Si Biles, co-host of the Forensic Focus podcast, reviews Oxygen Forensic® Boot Camp, a three-day instructor-led training event focusing on the extraction, use-case, and reporting capabilities of Oxygen Forensic® Detective.
“Boot Camp” is a military term that equates to “basic training” – the induction process whereby you become fundamentally adept at the required skills. It’s a naming convention that is well applied to a number of training courses that bring you to that base level of knowledge required to use a product or do a job, or – occasionally – both.
The “Oxygen Forensic Boot Camp” is a three-day course that is focussed around the use of “Oxygen Forensic Detective” (OFD) in the analysis of mobile phones. It’s an instructor-led course, available online, with sessions scheduled on various dates and across different time zones. This flexibility should make it easy to find a session that fits your schedule.
Instruction and Course Materials
The course was delivered with flair, humour and no small amount of patience by Phill Russo from (I believe) Perth in Australia – a good seven hours ahead of the UK; his staying power until past midnight was impressive. The other four delegates were spread out over the rest of the world, occasionally with less than stable internet connections on their side, and Phill kept us together and progressing at a reasonable pace throughout.
This was aided by the training guide – provided to us a few days before the course start as a Windows executable, giving us a standalone e-book of the training manual. I noticed a glitch in this e-book, where the index bookmarks didn’t line up with the respective sections, and personally, I would have preferred a PDF.
Learning Environment
The overall teaching environment was very interesting. As well as this e-book of course material, we each had a dedicated machine running OFD – and much to my surprise, these weren’t VMs; they were real physical boxes co-located with Phill in Australia and shared out with LogMeIn. I found that they were responsive and usable – both in terms of their desktop performance and in their accessibility over the 9,000 miles.
Others struggled a little more where their internet wasn’t performing quite as highly as it does in the UK, US or Australia, but even then they seemed able to keep up – just with occasional disconnects. The nature of LogMeIn meant that a disconnect didn’t result in the machine going down – so they were able to carry on where they left off.
Course Delivery
The audio-visual, meeting part of the online training was delivered through Zoho – it was a new one to me, but nearly all of these things are equal on the surface, and it certainly performed fine for the purposes of the course – no better or worse than the more ubiquitous Teams or Zoom.
There was also some use of quizzes in recapping, which always brings out a competitive streak in me. I really like the gamification of training – at least in part – and it does allow for both the student and the teacher to gauge progress.
The course content itself is focussed on the use of OFD in its analysis capacity. Oxygen makes it quite clear that this is not a course about acquisition and for good reason. The Oxygen “Extraction in a Box” (XiB in Oxygen parlance) course (also three days and instructor-led) provides students with a selection of physical devices to plug in and take images of – which really is the only sensible way to do that piece of training – so is left as a standalone course. Nonetheless, this foundation does cover off the true basics of installation, configuration and updates – so, acquisition aside, it’s a “from scratch” introduction.
Balancing Technical and Practical Knowledge
Finding the balance of a vendor course is a real challenge – what responsibility lies with the vendor to teach digital forensics, as opposed to the use of their tool? This is doubly so with a powerful tool like Oxygen, with which one can achieve some very impressive investigative results without really understanding how you got there. When you’re running a three-day course rather than a three-week course, this question becomes even harder.
The course book is perhaps a little light on technical detail about the inner workings, but that’s where a skilled and experienced trainer comes into their own. Someone who has “been there” knows not only about the product, but what you “need” to know when you’re dealing with the real world. It’s also an important aspect of having the respect of the students, as although the course or the product might be new to them, they often have significant experience of “doing the job”. Often it is the tips and tricks imparted by a regular, real user of a tool that prove to be the most valuable, as they reveal unexpected and practical uses that the software designers might not have anticipated.
Advanced Features and Practical Applications
There are eight additional courses on top of this “Boot Camp” (including the XiB course). These range from the niche specific (Drone, Cloud) to the advanced generic (Advanced Analysis) and from one to three days in length. This boot camp covered a huge breadth of the features available in OFD. These features include useful tools for image categorisation, optical character recognition (OCR) and facial matching. It also demonstrated how to consolidate multiple acquisitions into the same case for a universal search, social-graphing, geolocation and mapping, as well as the timeline analysis feature, which is every forensic analyst’s favourite.
Any practical teaching of forensics is actually limited by the example lab materials that you are working with, and in this regard Oxygen did a great job of giving us enough to create an analogous case to one that you might find in the real world, containing all of the requisite data but not overwhelming the student or causing the training environment to grind to a halt. The material was well put together, and even when we deviated from the prescribed course and strayed briefly into cloud acquisition (at my request!), it had been constructed well enough to allow that flexibility.
Final Thoughts
I enjoyed my “Boot Camp” – I certainly learned enough to be able to operate Oxygen competently at the fundamental level that would enable me to use it in a real case. I also think that Phill did a great job delivering it; his skill in delivery and his levels of experience added to the course. I think that there would have been something there for you even if you’d been an Oxygen user for a short while – something I felt was borne out by some of my fellow students who weren’t quite as green as I was to OFD, but who were still asking questions and learning things in the labs – but for me as a complete OFD novice, it was definitely worthwhile.