Default01
Oxygen Detective
First-line mobile extraction across iOS, Android and 35,000+ devices.
- Mobile
- Cloud
The stack behind
every brief.
No single tool wins on every device. We run a multi-vendor stack — Oxygen Detective and Belkasoft X by default, with Cellebrite, GrayKey, AXIOM and others kept current for the matters that need them.
- Default extraction
- Oxygen Detective
- Default analysis
- Belkasoft X
- Verification
- Cross-tool
What We Examine
The stack,
The stack,
layer by layer.
The right tool depends on the device, the OS version and what the matter is asking. Here is how the stack is structured.
Layer01
Mobile extraction
Oxygen Detective as default with Cellebrite UFED and MSAB XRY for corroboration. GrayKey for specialist locked-iOS work.
Layer02
Computer imaging
Tableau and Atola write-blockers, FTK Imager and X-Ways for forensically sound disk acquisition.
Layer03
Forensic analysis
Belkasoft X as default platform. Magnet AXIOM, EnCase and FTK kept current for verification and brief-specific workflows.
Layer04
Cloud collection
Oxygen Cloud Extractor, native M365 / Google Vault and Hancom MD-Cloud for lawful cloud-account preservation.
Layer05
AI authentication
Griffin AI for deepfake and synthetic-media detection — combined with EXIF, C2PA and manual frame review.
Layer06
Specialist
Cellebrite Inspector for Mac, BlackLight, Vehicle System Forensics and DJI flight-log tooling for non-standard sources.
Coverage
Default vs
Default vs
when to escalate.
Tooling discipline is choosing the right platform and recording why. Here is how we typically pick.
Default02
Belkasoft X
First-line analysis platform — 700+ artefact types across mobile, PC, cloud and specialist sources.
- Analysis
- Timeline
Escalation03
Cellebrite UFED
Used for corroboration on contested mobile briefs and for matters needing its locked-device pathways.
- Locked
- Corroborate
Specialist04
Griffin AI
AI authentication for contested photos, video and audio — deepfake and GAN-image detection.
- Deepfake
- Provenance
The Approach
Multi-tool
Multi-tool
by default.
Critical findings are verified across at least two tools, or by manual SQL / hex / frame inspection. The bench gets a finding, not a tool screenshot.
Every report names the tooling used, the version run and the verification path taken. If a finding rests on one tool, we say so — and explain why a second pathway was not available.
Verification
Two-tool minimum
Coverage
Mobile · PC · cloud · AI
Reporting
Tooling trail in every brief
Currency
Vendor-current licensing
The Process
Calm, methodical,
Calm, methodical,
court-grade from intake.
Step01
Triage
Match the brief, devices and OS versions to the right tooling pathway before any acquisition begins.
Step02
Acquire
Run the default tool, hash-verified, write-blocked, with chain-of-custody documented from minute one.
Step03
Verify
Critical findings re-run on a second tool or verified manually. Both paths recorded in the workpaper.
Step04
Report
Every report names the tools used, version run and verification path — court-ready and tool-agnostic in conclusion.
Frequently Asked
Frequently asked about our tooling.
Request A Consultation
Send A Brief.
Send A Brief.
We'll Take It From There.
Every enquiry is read by a licensed investigator and treated in strict confidence.
Step01
You send a brief
A short note about your matter — no detail required upfront.
Step02
We reply within one business day
From a licensed investigator, not a chatbot or call centre.
Step03
If we're the right fit, we book a call
Confidential. No obligation. Fixed-fee quote where possible.