- Mobile Forensics Cookbook
- Igor Mikhaylov
- 2021-07-02 21:48:05
How to do it…
- In the Oxygen Forensic program, click on the Connect device button that is located on the toolbar. It will start Oxygen Forensic Extractor.

Main window of Oxygen Forensic Extractor
- Click on Device Acquisition. The program will automatically search for the connected device. If the program detects it, then its properties will be shown in the program window. If the device was not detected, you can use the Manual device connection and Automatic connection setting options in order to try to connect the examined device manually.

The Oxygen Forensic Extractor window with information about a connected device
- Click on the Next button. In the next window, you need to fill in the details of the case, such as Device alias, Case number, Evidence number, Place, Incident number, Inspector, Device owner, Owner email, and so on.
- Do not tick the Parse applications databases and collect data for analytical sections ... and Search and recover deleted data ... options as these actions will take additional time.

The Oxygen Forensic Extractor window with the case information and extraction options
- Click on the Next button. In the next window, you will be asked to select the data extraction mode.
- In Default mode, the program will attempt to perform the following actions sequentially:
  1. Gaining access to the root of the device. If the root access is gained, the program will go to step 2. Otherwise, it will go to step 3.
  2. Making a physical dump. If this step is successfully completed, then the program will finish its work. Otherwise, the program will go to step 3.
  3. Backup creation. If this step is successfully completed, then the program will finish its work. Otherwise, the program will go to step 4.
  4. Logical extraction from the device. Step 4 is available only for the devices running Android 4.0 or higher.

The Oxygen Forensic Extractor window with the options of modes of Android device data extraction
- In Advanced mode, the program prompts you to select the data extraction method. Tick the method you want to use and click on the Next button. Here, we tick Physical dump and Allow rooting and then click on the Next button.

- The program will prompt you to check the entered data once again by displaying it in the window. If all the data is correct, click on the Extract button. The process of creating the physical dump will start.
- When the extraction is finished, the created case can be opened in the Oxygen Forensic program.
- If you click on the Device Information section of the case opened in Oxygen Forensic, you will find information about the created physical dump in the Device Extended Information section of the window that opens. The mmcblk0 file is the physical dump of the Android device. The mmcblk1 file is the image of the memory card installed on this Android device.

A fragment of the window section Device Information
- If you double-click on a file name (mmcblk0 or mmcblk1), then Explorer opens the folder with this file.