How To Extract Cloud Data Using Oxygen Forensic Detective’s Cloud Extractor

Welcome to Oxygen Forensic Detective’s knowledge nuggets. In this video, I will show you how simple it is to extract cloud data using Detective’s Cloud Extractor. If you weren’t already aware, Oxygen Forensic Detective has a lot more to it than just extracting and parsing cell phones. Our Cloud Extractor is included, meaning if you own a license for Detective, you have Cloud Extractor.

There are two ways to enter into the Cloud Extractor. One is after you extract a device and you view the accounts and passwords section at the top of the screen, you will find the Cloud Extractor. If you access through here, all accounts with usernames, passwords, and tokens will automatically populate into the Extractor. The other location of your Cloud Extractor is on your home screen, under ‘extract’. 

Let’s say that you have a witness or complainant that walks into your office and gives you consent to offer up their account information and data to help your case, but they don’t want to give up their cell phone. Do you take pictures or screenshots of their application information inside of the device and ask them to send it to you, or ask them to download their information directly and send it to you? The easy answer here is use the Cloud Extractor. If they’re giving you their account information and their password, we can enter that information into the extractor.

Here we can see we have several ways to retrieve information. In the previous scenario where you already have the account credentials, you could simply start a new extraction, enter the credentials, and begin the download process, which we’ll do in a second. 


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


The next option is to import credentials package. This package is generated by Detective or Key Scout and imported here. 

Your third option down is to use an iCloud token from a Windows PC, and here is where you can download Key Scout, which is an on the go tool that captures tokens and passwords from a computer and creates the package mentioned above. This is also included with your Detective license and here you can [extract] WhatsApp backup files from an SD card or an Android device. Now let’s start our new extraction.

Let’s give our case a name and begin. Now let’s add our credentials to each application we need to extract from a cloud. Let’s say we have permission to extract Facebook, Twitter, and all accounts associated with Google. Let’s enter our Facebook credentials, our Twitter – add credentials – and all Google accounts, so we’ll go to the Google services and select all.

Now we’re not sure which services are currently being used, but we have permission to gain access to any of them. So here I’m going to try to access all of them and apply here we can see what services we’re looking at, the credentials and the successes or failures.

Let’s try a new password that they gave us that it could be. There we go. 

All right, click your next button. Here we can see what categories have been exported and we can put a date range on it if we need to. 

Now the downloading process begins. 

Now that the downloads have completed, let’s click next. From this point, we can actually open this information in Detective and view it parsed and here we are inside of our cloud backup. All of our information is here and you can see all applications, any data came from, for more information on Oxygen Dorensic Detective, and for training opportunities, please contact us.

Leave a Comment