferred method fails or is not supported.
  • Helps reduce rework and time lost repeating setup steps across multiple acquisition attempts.

2) Cloud, App, and Data Source Expansion – Oxygen continued to expand cloud and application parsing in 2025, reflecting the reality that many investigations depend on cloud accounts and app-centric evidence.

  • Broader support for messaging and collaboration platforms (examples commonly highlighted by Oxygen in 2025 communications include Slack/Discord/Teams-related artifacts and exports).
  • Improved support for importing account exports and archives (e.g., Slack export ZIP workflows).
  • Ongoing parsing package updates to keep pace with fast-changing apps, schemas, and OS updates.
  • Expanded browser and web artifact parsing (coverage typically grows each release as Chromium-based and vendor-specific browsers evolve).

3) Computer Forensics: Artifact Growth and Deleted Data Recovery – New/expanded artifact support – Across 2025 releases, Oxygen continued adding new computer artifacts and expanding existing parsers to cover more applications, logs, and user activity traces.

  • Password manager artifacts (examples mentioned in 2025 coverage include Bitwarden and NordPass).
  • Remote access / administration artifacts (examples highlighted include TeamViewer-related data).
  • Linux and system log enhancements (including Linux audit/log sources that matter for incident response and insider investigations).
  • Crypto wallet and crypto-app artifacts (examples mentioned include MetaMask and Ledger Live in 2025 materials).

Improved data recovery and carving – 2025 updates also emphasized stronger recovery of deleted data and better handling of unallocated space analysis.

  • Improved file carving from unallocated space for common file types (e.g., ZIP, PDF, Office formats, and images).
  • Better handling of partial or fragmented recovered content to aid triage and lead generation.

4) Cryptocurrency and Financial Investigations – A notable focus area in 2025 was stronger support for cryptocurrency-related evidence, reflecting the growing prevalence of crypto in fraud, theft, narcotics, and organized crime cases.

  • Introduction/expansion of a dedicated cryptocurrency evidence area in later 2025 releases.
  • More centralized views of wallets, transactions, seed phrases/mnemonics, and related traces.
  • Improved correlation of crypto artifacts across multiple extractions and data sources within a case.

5) Automation and Workflow Improvements – Oxygen continued to invest in operational improvements for labs that need repeatable workflows and higher throughput.

  • Command-line/automation enhancements supporting batch processing, repeatable tasks, and integration with lab procedures.
  • Improved multi-extraction import options to accelerate work on multi-device cases.
  • More consistent parsing updates and case handling designed to reduce manual steps and improve examiner efficiency.

6) Password Recovery and Decryption Workflow Enhancements – 2025 updates also improved password recovery and access workflows—important for encrypted containers, protected archives, and locked sources.

  • More centralized dictionary/wordlist handling to standardize attacks across cases.
  • Improved saving and reuse of recovered credentials across workflows.
  • Bulk export and improved visibility of attack results for documentation and reporting.

7) AI, Chat, and Modern Artifact Support – As AI usage and modern chat platforms become common evidence sources, Oxygen expanded support for newer artifacts and app ecosystems.

  • Expanded parsing for modern communications and collaboration tools as they evolve.
  • Added or improved handling for AI/chat-related artifacts (including ChatGPT app artifacts referenced in 2025 commentary and community coverage).
  • Search and analytics improvements aimed at handling large volumes of chat content and multi-language investigations.

8) Data Management and Reporting Improvements – Several improvements in 2025 targeted case organization, evidence handling, and reporting—especially for large investigations.

  • Better organization of Key Evidence, Notes, and Tagged Evidence to speed review and presentation.
  • Improved tagging, filtering, and analyst workflows to support faster triage and structured analysis.
  • Security features and case management refinements (including options such as password protection for case backups in some releases).
  • Reporting/export improvements to better package evidence for investigators, prosecutors, and court.

Overall 2025 Trends (What Changed Most)

  • Broader data access: more devices, apps, cloud sources, and artifact coverage.
  • Higher acquisition success: improved extraction methods and guided workflows (including Chain Extraction).
  • More advanced analytics: crypto evidence focus and continued expansion into modern communications and AI-related traces.
  • Scale and automation: improved batch/CLI workflows and features aimed at high-throughput labs.
  • Multi-source investigations: better support for combining mobile, cloud, and computer evidence into one case narrative.

H-11 Digital Forensics Perspective

From a practical lab standpoint, Oxygen’s 2025 updates align with three realities seen across agencies and enterprise teams:

  • Investigations are multi-source by default (mobile + cloud + computer), so toolchains must consolidate evidence quickly.
  • Encryption and access challenges are increasing, requiring better acquisition success and stronger password/decryption workflows.
  • Backlogs and time pressure demand automation and repeatability so examiners focus on analysis rather than processing steps.

Oxygen Forensic Detective’s 2025 updates strengthened the platform as a multi-source investigation tool—improving acquisition success, expanding artifact coverage across devices and apps, adding stronger crypto-focused capabilities, and enhancing automation and workflow efficiency.