Matt Finnegan: Hello, everybody. My name is Matt from Oxygen Forensics. Thank you for taking the time to listen to this webinar today. And the topic that we will be talking about is Oxygen Analytics Center, or OAC for short. OAC is one of our newer products, so you may not have seen it or heard about it before. And the aim of today is really to provide a general overview of what the system actually is, but also what it can be used for, where we think it fits within that digital forensics ecosystem of tools.
So to give you a brief idea of the things that I’m going to talk about today, I’ll talk about what OAC is in a nutshell. And also a little bit about the architecture of the system, how it can be deployed, where it can be deployed. I’ll move on to, you know, logging into the system. And the first thing that I’ll talk about when I do that is actually the system of user roles and permissions that we have, which is really integral to OAC.
I’ll then talk a bit about how you can load data into OAC and a few different ways that we can do that. And then finally, I’ll give you an idea of what the data actually looks like within OAC and some of the functions that you have there. So to go back to the start, I’ll try and sum up what OAC is in a nutshell. I think the easiest way to do that is to say that it’s a client server based application.
And the idea is that you can upload data from digital forensic sources into this central server, and then you can access that data through a web browser, which has a number of advantages that I’ll come on to talk about in a moment.
So you can see on the screen in front of you that I have the OAC login page. And I’m going to log into OAC in just a moment. But before I do that, I want to talk briefly a little bit about the architecture of the OAC system. So, in terms of deployment, the end user can really deploy OAC wherever they like. It can be deployed on premise, so it can be deployed on bare metal or a virtualized environment on premise. Or if people do want to deploy OAC into, you know, a cloud environment or some other virtualized environment, they can do that as well.
The installation process is quite simple. It’s just a single executable installer file. And once you have that, you can install it wherever you like. So we want people to be able to install it on premise if they want to because that can be quite important. But equally it can be installed absolutely anywhere.
So I’m just going to log into OAC, and I’m actually going to log in as this administrator user that comes as default with OAC. And you’ll see the reason for that in a moment. When I log in as the administrator, it gives me access to this administration page. And by default it will actually take me to this users page within the administration section.
So this is the users page that you can see here. And this concept of having multiple users is really, really quite core to OAC. And it’s its role. You know, one of the primary use cases, for OAC is to give other people access to digital forensics data easily and quickly as well.
You know, if we think about when digital forensic examiners do extractions, then they process and decode and parse data from those extractions. And, you know, that is generally done in quite specialized digital forensics tools such as, you know, Oxygen Forensic Detective. But once the digital forensics team has done that work, there’s usually a requirement to share the results of that work with other people, who are not necessarily digital forensic specialists. So those are the people. For example, they could be, you know, police personnel that have been assigned to review information from digital forensics data, be it images, messages, web browsing history, etc., and they might not be digital forensics people.
You know, their day job might be completely different, but they’ve been pulled in just by the fact that they were working on a particular case to review some of the digital forensics data from that case. But it could be it, you know, a lot of other people that would need to look at digital forensics data as well.
For example, that could be more specialized analysts if we’re talking about a law enforcement specific example. Again, it could be analysts whose day job is to work with cell phone records and CDRs. And so they might just need access to a list of the contacts that were found on those extractions. And they could be more general analysts who are looking at data from a number of different sources, including digital forensics data.
And it could be people outside of that law enforcement sphere. It could be in legal proceedings. Quite often third parties require access to digital forensics data. So there’s a whole raft of people that kind of act as customers, of the digital forensics teams that are producing this data, but they’re not necessarily all technical.
They’re not necessarily all digital forensics specialists. And the way that we would share data with those people traditionally is through the medium of things like PDF reports, spreadsheet reports or possibly, using something like the Oxygen Viewer, which is a free, standalone, portable, tool that can be used to view digital forensics data.
And those methods – they all work. But there are disadvantages to them. You know, probably the biggest disadvantage is the time and the overhead that can be involved with generating those reports and getting those reports to people. And particularly if it’s something like the viewer program where the end user then has to set up the viewer on that machine and import the data into the viewer to be able to look at it.
And all the while, when you’re using those methods, everybody’s looking at that data in isolation. And that brings me onto one of the key features of OAC is that you can have all of these different users created. And if those users are logged in at the same time, they will see the work that other users are performing.
So it is a multi-user, collaborative environment. And that is becoming more and more important actually, with the sizes of cases and even just the amount of data that can be on a single device. You could be talking about a case with 20, 30, 40 different devices or extractions from different sources. And each one of those extractions could be huge.
That could be thousands of images, millions of messages on each one of those extractions. And increasingly, we see that the task of going through all of that data is assigned to more than one person. So you quite often have review teams of ten, 20, 50 people. So one of the ideas behind OAC is that instead of everybody working on that data in isolation, you can create all of those people as users within the OAC system.
And then as long as they have access to the server, they can log in and work on that from any machine that is capable of running a web browser, which is pretty much everything. Right? It’s going to be every computer, but also phones, tablets, laptops. And so there’s real big advantages to having this system that you can log into through a web browser.
So to talk about the way that users and roles and permissions to data work and you can see that I’ve got a number of users already created in my OAC instance that I’m running here. And I want to talk about actually two separate things here. So the first is roles and the second is permissions to access data.
So if I talk about permissions first, we appreciate that especially in a system like this where data is held centrally, you won’t necessarily want to give every single user access to every single device or case inside the system. So you can assign particular devices or cases to particular users. And actually if I go in and just edit this particular user, and go to the permissions page, sorry, the data access page, you can see an example of that.
So there’s a concept of departments, cases, and individual devices here. So you can create departments and you can put people into those departments. And then you can also put devices or cases which can contain multiple devices into that department. And people, if they’re in that department will inherit the permissions for the cases and devices that fall within that particular department.
So as an example, if I select this one department that I have created for counter-smuggling and within that we have this particular case, I don’t say these particular devices, but you can also give people access to data on a one off, case by case, or device by device basis.
So if I just wanted to give somebody access to a single extraction, I could do that as well. And I’m going to give this user just access to this one extraction here. The other concept that we have within this user section is the idea of permissions. And to demonstrate that, if I want to go and add a new user, there’s a number of different roles I can select.
Now, some of these are predefined roles. The first three, are predefined within the system when it’s installed. And the fourth is actually a custom role that I’ve created. So I’m just going to go back and go on to the role manager, which allows you to create these custom roles, and you can name them whatever you like.
And this is not really about, defining what data people have access to. This is more about defining what functionality and actions are available to those users within the OAC system. So there’s quite a detailed matrix here which allows you to give people access to particular sections of the system. So as an example, if you had an analyst whose job was purely to look at communications data, you might only want to give them particular views for contacts and communications, as I’ve done with this user.
And also actions. So, you know, the ability to create or view or edit tags are things that can be defined within this role manager. So I’ve only given this user permission to view and create tags, but not to edit or delete already existing tags. So there’s a lot of flexibility in terms of what data people have available. But also what actions they can take and what views they have available within the system.
You know, there could be different reasons for that. It could be that, for legal reasons or compliance reasons, and people shouldn’t be allowed to just do broad searches. So you can remove those search abilities. And there’s that kind of reason. But it also may be the case that if the users who are using the system are not as technical – if looking at digital forensics data is not their day job – you may just want to simplify the view inside the system so that they don’t get distracted or overwhelmed with the amount of different options that are available.
And it will simplify their workflow because there will only be a few different sections that they can actually go to. So as an example, I’m logged in as this administrator user, and I have access to all of the different views and analytics and search functions within OAC. So you can see I’ve got a number of different views here. A number of different options for searching. A number of different analytics etc. And if I was to log out now and log in as this user, where we’ve more tightly defined that user’s role to just be around communications and contacts.
It’s like, bear with me when I log in as this user, we have a much, much more simplified view. So we do still have the ability to look at the cases and devices that we’ve been assigned to. But within that view section, we really only have the ability to look at contacts and communications. So I think this is quite important to be able to control and restrict what users can see and do, but also to make it more simple for users. If it’s somebody who just needs to look at communications, you can make their life much easier.
Particularly if they’re not that familiar with the tool by just giving this communications view to them. And then when they log in it will be quite easy for them to see where they need to go, in order to review or analyze that data. I’m going to log back in as the database administrator user because there are a few things I want to show you inside the full view version of OAC as this user.
So the next thing that I would like to talk about is how do you actually get data into OAC? How do you load data into the tool, and what does it look like once you’ve done that? There are really two main methods to load data into OAC. And the first one is actually through Detective. So if I open up a copy of Oxygen Forensics Detective here, you may have noticed if you are a user of this tool, over the past year or so, if you right click on a device, there is a new option here, which is export to Analytics Center server.
Within the settings in Detective, you can actually put the IP address and username and password for an OAC instance into Detective and actually link the two together so that you can push data directly from Detective if you want to. And so once you have an extraction loaded into Detective, you can right click it. Or you could do this on an entire case basis as well, and export data directly to the Analytics Center server.
And it allows you to export data selectively as well. So if you do have somebody who just needs access to those contacts, you could do that or you can send everything from the device. But having that selective export to OAC, I think, is quite important because again, with the volumes of data that we’re seeing in cases and devices nowadays, if you can just send the data that needs to be looked at, or that is the most important always, or maybe just the most relevant, for the person that you want to give access to, it will significantly cut down on the time that is taken to do that. And you can also do export based on tags. So, it’s important to note that all of the tags and key evidence, styles and notes from Detective will transfer across into OAC.
And you can even do the export selectively based on particular tags as well. The second option to get data into OAC is actually to do it through the web browser. So if I go to the data view, or the data page and go in the load data view, you can load data from a few different formats, through the web browser.
It is, I think, worth saying that anything that will go into Detective can also go into OAC. So this is not just a tool for analyzing mobile phone data. All of the things that you would be able to load into Detective, including mobile phone data, but also computer data, cloud data, downloaded accounts data, warrant returns, vehicle data, drone data.
If it will go into Detective it will also go into OAC. So this is not just a tool for looking and analyzing mobile phone data. It’s more broad than that. It’s digital forensics data. Generally in terms of how you can view the data. So there’s a lot of different options here. And I’m not going to talk about all of them.
I’m just going to give a general idea. If I go into this devices page where I can see all of the devices that I have access to as my current user. If we open the statistics, this looks quite similar to that dashboard that you get in Detective. And as I start to click around these different devices, I get some statistics, about the top ten contacts, top ten apps, top ten groups, etc., etc. And I also get the device information that I would have in detective as well.
So if I wanted to look at the model or the IMEI or the SIM card history potentially, I can find all that data in this page. If I then want to start looking at the data on a device, there’s a few different options. And like I said before these can be restricted based on the users’ roles.
One of the views that we added in the last release is a really, quite useful one, actually. It’s a general communications view. And this is a really a quite simplified view of the communications data on the device. And I just want to show this one to you as an example. So the idea is that you can, you know, look at the different accounts for messaging applications that might be on that device.
So for Telegram, for example, there’s two private chats within this account. And then if I click on one of these I just get a really simplified chat bubble view of that particular chat thread as the user would see it on the device in those chat bubbles. Really, really easy to view.
The general UI layer that we have actually within OAC quite closely mirrors Detective as well. So we usually have filters on the left hand side, some content in the middle and some details over on the right hand side. Everything that you can see within OAC is an item you can tag. So I can add tags to things. And like I said before, other users will be able to see those tags as well.
So as I start to tag things or even add notes to things, when other users are looking at that data, they will see those tags, and they will also be able to filter on those tags as well. So as an example, I could go through one day or one particular shift and tag or mark things as key evidence and then say to the next person, “I’ve worked up until here, if you filter based on my tags, you will see all of the things that I’ve marked as being interesting or where I’ve gotten to in my current work.”
I just want to show maybe 1 or 2 other views. So if I go back to devices, and maybe look at a different extraction that has a little bit more data in it, you can see there’s lots of different views. If I wanted to view the files to do an image review, I can do that. I can just look at a list of the contacts and I have a mapping tool as well.
Maybe this is the last view that I’ll show within here. And we’re not really going to have time to go into the search functions and the analytics within OAC. This workspace view is an aggregation of all of the parsed decoded data on the device.
So you can also view communications within here although it’s I think easier to view those within the communication section. But what you’ll see in this workspace view is a really, thorough set of filters, for the different categories that we have. So this is not just the messages. It’s also the web browsing history, user searches, etc., etc. It can really be thought of all of the parsed data on the device.
And then we can start to filter based on those particular things. So we could just filter on one category and we can add a lot of additional filters as well. But just as an example I’m going to apply a filter to this web history. And we can see the web history from that device at a quick glance.
And again, as we’re going through and reviewing this, we can mark things as key evidence or add tags. The purpose of this is really to give you a very quick overview and general overview of the system. I’m not going to go into the particular analytic views or search functions that we have. Hopefully this has been enough of an intro to give you an idea of what the system is. Where we see it fitting – particularly with that kind of review use case, giving other people access to data easily. The idea that you can just send somebody a username and password, and an IP address or a web address to your OAC server, and within seconds they can be looking at that data.
And you could have even pre-tagged the things that you want them to look at. So all they have to do is filter on those tags. You know, that’s a very different and much easier workflow than the traditional export to a PDF or spreadsheet or export to the viewer format, email back over to them or Dropbox it over to them and then it could be quite a big file. And then try and explain to them how to load that data into the viewer and then try and point them at the right thing. And this is a much, much easier process. It’s as simple really as giving somebody that username and password. And you can already have predefined in their roles and permissions what they have access to. And what different functions they have access to within the tool. So I’m going to round off the webinar there.
There’s much, much more to this tool than I’ve had time to show you. So if you do have any questions or you’d like to see it in a bit more detail, please feel free to get in touch with us at Oxygen Forensics, and we’ll be happy to do a more detailed demo or chat in more detail about your particular use case and see if it can fit that.
So thank you for taking the time to listen to this and watch this webinar today.
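The webinar describes two separate controls: data access (users inherit cases and devices through department membership, plus one-off case or device grants) and roles (a matrix of views and tag actions that is independent of which data a user can see). The following Python model, added here as an illustration and not Oxygen Analytics Center's own code, shows how those two layers combine with deny-by-default resolution. All department, case, device, user and action names are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Role:
    """What a user may see and do; says nothing about which data they may see."""
    views: frozenset     # UI sections, e.g. "contacts", "communications", "files"
    actions: frozenset   # e.g. "tag:view", "tag:create", "tag:edit", "tag:delete"


@dataclass
class User:
    role: str
    departments: frozenset = frozenset()
    direct_cases: frozenset = frozenset()    # one-off case-level grants
    direct_devices: frozenset = frozenset()  # one-off device-level grants


class AccessModel:
    def __init__(self, cases, departments, roles, users):
        self.cases = cases              # case name -> set of device ids
        self.departments = departments  # dept name -> {"cases": set, "devices": set}
        self.roles = roles              # role name -> Role
        self.users = users              # user name -> User

    def accessible_devices(self, username):
        """Devices a user may open: inherited through departments plus direct grants."""
        user = self.users.get(username)
        if user is None:
            return frozenset()  # deny by default: an unknown user sees nothing
        devices = set(user.direct_devices)
        cases = set(user.direct_cases)
        for dept_name in user.departments:
            dept = self.departments.get(dept_name, {})
            cases |= dept.get("cases", set())      # cases assigned to the department
            devices |= dept.get("devices", set())  # devices assigned directly to it
        for case_name in cases:
            devices |= self.cases.get(case_name, set())  # a case expands to its devices
        return frozenset(devices)

    def can_open_device(self, username, device):
        return device in self.accessible_devices(username)

    def can_view_section(self, username, section):
        role = self._role_of(username)
        return role is not None and section in role.views

    def can_perform(self, username, action):
        role = self._role_of(username)
        return role is not None and action in role.actions

    def _role_of(self, username):
        user = self.users.get(username)
        return None if user is None else self.roles.get(user.role)


ALL_VIEWS = frozenset({"devices", "workspace", "files", "contacts", "communications", "search"})
TAG_ACTIONS = frozenset({"tag:view", "tag:create", "tag:edit", "tag:delete"})


def build_sample_model():
    """Constructed sample data mirroring the webinar's setup (not real cases or devices)."""
    cases = {
        "case-smuggling-01": {"phone-01", "phone-02"},
        "case-fraud-07": {"phone-03", "laptop-01"},
    }
    departments = {
        "counter-smuggling": {"cases": {"case-smuggling-01"}, "devices": set()},
        "fraud": {"cases": {"case-fraud-07"}, "devices": {"drone-02"}},
    }
    roles = {
        # predefined full-access role
        "administrator": Role(views=ALL_VIEWS, actions=TAG_ACTIONS | {"search:broad"}),
        # custom role: contacts and communications only, may view and create tags but not edit/delete
        "comms-only": Role(views=frozenset({"devices", "contacts", "communications"}),
                           actions=frozenset({"tag:view", "tag:create"})),
    }
    users = {
        "admin": User(role="administrator", departments=frozenset(departments)),
        "reviewer": User(role="comms-only", departments=frozenset({"counter-smuggling"})),
        # analyst given a single extraction on a one-off basis, no department membership
        "cdr-analyst": User(role="comms-only", direct_devices=frozenset({"phone-03"})),
    }
    return AccessModel(cases, departments, roles, users)


if __name__ == "__main__":
    m = build_sample_model()
    for name in ("admin", "reviewer", "cdr-analyst", "nobody"):
        print(name, sorted(m.accessible_devices(name)), m.can_perform(name, "tag:delete"))
```

Keeping the two checks separate matters in practice: a user assigned to a device by a one-off grant still gets only the views and actions their role allows, and a role that permits broad search grants nothing on devices the user was never assigned.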