All In One: Merging Extractions in Oxygen Forensic® Detective

Have you ever acquired data from the same device using different methods and then faced the need to merge those extractions in order to view and analyze them properly? It is rare that an investigator will find all the data they need to make a case using one extraction method. Oftentimes, it requires various extraction methods to gain a comprehensive view of a case. 

Luckily, our latest update, Oxygen Forensic® Detective v.14.0, presents a “Merge Extraction” option, intended to save investigators time by eliminating the need to manually compile data. When enabled, this feature will automatically merge the extractions acquired using different extraction methods.

Let’s take a closer look into this latest feature. 

How does it work?

Our “Merge Extraction” feature supports various different extraction methods of the same device. For example, investigators can acquire data extracted from physical dumps, SD cards, and cloud services, and merge them at the data level or file system level.

Data Level Extractions

By default, extractions are merged at a data level. In this case, each file system is analyzed separately and their data is added to the merged extraction. We recommend using this method when merging extractions of different devices and platforms, such as when merging an Android extraction with its cloud data.

File System Level Extractions

When merging at a file system level, a merged file system is first built and then analyzed. We recommend picking this option when merging partial extractions of the same device, such as when merging an Android physical dump with a physical extraction of its external SD card. In this case, investigators will be asked to drag the extraction icon to another extraction in order to add the files.

How can I merge?

Merging extractions is simple in Oxygen Forensic® Detective. Let’s break it down, step-by-step.

1. To start, select the extractions of interest from the list on the left. As soon as all the desired extractions are selected, right-click on one of them and select “Merge extractions” from the drop-down list.

2. A new window will open. There, investigators will be able to overview the extractions to merge, configure extraction settings, and name the merged extraction.

3. Click “Create a merged extraction” as soon as everything is set. A newly merged extraction will be added to Oxygen Forensic® Detective and become available from the list on the left. No changes will be made to the source extractions.

What are the restrictions?

  • While extraction of an SD card can be merged with any other extraction,  an Android extraction could only be merged with another Android extraction. The same restriction applies to extractions from iOS devices.
  • A merged extraction cannot be merged with any other extraction.
  • An already merged extraction cannot be unmerged. However, the source extraction remains unchanged in the list, even after the merge is complete.

Manually compiling extractions takes time. We are confident this feature will save our users a significant amount of time and work during their investigations. To try this feature, or another included in our latest update, download Oxygen Forensic® Detective v.14.0 or request a demo here.

Leave a Reply

Your email address will not be published. Required fields are marked *