Keith Lockhart, Director Of Training, Oxygen Forensics

Keith, since we interviewed you last June, what's new? What has been your biggest accomplishment as Oxygen Forensics' Director of Training over the past year?

It’s funny, at home we do “highs and lows” and while that’s usually a dinner time conversation with the kids, when I sit back and run the idea against my first year at Oxygen it is literally a rocket launch!

I’m a teacher by nature so I use analogies. It was a crazy rocket launch into space with a lot of unknown. Now, we have finally settled into an orbit of the Oxygen Training planet with massive new visibility into everything that is Oxygen Training.

There have been many accomplishments and milestones, but here are a few that bubble to the top:

1. Building a team. We have many balls in the air, but we’ve had some outstanding jugglers come on board with Amanda Mahan and Jessica Stevens – #theseO2ladiesrock
2. Training growth. A month or so ago, we had our first time period with training going on in four countries simultaneously. We are growing by leaps and bounds!
3. Our adaptability. The company-wide team efforts behind standing up our remote training capability have been a continuous accomplishment list toward the remote training milestone. (Very timely)


We see Oxygen highlighting a "completely rebuilt online training curriculum" on its website for the coming year. Can you tell us any more about what that will entail, when, and why?

Well, to be fair to the curriculum… ALL of it has been / is being rebuilt to support the version 12 world of our software, Oxygen Forensic® Detective. Kind of like the rocket analogy – upgrading from version 11 to 12 was a rocket launch experience… a nearly all-new interface and operations. We’ve now settled into the iterative release world where all the training courses can catch up.

Our flagship Boot Camp course is proving to be the de facto knowledge well for Detective, while at the same time preparing students to challenge the all-new certification process using v12 to work through data to provide the answers.

Relative to the “completely rebuilt online training curriculum”, online-based content will begin reappearing as we roll into Q2 of the year. Online content is by no means the replacement for actual training, but can be the best resource material available when you forget something from class six months ago. Expect to see content start reappearing, but now … as seen through the eyes of v12!

Oxygen currently offers seven instructor-led courses ranging from one to five days and covering a wide range of topics: mobile forensics, IoT, cloud, and drone forensics, among others. Will you be adding any new topics to the curriculum this year?

We’ve made some really positive steps forward in content above and beyond JUST Detective training or JUST mobile forensics, but more of how to provide the most comprehensive, 360-degree view of an investigation by leveraging all of the Oxygen Forensic® Detective technologies. We specialize in taking device extraction data, cloud-based data, computer artifacts and peripheral devices (drones / SIM cards / SD cards) to paint the best picture possible.

In short, I’m confident we’ll see more use-case based curriculum. It is the natural evolution of learning how the tool works… learning how to work “with” the tool.

What kind of feedback are you hearing from students about the training, and how are you incorporating it into your new and existing course offerings?

We evaluate every course for content relativity, instructor deliverability, etc. One of our more common comments is “I had no idea ‘the tool’ could do that!!” I’m paraphrasing, as students come up with many names for the product, but they are always amazed at the functionalities and capabilities of Oxygen Forensic® Detective. I am a big proponent of the “tool box” mentality. It’s great when customers can use and add more tools to their tool box!

What are the biggest challenges students have brought up in class over the past year? How is Oxygen addressing those specifically through its tools and training?

There are three constant challenges I want to discuss in this answer.

1. Budget. Many times, students can’t get money for travel or training. We address this problem with our remote training platform – no travel money needed.
2. Backlog. Many individuals and labs are behind the curve of so much data to process. Through technology and education we help get the right work in the correct hands – this is a huge backlog crusher.
3. Parity. The technology of our industry is always looking to be the better mousetrap. We proactively monitor our customer needs and routinely update our technology and training deliverables accordingly.

A good example of this is the recent industry acceptance of the checkra1n exploit. Oxygen Forensic® Detective was right in the mix with 12.2, and the OFD Boot Camp simultaneously integrated checkra1n education and lab work in the Oxygen Forensic® Boot Camp course.

What has been the most significant thing you learned over the past year at Oxygen?

“Same, but different.”

We exist in a niche industry – mobile forensics – an industry that is susceptible to many of the same challenges as its digital-forensics predecessor. Who was using the phone at the time of the crime? How do we properly obtain device data? How do we protect the integrity of that data? How do we innovate? Just about the time you think you have something figured out, the learning curve jumps up at you again…

It’s nothing specific about Oxygen Forensics that drives my answer, but the overall methodology and focus with which the company approaches our industry challenges.

Same challenges… but different (and better) approaches.

What do you like best about working for Oxygen?

Is it fair to repeat everything to this point?

Finally, tell us a little more about yourself personally. What do you enjoy doing in your spare time?

It’s a short list. The weather is warming; soon I’ll be able to cut the grass!


Latest Videos

Quantifying Data Volatility for IoT Forensics With Examples From Contiki OS

Forensic Focus 22nd June 2022 5:00 am

File timestamps are used by forensics practitioners as a fundamental artifact. For example, the creation of user files can show traces of user activity, while system files, like configuration and log files, typically reveal when a program was run.

Despite timestamps being ubiquitous, the understanding of their exact meaning is mostly overlooked in favor of fully-automated, correlation-based approaches. Existing work for practitioners aims at understanding Windows and is not directly applicable to Unix-like systems.

In this paper, we review how each layer of the software stack (kernel, file system, libraries, application) influences MACB timestamps on Unix systems such as Linux, OpenBSD, FreeBSD and macOS.

We examine how POSIX specifies the timestamp behavior and propose a framework for automatically profiling OS kernels, user mode libraries and applications, including compliance checks against POSIX.

Our implementation covers four different operating systems, the GIO and Qt library, as well as several user mode applications and is released as open-source.

Based on 187 compliance tests and automated profiling covering common file operations, we found multiple unexpected and non-compliant behaviors, both on common operations and in edge cases.

Furthermore, we provide tables summarizing timestamp behavior aimed to be used by practitioners as a quick-reference.

Learn more: https://dfrws.org/presentation/a-systematic-approach-to-understanding-macb-timestamps-on-unixlike-systems/
