Oxygen Forensic Complete Training

Reviewed by Brad Robin

Introduction

This review will be based solely on the Oxygen Forensic Complete Training class that occurred in Lafayette, Louisiana between April 19-21, 2016.

Coming into this class my knowledge of the Oxygen Forensic Detective program was very limited. I still remember calling a friend the first time I used the program and asking “Where are the pictures and videos?’ Now don’t get me wrong I have a vast knowledge of the digital forensics community and programs, however you will find that all programs are created different and the GUI interfaces can be quite tricky until you learn each. This is why I am an advocate of being trained on the software you actually use in your day to day investigations.Expectations

Prior to this class I have taken many other classes since 2009 in the digital forensics methods. Some of these classes have been exceptional and some have been very boring. I think many of us in this field will agree that the instructor is a very important aspect of these classes as they can make something very exciting boring, and vice versa.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


My expectations for this specific class were pretty low. I knew that this class was one of the very first training classes that were being taught by Oxygen Forensics in the United States and was prepared for the “bugs”. I would soon be surprised.

Starting out the course

As with all mobile phone forensic courses we immediately start out with the basics. This is where we learn the acronyms: GSM, CDMA, IMEI/MEID, ICCID, UCCID and so on. As an examiner I can honestly say that there are many times I have had to look back at my textbooks to remember what the acronyms stand for. This part of the class is a good refresher for the seasoned investigator. Now for the new investigator this is where the whole thought of the plug and play system gets changed, you mean I need to know the difference between an GSM and CDMA phone. This small detail can be the difference from obtaining all the information from the device to looking at a phone as it wipes itself, scary huh.

Now we move onto the legal ramifications of what we do and how we do it, legally. As electronic evidence becomes more and more popular laws are constantly changing. Then we add a whole new level with backups, cloud storage, and protected information. This information was covered briefly as many jurisdictions have a different set of laws, however this is very important. One huge advantage of attending a local training is that many students are familiar with the laws in this area and can help you. Networking at any class can sometimes be just as important as the class itself.

So I now have the device, what do I do with this device? I think every examiner has their own steps that they take once a device is received. However, this class teaches you these steps on the process of handling these devices in a forensic manner. As a seasoned examiner this is a good refresher and for the new examiner a very important piece of the puzzle. The last thing you want is a mistake occurring during your watch.

Once you have taken all the precautions, you are ready to examine the phone. Wait, the phone is passcode locked! “Didn’t anyone get the passcode you ask. The common response is no; you can’t bypass the passcode? Who do you think I am, the NSA?” You may not be the NSA but you may still have a chance into the phone. This section teaches you some alternate ways into the phone and how to use the plist files. As an examiner you will quickly realize a locked phone will give you headaches, but there are additional ways into the data!

I have unlocked the phone, took all necessary legal and isolation steps, but the phone won’t communicate with the software. This my friends is called troubleshooting 101. It doesn’t matter what program you use; you will learn that the art of troubleshooting is a key element in forensics. I always laugh when troubleshooting resorts to “Hey can you do these exact steps I just did to verify I did it all? Sure.” Colleague then does exact steps you just did and the phone automatically connects, this my friends is troubleshooting 101 undefined. Luckily this portion of the class goes over in depth troubleshooting methods so you don’t have to rely on luck as much.

Oxygen Interface

This is what I have been waiting for months to do, learn the Oxygen Forensic Interface. Like I have said before, it doesn’t matter how much you know about forensics if you do not understand the tool you are using. For me this portion of the class is where everything comes together. During this section I learned many key features that I did not know before. It is always wonderful when you are a student in a class and you realize just how easy the actual interface is. Here are a few key features I learned during the class that I wasn’t sure of before:

Aggregated Contacts

This is a feature that I was honestly not sure of when I initially tried the software. Sure we all have contacts stored in our devices from multiple sources, however Oxygen Forensics takes these different sources and puts it all together in one nice package. This training took it a step forward and showed us how to merge and even unmerge these contacts as sometimes a software doesn’t understand it all. This is a key feature that without going to the class I would not have known about.

Cases and Devices

If you ever wondered how to add devices manually into a case or remove them, Oxygen Forensics gives you an easy method. On the top toolbar you will see “Open case”. Once you click on here you will be able to manage your cases and devices. This is a very easy feature that I thought was a key element.

File Browser

Before this class this tab has made me question this software heavily, even making phone calls asking where are the pictures and videos. Don’t make my same mistakes. The file browser contains all of your images, audio, videos, documents, database files, other files, plist files, geo files, photo thumbnails, and photo streams.

Cloud Extractions

Cloud extractions is a new element of forensics that is taking a leaping step forward, honestly I was very skeptical about cloud forensics until I had to use it. Oxygen Forensics makes this very easy with Oxygen Forensic Detective.

Many applications are now available using cloud extractions and some of this data can only be obtained by using cloud extractions.

It is a great feeling when that case comes up and you don’t even need the device to obtain the data you are searching for. Now that’s impressive.

Conclusion

Whenever I attend training classes there are certain questions that I ask myself after the class: Do I feel that the training was worth my time and the price, Do I feel comfortable using the software, Did I leave the class understanding more about forensics or am I even more confused, Would I recommend this class to others, Would I take this class again? Yes, these can be very tough questions to judge a training class by but it is my deciding factors on how to grade classes.

Do I feel that the training was worth my time and the price?

Short answer to this is yes, this was a three day training class that cost $2,399. This is the average time and cost of most training classes I have attended. The three day class was enough time to learn the software and not be bored during class. We have all been there when you look around the room and everyone is playing on their phones while the instructor talks, I did not find this happening during this class!

Do I feel comfortable using the software?

Yes and no is the best way to put this. Yes I feel that the training did a very good job in teaching me the software and how to use the software on a daily basis. However, and this is no hit on the training class itself there are times that I do have to look back at the book to see how to complete certain steps that I uncommonly use. When you take the class you are supplied a 180 page training book. Make sure you keep this book as you will sometimes rely on this for guidance.

Another reason for the no is like any programs there are constant updates to the software. Yes these updates are a very crucial step in forensics as we all know things change very rapidly. A downside to these updates is that something I learned six months ago may now be different in the software, an example is extraction techniques. These updates do require you to constantly re-train on the software.

Did I leave the class understanding more about forensics or am I even more confused?

This class was not one of those classes that I left thinking, what did I just learn and is anything I learned in the past accurate. This class was on par with other trainings I have taken and did not deviate from the forensic methodologies that I know and have learned in the past.

Would I recommend this class to others?

If you use any of Oxygen Forensics software I would highly recommend this class. Coming into the class I knew little about the actual software and when I walked out of the class I had a much better understanding of the software and how to use it for my daily investigations. One thing I would say is that this class was a three-day class and was the perfect length for someone to be introduced to the software, learn the troubleshooting techniques, conduct extractions, and ask any questions you may have. This was a very well-paced out class.

Would I take this class again?

As someone who has had the opportunity to take several classes on multiple occasions this is a question I commonly as myself. Some people may ask why, why not just take another class on a different topic? Every time I have taken a class again as a refresher I learn little things that I may have missed the first time. This class was well thought out and one of the best classes I have taken so my answer is yes, absolutely I would take this class again!

About the reviewer

Brad Robin has been employed in Law Enforcement for the past 16 years. He started his Law Enforcement career immediately after graduating from high school. Literally days after his senior trip, he was in the police academy. Since then, he hasn't looked back. Brad has been assigned to Patrol and the Criminal Investigations Division, where he is currently assigned to the Special Investigations Unit.

Brad remembers how he accidentally became a part of digital forensics. Back when he was working Crimes Against Persons he was involved in a homicide investigation and the location of the phone became a priority. Brad, along with another detective, began searching for different ways and determined through triangulation the possible location. Turned out that this location was correct and saved hours of searching. Since then he is hooked and is always looking for new methods that could assist law enforcement.

Since 2009, Brad has attended many trainings, certifications, and has spoken on digital forensics. He has written articles on digital forensics and has assisted investigators with digital forensics internationally. His peers consider him an expert in mobile forensics and he has testified as an expert in Federal and State court on digital forensics. Brad has been involved in several high profile national cases as the lead mobile forensic examiner and is called upon by his peers often on high profile cases.

About Oxygen Forensic Complete Training

Oxygen Forensic Complete Training gives an overview of mobile forensic techniques for people who are using Oxygen’s tools in their forensic investigations. Upcoming sessions are scheduled around the USA throughout the rest of 2016 – click here for more details.

Leave a Comment