Oxygen Forensics’ Lee Reiber on Keeping Pace in Digital Forensics

Christa: Increasingly mobile forensics isn’t just about devices. As the field diversifies to include cloud storage encryption and the internet of things, digital forensics evolution is only as good as the tools that can keep up. Today on the Forensic Focus podcast, we’re joined by Lee Reiber, chief operating officer at Oxygen Forensics, here to talk with us about many of those changes and more. I’m your host, Christa Miller, and welcome Lee.

Lee: Hello. Good to see you again, as always.

Christa: Yeah. So it’s been a few years since we last interviewed you, and even a year since you and I talked on your podcast. Tell us what’s changed for you since you came on board as COO, and what are you proudest of in particular?

Lee: Yeah, it’s been crazy. Time flies, I guess, when you’re having fun. I’ve been doing it for awhile on the mobile forensics side of it. And then also into computer forensics, but honestly, the growth that we have had in just the six years that I’ve been with Oxygen has been tremendous. And I think that what I’m really most proud of right now is we’ve become such a — kind of more, I wanted to make it family-type as a team. So we all fail. We all fail, we succeed, everything is together.

And so growing from just a few people to expanding our office to about 10,000 square feet just in Alexandria from just a little closet, just to make sure that one, we have the room, we have the people and continue to make them happy, because obviously, happy employees — especially during a lot of the things that have been going on for the last couple of years — is a good thing. Helps them be productive, allow them — and I think the growth at Oxygen has come from allowing people to grow themselves, not telling them what to do, but helping them to build the company as, again, a family.

Christa: So — give us some examples of how you’re doing that, because I think that’s something that a lot of listeners could really learn from in terms of not just as, if they’re managers, how to help their employees out, and then also as employees, what to look for if they’re looking for work.

Lee: Yeah. Yeah. And I think the important part, again, is making sure that someone feels as if they’re contributing, giving them the ability to come up with ideas, whether it’s their second day, their first day. I try to, when I explain to people that are, that are coming in or what I’m looking for in an employee, it’s really someone who can think for themselves, come up with some great ideas.

And then on the management side, making sure that manager understands that they’re not the chief. They’re not that, “This is what you need to do.” It’s more a collective thought process because when you allow people to feel as if they’re a part of the process, they should be.

And so in doing that, I want to make sure that I have those managers and the employees that want to do that, want to grow, want to see all of a sudden, “Hey, wow, this marketing idea that I came up with is now, I see it out in the world.” Or here’s this employee, or even our support guys say, “Hey, you know what? We get a lot of people with these requests. I really think that this would be really cool to have within the application.” And then all of a sudden it comes out.

It’s not just the funnel where they’re just doing their day to day job, but they’re actually innovating for the company, whether they be in marketing, support or on with the management.

Christa: So, yeah, I noticed that, reading through Oxygen’s six month checkup post a few months ago. That was something that stuck out, is just the amount that was listed in there. Do you think that it’s fair to say that all of that is the result of giving people that latitude?

Lee: Yeah, I think so. You know that things change so, so often, whether it be on the computer side, the mobile side, the cloud side — kind of keeping up with the Joneses. But I do think that really, we take a lot of the — even what our customers are looking for, what we see, and really trying to focus on how we’re always making the world a safer place by giving people tools that they can go in and immediately see the results of that.

So we put out no less than 12 major releases and other 12 minor releases. We’re talking in the twenties. Our training department does not like that just because they have to keep up with the materials.

But it really has to do with providing that service to our customers and giving them — and I’m super proud about that because examples that we have had of a customer who says, “Man, I have this case, this case involves X, Y, and Z. There’s really nothing other than, I go in and have to dive in and manually grab ahold of this, can you help me solve this problem when I need it?” And we’ve turned things around in two days and given them a build that allows them to do their job and obviously solve those types of crimes.

Christa: Yeah. So in that time, really within the last few years, and then even this year, in the timeframe of that six-month checkup post, what is the biggest change that you’ve seen in the industry? And concurrently, what do you regard as the company’s biggest accomplishment this year?

Lee: I use the full ecosystem because we would have — I think that the issue is really, I I’ve seen it throughout my career, is the modular approach, where say I’m a [inaudible] investigator and I’m doing forensics. Or I go to a scene and I have, say, a mobile device, and I have, say, a computer, or I have to deal with a cloud service, them being there and going, “Oh, crap, I’m not able to support that because I have to go back to the lab, or I have to go and get it. I don’t have that ability.”

So really what I wanted to do, was really focus on the full ecosystem so that someone would be on scene, they’re able to go in and process and extract a mobile device, be able to go in to a computer, extract the computer artifacts from that, be able to then take that information, extract information from the cloud service, all within the application — and really trying to bring that and the ability to not just silo things and say, well, so no, you have to go in and you have to have that. I want to have everything and all the tools available to someone when they’re there and they need it, instead of someone [saying] “Oh, you know what, I’m only going to be able to use this part of the puzzle. I can’t get that whole collective view of the information.”

Christa: So would you say that that’s one of the biggest challenges for customers right now is just that, being able to get what they’re looking for when they need it?

Lee: Well, I think that’s not necessarily the customer, I mean, the whole — if you look at the digital landscape, the information that might be on a cloud service versus on a mobile device versus, say, on a computer, it might be some of the same data, the way that everything talks to each other.

But you have different, there’s a lot of different artifacts from the same applications that you might have on a cloud service on the mobile device, the same one, and so being able to get that entire picture — that, to me, is one of our biggest innovations because now they’re able to go in and even merge all that information together, find the differences within, say, that cloud backup versus that mobile device or on a computer.

And it has always been a challenge, because it was “Okay, well, I’ve got to wait until the computer — till I get some of those artifacts back from the investigator who’s doing those. And now I have to go and wait for someone who’s doing the mobile devices, and then I’ve been asked to put them together.” And so now, I think, coming down to the time aspect of that, being able to have that actionable intelligence is key.

Christa: That’s a challenge though, to me. You’re mentioning cloud-based data. A lot of cloud-based data is located in other countries at this point. And so it seems like there’s that tension between getting the information when they need it, versus those broader legal challenges. How does Oxygen in particular, and tool vendors, counsel their customers on how to use their tools within those restrictions?

Lee: Yeah. Use your powers for good, right? So, that’s very, very important to understand. And we talk about that within our training, and helping [trainees] understand because that’s always — and it’s always a gray area, but what’s interesting, I’ve been talking about it for years, is that, especially law enforcement obtaining a search warrant for a mobile device.

Okay, that’s fantastic. I understand that. But also, why aren’t we explaining or educating the prosecutors, the judges, that that information is transactional, right? That the data that’s on this mobile device is stored somewhere on another computer. It can be stored in multiple places, right. Microsoft — you can have it in Singapore, you can have it in Seattle, and your data is in different areas.

And so I think it comes down to the education lines of really, who owns that data. And every terms and conditions, if you look at every application, it specifically states the data is owned by the user. So if they own that data, even if it’s on a cloud service, if they have that information, they have a mobile device, why aren’t we trying to obtain the legal document, the search warrant, with the mobile device, as well as that transactional data in the cloud, simultaneously?

So I think it really is an education. Well, it comes down to, no one wants to be that person that is listed within case law — bad case law. And so I think it really comes down to that, but it all is about educating those people who are making the decisions. It would be, the prosecutor’s going to explain that to the judge, the judge who has to understand the additional issues that you have.

You’re not going to say, “Hey, I’m going to send this, I have to send this memorandum of understanding, I’m going to try to get all this, anything with someone in Latvia.” Yeah. You’re never going to hear from them. So, you know, understanding that information and how it is active to that mobile device that you might have, or that you might not have. It’s just part of the data and really who owns it.

Christa: Yeah. It’s I’ve been talking on a different project to some prosecutors who reflect it’s really about the relationships that they have, because they really do rely on their forensic examiners as their expert witnesses to help them understand, but in turn, they also need be able to understand, to guide the digital forensics examiners and the investigators on what they need to be doing, again, within the confines of law that really isn’t catching up.

Lee: Yeah. A hundred percent agree. And again, as part of our training courses — because we do have, and we do talk about cloud, and how important that is to an investigation — so again, you have to understand, what are the legal grounds? How do we go about that? And again, it all comes down to helping to educate not just the examiner who’s in the class, but really to go in and bring in prosecutors or judges.

Christa: So I’m going to jump over. On that note of technology that’s rapidly advancing past whatever the law covers, or adapting the law to fit, Oxygen Forensics introduced Ring doorbell data acquisition this year. And I wanted to hear from you more about IoT, internet of things, the topic you’ve covered, certainly extensively at conferences. Data volumes, and the backlogs are already massive. So how will or won’t IoT add to this and how do tools like Oxygen Forensic Detective helped them manage?

Lee: Yeah. It already has obviously added to, not just the backlog of data, but I think is the investigation, if people start thinking — and just a side story, so when we started supporting Ring, it was great. I’m like, “Hey, yeah, so I think it’s really important that we do this.” And the developers said, “Hey, we already have a roadmap and it’s fantastic.” So to get the data, we have one at the office that’s at our door. And so it’s funny, if you look at some of our marketing materials, you actually see some of our employees that are just walking in on that.

So it’s good to have, but to go to the IoT and that information, Alexa, or Amazon, just now has that robot, and it’s kind of freaky because obviously it’s a camera that just rolls around your house. You can turn on the mic, do anything else, but everyone knows that say Google Home or even Alexa, and all of those are always actively listening. I mean, they’re always on, because they’re waiting to hear the wake word. And so if they’re always on, it’s an open mic.

I think the bigger issue than the forensics side of it is actually the infiltration into your home networks. If you remember back in the day, everybody still covers their webcams. You see people that have that because of the access that we had, but on a forensic side of it, it’s extremely important to understand. If I’m going to go in and — say, for law enforcement side of it — if I’m going to go into a house and I’m looking for things that might help me solve the crime, the first thing I’m gonna look at is cameras. Where are the cameras, did they have a Ring doorbell? Did they have a Ring spotlight? Any of these — Arlo — did they have these cameras set up?

Because if they have them, I mean, that’s fantastic. That’s great information. Did they have Alexas? Did they have all of this information? Were they wearing a watch? Because the wearables, everything that’s there, even if you don’t have a mobile device, even if you don’t have the video camera running, you have all of these other pieces of the pie.

And that’s what I was talking about. The collective examination. Because if you take, say, if you have a mobile device and you have a wearable and you have this Ring camera, you can place that person — even if you’re not able to see them — you can place them outside. You might see a shadow, but the wearable or their mobile device, their location information puts them there.

But does it increase the workload? Yes. It increases the workload if you want to do it correctly. I’m always on kind of a soapbox of, you have to do it correctly. You don’t just, “Here you go, push it,” and it’s down and here’s all the data, because there’s a lot of information that people don’t utilize because it might be too much work.

So at Oxygen, what we really try to do is we allow to bring all this information in, whether it be IoT devices, whether it be cloud services, mobile devices, computers, you can bring all of this inside of it. And what we do is, utilizing timelines, utilizing social graph — which now shows those common contacts between all multiple devices — location information, you can vary it down to when the time occurred or when multiple times, or should say the events occurred, so that you can really take all of — I mean, terabytes of data, take it down to megabytes of data that you’re now looking at, because that’s really what you’re pinpointing in to.

So we understand that there’s so many devices out there that contain so much information and it becomes overwhelming. So what we want to do with our tools is really allow the investigator to pinpoint that time that they’re looking at, by utilizing all of the filters that we include within our software.

Christa: Yeah. I guess that’s what I was wondering. Cause I know that the concept of proportionality is a little more of a thing, I think, in the UK and EU justice systems than it is in the US. I think in the US it’s a little more focused on e-discovery. And I wondered if those lessons learned from those other jurisdictions had kind of made its way into the Oxygen products to the extent that it was helping investigators that may not be as focused on proportionality as a matter of course.

Lee: Yeah. Yeah, we really do. We take that and we allow it to really come down to — because understanding is it’s still, too, only 1% of scope. What’s in scope is the scope of the warrant. I’m not able to do this, say HIPAA, that you have all these different items. And we take that into consideration, not just the amount of data, but obviously the data that you’re able to look at. So it’d be able to take and really filter that information, and we could even go in and filter out that and export that data. So that whoever’s going to be viewing that information has only access to what you’ve given to them. So again, that’s important as well.

Christa: So I wanted to ask also specifically about another feature that that I know that Oxygen Forensic Detective has, which is facial recognition. I know that that’s controversial on a number of levels for law enforcement. What is the feedback that you’re getting from your users about this feature and their needs for it?

Lee: Yeah, it’s really good. And so I refer to it really as categorization, because we have image categorization and we have facial categorization. And what it really allows you to do is, again, whittle down all that information. I’m able to go in and if there’s — an investigation is usually looking for someone who has done something. And so that someone, if you’re able to take that someone, and you have an image of that someone, you’re able to now categorize that and find all of the images that this someone is involved in.

So that, again, it takes down that time instead of just going through and looking and trying to, “Okay, I think that that’s okay, that’s mine.” We’re not here.

The reason why I don’t use “recognition” a lot is because you have to go to classes to really say, yes, that is this person, here’s the eyes, you have all that. What we like to do and what we use or what that tool is utilized for, again, is to whittle down that investigation, to identify the images, and then also say: “Wow, this guy” — or the person that we are doing the investigation — “Wow. I didn’t know that they knew this person. They’re in the picture together.” So now you can go in and further your investigation.

Again, it’s just an investigative tool that allows you to go in and, and continue, or even follow up on additional information. And so it’s not so much as any — and this is how I explain to people who say, whoa, you have to step back — Well, okay. So do you have an Android? Yeah, I have an Android. Okay. Do you use Google Photos? Oh yeah, I use Google Photos. Isn’t that fun? How it puts all of your contacts together and it has all the pictures in it, you know? Or do you have Facebook? Oh yeah. Boy, it identifies all these people.

So if you’re — and that’s not even for investigative purposes, that’s just, hey, ease of use and people are fine with that — but if law enforcement is, or this is within a tool, people [are] like, “Well, I don’t, you know what, you’re using this to identify people and you’re going to identify the wrong person.” No. You have to go, and there’s a lot of classes that people have to go to if they’re going to go in and take — “I have thousands of pictures, and here, I’m going to upload this picture, and you tell me who this is.” That’s not what our software is really. It’s, again, it’s a collective analysis and to categorize those images.

Christa: So it’s creating the lead. It’s not leading to the charge necessarily.

Lee: Exactly. And I think that, again, bad cases — at least, a bad case law where the one that really kind of obviously blew it up was like, “Hey, I uploaded this into this huge database and this is the person.” And then they just go and arrest this person based upon that information. And obviously that’s that’s not going to be how our tools [inaudible].

Christa: So we’re coming to the close of the the end of the year here. What should we expect from Oxygen forensics coming in 2022? Just kind of following on all of these different accomplishments and new features?

Lee: Yeah, yeah, yeah. So right now we have a huge promotion going on there, but we have slated at least another two major releases of Oxygen Forensic Detective with some fantastic support for iOS. Obviously they keep changing and bringing things out and a lot of people are scared about [version] 15, no need.

So working on that, really trying to up our game on computer artifacts. I don’t like to call what we do “computer forensics.” There’s great companies that do computer forensics, but we do targeted extractions with our KeyScout that allows us to enter in the information that we’re looking for, whether it’s a third-party app — Telegram, Skype, any type of communication that you might have on there — as well as passwords. Anything that we can get off the computer, again, to make sure that we do a collective analysis.

And we’re really, really ramping and we had some crazy release just in 14.0, 14.1 is going to have even more with the computer artifacts, as well as bringing in a lot of our password attacks. So we’re taking the passwords, we’re able to get into a lot of locked containers on a mobile device, even on computer storage, as well as bringing in a lot of bypasses for the Android devices.

So still there’s, every time we put these things out, again, training is upset because there’s so much they have to change, but I’m amazed at the hard work, especially our dev team puts into putting out the product, and come at the beginning of the year as a teaser, there’s some crazy things that we’re bringing. So, super excited.

Christa: Looking forward to seeing more about that.

Lee: Yeah.

Christa: All right. Well, Lee, thank you again for joining us on the Forensic Focus podcast.

Lee: Oh, it’s my pleasure as always.

Christa: All right. Thanks also to our listeners. You’ll be able to find this recording and transcription along with more articles, information and forums at www.forensicfocus.com. If there are topics you’d like us to cover, or you’d like to suggest someone for us to interview, please let us know.

Leave a Comment