The following transcript was generated by AI and may contain inaccuracies.
Desi: If you enjoy listening to the Forensic Focus podcast, welcome. Si and Desi here to talk to you with Keith from Oxygen, and we’ll get into that in a second. But if you want to listen to our podcast and not watch it on YouTube or our website, you can get your podcast from anywhere you get your good podcasts from—like Spotify, Apple Music. Google has now changed, so I don’t think they have a podcast service anymore, but I use Pocket Casts, so I know you can get Forensic Focus from Pocket Casts.
If you go to our website, we’ve got links for all of those shows as well on where to subscribe. But this week we have Keith from Oxygen. We were just talking about the nice cold weather that’s rolling in for them while Australia’s got a balmy summer coming in, and he’s drinking a nice warm cup of coffee. But welcome, Keith.
Keith: Yeah, it’s two in the afternoon and to stay warm, I’m still drinking coffee.
Si: Yeah, I just have a radiator by my side, clinging to it out of desperation.
Keith: It’s kind of a time paradox because if you’re listening, you say that you’re watching the podcast already, right? If you want to come see us after you’re seeing us now, I feel like I’m stuck in a loop.
Desi: Yeah.
Si: It’s just, if you’re listening to this podcast, we also have video content. There you go—the Forensic Focus podcast. Excellent. Not that you particularly want to look at me. Desi’s good looking. Keith’s fabulous.
Desi: I just have interesting Lego backgrounds and a dog.
Si: Anyway, sorry, back to the thing that we’re actually here to do. Keith, thank you for coming back. Welcome back. Lovely to have you again from Oxygen. We have a wonderfully longstanding relationship with Oxygen.
Keith: I’ll do it because I just said I was dying to talk to you since you’d gone to the XIB course. Let me go back in history. The last time we did a podcast, I was in a room where I was just packing up some XIB kits. I don’t know why we talked about that, but I went and got one and threw it on camera. And then ironically, six or eight months later, you were able to attend that course—you did it from afar.
Si: Yeah, I did it from upstairs in Oxford. The time zone didn’t actually work out too badly. I started about two o’clock in the afternoon and finished probably about nine. The thing I need to learn to do when I’m doing remote classes like this is to give myself the opportunity not to do half a day’s work beforehand. That’s my real mistake. I start as I normally start, work half a day, and then try to do the course. I need to stop doing that.
But it was absolutely fantastic. There is a review of it on the Forensic Focus website, and at some point you’re probably going to want your kit back because I still have it. So if you’re missing a box, I’ve got it.
Keith: That’s so funny. We counted them up the other day. I thought, maybe so-and-so has one, and I didn’t even think about yours.
Si: We tried to arrange for it to come back. I think if it’s coming back from the US to a US site, you can arrange it over FedEx.
Keith: Interestingly, if I’m in North America, we can print a return label and just put it in the kit so the student can ship it home. Internationally, they can’t make return labels. So I will get a DHL label sent to you.
Si: Thank you. I’ll just slap it on. We started the process and I went onto the website and tried to put in the stuff and they said, “You are not in North America. You can’t do this.” So I put up a VPN and went there, and it still said, “Your address is not North America, so you still can’t do this.” Nice try.
Keith: Yes, exactly.
Si: I did let you know, and then it went quiet and I’d forgotten about it. But now we’re talking about it. I have the kit behind me. It’s an amazing thing because it’s a hands-on class. It’s all very well to talk about remote training if you’re talking about theory. It’s one thing to talk about remote training if you’re talking about software, because you can share a screen and do this stuff. It’s a very different concept to say, “Here’s a phone. You plug it in like this, you take the back off it, and you short these pins.”
I’ve got the tweezers out and pins on the back, and it was amazingly immersive still. It was a fantastic job. Ryan Ebersole did an amazing job of keeping me and a live class who were in the same classroom going at the same rate and pace. It was great fun, and I learned a lot.
One of the things—I do mobile phone analysis, I don’t do mobile phone extraction because I realize what a pain it is. You try to do it and it doesn’t work, doesn’t work, doesn’t work, then it does work and you don’t know what you’ve done differently. But all of a sudden you’ve got a valid capture. Then you try to do it again and it doesn’t work. I actually learned part of the reason is because some of these exploits are waiting, or randomly hitting bits of RAM for a buffer overflow that isn’t 100% guaranteed to happen. So that’s why you’re not getting that constant guaranteed take on it, which is really good to learn.
Keith: Hey, try again. Go again. Or you’ve set it for a number of retries. For sure, you are a poster conversation for that type of work—”Oh, it worked and it didn’t work, and then it worked and it didn’t work.” Once you get it, I’m out. Come back tomorrow, that’s nothing.
Si: That’s it. You don’t touch anything. Stop breathing on the way out of the room. It was really good fun. I wrote it up in the review as well. It’s fascinating because Oxygen is actually so powerful as a tool that you can do multiple extractions at the same time, so long as you’ve got a USB hub and enough cables to do it. My only criticism, and this isn’t a criticism really, is that because it’s so intensive and some of the stuff runs for some time, perhaps a way of speeding it up is to send out a USB hub with it and a few extra cables so we can run some stuff in parallel. But that’s such a small detail.
Desi: I was just going to say, Si just wants it to be exactly like a job where you’re rushed and trying to do 50 devices at once. “We need it yesterday.” This is why you need your half day off first, so you’re not going into a training course like it’s work.
Keith: The XIB used to go in a little cardboard box with four phones in it. Then Ryan one day said, “These boxes are okay, but we need to step up the game.” He made one of those, had a little engraved logo on it. He opened it up and I thought, “Oh, this is going to be fun.” Now it has eight phones in it and we’re trying to jam more in, cutting those foam pieces. That’s not for the weak at heart. But it’s certainly a cool box, and it just grows and grows.
Desi: That sounds like such a really awesome setup.
Si: It’s literally here waiting to go out.
Keith: This is full circle from when I brought one onto the screen. And now Simon probably has the same one.
Desi: This is where if people are listening to our podcast, jump on YouTube or our Forensic Focus website. You’ve got to see this. We’re about probably seven minutes in by the time some editing happens.
Si: Proper Pelican case there. I did just drop everything out because I have—oh good, dropped properly, but that’s a different conversation. There’s one, two—
Desi: These are phones that size he’s holding up.
Si: Just spread out like a handful of cards. There’s another four there. Look at that. It’s like Christmas for a geek. This is truly Christmas. My favourite one of the lot though is this flip phone. I miss flip phones. They were so cool.
Keith: Hey, an iOS device—you never know when you’re going to run into one.
Si: Yeah. I got to see a whole bunch of stuff that I hadn’t experienced before. We all do Android, we all do iOS frequently—come across them frequently. But actually some of the more arcane things were really good to get hands on with. And there’s a cable and a charger, and a couple of USB things.
Keith: SD card, tweezers. Yeah, it’s great. As the guy who packs those before they go out the door, I know it intimately.
Si: So yeah, I have that for you and you’re welcome to it back. I also have a bundle of other things. The class finished, I went to my drawer—because I don’t own an Oxygen license at the moment. I have previously, but I don’t at the moment because I don’t do phones often enough. But my trial license lasted for two weeks and the course was three days long. So of course I went off to my junk drawer and pulled out every phone I could find to see what was there. I’d forgotten I’d taken these photos. Brilliant. Recovered some stuff off something from years ago. I love it. It was really good—really great class, really enjoyed it, and I learned a lot. Brilliant fun. Thank you.
Keith: Good job. When our marketing folks were like, “Hey, do you want to do a podcast?” I said, “Who’s doing it?” Not that I would have said no, but I said, “Oh yeah, that’ll be great. Let’s do this topic.” It’s funny that we opened this conversation talking about collection, device collection, and the evolution of that. Because everything you just talked about—the trials and tribulations of locally doing it, the things you’d have available, issues you might run across—it’s a whole different world when we talk about doing it from afar. I can’t wait to have that conversation.
Si: Yeah, I mean, remote collection is an interesting one because obviously there are different aspects to remote collection. There is the corporate side of things whereby you are in control. You own every device, or at least you have the authority to go and say, “I’m going to install something on every device and collect.” There’s the other side of things which is the entirely surreptitious, slightly dodgy—we’ll just go “intelligence services” kind of stuff—whereby you don’t have access to the device. You don’t really have permission other than your court warrant. You back-load something onto it and then you recover it.
And then there’s an interesting middle ground that we’re starting to see now. We have criminal cases whereby instead of a complainant or a victim handing over their phone, they’re contacted by the police and an agent is put to them and they allow a download from their phone without having to send somebody out to the field to do it. That’s an interesting use case—that’s my understanding of where we’re at in the industry at the moment.
Keith: That’s a fantastic use case. It involves a lot of the bullet points in the conversation today, so that’s a good one to start with. I submitted some topics to talk about this, and the first one was because it’ll set the stage: what’s the buzz about this right now? I would have thought from COVID, this would have become a much more hot topic because you couldn’t travel, you couldn’t get on a plane.
Si: I’m going to interrupt you very briefly. One thing you also included in this forensic kit, this XIB that you sent me, was so much COVID wipes, hand sanitiser—
Keith: There’s a PPE kit in there with a mask and gloves and a wipe for every phone. Because this was born from COVID—the XIB kit was born from COVID. You couldn’t come into a class because this is hands-on. You need to come to a classroom. So we said, “We’ll just send the classroom to you.” We started including the PPE kits and I still do it.
Si: Carry on, sorry.
Keith: I’m glad you mentioned that. So yeah, I just thought that was the time when technology started being used for what technology could do, like we’re doing right now. Everybody went to Zoom and Teams and all that stuff—we’d been doing Skype before that, but it just took off so wildly. We just did our user conference in Florida in October, and I have to mention Rob Free because he came there and talked about remote collection. When he talks to people, they’re like, “Oh, really?” That sparked tons of conversation about this that I wasn’t expecting.
I do a thing called a Tech Bite every few weeks or so—like 15 minutes. I did it on remote stuff because it ends up being a popular topic. But the conversations that come out of that and the people in the hall going, “Oh yeah, what about this?”—I’m like, “Geez.” There are vendors moving away from this right now, and I don’t understand why. When we talk about the savings in time and money and downtime of people, and the reasons why you’d want to do this—there’s a huge gain, a lot of value add to this.
Especially in a world where, in a corporate world, devices are managed through MDM, they’re work devices, so there’s implied consent. It’s not like I’m trying to break into your phone—I’m going to collect data from it. You work here, you want to keep your job. I mean, not that bad, but of course you’re going to consent to that. I don’t need to break credentials or things like that to do it. There’s a lot of interesting use cases coming out about this. When people realise they can save the money, that’s huge motivation—and not introduce downtime into an environment.
If you look at the industry—and I’ll just play myself as an old person—I got into the forensic world in 1999. It took me a long time to swallow the pill of, “Oh no, got to collect the entire drive all the time—absolute zero to absolute infinity sectors.” Somebody else sorted it out. “Now I don’t want to miss any victims.” There are a hundred reasons why I don’t want to do that. Then one day, whether things got too big or I just didn’t have enough time, just swallow the pill and target collect things—collect things relevant to the case.
Or when eDiscovery became such a big thing: “Hey, here’s some litigation coming. Simon, don’t delete your mail from June of this year, because those are the regulations of the litigation—or the mail between you and me or whatever.” You just can’t go get everything anymore, all the time. You don’t have the space or the time or the storage or the retention, and you’ve got to collect. It’s not necessarily a triage world, but go after what you’re after. I’ve swallowed that pill myself, so it makes it a lot easier to talk through remote.
We can put an agent on a machine and all the way up to gather a full drive image if you want to. There are places—my heart aches for them—where it’s their policy that they have to get an E01 or a DD or whatever file type. But they’ve got to get the whole drive. If you really want to pull that over the network, oh my gosh, pack a lunch. But that’s what they have to do, and they’re like, “Well, it’s kind of a deal breaker for us.” I’m like, “Here’s a smaller pill.”
When you go to the ROI world and what resources are you saving—the first one’s just the time you spend doing it. Unless you’re billing by the hour—that’s fantastic. “Oh yeah, I’ll collect all those machines for you.” So let’s make our workstation footprint a 60-gig drive with Linux and keep it as small as we can possibly make it. But it’s the human hours spent doing it that’s one aspect.
Then even the human hours of, “Hey, I’ve got to leave my office here, drive to the airport, get on a plane, get delayed, fly everywhere.” Then the time to collect—you get on site and you’re like, “I’ll go pack a lunch or go golf or do whatever and come back when it’s done.” I think the other biggest time factor is downtime for people.
When I came to Oxygen in 2019, my predecessor Brian Hill—we did a great webinar on this. We didn’t have remote collection technology then, but we had an agent that you could put on a USB and stick on the phone and collect back to the USB whatever data you’re after at that point. Rather than take all these people’s phones out of the field—I think it was a farming thing with a bunch of people out in the fields and tractors. He said, “Yeah, I just sent out USBs, got them all in a meeting, showed them how to use it. They collected the data and sent the USBs back.”
Think about that. If I even tried to say, “Okay, I’m going to send you this box. I want you to put that phone in there and ship it back to me”—that’s instant revolt for most people. My daughter would jump out her window and break her leg if I said, “Hey, give me your phone because you’re in trouble.” It’s almost earth-shattering. That’ll never happen without a fist fight. If you’re trying to take somebody’s phone because there are places that are bring-your-own-device—”Use your own device. I don’t care, but I need this information from it”—the downtime, you just can’t afford it.
It’s like the old days of writing off the bank robbery because we don’t want the world to know we got robbed and we can’t afford to shut the bank down. Pick a scenario like that. The downtime of people and work lost is huge in a time capacity. Then, what’s the cost of shipping stuff? Oh my gosh. Insure stuff. It got lost—think of all the issues around that.
Or the travel—my gosh, I was travelling three weeks ago and we had the government shutdown going on here and my trip went through Chicago, and I didn’t make my connection. I’m in the airplane and I get the notification on the app, “Oh, your connection just left.” I’m like, “That’s fantastic, because I’m taxiing to the gate in my plane.” Travel by itself is a pain.
But then you can flip that coin over and talk about the availability of frequency to do this. When you talk about use cases, it’s like, “What if I’m doing computers and I want to check a baseline every night? Every night at midnight, I’m going to grab these things, and if there’s a deviation, I’ve got a problem.” Not necessarily like live incident response, but I can check against what’s supposed to be there with regularity or a super high frequency if there’s a problem going on. Because you can automate stuff like that, which is really cool. Where I could travel once a month to do something like that, I can do it five nights a week if I really need to because I can do it remotely. There are some differences between workstations and devices, but those kinds of things.
Our website has a public sector and an enterprise section. On the enterprise one, we built an ROI calculator. There are four or five sliders on it—like, how many devices a year do you do? What’s the rate you could charge per hour? How many hours does it take on average to do your device? How much travel do you budget for this? As you slide these things across, you think, “Wow, look at the money we’re spending that we might not spend by taking these factors out.” It’s astounding. It’s like Amazon when you shop with those little filter buttons and you just sit back and go, “Why haven’t I done this? Why aren’t we doing this?”—if the situation’s relevant.
Si: I completely understand. A few years back, one of the jobs I made the most money on—I had to fly from the UK into Zimbabwe, into Harare. You can’t fly direct from the UK to Zimbabwe, so I had to go via South Africa.
Keith: Joburg to do it. Right, through Joburg.
Si: Into Harare. I was in the air for more time than I was on the ground because I was just imaging a single laptop—did a laptop, got on a plane, and came home again to look at it. If I could have done a remote collection on that—admittedly it would have taken about a week in terms of the collection because the network is terrible—but it would have been a lot easier than actually doing the rest of that journey.
Keith: Then you don’t have to explain to accounting why your hotel bill was three million dollars. The food you bought was a thousand dollars for a loaf of bread. That’s a trip to be sure. But that’s exactly a great use case—ROI savings. The key there: you were in the air longer than it took to do the actual collection.
Desi: It’s amazing.
Keith: Was that a phone or a computer?
Si: That was a computer—a laptop.
Keith: Okay.
Si: I imaged it in my—I took it out of the office, went into my hotel room, it sat overnight, imaged over 12 hours, and basically I packed up and got on the plane the next day.
Keith: Then you’re getting it out. So let’s take the computer idea and put an agent on it—or a client, or whatever you want to call it—an applet that can do your bidding. You get it connected, and it’s really cool. Speaking from my experience with my tools, I can interrogate the machine. I can just get a file list of the machine—show me everything that’s on there—and maybe do a couple of searches for something proprietary and realise if I have to go through the hassle. It’s kind of a triage move. Or I can literally mount the file system and start navigating through like a Windows Explorer environment. Maybe I know exactly what I want and I’m just going to navigate right to that location, grab that folder, put it into a container and bring it back without doing the whole thing—having swallowed the targeted collection pill.
Si: It’s fascinating because I started my career as a Unix systems administrator. Unix, unlike Windows—remote access to a machine was normal. I would log into machines remotely, wander around them, mount their file systems remotely, just as part of the normal administrative process. The other thing you mentioned that triggered me—we used to have a tool called Tripwire. It just took an index of hashes of key files, and then once a day, or whatever your schedule was, you’d run a comparison against the hash of the file as it is now versus the hash that you’ve got stored somewhere. Do that basic check of, has somebody corrupted my files? If a virus has installed itself, then the hash has changed.
The concepts have been around in the industry for—I’m getting on a bit—30 years plus for remote administration, and Tripwire is not exactly a new tool. The fact that the Windows world is finally catching up—and I mean Macs are Unix now anyway, so it’s not so bad—and that we can now do it remotely to Android, which is Linux, and iOS, which is Unix. I think perhaps we’re just coming round to the fact that everybody prefers Unix.
Keith: It’s interesting—from a workstation perspective, we do Windows, Mac, and Linux from a targeted collection component, and there is a list of applications relative to each operating system. But look, even beyond that—that’s targeted—but if the play calls for it, you can grab memory and pull that back across the wire. I mean, it’s not like—to the extent of, “What processes are running in this? Separate these out for me so I can maybe identify something bad.” And again, all the way to the fact that if you’ve got to get that entire drive, have a blast with that. But from a file list all the way down to a complete drive image, that’s pretty versatile—not having to get on that plane and go through Joburg.
Si: That’s a great example. You said you can do memory as well. You can grab memory at a given point and a full disk image. But this is on the live machine, right? So you’re talking about a disk image that’s changing constantly as you’re imaging it.
Keith: Get it as it was—get it as stacked in there. Yeah.
Si: So that’s well managed within Oxygen, I take it?
Keith: Yeah, within the agent. So that—I mean, that’s a workstation world. But then we have devices and it’s crazy because we have people that only do workstations. I’m like, “Come on, you’ve got something that does it already.” “No, no, we just want it for that. Ready to learn about phone?” “Nope, don’t even care.” I’m like, “Okay.” That strikes me as crazy.
When we get into devices, here’s the oddity to this. Think about what you were doing or what you did in class, Simon. You were doing local collection—you just happened to be clear across the ocean from where the class was occurring. I could still get an agent on a phone in your shop there and connect it back to me here in Utah. Or I could get a workstation configured to be a collection machine for me and say, “Simon, I need your friendly hands”—I made that term up, we use it around here—”I need your friendly hands to hook up that device for me, Simon.” And we could be just like this, ready to go.
Or it’s an Android and you don’t know how to get it into ADB mode—hold it up, let me show you. Tap, tap, tap, tap, do this, go down here, turn on debugging. Now hook it up and I’ll see it in my console. I’ll issue a license to it and I’ll say, “Okay, you can just watch on the screen—watch me do my thing.” I’ll send a profile to collect from it. Though you are hooking it up locally, I am collecting all the data back to Utah. That is a local collection that’s coming remote to get the data home and be analysed somewhere else. Kind of funny, but there’s an option.
Didn’t you ask about remote? Remote because we’ve got agents. We can hook a device up to a cable, but we can also put an over-the-air agent on a device that connects on the airwaves—cellular or WiFi.
Si: That’s quite new, isn’t it? Yeah, that’s quite new. Because I remember we talked—I have talked with Oxygen about this previously, and we were still at the stage of, “Yes, you can have a remote collection, but you need a laptop at the site and you plug in and you do all of the usual stuff.” But now we’re at this agented, over-the-air collection for both iOS—I mean, for Apple—and Android.
Keith: Yeah, my top one was Croatia, but I just topped it about two weeks ago getting one from India. I’m like, “This is so cool that I’m pulling them back to Utah.” With over-the-air from cellular, WiFi—that’s amazing. Flipping awesome. Granted, it’s still a consent game. This isn’t like we’re going to surreptitiously steal all your stuff. It still pops up on the screen: “Hey, click okay to this.” Or the agent has the ability to say, “Okay, you want to add some files of your own? Go ahead and navigate and add those into the collection as well,” because you’ve got things that the agent can’t get by itself. There’s a lot of flexibility despite being over the air.
Desi: I was just going to ask, because you touched on when you go to organisations and they’ve got the workstations kind of sorted out with remote collection—why do you think they’re less inclined to move towards devices and phones? I have an idea of why I think, but I’d be interested from your experience.
Keith: Well, what’s your idea? And I’ll see if it drives a response.
Desi: My thinking is that everything you’re talking about gels with incident response in terms of taking a triage image. Organisations aren’t thinking about the insider threat or trying to take information from devices to look for fraud or if there’s a legal case. They’re just thinking from an external perspective—what if an attacker gets onto my endpoints? There are possibly no cases really where an attacker has gotten onto a phone and then compromised the network that are publicised, at least that I know of that I could reference. So in my mind, when organisations think about what they’re going to invest in, they’re not investing in that because there’s no risk sitting in their mind where they’re going, “I have to worry about this.” No imminent threat.
Keith: That could very well be. It’s interesting because—let’s talk about some of the use cases. In a service provider world, if I was your service provider and you call up and say, “Hey, I’ve got this phone, I have to get data collected from. I don’t know how to do it. I pay you to do it.” I’ll say, “That’s right, Simon. Hey, you know that machine we’ve got configured in your office? Go back to that one.” That’s because we’ve done this a while and we’ve navigated the challenges.
Think about this—this is going over a network. There’s connectivity that has to be established. I bring the service provider model up easily in this because some, as soon as a call comes in, are like, “Oh, I can do that, no problem,” and then they’re calling saying, “Hey, this isn’t working right.” Well, I know what I need to have connected—what connectivity on my side. Simon and I have been down this road. We’ve already figured out on his side—whether I bribed his IT guy with washing the car for the weekend or Simon just did it himself—what port’s got to be open on a firewall. We establish the connection, whitelist what we’ve got to, secure it all back up, and we’re good.
Versus—it’s really difficult. What do they say? You can have anything you want with time and money. But when you just say yes and then on the other end of the equation, you have to get some connectivity going and nobody’s there to help you—you’ve got to establish that. So in that model, I say, look, you have to get a computer involved to get a static working connected workstation so we can say yes whenever we want. Versus, “Hey, I’m on the boat about 20 miles south of Aruba. I see some clouds out there.” No, that’s a no answer. Don’t say yes to that because the connectivity is not going to serve our needs to maintain a connection to do what we want.
There are motivations like that. We also have another customer who says, “Look, I don’t want to do that model. I’m going to configure my own workstation to collect locally, plug in the phone, and I’ll ship it to my people.” I’m like, “Well, okay, we’re not shipping you on a plane. It’s kind of defeating all the purpose to do remote, but it is getting out there.” You’re still going to do a local collection remotely and connect and send the data back. People come up with all kinds of ways to make this work to their advantage.
When you say who benefits from something like this, or why would they want to do it—I think it’s across all the market segments. Employers and employees both benefit from all the resources we were talking about. But I would say corporate probably benefits the most because it’s a managed environment and there’s implied consent that we can do whatever we want with our devices. “We give them to you to work here. We have to be able to protect our data for litigation, whatever.” There’s no real questionable benefit there.
Versus law enforcement, which—any copper on the side of the road is probably not applicable to this. However, a kiosk model—I mean, what’s a kiosk? A remote-collectable laptop built into a box or something, right? That’s sending data somewhere. Unless it just sits there and collects it all to a hard drive and then somebody comes to collect the hard drive out—that’d be kind of crazy. Why not collect via the kiosk and remote it back to the server somewhere?
Or—I have two country perspectives here—probation and parole, right? “We’re going to let you out with all the conditions in the world, including Simon’s going to monitor me. I’m not allowed to have a device at all. Or if I have one, I’m not allowed to go to these websites.” The traditional model is, “Oh, hell, it’s Simon—quick, throw the device away, flush this down the toilet, delete all my browsing cache.” Well, Simon can probably get around to it. He’s got a caseload of a bunch of people he’s talking to all month long—gets to you once a month.
But if part of your condition was to have an agent on your phone or your computer, Simon could do it in the middle of the night. He could get data from your computer all day long. And I’m telling you, Keith, if that little green light ever goes off, that’s like the equivalent of me cutting the band off my ankle—the house monitor, right? If that light ever goes off, you’re going back. “Well, what if the power goes out?” “Get an uninterruptible power supply. If that light goes off, I’m coming for you.” Because that’s the stipulation. Simon can check on me every day of the week if he wanted to, or have an agent on the phone where he could just pull stuff.
Si: You better clear that, or I’m coming for you. I have actually done a case in the UK of a person on parole who had a PC with some monitoring software installed on it. It was possibly one of the worst-written and buggiest things I have ever come across. The guy had actually taken it off, which obviously is a direct violation.
Keith: That little green light went off. The connected light.
Si: It went off because it kept—it had a memory leak. It kept using up all the memory in his computer and it would gradually grind down to a halt. He just couldn’t use it, so he took it off, which obviously was an issue. But they were like—my role in the case was to verify whether the software worked or not. I got about halfway through it when, looking in the unused material for the case, the engineers from the company had admitted that there was a memory leak and it didn’t work properly and it was easy to bypass, and they had it all in writing. I was like, “Okay, I’m not putting any more work into this. Please read this to the court.” It was like that. But the use case exists and there is a desperate need for good software to do it. I will wholeheartedly recommend Oxygen the next time we come around to that one.
Keith: I just know the old-school model and have helped people learn the old-school technology. Man, I just look at what we can do now—the evolution of anything, I suppose. I’m like, “Man, you guys could be doing this, this, and this.” If I was in that job, I would be looking around going, “Look, I can increase my contact with my people, my productivity, everything—what I can gather now versus what I could gather before, how I can report on it, all those things.”
That brings up an interesting story. I’m thinking locally, like at a state level or a county level. But what happens when you start crossing country lines, or oceans? You take data outside of a GDPR regulation or chain of custody. So this isn’t all just slap it down and whoo-hoo, run with it. Don’t get yourself in trouble. Stay in the bounds, stay in the lanes you’re supposed to stay in.
We even have state regulations here about privacy laws. Some of the states are much more stringent about what you can do and what you can’t do. GDPR is always a concern in your neck of the woods. Because if your collection is crossing a line like that, that could be problematic. That’s why law enforcement is probably the bottom of the rung of applicability because chain of custody is such a big thing. You have to have somebody go out there—“No, I’m the guy, I grabbed it here, never left my side.” That type of thing. But there are things that—if it’s connectivity—it’s mitigatable.
Si: I think it’s an interesting one because what we’re seeing a lot is this targeted acquisition stuff. I’m not saying that chain of custody is not important—it’s always important. But when you’re doing a targeted acquisition, you can verify the chain of custody of that when that’s taken more easily than you can an entire disk’s worth. You’ve got that record of that connection, you’ve got that record of those things. And the device is still live and it’s only a subset of the data—it’s usually either with the suspect or the suspect is there allowing you to browse a limited subset of their data to record it.
A lot of the things that we would consider—it’s a live acquisition and all of this stuff—it starts to become a little fuzzier around the edges. And actually, that plays into the idea of remote acquisition because if you’ve got a good agent on there, you can verify that the data’s come off in an encrypted channel that’s secure. At the time the agent was on the phone, it was taking a true image of it. Well, beyond that, what benefit is there to having the device at place B? There’s not a lot—there’s no logical change to the data that’s acquired.
Keith: And oddly enough, Simon, not to discredit the human factor to this, but I would say the logging that occurs during this process is much more repeatable, probably defensible, and complete than a human trying to do the same logging every single time. It’s sad to say, but probably better that way. We package it all up nicely, secure it for transport when data goes like that.
Rob’s presentation that I talked about earlier—one of his points was, because of this being kind of an emerging thing, there’s not a lot of vetted industry-acceptable knowledge or policy about this. He’s had to write his own policy: “Look, this is what we’re going to do, in this environment, or in this way.” What a novel concept—just because there’s not a lot of things to fall back on right now like this. It’s like asking a chat client or a GPT client, “How does this work?” “Well, let me go pull together whatever I can find off the internet, put a paragraph together.” That doesn’t really make any sense.
There’s a lot of use case relativity to this. I just saw a LinkedIn post—Briggs put a post out today about file system versus what-you-see-is-what-you-get and what you’re missing. Here’s an application and the vendor technology says it’s getting everything it gets, then there’s LevelDB and protocol buffers and all these other things that might not be gotten with that application data that are missing—application-relative data or dependency data to the application. A bunch of people are commenting on that, saying, “Yeah, well said.” There’s still the need for that.
So when I think about who’s benefiting the most, I say corporate first because it’s managed, there’s the consent to do it, and they will target exactly what they want all the time, however they want. You’re not necessarily having to break into things or go for file systems because they just want these things relative to a policy violation or a litigation thing or whatever.
Law enforcement—and I’ve got to bring this point up for Oxygen, independent of the conversation—if you have the tool we have called Oxygen Remote Explorer, or ORE, you can still sit there in your lab where you’re collecting data back to it from all over the world with agents, and take a phone apart and use tweezers and hook it up and do all the things you still did. It’s not like that’s gone from your repertoire of things to do. You’ve just expanded your capability to go grab remotely while you’re still tinkering with devices taken apart back at your desk.
Si: It’s an extension, not a replacement.
Keith: There you go. Good way to say it.
Si: I think it’s interesting—the corporate world is the ripe area for this. You mentioned eDiscovery. It tends to be—gross generalisations are always wrong, till tomorrow, right?—but it tends to be the content of the material that is more relevant than the metadata of the material. Times and dates when something was sent is relevant, but we’re not looking at that same low level as we are in the criminal cases usually—for where did this file get downloaded from. It’s like, “Did so-and-so send a contract to Joe saying that they would buy 50 widgets at £2,000 a piece?” And the answer is yes, he did, therefore we probably should honour that.
It’s a bit different to, “This indecent image has been downloaded from which website, when, and was it with the user’s knowledge?” There’s a difference. At that higher level, where bit-level kind of acquisition is—I’m not going to say less important, but less necessary.
Keith: Not as necessary. That’s the pill—absolute sector zero to infinity. Why? That’s the pill. And especially when you tie that to the fact that I’m not trying to break into something because it’s locked. You may lock it and quit the job because you’re mad at the company—well, that’s a different issue. Then we bring it back and start taking it apart, doing those things to it. But by and large, 99% of the corporate environment’s going to be consentable. I have credentials or we have capability. It’s all managed. That’s just how we roll because we’ve got to protect ourselves as a company.
Most of the service providers are the same way. Somebody calling up saying, “I need this done” is coming to that environment with, “Yeah, just tell me what to do.” Not chasing it down. In the kiosk model, even in a law enforcement kiosk model, if they’re showing up at a kiosk with a device, they probably have access to it. Or the instructions are, “Look, if it’s locked, bring it back to the lab. You’re not going to be able to stick it on a kiosk probably.” There’s a lot of use case relativity to it. When we step back and look at it—look at all those savings things—gosh, why not expand to that?
The money—I just play with the ROI thing because I like the sliders and watching the numbers move. Applicability for me, none. But if people can save that money and reinvest it in other things to make their day better, rock and roll, right?
Si: Yeah, absolutely. Two questions from my side. One is obviously memory acquisition on workstations is—I’m not going to say it’s easy, I mean it is easy, but it’s reasonably common. Are you able to do memory acquisition on remote phones at this point in time?
Keith: No, not today. Relatively easy as far as time—if you’re going to grab 128 gigs of memory, go do something and come back, and then where you’re putting it because it’s one big thing. But no, most of the phone collection is targeted. We try to keep it targeted because it’s a device and we’re probably in that mode where we’re not trying to collect the entire thing. But no memory right this minute.
Si: Okay. I know it’s an interesting one. I just happened to hear a piece of research on it a couple of weeks ago now—the F3 conference, which will mean things to people who’ve listened to other podcasts. Some of the things that were hanging around in memory—it wasn’t a straightforward operation to get it necessarily, but that was—
Keith: Do tell. I want to go read that too.
Si: I’ll find it and relay it later. But that was an interesting thing. It’s certainly an area of research that in future I think will be fascinating. That was one thing I was going to say, but I’ve forgotten what the other one was. Oh—given that that’s possibly a future development for you, what else are you looking at to push this forward?
Keith: It’s funny you say that because earlier today I was sitting with the product manager of the tool and he goes, “Let me give you a roadmap.” I’m like, “No, I don’t give you a roadmap. I don’t even want to go down that rabbit hole.” I’ve worked in a software company environment for coming up on 25 years now, and as soon as I say a roadmap, then you’re going to go, “Oh yeah, well, we’re not doing that anymore.”
I’ll tell you this—one thing that’s super critically important that we continue to do all the time. If you take an Android agent and you take it on an OTG device—on the go, USB—put it in the phone, you have a bucket of third-party applications available that are parsers written specifically to grab WhatsApp or Slack or whatever. That bucket probably has 20 parsers in it right now. That’s if you’re downloading it from your Detective environment, putting it on that, and sticking it on the phone here in the lab—taking data back to the USB versus the over-the-air agent for remote collection.
So it started without those third-party things. And here’s me, the limited user that just works at the company in my position, going, “Dude, really? Come on, you guys.” Well, the communication protocols are completely different than an OTG device. We’ve got to build some stuff first. Then it happened—all of a sudden the build comes out with WhatsApp. I’m like, “Get out!” It’s like cracking the seal, right?
So now, if there’s ever a build, I’m looking in the “what’s new” notes. If there’s not a new third-party application, I’m like, “No, no, no, no, no. Not acceptable. Put more in.” I think it’s up to four or five right now. So that is a constant evolving thing above and beyond just getting messages and all that. We’re getting the third-party parsers to show up in the over-the-air agents. In the other technology—again, a lot of different communication protocols to build to—but those are always coming in and multiplying. That’s a constant roadmap. I’m comfortable throwing that out there. If it wasn’t, I’d be really angry. And in defence of the masses, because that’s kind of doing a disservice to the users if we weren’t doing that. You’ve got to do it.
Si: No, it’s a good one. There’s a new application yesterday and there’s a new application tomorrow and you need a parser for it. The constant development of that is probably soaking up a huge amount of your R&D time, I would imagine. It is gratefully received when it turns up, I’ll tell you that for free.
Keith: That’s one of the best things. I look in the list, I’m like, “Oh yeah, excellent, excellent.” Anytime we have a new release of the tools come out—we just had a hat trick, three weeks in a row all three of our technologies came out. One of the things I do is get the release candidates and go through them and talk through all the new features and do a preview for the company right before the tools come out, just so everybody has all the knowledge. And yeah, I’m right in those notes and I’m like, okay, that’s the first section I go look at to see when that tool goes—”What’s in there? What do we got?” Fun stuff’s like Christmas early. Anytime we ever have a release, I just go in the notes and go, “Woo!” Or, “Wait a minute, I was asking for this and that’s what I got? Come on, you guys.” It’s a constant bribery to get the things I would like to see in the tool above anybody else’s.
Si: Nice. Now talking of bribery to get things in tools—I’m going to take you slightly off topic from what we’ve been talking about. Tell me about drone acquisitions in Oxygen, because I know there’s a drone course. I know that you do it. Are you going to send out an XIB drone? Do I get a Mavic in my inbox—through my post—to play with? How does this all pan out for you guys?
Keith: Do I have the stories? We do a limited number of drones and a limited number of drone applications and a limited number of flight logs. Well, we do a ton of flight logs if you can get them, decrypt them, right? So there was a point in time—I don’t know where that point in time was—since I’ve been at the company. When I got to the company, I was like, “Ooh, drones, I’m going to get a drone.” I got a DJI whatever—I don’t even remember what it was, I still have it.
I was literally able to take that drone—this was about the time they were flying drones over the runways at Gatwick and shutting down the airport. My fantasy was, “I’m going to catch that drone, I’m going to catch it alive and look in the camera and go, ‘I’m coming for you.’” Because I was able to take my drone while it was alive, plug it into Extractor and extract the physical content while it was running. It was amazing. And then one day that didn’t work anymore because of all the encryption now.
There are some tools out there—little boxes, I can’t remember the name of the cool little box right now, we have it in class, we talk about it—that can extract the content of the drone, decrypt it as it extracts it, and put it in something that we can then pull and detect. I think hands down we map it and play with the data as cool as anybody. But acquiring the drones is a challenge because of all the encryption that wasn’t there when I first got to the company. Kind of a bummer.
So there’s a limitation on the drone. We just added a DJI drone the other day—the key for this drone is out there all over the free space now. So I think that one’s in there, but everything else is proprietary, tough to get. Rob Attoe’s class for Spyder—he does a crazy class with drones.
I bring that up because when I got my drone originally, here’s the fun story I’ll close this out with just because you have a laugh at my expense. I said, “I’m going to get a drone,” so I go on Amazon. We had little drones from the store down the street—my kids had a couple, one was a remote control car that drove on the road and a drone, but they weren’t anything that tracked GPS and satellite stuff like you’d want to get. So I get on Amazon and I find this drone that’s really cheap—refurbished—and I buy it. It shows up in a box with some bubble wrap.
I get this drone out and I’m like, “Okay, I got a drone now. What?” I think Rob and I talked the next day and he’s like, “So let me see what you got.” I’m like, “Well, here it is.” He goes, “Where’s the controller?” I’m like, “What do you mean, where’s the controller?” He’s like, “You’re an idiot. You didn’t get a controller.” He’s like, “Well, I’ll send you one, you dingaling, but you can control it with your phone with the app.” I’m like, “Okay, bye.”
So my son and I hang up on Rob and run outside, download the app, and now I’m using my phone with this little screen and the camera. “Oh, this is cool.” The killer to this, Simon, was at the time—you connected the drone to the phone and to my DJI account. But I had no idea what I was doing. We’re flying around out of my house and I didn’t sit down and calibrate the home point properly. Why would I do that? Let’s just go fly it. Why read the instructions?
So we’re flying it and we’re like, “Oh, son, let’s fly down to the park.” So we get it way high up and we’re going down the street. I’m going along and all of a sudden the drone just stops. I’m like, “Uh, it’s up there. Come on, drone, do something.” My neighbour’s like, “What are you doing?” I’m like, “Nothing to see here. Drone!” And it just starts floating this way. I’m like, “Oh, you’ve got to be kidding me. I just bought this thing and I’ve lost it. It’s going to fly into the mountains or something.”
Well, I had no idea that on my phone, what’s missing from that? It’s not a controller with a big long range to stay connected. I’d flown it out of reach of my phone and it’s just sitting up there. And I’m yelling at it and my neighbours are laughing at me. My son’s panicking and I’m panicking. Eventually it starts beeping. I’m like, “Oh boy, it’s going to explode, right?” And it turns around and starts flying back to the house. I’m like, “Oh, this is great.”
Well, it flies right over the roof of the porch where it thinks the home point is—that I didn’t calibrate correctly—and it starts coming down. I’m like, “No, no, no, no, no,” because it’s a slant there. “This can’t be happening.” Finally, I’m restarting the app and everything. It finally gets back to, “Do you want to fly or connect?” I’m like, “Connect, connect, connect.” Right before it hits the roof, I connect to it and am able to land it. Scared the crap out of me. I didn’t know what I was doing.
But what was really cool was—I got the physical of that drone versus the logical flight where it lost contact. You could see me flying around the house and going down the road and blink—that route of dots ended logically. But when I physically got the drone, the return back to the house and the landing were physically inside the drone. The logical one was in my account online. I could go to the cloud and download it and show people because that’s where the logical connection stopped. But physically inside, the rest of the route was in there. Very cool. No telemetry, no height, no speed—none of the stuff, no altitude that’s in the logical one. But all the waypoints were in there. I could make out the whole route. Very cool. Back in the day when you could just do that very easily.
So it’s tough now. We explore that a lot. There could be things that development’s doing right now that I don’t even know about. But currently, there are limits on the devices, logs, and applications that we’re supporting.
Si: Fair enough. I’ll tell you a different drone story—I’ll trade you. I’ve got a Mini Mavic, one of the first generation. Lovely little piece of kit.
Keith: Is that a dig that you bought the whole set? I didn’t even get the whole set. I have a remote.
Si: Well, it gets slightly worse. I did buy the whole set. I did have a remote control and I got some spare batteries and all of this, which is great. Then I took a holiday up to Scotland and I was like, “Scotland, beautiful landscape, amazing mountains, incredible. I’m going to take the drone with me, take it out and fly it. Brilliant.” Got to Scotland, parked up, beautiful location. Got out, got the drone out, kit it all up, set it all up, standing there and it goes, “Can’t find a mobile network. You have to connect to a standard mobile network to use the DJI app.” Because I couldn’t reach a network, I couldn’t fly my bloody drone.
Keith: You couldn’t get any service to your phone?
Si: No, no signal because I was in the middle of nowhere in Scotland. That was it. I carried my drone all the way up to Scotland and then drove it all the way home again because I couldn’t fly it.
Keith: But listen, I bet the people watching you were like, “Man, look at that guy. He’s got a drone. That’s really cool.” You’re like, “Hell yes it is. Too windy today.” That’s brilliant. Neither one of us ended up in a crash. That’s good.
Si: In my case, it’s because it never even got off the ground. Safety first.
Keith: Safety first. Ships are safe in harbour even though that’s not what they’re built to do. The drone’s great on the ground.
Si: That’s it. Absolutely. Great footage from worm’s eye view.
Keith: Oh my gosh. That’s brilliant. Well, hey man, thanks for letting me come on.
Si: No, always a pleasure. Do send me a label and you can have—although it’s a really lovely box, I wouldn’t mind keeping it—but let me have a label and I’ll send it back to you.
Keith: You can keep it as long as you show it in every podcast. “Hey, if you haven’t seen this, check it out.”
Si: I’ll just mount it on the shelf behind me.
Keith: Mount it up right behind you. Find a light in there. Yes. I’ll watch for that to come home and I’ll repack it and it’ll go back out to somebody else. You should carve your initials in the bottom of it somewhere, and we can say, “This is the one Simon signed.”
Si: Just like graffiti at the bottom of the thing. All right, I’ll consider that.
Keith: You can do it with a Dremel tool. Yeah, that’s it.
Si: Hmm.
Keith: Well, awesome. Any other conversation you want to have about remote stuff? There’s a lot to it, but a lot that can come out of it. You can save a lot of resources and time and effort.
Si: I think that’s it. We’re looking at so much data now. The requirement to collect it, the requirement to process it—so not having to go to site to do it, not having to collect it all and doing the targeted acquisitions, and some of the features that you would gain from that live network-wide stuff—certainly from a corporate perspective, I think there’s a lot of future in remote acquisition. I look forward to seeing how it develops over time.
Keith: I should probably throw in there—it’s obviously Oxygen technology that I’m talking about, and when you collect, whatever you collect just ends up going into your Detective-type interface. The ORE interface is just like Detective without some of the law enforcement stuff in it—no warrant returns or things like that. But it’s the same cool intuitive interface. It’s fun and easy to use and all that data is going in the same place people are used to analysing anyway and reporting with and analytically going through. So there’s that, which kind of compounds the ability to get it remotely and then put it in cool tools. I didn’t get paid to say that.
Desi: Awesome. I have one last question on that. Thinking from a use case of the corporate perspective, when you do collect, is there a way to export metadata into something like a SIEM? So if you are a corporate environment that’s maybe wanting to track certain things within corporate-owned devices, you could flag on that and then that goes into their security stack or some type of alerting platform.
Keith: So you can—once you get into the heavy client, you can export anything out of it like that. If you’re going to push it to some other tool, essentially, you can do that. Yeah, you can do that. You can save it out into an archive. You could export or save a file out to the desktop and do something with it—whatever you need to do at that point.
Desi: Yeah, I was just thinking about when you were talking about taking the triage state of things, which is something that I’ve done a lot before for workstations. That’s a really good way of tracking behaviour or tracking fraud or external threat cases. But yeah, doing the same with mobile devices would be good.
Keith: The collection profiles are where the rubber meets the road. It’s a very robust creator. You can make templates, which are great—”For Simon stuff, he likes this. For dead stuff, he likes this. For key stuff, he likes this.” You can pick even down to, “Go get me files with this header. Don’t care about names—I’m looking at content then.” Or “Go get me by hash.” Or “Go get me by date.” There are a bunch of filtering rules. Here’s a list of all the applications for all the operating systems. Give me this, this, this, this. Go look at all the normal locations or go four levels deep from there, because maybe they’ve done features or functions that have added some more folder structure. Go to memory and grab these things.
So you make these really crazy profiles. If a corporate environment has some weirdo proprietary thing that’s not in there, they can build a filter, a rule, to go get it—like scripting to go get what’s above and beyond the norm. I think that’s one of the huge strengths because it’s targeted. But man, you could have a really big target if necessary. “I want to do everything but a physical drive. I want to get every logical thing I can see but not get all that unallocated space in a disk image.” That’s super powerful in my opinion, because even though I swallowed that pill a long time ago, I can still flirt on the edge of where I want to be all the time without worst case scenario. So yeah, the original question—can you get stuff out of that big package and do other things with it? For sure.
Si: I do have to say that’s an interesting thing that is very American—the idea that there are things you are specifically not allowed to collect. You are very tight on your warrants and scope. “Please don’t pick up anything that’s titled legally privileged” was something that I came across in the previous configuration, which I thought was fascinating—which also meant that I now label everything at the top “legally privileged.” But it is an interesting thing to have a negative acquisition label that you can apply. I find that quite fascinating.
Keith: Yeah, that’s huge in the legal industry here—privileged data. If you’re not able to do that, people get really bent out of shape. Because I should be able to send a data set to you, Simon, that you can see these things, but nobody else can. If I send it to you, that’s protected out of your view. Then we get into review technology and, “Well, who’s the special master that determines what’s privileged for this person and not for that person when they’re looking at the same data?” That’s a lot of times legality.
What’s even worse on the law enforcement side of that is you had a scope of this and you just came across that. Well, guess what you’ve got to do? Go increase your scope or you’re outside bounds—you get in trouble for that. So that’s the way that cookie crumbles for us. But yeah, privileging data, that’s some recent functionality in our tools that’s really come of age—largely because customers said, “We’ve got to be able to do this, you guys. Let’s make sure that happens, make sure that’s doable.” Good conversation.
Si: Yeah, thank you. And we’ve done our outro so we can go now. It’s gone simple, hasn’t it? “Thank you very much. Goodbye. We’ll see you later.” But no, Keith, thank you very much for coming on again. It’s always a pleasure to talk to you. Love Oxygen. Have great fun with the courses and the demos I’ve had. It’s good to see you going from strength to strength and coming up with great new things. Good luck with your drone. I hope it pans out.
Keith: Oh, that thing. Yeah. Well, I’ve gotten another one now because we were working on the whole encryption problem. So I went and got one that was truly to be encrypted, so we’re still working that problem. I can’t quite have as much fun with that one yet. But keep watching. Did I walk right into this? Keep watching the skies—right on the heels of a drone conversation. I didn’t plan that. But keep watching the skies. Great to see you guys.
Si: And you, Keith. Thanks so much. See you later.
Keith: Cheers. Thank you.