Oxygen Forensics Tech Takedown: A Remote Journey

Dan: I’d like to welcome everyone to our Oxygen Forensics Tech Takedown webinar today. Our topic is A Remote Journey. My name is Dan Dollarhide and I’m the director of global solutions at Oxygen Forensics. I will be off screen manning the chat today. Sharing a screen and guiding us on the remote journey using our Oxygen Remote Explorer tool will be our vice president of training and technology, Keith Lockhart. We will be getting started momentarily, so buckle up.

Keith: Hey everybody. My name is Keith Lockhart. I’m the VP of technology and training at Oxygen. So we decided to get together and do this webinar called A Remote Journey because we want to talk about ORE. Which is Oxygen Remote Explorer.

And if you’re a detective user or an Oxygen user and you have OFD, Oxygen Forensic Detective, this is the natural evolution of, you know, maybe doing local extraction when you’re hooking up a device at your desktop to, let’s go get things from other places around the world remotely. And we want to see how that works. So I’ve got a few slides together just to keep us on track from a talking point perspective, and I have several windows open because I want to show different aspects of interfaces and things like that, but let me just start here and give a little background.

So, like I said, with Detective, if you would start a device extractor and, you know, let me just play along while I’m talking about this. If I came here and (that’s our AMC, we’ll get back to that in a second) and I ran the ORE interface, which is already running. Kind of like Detective with a few minor differences, it won’t make a difference for this conversation. And I ran the device extractor locally. That means I’m running this application, hooking up a phone with a USB cable and doing everything extracted locally to this PC workstation, whatever I’m on right now. That’s fine. That’s what we know, but we want to move away from that model in this conversation.

Think about, “oh, I’ve got a PC…”, and this is kind of like an enterprise technology that you would hear about from a PC perspective, but it also includes mobile devices, because that’s how we roll and what we do. In the old days, you know, if something happened on a machine somewhere, I may either have to travel to that machine or have somebody take it down, package it up, and travel it to me, you know, with a FedEx or UPS or whatever it was.

And, you know, that was the days of, “wow, that’s tough because I’ve got to have a whole office building full of machines, if something happened, I needed to respond to.” Well, then we come up with the world where, “hey, let’s send agents out those machines that I can control with a console somewhere else and not have to get on a plane, and I’d have to ship a hard drive somewhere,” or things like that.

So that’s the one thing moving away from a desktop, local in place thing and getting the ability to get to machines or endpoints or workstations, whatever you want to call them, remotely. Well, then we add in the mobile device factor. Not just PCs and workstations like that today, but phones. And how are we going to accomplish that rather than hooking up with a USB cable right here at the desk?

So ORE, you know, Oxygen Remote Explorer, has two components to it. One is this Explorer interface, which is kind of like the Detective one you’re used to, the one I just started here. Okay, there are a couple differences. But one of the biggest other component differences is this Agent Management Center.

And we’ll come back and look at it in this perspective, from this interface in a minute, because I already have it running administratively, we call it the top admin, you know, somewhere in the world, there’s one Agent Management Center that rules them all, essentially, and this is what I want to walk through, because this is a new component that allows us to collect and generate endpoints from our workstations and mobile devices, you know, make jobs to run against them, make profiles for those jobs, schedule jobs, maybe over the middle of the night or whatever it is, build other users into the system that can log in and do remote work and things like that.

So let’s walk through this interface and we’ll just take for granted everybody knows the Explorer interface like Detective and have another conversation about that another day. So here’s the AMC, as we call it: Agent Management Center. And what’s on the screen right now is an endpoint list. And if you can see in this list, I’ll just say that I’ve got a couple groups generated in my endpoint list. The red group is a group of PCs. The green group is a group of mobile devices, right?

And what I’m allowed to do here is add an endpoint, you know, throw an IP address out there or a machine name, credentials to that, and then deploy agents to those endpoints, whether they’re PC ones or mobile devices. Then I can assign those to groups, I can issue licenses to them, I can see all kinds of pertinent information about them here, and I can run tasks against them.

So this is my endpoint list, and look, in a corporate environment, there could be 10,000 in this list. In my house right now, I’ve got six going. One’s offline, the other five are online, but, you know, consider this conversation at scale as we move along. So here’s our endpoint.

And again, they’re separated into groups right now because the next thing in the list right here are groups, which allow me to segregate devices for later, maybe scheduling jobs against a group of devices, kind of like an IP range, or inheriting access to a group of devices from a user perspective, so I can assign a user to this group as well as devices, and we’ll see that later. Okay, so I’ve got a group section and it’s very simply, “hey, create a group, you know, make it a color, name it, and comment it”, and then assign endpoints to that group or take them away, okay?

Profiles. Here is an interesting conversation. A profile is what we’re going to build with the variables and qualifiers in it. So when I say, “look, I’ve got this computer hooked up right now. I want to collect the following information from it, or I’ve got this mobile device hooked up right now, I want to collect the following things from it.”

So let’s walk through this process because it’s super important. I’ll create a profile, or click the button to create a profile, and you know, I can just name this “webinar test” or “demo”, whatever. But here’s where things start going. Is this a workstation or a mobile device profile? And we’ll go with workstation first, because that’s half the equation. And we want to point out that, or I want to point out that when a workstation world we’re talking about Windows, Mac and Linux, right? All the flavors that we want to get through here.

And then, if you’re a Detective user, and you’re familiar with the technology called KeyScout, this section of tabs here might be very familiar to you, because in this workstation profile, in this profile of things to collect, what do I want to go after? Well, if I click search…well, in general, I can just do this, you know, all applications, just browsers, just messengers, just some kind of prefab filters there, or I can start from scratch.

Do you recognize this if you’re a Detective and a KeyScout user? What paths do I want to search through specifically and at what depth? What places do I want to avoid specifically to not waste time? If I have other passwords, I can put in this list to try to go against password vaults or other things that have passwords. Put them here.

From a file filtering perspective, I can add all kinds of rules. You know, “hey, does this file name include this? What are the date ranges, sizes, file types?” From an application perspective, well, what do I want to collect or not? From all these different applications, and you can see Windows, Mac, and Linux variations all the way through this. From a system artifact perspective, you know, file system type things, registry type stuff, what am I after? From a memory perspective, why do I want to grab processes, keys for different encryption things, file handles? What are you after there? And do I generate some YARA rules from a malware analysis perspective?

All of these things can be built into one profile for a workstation. Kind of crazy like that. And then, do you want to recover deleted files? Put a description in there. Terrific, and you can save that. So that’s workstation flavor. Let’s do a mobile device flavor.

Okay, so general, am I doing a full extraction? Which is kind of what you see, what you get type thing, all files, all sections, applications, activity, media, preordained filters there. Or do I want to get gritty? You know, and maybe filter by operating system, additional files, application files, audio, databases, documents, pictures, APKs, WhatsApp, shared media things. I come over to data, you know, apps, browsers, calendars, some of the default things you would see, like if you’re maybe using an Android agent locally through USB cable or not. You know, and then iOS applications.

Do you want to target your iOS extraction? Very cool. Target collection is big name in the game these days. What do you want to pick? Everything or not? Android applications. This is fairly…all really new. If you’re into an ORE world, we finally started targeting third party applications for Android now. And WhatsApp is the name of the game to start that out.

If you think back to the Android agent locally, that was not even available. If you could get the Android agent on a device with an OTG device, you had access to a third party application menu, and I think there are probably 18 of them where you can go get individualized application data off your Android. You know, if you got it right on the phone and you had it in your hand. Now we started that process for remote. Very cool as this grows up.

So we’re building profiles and we’re saving them. Right? So here’s an Android targeted profile. Here’s a C-suite collection profile that hasn’t been run. Here’s a new local targeted mobile phone. I mean, here’s a top secret custodians only profile. Because the point is, what are you trying to collect? Who are you trying to collect it from? Maybe you have different needs for different groups of people or different devices or different whatever. So you have a whole repository of profiles that you can build with all those different parameters to target very specific things or full things or whatever. And here’s where they’re maintained.

Here’s a list of tasks, a list of profiles that have been run against different devices. Or canceled, or whatever they are. This is just a big repository of things that have been done on the AMC.

Here’s the schedule section. So look, if I create a schedule, what I’m going to call this? We’ll also call this “web demo”, and I could put a description in there. So I add that. That’s fantastic. Do I want to add an endpoint to this? Well, here’s my endpoint list. Let’s say we’ll do that computer and that computer. Terrific. Then what do I want to happen here? Well, I want to…details, great.

Additionally, I want to run a weekly task starting on a particular date and a particular day and time, and then I want to add different parameters. “Hey, do you want to queue things up? If there’s already something going on, do you want to export the data over to the ORE Explorer interface when it’s done?” So, you set a big thing to go overnight and in the morning when you come to work, you want it all to be processed and waiting for you. If there’s a failure, do you want to retry every so often and how many times? If it’s longer than X amount of time, you know, stop it or whatever. So a lot of different variables you can build into a task like that, or a schedule like that. We’ll come back and try to do it at the end so it doesn’t go and take up all my space.

Agents. So here’s a repository where we build the agents that we want to deploy, whether it’s a workstation or a mobile device. And there are a couple of things I want to point out specifically. One of them is when we create an agent, what do we want to call it? What operating system are we dealing with here? So we have to have a little conversation about how workstations work versus how Android devices work and how iOS devices work.

So if I’m making an agent to deploy brand new to a workstation, let’s say it’s a Windows one. That’s fine, the version of the agent that’s being created. Here is something super duper important. When this agent goes out in the world, and it’s supposed to bring data back, or send data back, where is it sending it to? So the default is this, you know, local machine loopback address here. However, you can see up above, these three agents I’ve created, two of them are pointing at 10.0.0.199 inside my local network. My AMC machine is 10.0.0.199.

However, what if I had machines outside my network, somewhere else in the world, that I wanted to deploy out there, but still call back to this particular location? Well, you can see here is a public IP address for a remote workstation. I just named it remote. I named it local. And my description is “this is for machines outside the local network.” No, that is not my actual public IP address, all of you that are like, “we just got Keith’s public IP!” No. However, if I was to set up a port forward to this machine and use my public IP address, that agent would knock on the door, come through the port it’s supposed to and have access to the AMC environment, the ORE environment here to do the work it’s supposed to do.

So you’ve got to think about that, right? And agents are not licensed. The only thing that really gets licensed here are endpoints. And we’ll talk about that a little more as we get into some of our additional point list. But you could have a whole list of agents that are local that are remote. You could have a Windows set of agents…like almost every one of these deserves a local and remote, right?

A Windows local network remote one. Linux: local network remote one. Mac: local network remote one. Android: local network remote one. Now, you don’t see iOS here, so let’s have that conversation as well. The Android agent today, the grown up, recent grown up version (I guess it goes in growth spurts) is now an agent that we can deploy to a mobile device that will collect from anywhere without necessarily needing friendly hands to do anything.

And what I mean by friendly hands is sitting…let’s say Dan is my cohort in crime here. Dan is in Alabama. Dan and I routinely do this exercise where Dan can log into this environment, control…build an agent that would talk back to his house, control this AMC, and say, “okay, Keith, I’m ready to collect that phone.” Because I’m an employee of Dan’s somewhere in the world. So I would hook up the phone with friendly hands and initiate the collection and Dan can pull it back to his house.

So that’s one way of doing things. And that’s the current way of the iOS environment. And we’ll talk about that a little more in a second. But the Android environment has grown up now to where if Dan deploys an agent to this Android phone, I can take it anywhere and Dan can call it from afar and I don’t have to do anything. So you can apply lots of scenarios to that. But that is the way an Android agent has had a growth spurt in recent builds of ORE.

Okay, I do want to then come back to the endpoint world and say, “look, from an iOS perspective, we have to close that loop on agents and how they deal with iOS.” So a workstation, like, look at this Burnett iPhone X. That’s a phone. It is currently online. It is assigned to the O2 workstation, because the O2 workstation down here is a machine. For iOS (and if I do this and just let’s see if I can smash that there) here is the workstation, O2, that has that phone hooked up to it right now.

And there is a remote device collector on that machine. This is it running. So, from the iOS perspective, I would take a machine, I would add an agent to it, and on that agent, I would also initiate a remote device collector component. So, not only could I collect from this machine, I can use it to collect remote mobile devices.

Now, the way the mobile device world works, look, this one, this Burnett iPhone X can only be collected from this O2 machine. The iPhone 7 can be collected from any machine out there with a remote device collector on it. So you have that kind of, I don’t know if security is the right word for that, but you have that kind of lockdown ability to say, “yeah, no, there’s only one machine in the world that can collect that phone. It’s in a closet, and only one person has access to…”

I mean, again, build whatever scenario you want there. The remote device collection of an iOS device will require a friendly hand at this machine to hook it up, run the RDC, and once it’s connected like this, then you can initiate a task back here, run a task, and have that whole process complete like that.

Okay, so big conversation about profiles, big conversation about agents, especially when it comes to, are they local or remote, and what exactly are you trying to get? A Windows one, a Linux one, a Linux environment, or a Mac environment. Okay. Then we have users. And I just have four users in here, but each user has its own kind of nuance.

So first, let’s go look at the set user roles. If I make a user, what do I want this user to be able to do? Be a complete administrator? Do whatever? Or be just an operator with some limited things? Or I can set up a guest role, kind of like when you put that guest code on your garage door opener on the outside. Or I can make a whole custom one. Brand new role to anything I want and assign people different things to do. There’s like a whole permission matrix of, “hey, can you make a schedule? Can you make a user? Can you delete users? Issue licensing?” Right?

And that might be important, but, you know, reserve that for the administrator because your available endpoint licensing loops down here in the bottom left. I have 64 licenses left; every time I hook up an endpoint, that decrements a license here. That’s where your licensing comes into play. So it might be important to reserve that only for special people, but I can assign permissions to users this way. So I’ve got an Amanda user, and interestingly enough, if I edit the Amanda user, Amanda is part of the green group, right? So I think that’s my mobile device group.

So if Amanda logged in, all she would see is the green group devices or endpoints. I’ve got a Dan user. I think Dan is assigned the red group. And we’re going to use the Dan user here in a minute to actually see how that looks when the Dan user logs in because Dan is also an operator. So, take a mental note: I’m logged in as the administrator right now of everything. I’ve got one, two, three, four, five, six, seven buckets of things over here to do. I don’t think Dan will have all seven.

Klavdii happens (oh, let me just look over here) Klavdii is assigned everything, unassigned green group and red group and Randy has no groups at all assigned to Randy. And I can see their individual permissions and things like that. So, watch this nuance, right? So, I am somewhere in an ORE environment. There is an agent management center, as I said earlier, the one to rule them all, kind of the top admin. One of those runs all the time somewhere so other people can do remote work if they need to do it through this AMC if it has to come down to it like that.

So I’m going to put this, just minimize it like that. We’ve got top admin here. And then I’m gonna come back to somewhere in the world somebody has the ORE Explorer interface, right? Two components in this environment. One place has the AMC server to rule them all, always running, other places in the world, there are users that have this interface, and they say, “that’s great. It’s time for me to do some more collection.” So I’m just going to start my interface to the AMC. Oh, I’m already logged in as Dan. Let’s disconnect. That ruined my surprise.

Okay, so I’m going to go start up my AMC, and I’m looking for this one, this top admin right here at 10.0.0.199. I’m going to log in as my Dan user. I’ve got my password here, so I can connect. So now Dan’s logged in, and if I look, Dan’s green on my board here. Where’s Dan logging in from? Terrific. When’s Dan last logged in? Terrific. And here, Dan only has access to the red group environment things, because that was, as we looked, I look at groups over here, for Dan, Dan has red group assignment.

So Dan can’t see the green things. He can only see the red thing. So it’s kind of permissionally for Dan inheriting like that. And Dan has endpoints, groups, profiles, tasks and schedules, not agent library, not users, because he’s an operator, not an administrator. Okay. So big premise there. You could have a thousand users, not licensed. Available endpoints are what’s licensable for the AMC environment as you hook up different endpoints.

Okay. What I want to do for a second before I talk about some of the additional points we want to do is come over here and see if we have any questions about this conversation to this point. Okay, so I don’t see any actual questions there, so that’s fine. That being the case, I want to come back here. And, okay, we’ve talked through those things about the interface. Let’s talk about this. So, covering Windows, Linux, Mac, Android, and iOS. So we’ve had that conversation, this is true. Allows for targeted collection. We’ve had that conversation. This is true. Workstation collection. Ah, scheduling.

Okay, so let me come back here and I’ll just minimize the Dan login. I’m going to come back to schedules and we’re going to create one and try to run it against some endpoints here. Now, let’s go to endpoints. All of my PCs that are online right now are in the red group, okay. So I’m gonna come back to schedules. We’ve got our web demo. I’ve added those, so I’m going to remove those. And I’m just going to assign the red group to this.

Okay, so I’ve got three endpoints, three users, terrific, PC workstations, great. Then…what time is it? 10:31. So I’m going to come over here and do this once, and I’ll start it today. (Today’s the 12th, right? Yes. 10:31. How did I get to 11:17? I don’t know. So 10:32. Apply that.) Okay, so I’m right on the cusp of 10:32. Let’s do a scheduled workstation profile. I’ll apply that. Got my profile set now. Got my group. Let’s go back and just watch the endpoints and see what happens. I can see I ran one earlier and canceled all of them as they were going. So I’m just going to stand here and watch until 10:34 and I saw a question in the interface here. So let me see if I can get to that.

Is it imperative to know Dan’s IP address? Amy asked this question about that. Is it imperative to know Dan’s IP? Yes, Amy, if we were going to create an agent to call back to Dan’s house, we would need to know Dan’s IP address for sure. Okay, hope that answers that question. Kind of like his public IP address versus mine. And you’d have to port forward at that end to get through the door or, you know, whatever kind of VPN…however you set that up is kind of on you, but you’d obviously have to know his to make it go back there. Amy, good question. Okay. 

Doctor, what are the most features that enable option software to be distinguished than other forensic tools? Big conversation, not quite for right now. So I’ll come back to that if we have time. So, next question. So this is tailored towards organizations, which would work for like an ESI collection. We could work with the IT staff to allow access for collection. What if I want to use it more as a collector system for like an individual client that has a single computer and a single IFR Android is that possible? Ty, absolutely. Great use case. Right? You could be a service provider that works with one person that says, “hey, listen, I got to do this.”

You know what you say? “Hey, I need to send you an agent. I’m going to teach you how to deploy it on your machine, and then you’re going to hook up the phone for me, and I can collect it back to wherever.” Or in, you know, maybe it’s a consenting victim, maybe it’s a..who knows what it is. But Ty, you can absolutely do that use case, which is, I want to use it for more as a collector for an individual client that has a single computer and or phone. Is that possible? Yes, it is.

The third trial versions of what auction software? You know, Dan, you might have to put in this…we set up POC, proof of concepts, for our enterprise technologies versus a trial like that, I think. I’m going to hope Dan can clear me up on that answer. So I presume you could use (new question) I presume you could use a solution like Tailscale to create a VPN network that doesn’t require port forwarding, right? Jacques, I think that’s, you know, networking, not my forte. There are a few ports that have to be open for communication above and beyond that you can secure that connection or make that connection any way you need to. 23891 is our port of communication by default. As long as you have that free and clear to connect to, you can tunnel your way there any way you need to. So, good point there.

Oh, and I’m watching that, not even looking at my screen. So if you look back at my screen, this PC has kicked off its process down here. So I think I made my 10:34 mark. (What’s this one doing?) So is this one. (And what is this one doing?) So all three of them, the red group, kicked off at 10:34 it looked like, and I think that profile is go collect Firefox. So that’s doing Firefox, that’s doing something, and that’s doing something, but this one’s already got to its Firefox point. So cool, I created a schedule, made my train stop time, and all three of them kicked off and are doing their thing. Now, from a time perspective, or no…from a size perspective, I just want to cancel them all because I’m populating space that I don’t know that I have right this minute, but that’s okay, I’ll let it go.

Let me come back to the questions over here. Okay, nothing there right this second. So then I’ll come back over here to these points. So workstation collections can be scheduled, we just did that. No recurring cost. And I said, you know what, Dan, you can have that conversation. But I think Dan’s point to that at that point was, yes, look, once you license an endpoint, I’m pretty sure the default endpoint count when you purchase an ORE environment is 20. And then there are, “hey, you want to purchase 20 more? You want to purchase…?”

I don’t know what that scale is. Price point per number of endpoints. I’m sure a great sales person beyond me could have that conversation with you. But once those are…that’s it, that’s the only real cost. And once you license them, your endpoint, your environment, you know, you don’t have to redo it every time. It’s not like you’re charging per collection.

Once it’s endpointed, it’s an endpoint, and that’s what you’re paying for. So the cost savings versus travel. Yeah, that…look, if there’s one big pain point, like what does this do for me? It eliminates you having to have 30 people in an organization package up their phone and send it to you and take them offline all week so you can collect data from their phones for your, you know, “oh no, we’re getting sued!” You know, for your ESI, and man, it’s just crazy that you can do all this remotely and save all that time, effort, and pain. I mean, think of the COVID implication all by itself. Nobody’s going anywhere, and we don’t have to.

Super important point, though, this is on prem. We don’t host any of this. We don’t do your data. We don’t want your data. We don’t want anything to do with it. This is all you, right? So, however, you want to host it, whatever you want to hook up to, to collect you because it’s big, you know, that’s all you. But we do provide deployment. So, let’s take the example: Ty’s question.

So if it’s tailored towards this and I want to use it like this, I want to do this…hey, we can help you set that up, you know, I mean…here’s the kicker when people do what Ty had asked about single computers, single iPhones, helping a client like that. What I had mentioned was: look, there’s got to be a couple of ports open for agent deployment and or communication back through 23891. Again, not a network person. Anytime you’re doing the one off like that, you may be rolling into an “I don’t know what’s going on in this network situation.” And people do that. People have done Ty’s model before and they call us up going, “hey, I can’t get this to work.”

Then it’s a big exploration of, “okay, tell us about the environment.” And, you know, people get kind of frustrated. It’s like, well, “what about the environment?” “Well, what firewalls are up? What security things are in place? What ports are not allowed to talk?” We got to work through it. I mean, I can tell you the ones that got to be open by default.

And then we have to start troubleshooting network connectivity and, you know, access. And it’s kind of a…you can do this. You might not be able to do it immediately until you sort those issues out because people want the instant gratification, but they’re going into an unknown environment. So you just…a little bit of expectation management that learn that environment because once you learn it (back to Ty’s scenario, and other people would have done this) whenever that client needs another phone four weeks from now, you talk to him and you say, “hey, remember that machine we set up? Keep that set up that way. Go back to that machine. Hook up the device.” Because you’ve got everything, now it’s static, and you’re not unknown every time. So if you’ve got repeat business from that person, you’re in good shape, right?

Okay, Dan had said 20 endpoints, correct. Thank you, Dan. And the next question are you able to change those 20 endpoints? In our corporate environment, I’d only connect an endpoint, PC or phone for a collection, then remove it again. No, you can’t change those. Once they’re in there, they’re in there. But I believe there is a way, if you are retiring equipment out of your environment, because time. These machines are no longer going to be…I think there might be a way to do that so those endpoints in your license pool can be reused for new stuff.

Maybe Dan can write back to that as well. Because the question goes on to say, does that use up one of the 20 even after you release it? We can’t release it. So, yes, it uses up that one of the 20, or can you add a new endpoint repeat as long as you have 20 or less at any one time? Yes. So…I mean, no. Those endpoints, once they’re licensed, they are licensed in the environment for good. That is the decrement from your endpoint count. Adding new endpoint licenses is cheap and can be priced in bulk. Good answer, Dan. Cheap is a good word. Bulk’s a better word.

Okay, so going back to our points for discussion. Ah, those were our points for discussion. These are good questions, so I’ll keep watching here. This is the point, right? And, matter of fact, let me see. So I’ve got many machines and many devices on while people are putting questions in as they continue to do that, I’m going to get gutsy and just try to come over here to this…this is a Google Pixel that I just have emulated on the screen here.

Let’s see if I can start the agent here. And I’m just going to do one of the magic ones. I’m going to run the Android targeted profile task against that. (Oh, where’d it go?) Okay, so at no time do my fingers leave my hands, but that agent is out there on that device now pulling WhatsApp data. And you can…I’m just emulating it so you can watch it do its thing. And you can see down below here that job is started and it’s a targeted collection against just WhatsApp, which is super, super cool, by the way. So a couple other points: this collection…any collection is encrypted for transport, right? We want to secure it. So, you know, it’s not out in the wild for people to steal.

Oh, there’s a question. If there’s Oxygen software tools to make forensic analysis of color laser printouts as digital printers work from computers and mobiles to…make forensic analysis of color laser printouts as digital printers work from computers. So, if it’s a printed document (I’m not sure if I understand that question completely), but a printed printout we could scan and import and potentially OCR, optically character recognize, what’s in that print out. If it’s a print spool, we could possibly analyze that just in the interface as a print spool to see what might have been printed. Doctor, I’m not quite sure if I’m interpreting that question appropriately. So maybe you can add a little bit more to it.

Okay. The jobs that are created that say “add data back to the interface.” (Oh, gosh, are they still going? Oh, wow.) So, that workstation completed from our scheduled job. All of our workstation jobs completed there. I let them go. Oh, boy! Let me just go…having said that, let me go look over here. I don’t know if I had those selected to import into the interface or not. And maybe I turned that off. Oh, that’s a good thing. Because I’m just…as I realized this morning, I’m kind of low on space on this machine right now, and it does not look like they imported. Good.

I could go get them, but that’s fine. This one however, I believe will import when it’s done, but I don’t know when it’s going to be done, so that’s fine too. But again, targeted collection. Shouldn’t be too big and that’s, you know, within scope because it’s targeted and I’m not collecting, you know, this isn’t like a…to be clear, we’re not exploiting a file system with this. We are getting what we can get and we have a lot of access with the agent. But this is not, you know, some physical export of the phone.

Oh, Dan and I did talk about a really interesting point, though, that I will bring up. So here’s a PC. I can right click on this PC and do some really interesting things. Grab memory, get a file lift, kind of a field mode extrapolation of what’s on there, or even today, I can capture…I just have a hard time recommending this, but I know there are people that it’s policy for them, I can capture a full disk image if I really got to do it, in the form of E01 or DD, if that means anything to you, because you know that is, great.

If that doesn’t, that’s just capturing the entire content of a hard drive or partition by partition if we want to, as you can see from our menu up here. And collecting it back into an evidence file format for processing into Detective or the ORE Explore interface. So that’s kind of a recent development to customer requests. You know, I’m like, “wow, I would not be gathering up 10 terabytes over the network from afar, but maybe your network can stand that.” And again, maybe that’s your policy. So I get it and it’s in there now.

So the Android agent extraction from anywhere, will it be able to get data via cellular? Is it Wi-Fi only? Should Android be on corporate VPN to work? Excellent question. And the answer is: anywhere. That Android agent, once deployed to a phone and, you know, not today, but in the future via MDM, that can go anywhere. Wi-Fi or cellular. Excellent question. Glad you brought that up.

Should Android be on corporate VPN to work? Does not have to be. Could be, you know, if that’s your corporate solution, that’s fine too. But as long as it knows where to call home, right, whether it’s a VPN, whether corporate…whatever tunnel you make (I don’t want to mispronounce your name) but to your question, you could connect any way you want, but it does do cellular as well. Very cool.

Okay. Well, gosh, it’s 47 minutes after the hour. I can tell you guys are getting the conversation based on the questions you’re asking. That’s great. Oh, here’s more. Can this be deployed in a covert setting without the end user being aware of the agent running? So Aaron, what do you do for a living, Aaron? No, kidding! So Aaron’s question, can you deploy this covertly? So here’s a conversation point. I’m going to have with you…one moment while I pull up a picture online.

So right this minute, Aaron, and I’m just going out to Amazon to find my favorite OTG device. And I’ll tell you what I mean by OTG in just a second when I can show you this picture. (Really, they’ve moved everything around. I’m just getting cables right now.) Can you deploy it covertly?

Yeah, I use a James Bond storyline, Aaron, where let’s pretend Aaron, you and I are working together. We’re at the bar with Dan. Dan leaves his phone on the counter, walks away, goes to the bathroom, does whatever, and we very quickly plug an OTG device into it, which is basically a USB device with an SD card or something in storage in it, like where you download all your videos because you’re out of space when you’re filming the concert and need to quickly download them.

Same way we can upload and install the agent to the phone. And then connect it to you, Aaron, who’s sitting in a booth across the bar with your laptop there with a wireless access point. And we connect Dan’s phone to that. So you’re just pulling data from it while we’re all sitting there having a beer or something and nobody knows! So you could literally do something like that. Or once you deploy that Android agent, if you’re not doing a third party application collection like the WhatsApp one you just saw, which requires permission to do human interaction with the phone, Aaron.

It wants to swipe. It wants to start the app up as you saw it. I wasn’t touching it. It was doing all that on its own. And you can see that we have not yet built into a dark mode with that, or built a dark mode into it for something like that. However, Aaron, if you do standard collection, you know, messages, media, calendar appointments, contacts, all that stuff, nobody is the wiser. So once it’s deployed, the collection component may be clueless. Is that the wrong word for that, Aaron? But I hope that answers your question.

So, okay, Jacques, I may have missed this, but can you throttle the speed of the collection to address endpoints with a slow connection so you don’t bring the network down? That’s a great point. There’s no throttling right now. Like I just, I kicked off three at a time and, you know, internally, you know, I’ve got gigabit cables running through everywhere and my router’s gigabit, but beyond that, I could very easily probably blow everything up in my house like that. There’s no throttling that I’m aware of right now.

Dan, maybe you can put in the chat window, something about…if you know anything about a way to throttle those. I don’t. The only things I know on that scheduling conversation that might come close to that were, you know, if it takes so long, stop it, or if it fails, you know, restart every so often and only for a set number of attempts. So your network doesn’t get bogged down with that maybe. You can see I had turned off the export to ORE automatically. So it’s a great question. Matter of fact, that’s a great kind of feature point…and let’s…okay, so Dan says no throttling, Jacques, so there you go for that. But I like that request from a future perspective, and that’s part of my job, is to collect stuff like that, so I love it.

Jeffrey says, can this reasonably be used by forensic service providers who have the occasional one off need to image a remote phone, or is this geared for corporate? So that’s kind of like a question earlier from Ty. Yeah, Jeff, you can do that. Completely. And there are people that do that now. You know, one off, maybe two off. They have repeat customers that they’re not, it’s not a corporate environment, collecting all it’s like a service provider. So Jeff, absolutely.

Dan, any follow up direction? Oh, Dan is saying, so you can send questions to the sales team to discuss 1-on-1. Great.

Hi, we had a case last year that required collecting WeChat. WeChat is complicated as it can only be installed on one computer and one phone per user. Yeah. I mean, WhatsApp collection, generally, you know, depending on how you’re collecting WhatsApp, you log in to collect WhatsApp and you log somebody else out. Maybe a lot of applications get into that kind of complication.

So, yeah, that’s kind of a statement. There’s not necessarily a question. Oh, there’s a question right after. Is this able to collect WeChat data? Not third party from Android. I don’t know if WeChat is in the iOS list, as a targeted collection thing, I’d have to investigate to see, Ty, if WeChat is something that comes from an iTunes backup, because that’s how we’re accessing the iPhone right now. So, don’t know the answer right now, Ty. Dan, give the contact link.

Jacques: we have staff in remote offices on a 12 megabit shared connection without throttling, we potentially kick off the rest of the staff. So, you know, what I would suggest for that is schedule your jobs after everybody’s left work, right? Run them…you know, maybe you do the red group at midnight, the green group at 2am and the blue group at 4am. Throttle yourself using some of the capability in the tool already and schedule those jobs to maybe not do that.

Dan agreed: good feature request probably from the one above about throttling the same conversation. Dan says yes, service providers are a big chunk of our early adopters. That’s kind of this…yes, I was hopefully answering yes correctly to that earlier, too.

Can it collect Telegram or Signal data? So not currently from a third party perspective, but that will have growth spurts for that, Joe, from an Android perspective, and I think Telegram and Signal, I don’t know if they’re going to target on an iOS backup right now or not. I’d have to look and see. Excellent questions! Gosh.

And the ones I don’t know right off the top of my head, I’ll get back to you guys from this list here, after I get a chance to go look. What else as we come up on the hour? Dan, anything else you want to throw into chat from the points we were talking about before we logged in here?

What happened to my Pixel job? Okay, I’m not sure if that went into ORE or not. You know, I could…while we’re sitting here coming up on the end of our hour, I can maybe go kick off a job on the Burnett phone. Run task, target iOS collection. I will be sure to export that at the end. I’ll run it here. It’s queued on the server. And if I go over here to this machine…so here’s my RDP window to the machine that has a remote device collector with the Burnett phone here that says, “oh, look, there’s an available task target iOS collection.” That’s what I just selected for my AMC. And if I go to extract it, now it’s trying to connect to the phone to do that. And you can see it just changed to connecting to the device for that target iOS collection; it did the same thing earlier before we started. So it’ll do that on this machine, but that’s looking at an iOS version of it. This one though requires the friendly hands right now to hook up the phone and start the remote device collector, just FYI.

Okay, throttling is on the roadmap for next year. Oh, very cool. Can I send the APK via email or some other way? (Maybe that is.) Or is the remote agent deployable only via USB? So, can I send the APK via email? Yes, you can send it…oh, and to a phone? I don’t know why not. If you can get the attachment via email onto the phone, installed, saved as a file and installed, don’t know why not. So I’ll say yes to that.

Telegram and Signal up for next in targeted collection. Excellent, Dan. Thank you for that reply. Yes, growth spurt, I’m going to call that, Dan. Our next growth spurt includes Telegram and Signal! Good, but yes, however you can get that agent on there, email, USB, MDM someday soon in a growth spurt? Yes. Good question.

And you can see my iOS job has kicked off on the iPhone 10 over here that’s sitting there hooked up and now it’s processing data sources.

Interesting tool. Got a jump. Look forward to follow up. Excellent. Okay. Any other questions we can answer while we’re here? Again, I mean, the grand scale conversation here is we’ve taken local collection of devices from a detective model and grown it up to include PCs and Windows, Mac, Linux remotely, and devices, Android, and iOS mobile phones in a remote collected world, the remote journey we’re on! Remote journey with growth spurts, Dan. That’s what we have to call our subsequent follow ups to this.

Okay, terrific. Listen, thanks for joining us today. Really appreciate that. I got everything in my list out of the way I want to get out and I’ll bug out of here. Have a great day everybody and get in touch with us. We love to talk about this stuff all day long. Thank you so much. Bye bye.
