Solving Digital Evidence Challenges With Oxygen Forensics

Si: Welcome friends and enemies to the Forensic Focus Podcast. Today, courtesy of a jet across the Atlantic, we have with us Lee Reiber, who is currently in London for the Oxygen Forensic Conference, I believe.

Lee: That I am. Yes. Having our partner conference here in beautiful and sunny London!

Si: You’re in a different London to the one I’ve seen on the news recently! So you’re CEO of Oxygen, an incredibly well-known and popular digital forensics tool for mobile phones, predominantly (he says carefully because I know you do more stuff than that, and we’ll open up). So John, tell us a little bit about yourself and how on earth you ended up as CEO of an amazingly successful company.

Lee: Right, and you say that interesting, “hey, how you wound up there”. But anyway. No. So, I have a law enforcement background. About 15 years in law enforcement, and during that time towards the end of my career, I said, “hey, you know what, these things, it’s called mobile phones might be of interest, right?” I was doing computer forensics at the time in law enforcement and I’m like, “yeah, these are little computers, so let’s do a little bit more research”.

So I started researching a bit, started…wound up in a training company called MFI that became pretty successful in the law enforcement side of it. We used multiple tools, the ones off the shelf that you’d get. And so we trained a ton of people. My company eventually was purchased by Access Data, that you know. Went to work at Access Data, developed a mobile tool there, ran a training program for Access Data, and then it turned out that doing computers, I wanted to do more phone stuff.

And then there you have it: wound up starting with Oxygen as the COO and then moving into the CEO position. So it’s been crazy, right? Starting as pushing a patrol car around, doing computer forensics to running a digital forensic company. It’s been pretty surreal.

Si: So your background wasn’t, sort of, a computer science and then computing and then forensics, it was beating the street (he says very carefully, that can be construed in several ways in different languages), beating the street as a law enforcement officer actually on the ground. Is that right?

Lee: Yeah, yea…well, sort of. Yes and no, right? Commodore 64, I wrote a lot of code, did that during college and then, hey, my dad was in law enforcement and so when I got done with the university, I’m like, “you know what? Hey, let’s just start in law enforcement like my dad did”. So I did that. But interesting thing, I wound up taking and scanning and OCRing the entire code book that we had. And then I wrote lookup scripts so that people…and it was on a floppy that people would put in their little computers and be able to look up city codes on that.

So I’ve always been kind of on the computer side of it, and the objective in law enforcement was to go into the computer forensic unit, which I wasn’t able to do straight away just because there was an old crusty guy that was there and I had to wait for him to retire to get into it. So anyway, I eventually worked into it. So I’ve kind of really aimed on the digital forensic side of it. But at that time, mobile phones were like a flip phone with 13 contacts in it. So people were like, “yeah, whatever”. But it worked out.

Si: Yeah, Apple helped with that!

Desi: So when you were leaving the police force to move into the training company and then start your own company as well in mobile forensics, did you work with mobile phones at all in your job, even though you weren’t in the forensic unit? Did you handle that kind of stuff there and then that’s what inspired you? Or did you get out and you’re like, “alright, I’m going to self-teach myself how to get into these phones that are just mini computers and go from there?”

Lee: Yeah. To be honest with you, it was that. It was seeing these Nextel flip phones or these LGs or Nokias, these devices, and I’m like, “man, there’s got to be a way”. So I started doing AT commands. Writing AT commands, communicating with the devices, because they were modems at that time pretty much. And so it’s weird. You’d write these commands to the device and all of a sudden you start getting responses back about…and dumping and starting doing and getting some of the contacts.

And it’s interesting, so in CID, we would have detectives that would come in and they’re like, “hey…”, and they’d just start throwing these mobile phones in a brown bag before they go and interview them. They’re like, “hey, I’m going to go in there, they’re going to tell me everything”. And obviously they never confess to anything. And I’m like, “yeah, these mobile phones, you keep throwing these bags, there has to be…” So again, I started messing around with it.

There wasn’t a lot of tools that were out there. And then I ran into some individuals that went to a training course and it was a forensic course, and they started talking about mobile phones, and we wound up going to a regional meeting and there’s this mobile phone thing, and I’m like, “oh man, we keep having these…I think that they’ve got to be used in some investigations”. So that kind of just really took me down to becoming very interested in how to communicate with devices.

Was there any software that was available? And then ran into the training. And I mean, we’re talking that…if you guys remember Cell Seizure, SIM Seizure, Paraben. Oxygen actually had a product, Nokia product, of just communication for adding contacts, getting some of the text messages off that were using all these free utilities because there wasn’t anything available out there. So it’s been an interesting ride for sure.

Si: Yeah, I can imagine. So I mean, we’re now at the stage of these huge suites of software that are dealing with mobile phones. Can you tell us a bit about Oxygen? I mean, obviously Oxygen in particular more, you know more about, I suspect, than the competition. But where do we stand in going from the free tools (that are still available) to things like the ADB bridge and all of this? Where does Oxygen sit alongside this sort of thing?

Lee: Yeah, I really think that especially if you look at our tools starting from Analysts, we no longer have Analysts. It’s moved to Detective. And then obviously added two additional products with Corporate Explorer and our Analytics Center. So it’s really the focus has always been for us is understanding, decoding, taking a large amount of data and giving the investigator the ability to really take the focus to where they want to go with that, to find and uncover the data.

Because I mean, if you look at devices from when we first started to today, I mean we’re talking…I mean SIM cards, we’re talking media cards, terabytes of data. And now we’re talking multiple devices that you might run into. But then we focused really in trying to understand on cloud services, because as you guys all know, I mean, you have your mobile device and you turn it on, it’s active. It means that everything is going to be syncing with some sort of cloud service. And so we focused on that.

And to be honest with you, we are the leaders in the extraction of data from cloud services. Because we wanted to focus on clouds because to think about a device, how upset would you as a user, like, “hey, I just broke my phone”. You get a new phone and you’re like, “ugh, I have to install every one of these apps. I have to now repopulate it”. But, you don’t, right? I mean, all you do is download the app and sign in and then hey, all your data’s there!

So we really took that approach to saying, “you know what? For investigative purposes, if you don’t have the device, the device is broken, the data’s all encrypted, the device is locked, let’s start focusing on a lot of these cloud services.” And it’s really moved to law enforcement finally understanding that that data is available and that they really need to be processing that.

But I mean, we saw that years ago, and to be honest, our product is…and supports more cloud services than any other tool, I mean, times three. Just because of the focus that we’ve taken into and trying to understand where’s the future going to take us? Because sometimes, I mean, Apple talked forever about, “hey, we’re going to remove any of the ports”. So we’re like, “oh man, if we’re not able to communicate with the device via cable, what are we going to do?” Well, hey, it’s all in the cloud. The data is still stored and available to the user. So if that happens, we’re ready for it.

Si: Excellent. And Apple has finally come around to standardizing to a cable so we can carry one less cable in the world anyway.

Lee: Exactly, yeah.

Si: So how are you attacking these cloud? I mean, not attacking, but how are you approaching them? Are you going through an API route or are you going through the sort of download my data and then processing it in a slightly more thorough way than we might consider just manually doing it?

Lee: Yeah, we kind of do it both ways really. I mean, for Google Takeout or any of those others that you can go in and log in and download the data, we can go in just that, but as for communication, everyone knows that, hey, we can log in with QR codes. That allows us to do that as well. Username/passwords. If we go in and collect a device and maybe there’s a token that’s still active, we can utilize that.

But again, it comes down to the communication. If the device communicates with a cloud service, then obviously the likelihood is we’re going to be able to communicate via our software, just like you would, kind of, with a mobile device to then go in and grab some of the data. But it’s like a cat and mouse game. Because obviously we do it for investigative purposes, for law enforcement, for our customers. However, the large companies are like, “hey, you know what? It’s all…we need to make sure that we’re protecting our users”.

So they change the algorithms all the time. And I’m happy to say we have, and especially the development, the development teams are pretty keen to keeping up with that and pushing out any hot fixes. But again, it is a cat and mouse game especially with the cloud services.

Desi: To put you on the spot a little bit, do you have a story about where your development team might’ve been working to law enforcement needed a particular cloud service and it was down to the wire, big investigation, trying to decrypt part of that, and then how did you guys go about that? And I guess what was the feeling to get that done to work with something that had a changeable outcome?

Lee: Yeah, we’ve done that a couple of times, both with cloud services as well as with devices. We’ve had several opportunities to work with federal law enforcement agencies that…they come to us and say, “hey, we have this particular device or this particular cloud service or an app that no one is necessarily supporting”. And we’ve actually turned things around in a couple of days, sent out a fix, almost a beta to the law enforcement agency with significant implications.

I mean, we’re talking national cases that they’ve gone, utilized our tool, and we’re successful. And that’s what…I think that’s the most important part of working at Oxygen is that we’re at a position to…and I have obviously law enforcement background, that if people reach out to us, we’ll drop everything in a development cycle to get them a version that’s available. It might just be available to them, but we want to make sure that, I mean, we always say to make the world a safer place, and that’s really what we want to do. We want to offer that ability, be agile to our customers and provide them with a service that just does that, right?

Desi: Yeah.

Si: How…one of the things that I’ve seen becoming more prevalent in terms of the countermeasures that are being put in place by the large companies is multifactor authentication. How is that impacting upon your ability to do things?

Lee: Yeah, that’s interesting. We do understand that, and it allows within our software, several different…if you have that with the QR code…if it’s a text message back, it really comes down to a training and understanding that, “hey, if I make this thing live or maybe I take the…if I have the availability of removing a SIM and having it call back either to an email address”, it’s been a bit of a challenge. Especially we start talking about UV keys or allowing those types of limitations. It comes down to really the innovation, right?

We see that we understand that we’re one of the first to kind of tackle that and allow within our interface the ability for the user to enter those additional codes that 1) either might be received by email, by…if it’s a text message, as well as any other multifactor authentication methods. If you remember, even before that, we would always have…you would have an issue with…if you’re accessing someone’s Google account, Google then implemented either location verification that would allow you to do that, but then also emails.

So you have to, again, on the training side, especially law enforcement, understanding that, hey, if you’re trying to either surveil or this person isn’t in custody, it’s likely that they’re going to receive some sort of notification from a carrier indicating, “hey, did you access your account?” And so we built in…there’s things that you can build in for proxies as well, is that, “hey, I need to access this from this particular location utilizing this access” so that it can help circumvent some of those notifications.

Si: That’s pretty cool. Do you run those proxies or is that something that the…either you are going to now external service, or is it something that the examiner has to set up?

Lee: It would be something that the examiner has to set up on that. One of the things that I pride myself in is…and especially for some of our users, is it’s an on-prem solution. We don’t use any protocols that hey, say, call back to home or anything else. So that 1) people can be very confident in being a solution that they completely control. And we want to make sure that they’re comfortable with obviously utilizing this software that it’s not going out somewhere to get this information and return it back to them.

Si: No, that’s great.

Desi: I’m not familiar with mobile forensics too much. I didn’t have a law enforcement background, and most of my experience has been in IT/IR. But in terms of doing investigation, say you wanted to track an image or a particular piece of information coming down from a cloud service. So, let’s say it was like a WhatsApp or something, and you wanted to see which other apps that went into in the device, is that left up to the investigator and maybe doing a global search within Oxygen’s tools, or is there any kind of automation done that may help track an image or say it was a keyword that you wanted to track through all of the apps?

Lee: Yeah, yeah. What’s nice is…let’s take images for example. So, with images we have a fantastic image categorization, as well as we have really image or facial categorization as well. So say you pull something down from the cloud and you have their device. If I have their device, it’s really nice that it takes it into, say, one case where I’m able to go to an image and find every image, not necessarily based on hash, but based upon the image itself, and run that through and say, “okay, here’s the WhatsApp, and actually this came from their device because here is the, say, EXIF data, or the image that they actually, they took with their camera, and it’s identical to this one that has been uploaded”.

In the case of keywords, we have a very, very strong and powerful search that allows you to search for keywords, phrases, anything within a dictionary, watch list that you might have, and immediately see that reference in any application that was utilized, if it was on the device, where it came from living on the device itself. So that’s one of the things that really is important because the time consideration, right? You have to have actionable intelligence, even in IR side of it, even if it’s not law enforcement, you might have to act on something and you need to understand.

So we take, and really, I mean, filter out the information so that you’re able to go in, select a keyword and find exactly what file it might’ve come from, show within the file where it had come from, even if it’s repeated in multiple files or in multiple applications, you have all of that there so that you’re not culling through terabytes of data. We want to go and filter out the information so that they can have the information at hand immediately.

Si: Yeah, consolidated search is a really useful feature from an examiner perspective. So yeah, I think that is definitely a good one to be having.

Lee: Yeah, we just added Elasticsearch, if you’re familiar with that as well. Really bit more powerful. Yeah, we added that a couple releases ago just because obviously the volumes of data that we’re dealing with…because within our tool, you can pull in computer artifacts.

We have a tool that’s built into ours, it’s called KeyScout, that allows you to put parameters if you want to search, for example, I want to go and search a computer, right? Say a Mac, Linux or a PC box. I can go in, create a profile within that profile saying, “hey, I’m looking for this particular keywords, or I’m looking for documents, or I’m looking for the WhatsApp messages that they might use, say, on a desktop or any desktop communication. I need you to pull this information”. It creates an executable. You can then either…you can load that onto the machine, click run, it returns all that data. You can then bring it directly into our products.

And within the product, you might have extracted data from multiple mobile devices. You might have some cloud service data that’s within this case. So now you’re really taking all that information from all these digital sources and finding things that might’ve originated on the mobile device wound up with onto the computer, and is also stored within the cloud service. So we understand there’s, especially in a digital investigation, there’s multiple sources that you might have to investigate, and we bring that under one platform that you’re able to go in and really show the similarities, might show the differences within all those types of media.

Si: So, your background and the products background is in law enforcement, forensics, evidence base. But this sounds to me a lot like something that’s…are you branching out into eDiscovery for corporates?

Lee: Yeah. So we launched our Oxygen Corporate Explorer that is geared really for that market. It doesn’t contain things like warrant returns, some of those things that might be specific to law enforcement. It also allows for endpoints. We have within that product is…it’s called an agent management center, and it allows agents to be deployed onto PCs, onto Macs or Linux boxes that you might have a certain profile that you built into it saying, “hey, you know what, every Wednesday collect the Excel sheets”, or, “I would need to go in on this particular endpoint, and we needed to do a collection of all the text messages or any of the messaging apps”, and then pull that back into Corporate Explorer.

And we also just added the ability for the remote collection of Android devices and soon to be with iOS, meaning that if it’s a corporately owned device, I can deploy an agent with a profile and saying, “hey, I need to extract the text messages from this particular device and then bring it into the platform”. And the best part about it, we have Relativity and export to Relativity for those users so that they’re able to push this out into, say, RelativityOne. Be able to conduct their…any type of examination or send it out to legal.

Si: Now, when you say remote acquisition, I’ve heard that phrase from one or two competitors. That means you need to take the Android device and plug it into a laptop. Is that the sort of remote acquisition we’re talking about, or do you actually mean…?

Lee: Correct. At this point, our first phase in releasing that is that, right? So we have an agent on…it’s deployed onto a PC. And so you have that collection point, say, you’re in London where you have, say, Corporate Explorer has been installed, but in the States, in Virginia, we have another corporation who’s doing this investigation.

You can deploy the agent or many agents to that particular PC. They then just go in, they plug the device into that PC and everything is acquired in London. Everything is handled that way. The person just plugs it into the phone, it then registers that particular device as IMEI which means it’s unique, which means that once it’s deployed to that device, it becomes licensed and it becomes at any time you can plug that device in to that PC and do that collection on that particular device. Correct.

Si: Is there a future whereby we will be deploying an Android app or an iOS app that does that sort of…?

Lee: I promise you, yes.

Si: Yes! Okay. In progress at the moment then, is it?

Lee: Yeah, right. It’s an interesting topic, just simply…I would hate to be, you know…I look at it and we need to be very careful. We need to be very careful in the deployment, especially on that. It needs to be monitored as in, in a corporation. Because you don’t want to have it wind up on girlfriend’s, boyfriend’s phone, things like that. And so we have to be very careful in our process and the vetting of those…and the building. You do everything for good. You want to make sure that…and so everyone’s kind of looking at that. But yeah, you have to be very careful.

Desi: So I guess Oxygen Forensics and the tools that you have are quite powerful in acquiring data and you work with law enforcement a lot and talking about vetting, I guess, so I assume there’s vetting in place for the current tool set and then working mainly with potentially just Five Eyes countries or…what’s the kind of limitations that Oxygen has around that space?

Lee: Yeah, exactly. So we want to make sure that the tools, again, are used for good. Everyone, as part of the process (because we have lots of partners), but we maintain that we do not sell any tool unless we know the end user. A lot of our partners sometimes like, “hey, they don’t want you to know”. I’m like, “well, then we don’t need to sell that”.

So we need to make sure and we understand of all of who our end users are. We only sell to the forensic space, or we talk about eDiscovery. You have to be in a business. It’s not like, “hey, I work at 7-Eleven”, or “I work here and we’re going to do mobile phones”. We are very careful about who the product is going to go out to because it’s never worth it to just say, “hey, I just want to sell the product”. So, we want to make sure, and we are very diligent in who our product is sold to and who it’s used by.

Si: I feel mildly honored that at some point I have had an Oxygen Forensic license. That’s good to know!

Lee: Hey! You should. You should. Yes, exactly right.

Si: Going off on a slight tangent, because it’s a question that I had from earlier that sort of missed out in the chain, but mobile malware: how is this affecting a) the way we do acquisitions and things like that, and b) what impact does it have on evidence, really? I mean, we’ve all heard the Trojan defense a million times, and it’s usually…I’ve never come across a real one, put it that way! So, what is the malware state and how does Oxygen deal with that?

Lee: Yeah, and so if you could push it back to say, computer forensics, right? It’s like, “hey”…it’s some CP case and it’s like, “hey, you know what? I just wound up on the site.” So it comes down to the investigation side of it, right? Is that when you’re going through that, you’re looking at dates and times, right? If it’s in cache, like internet cache, that could be an issue, right? Because if I just showed up, I didn’t mean to do that. However you go and you look outside of that conducting your investigation, were there at this particular time, this date and time, were they utilizing another application?

So if we’re talking about mobile devices, was there another app that was being utilized for that? Androids are fantastic with some great log files, as well as with iOS. And so it comes down to you being the tool, not necessarily relying on the tool, right? Because people can develop some application that might have some sort of malware in it, however it might be developed that day before, right? No one necessarily supports and identifies this is what happened with this particular app.

So it comes down to the investigation. I’m always a proponent of getting away from push button forensics, because once you do that, if you’re just pushing a button and out it comes and this is what the tool tells you, that becomes an issue. And so with that in mind, especially as part of with any of our Oxygen products, it allows really the user to dive into the data, to look into those logs, to find out if it’s an Android device, the APK, being able to look at, alright, is there any type of embedded…any type of embedded malware? Is this talking back to this country? It’s sending the information back. But again, our tool doesn’t readily identify that, and there’s really no tool.

So it comes down to you being an investigator and understanding that. It comes down to really training and education, which is one of the reasons why we’ve launched a training as included with any purchase of our Detective, which the limitation that people’s always has, well, “hey, either I can afford the software or I can afford training”. And generally it’s a software, they don’t have the training.

And really the issue comes down to just what I’m talking about, is that if you’re going to breed investigators, you need to make sure 1) they’re educated. And in doing so, we push to now include training for a year in all of our products so that they can go in any calendared event that we have, they can attend, as long as they have purchased the license. So that is going to allow us to now create investigators instead of just the push button people who are relying on it. Because you’ll miss a ton. You really will.

Desi: I just want to ask about the training, because that’s really interesting. And I wanted to ask whether the training is scenario based, so you give them a fake investigation but with real things that would happen on different devices and go through that? Or is it more…some of the trainings that I’ve done for vendors in the past is just like: here’s the interface and here’s where you find this thing. It’s not like an investigation.

Lee: Yeah, no. One of the great parts about our classes is just that; they’re real world and practical. So it’s a horror story for our training team because every release we have, they have to go through their scenarios to make sure it didn’t break, right? And so as part of those training classes, just our basic class as well, there’s images that we obviously provide.

It’s really a hands-on experience, not like, “hey, if you push this button, this is what it does”. It comes down to our training VP, Keith Lockhart, who’s been in the business for a long time. I’m sure that you guys have heard, obviously…but it’s that, it’s the real world practicals, so that once they’re completed this, they can go in and apply exactly what they learned to real cases. And so that’s exactly what we hear from those people that are in our training classes is that they’re sitting there in the first day and they’re going through some of the practicals, they’re walking through really, “hey, Bob Smith did this. This Uber driver”. And they’re like, “I have a real case that involves this”. And so they’re able to go in and apply that information straight away in their own cases. And that’s the only way to learn, right?

And that comes down to my background and training, Keith’s background and training. We’ve all sat in a class and going, “oh my gosh, I am about ready to fall asleep”. Because they’re like, “okay, go to this menu and push this”. And you’re like, “I don’t even know!” And PowerPoint, death by PowerPoint. So that’s far from what we want to provide.

Si: I mean, I was just going to ask (before I rudely attempted to interrupt Desi), are you doing training in London at the moment on this in your user conference or is this a scheduled thing otherwise, or is this a mixed conference for you?

Lee: Yeah, yeah. So it’s really our partners. So we bring our partners in from all over the world. I mean, we have, UAE, Brazil, France, gosh, all over Europe that we have our partners, have come together to talk about technology, get training. Actually, Keith was here doing training on our products because it’s extremely important that 1) the people who resell our products as our partners are just as versed in our tool and understand our tool and the benefits and how to really work it, so that they can provide that service to their customers.

So, we come and we educate them for three days. They do have, and they do get hands-on and they get training, and it’s been very, very good because what’s nice is you get so many questions you’re like…and they’re like, “hey, what about this? My customers want that”. And you’re like, “oh, fantastic roadmap”. Some of those things that you have. So it’s good to get this face time and live feedback.

Si: Amazing. I mean, you’ve segued beautifully into it: so what’s on the roadmap coming up for Oxygen? What new features are we looking at in the next couple of releases?

Lee: You know…with our products, our new products that we release with Analytics Center? Analytics Center is a web-based tool that allows review. So, you’re able to ingest our image, you’re able to push directly out of our Corporate Explorer and Detective products into a platform that you can give username and password and assign privileges. People can now log into that and be able to cull through the data, search for data, create reports wherever they are in the world.

So again, allowing that flexibility. And so we’re really trying to concentrate on giving people 1) a tool, not just on the law enforcement side of it, but how can we go and provide to the human resources team? To an IT team that might, on the corporate side of it, an IRR, that they’re able to go in and get the information that’s needed and be able to formulate a plan based upon the information that they have.

So, again, we’re building in not only on the, say, the law enforcement, the collection extraction side of it, but really the processing of the large amounts of data and then being able to have people collaborate to have multiple users within a single case, being able to say, “hey, you’re going to go through all the images. Hey, you need to go through all the text messages, you need to go through all the applications”, so that you can have multiple people working simultaneously to eliminate obviously the workload of one person.

Because I always remember going and doing forensic exams that you’d have the investigator who has all the knowledge of the case and you’re like, “hey, so what do you need me to find?” And they’re like, “yeah, everything.” And you’re like, “everything? There’s a lot of everything”. And so this now gives the investigator the power to, because they have all the knowledge of the case. It doesn’t matter law enforcement…if it’s corporate investigation, whatever you’re looking for that you have an expert. And it might not be the digital forensic guy. So it allows them to really go in and find the information that they need immediately and have that information instead of saying, “hey, digital forensic guy, you need to hurry up.”

Si: Yeah. I mean, just building on something you said earlier, that web-based interface, that’s hosted locally to the client on a system, they set that up themselves. It’s not something you are hosting?

Lee: Exactly, exactly. I’m all about that on-prem stuff, they’re able to go and build that out. They’re able to open up whatever ports that…to have the infrastructure to have that review area. All the data is 100% hosted. And there are some other companies that, “hey, we’ll host your data and everything else”. And I’m like, “I don’t want any part of anybody’s data”, because now all the whole governance, and I mean now the certifications and making sure that you have that, I want people to be responsible for their own data; we’ll provide the tools to access it.

Si: Yeah, a very sensible approach, I have to say. Yes, being responsible for other people’s forensic data: not something I want ever to have to deal with. My own is bad enough, thank you very much.

Lee: Yeah, agreed. Good stuff.

Desi: So I had a question from I guess all your experience over the years and the peers that you work with now and before, is there any piece of technology that’s come out that was a big hurdle at the time? I’m kind of thinking maybe first iPhone ever came out and everyone was just gawked at it because it was so different and so strange. But is there anything that sticks out in your mind that was that big challenge?

Lee: It’s every day, right? Having to keep up, especially with the cloud services, but the mobile devices, right? iOS when…back in 2007 it came out and they had some security, but then we were able to get a full physical on that. I remember at Access Data we built that and we had the full physical, you’re able to get it and then everyone’s, “oh my gosh, Apple’s locked everything down. It’s crazy”.

I think the biggest hurdle is helping people understand that there’s always a way. People have always kind of thrown their hands up as an investigator saying, “oh, you’ve got to be kidding. Really?” No now…but I think it’s…the sky is falling, right? There always will be a way. Because if people make, or manufacturers make mobile devices that are so difficult to 1) either operate or be able to access, they’ll never have a user, right?

It’s like, “hey, here’s an iPhone. We’re going to get rid of this port, but now you have to enter 14 digits and you have to remember a passcode that is 25 digits…”, no one will use it. They’re like, “no”. They have already forced security on those devices, but they’ll always have the ability to back things up online in the cloud. And so people, again, not to be long-winded, but I think the biggest issue that we’ve run into is helping those examiners understand that there is a way and we can provide that.

Desi: Yeah, interesting.

Lee: Yeah, one of the things too, I mean if you look at the encryption, encryption side of it…we were talking about you would have full disk, now you have file-based encryption. That’s a hurdle, right? I mean, that becomes very difficult, especially when you’re dealing with devices that you have on those, especially if we look at…with iOS devices, any of the new Android devices, we talk about Samsung or any of those.

That’s a hurdle. However, explaining to people the access that you might have for those third party applications, if the device is locked, that’s okay. I mean, if you have access and we can go and you can access any other cloud services, their Google account that owns everything. Looking at…trying to make sure that people understand there are other ways.

Si: Well, that’s fundamentally, you’ve got…if your data is inaccessible, it’s of no use to anyone. So it must be accessible at least to one person. And therefore there’s always a way, isn’t there?

Lee: True story.

Desi: So I was just going to say, so it does sound like that initial hurdle is just like you were saying at the start, the user passwords, the tokens, and then if you’re in law enforcement or it’s a company device, you’re likely to get that anyway.

Lee: Yeah. And that’s a nice about if we talk about the corporate space. The corporate space, especially if it’s a company owned device, either you’re managing it already under some MDM solution that you can go and access, and we can make sure that 1) either it’s unlocked or…that space is nice. It really comes down to side of the law enforcement side of it and help them understand that that data can still be available to them even if the device…I mean, someone takes a hammer to the phone, smashes it up and everything else, there’s still ways, there’s still ways to go in and obtain some of that information.

Si: Do you guys deal with the chip off acquisitions given…processing it?

Lee: Yeah. Processing it. Yeah, exactly. So we do ingest binary images. So if someone goes in and…a lot of the whole JTAG and everything else is kind of gone by the wayside simply because of the level that you might have of the encryption. However, if it is available, yes, we go in and we’ll parse that information out to it just like it’s a binary…or it is a binary, like you wind up going extracting a full disc image.

Si: Yeah, no, that’s cool. Well, okay, so I mean, I think this seems like a good sort of natural break point to say we’ve had you and picked your brains for the last 45 minutes or so. But you’re stuck in London in terrible weather and some of the most exciting…Desi, you missed out on this. Desmond, Alex left the country on Sunday.

Desi: I did. I was just there. I had a week of beautiful weather!

Si: He rocks up in Oxford wearing shorts and he made the right choice. I did not. Did you get the thunder and lightning the other night? It was incredible over here. I don’t know what it was like in London.

Lee: Yes, it was. Yes, it was.

Si: So anyway, what have you got planned for the next couple of days? I mean, obviously you’ve got the conference and the vendors and your partners to be catching up with, but have you got anything else on the cards while you’re here? It’s a long flight.

Lee: Yeah, yeah. No, I think just some fun and games, right? It’s…quite honestly is in trying to…with all the partners, making sure that 1) they have all the tools that they need and enable them. I think that’s the most important part. However, we have some events planned and I think they had some events last night. It was quite interesting to see them all when they showed up. I’m not quite sure what…

Si: A good morning lecture, yeah?

Lee: But hey, I don’t know. I’m just here for the ride to enjoy.

Si: Excellent. And what are you going to do to get some R&R when this is all said and done?

Lee: Yeah, actually I think I’m headed in Oktoberfest.

Si: That’s a good plan. Excellent.

Lee: Hey, if I’m over here and it’s an hour and a half flight, might as well hit Munich, right?

Si: Yeah, absolutely.

Lee: When we’re done the event and enjoy a liter or two.

Si: Yeah. Good plan.

Desi: That sounds really good.

Si: Well, thank you so much for your time today. Thank you for joining us. Thank you for being so eloquent about Oxygen and everything that you guys have got going on. I think…I mean, again, I’ve used it, it’s a great product. I honestly would recommend it to anybody who wants to trial it and give it a go.

Lee: I do appreciate it.

Si: So you can find these recordings on the Forensic Focus website, Spotify, Apple Podcast (whatever it’s called this week), YouTube. Where else are we, Desi? I said Spotify. Yeah, that’s it.

Desi: Yeah. Most places you get your podcasts from. We’re…the videos are on the website and on YouTube, with transcripts.

Si: With transcripts, which are excellent. And so thank you very much, again. Really appreciate your time and…

Lee: Of course. Thank you guys.

Si: Thank you. And we’ll talk to all the rest of you in our next thing, at some point in the future. So thank you very much indeed.

Desi: Thanks all.

Lee: Thanks guys.
