Real-Time Collaboration Any Time You Need It

Keith Lockhart: We’ll get started. So again, my name is Keith Lockhart. I am the vice president of technology and training at Oxygen Forensics. And if I’ve known you in the past, that’s kind of a change in the last few months, I’ve added a new facet to my role at the company, which involves trying to make sure when we have conversations like this that are forward facing to our customer base, the suggestions and comments and bugs or anything else we can find a software perspective, have a good line of communication back to the development teams so we can, kind of, be responsive and agile in how we address things and make new features and get things fixed when they need to be.

So that said, Dan Dollarhide is also on this webinar with me and us. Dan runs a sales engineering team and he and I spend many, many hours a day, a week, a month, in the analytics center. So, to show some collaborative capability of the center, Dan and I have agreed to have some fun together with this hour and maybe at the end demonstrate some of that collaboration from afar.

So, that said, let’s talk about Oxygen Analytics Center. And I would say that by the name, there are some really interesting analytic technology built into this web-based, collaborative, real-time platform. (I think I’m covering all the buzzwords that were in the description of this webinar.) The way we talk about the tool. But it’s web-based. So we’re trying to make the footprint light, make it so you can access things from anywhere, anytime, which is another cool set of buzzwords. Then really build into it as we go forward, the ability to make it applicable to technical folks when they want to get out a social analyzer or do some text analyzing or elastic searching, down to the folks that don’t want anything to do with that and they just want a way to review, assign data to them, make some reports real quick and get some work done by force multiplying users and capabilities.

So, I want to talk about the interface and what’s in it from all the menu perspectives to, kind of, give you a vision into the tool. And then also, kind of, impart the way Analytics Center can interact with Detective. So if you’re an existing Oxygen user, you probably have Detective and there’s some really cool functionality between those tools in terms of collaboration or “hey, I need help with this. You do this part,” to say somebody who’s running a lab maybe has Detective already, and then wants to get other people involved from a web-based perspective. Dan, you want to add anything to that voluptuous definition?

Dan Dollarhide: No, man, I think you nailed it pretty well. I think I would add just for the couple people that are still kind of joining us, during the webinar the microphones are going to be muted for everybody and that’s just to keep good webinar hygiene, shuffling papers, barking dogs, et cetera. But while Keith is chatting, I am going to be manning the questions and the chats in the tool. So, if you’ve got anything that I can try to jump on for you or I can bring to Keith’s attention and he can try to cover during the middle of it, please put them in there.



Keith Lockhart: Appreciate that. Okay, well, so first I’ll show you this: up in my toolbar or my bookmark bar, I have a remote OAC bookmark that’s not my local machine and then a local machine bookmark that’s just running the OAC server on my laptop here. So right now we are going to log into the local one and play here before we try to go remote and do some collaboration, maybe between Dan and I. And maybe if you saw this, my dropdown list had a bunch of users in there. I’ll show you that in a second. But I’m going to log in right now as the ultimate database administrator into the environment so I have full control and full view of everything.

So, this is your initial view and if you’ve seen this before, because this is not the initial release, we got a lot of work done, I’ll say productive work done on the interface to add a few more dropdowns to it that you might not have seen before and reorganize some of the classification of the dropdown venues so they flow a little more logically if you’re going from the older version to this new one. But let me just start here in administration.

So if you are the DB admin, you have the ability to do things like create users, create departments, monitor user activity, look at the statistics about the system and check out user logs for any of the users and what they’re doing. If I just log into the users section, this is (I’ve got some created already), this is where you’d make new ones in different roles. So I’ve got three reviewers right now, actually four reviewers, that is a case admin, then I didn’t change the role to case administrator, that’s kind of funny. We’ll go see how that works here in a second. The ultimate administrator that I logged into now is and then an uploader user. So, let me just have a look in here real quick because we’re going to talk about those user roles and then go over to Detective and see how we can use one of them specifically.

So if I make a user, I can pick, are you a case admin, a reviewer, or an uploader? And I can just highlight this little information thing here to give a description of each one of those. And the case admin can do things right now like a DB admin can, and reviewer can also do things like a case admin, but they can’t delete anything or remove anything that would be of value. Then the uploader does nothing but upload data. And it’s kind of interesting because right here I’m going to jump out of OAC and go start Detective. And this may be a great use case going forward… (oh gosh, my Detective’s pretty busy. Hold on, let me clean this up a little bit just like that.)

So if I go look at the settings in my Detective, I can actually set my Detective up with a user in my OAC environment, connecting to it and I’m just connecting locally through a port and I’m successfully connected like that. This could be around the world. And then I could come into my case list and anywhere I have a set of data, and I’ll just pick Alex Burnett’s phone, I could right click and export data to the Analytics Center. And interestingly enough, I can do it by key evidence or tags.

So, think about that for a second. If you’re running the lab and prior to this conversation, you’re the only person in the lab who gets evidence dumped on the desk all day long or case matter or whatever it is, and everybody just says, “hey, do what we need with this” and runs away, you’re like, “whoa, whoa, wait a minute. No, it’s not just me. You’re the one who knows the most about this stuff. You look through it.” There really wasn’t a super good…well there was a way you could do it, but not like this, because previously from Detective we could create an OFBR with two super limited options on the data we want to include in it and give, kind of, a neutered review version of Detective to someone and have them load that OFBR.

But now I can literally take data that I’ve tagged in different tags or marked as key evidence or maybe said, include different filters of dates and sizes, or at least sizes here, and then export that over to OAC and assign it to users for review. So that just becomes a super effective way when you’re (not that window) when you’re in here and saying maybe I want to use an uploader user, go throw that in my Detective environment. So all they can do is upload data to the OAC environment. Kind of cool.

So then once it gets in here, then we can start working on things like, you know, let’s look at the data section where we can look at the devices we have loaded, and/or create cases and assign those data to cases. (I don’t have any now, we’re going to make one a little bit.) Or I can create regions, other filters around the globe, or in my case some pun worlds of Middle Earth or the Matrix or things where incidents occurred, so you can kind of filter different ways. Same thing with let’s create some incidents to apply to cases.

So hey, this case was a particle implosion case, it occurred in the Matrix, so we’ve got four of those this month. Let’s plan accordingly. Just different ways to categorize data once it’s in the Analytics Center. And then view wise, let me jump over here to say, once we have data into the center, whether it’s in a case or a device or it’s assigned to one person or 50 people, we have the workspace, and well there’s three views right now: workspace files and contacts. Contacts is kind of like what you’d imagine in FTK Detective where you’d see groups, accounts and contacts. But I’m really interested in workspace and files because this is where we’re going to, kind of, find the meat of the data that we’re after.

So when I go to views, this is kind of a top-down filter right now I’m looking at everything in the database. There are 37,000 entries in my database right now. Not filtered by anything. But what I could come do really quickly is come down and pick a case if I had any (don’t right now) or a device if I have devices. And sure enough there’s Alex Burnett’s iPhone. So if I’m just going to pick that and apply that filter, now I’m down to over 10,000 things, but I’m only looking at the things from Alex Burnett’s phone. And then later we could come back and, “hey, just show me the messages from I don’t know, WhatsApp and apply that”. And now I’m looking at the 155 WhatsApp messages from Burnett’s phone.

So the overall premise of the interface is, “hey, pick what you want, filter down to what you’re after”. Maybe you’re right clicking and adding a tag, or marking up key evidence here, or maybe modifying a note and then maybe creating a report. Or if you’re tagging things up other people can see them and you can start working on things together.

So we’ll come back and look at this later, but the workspace is more akin to user data, kind of things you would find on a timeline. But we also have the view that is files. And I can do the same thing here, if I’m looking at everything first and then I can start drilling down by saying, “you know what? Show me Burnett stuff”. I’m going to apply that filter. And you know what, here I’m just going to go to the categories and say, “show me all the pictures”.

And as a web interface that’s kind of clunky, so let me just scoot that over and check out thumbnail view because maybe that’s more effective for me to scroll through, you know, things you’d expect from a review perspective. And then the other view here is contacts where if I just go hit my contacts world and, oh I don’t know, grab Burnett, and apply that filter, then I can come down and see, “hey, there’s 888 contacts, 6 accounts in here, in 3 groups in Burnett’s phone as a dataset”. So, you know, easy way to filter to that kind of thing from a view perspective.

I come over to search, I’ve got the ability to search the entire database of cases and devices in here. And, you know, maybe that’s…careful. Maybe you see scope on that and maybe you assign the right data to the right people say “don’t do that!” But that is a massive database search capability where you can create templates, so you can come back and use them again. I have one in here now, let me just see what that looks like.

Let’s see, I said to the search through the Burnett phone, and I looked in the workspace at details and the descriptions and details categories, which are column fields, actually. Description is like content and details is other things about any given line item. In the file section, I said look through all the file names and all the file content there. And I think that was…now what I also say, no, I picked some category, I don’t know what it was at the time. And I looked for, this was the Burnett webinar test, and I looked for Burnett. And of course I have all kinds of Burnett hits and all kinds of different things.

I picked the one device at that point, but like I said, I could pick everything in a database search perspective, or I’ve got just a device search, which isn’t templated, but I come through and particularly select a device and use a text search, regular expressions, what fields am I trying to focus on to save bandwidth of searching everywhere? And I can throw a keyword set against that if I want, and a date and time field. So different search capability. And I’ve got the elastic search ability. If you don’t know what elastic search is, let’s index everything like crazy, then provide a bunch of operator based searching.

If I had a query here and choose a field, let’s say communications and description. I’ll add those operators. I could…has a value by template or expression as a search mode. I could add conditions like exclude or has not, but I’ll just make that search Burnett. And I’m just, kind of, adding and doing things as I move through these menus. I’ll probably come back and do some more as I haphazardly do those things, but I’ll search that. And I should get some Burnetts out there and some descriptions and images and things where Burnett exists all over the Burnett dataset.

So a lot of search capability, which would make sense. Some people that have talked about or seen OAC are like, “wow, we could do some really big data work with that”. This is true. So, I mean depending on how many people you assign and how much data you load and how much access you give them to go pour through it, that should get some wheels turning as people start thinking, “I want to do this and I want to do that” on a web-based interface.

Analytically, I mean, look, we have the ability to match, and a matter of fact, I’ll just go there. Of course I have a Burnett test there. What did I do here? So I added Alex Burnett’s iPhone and then I added I think a Burnett match data set. So I’ve got the whole phone, and then a subset of data from that phone, which obviously would match. And you can see I have matches over here, but I said, “look in the files section or the files view, go after all the files”. We’ll go back and look at that in a second. And then I came down and I think I just did that and said, “Burnett, test it and go”. And we’re going to go search by hash, as we can see here. And when I detect that match set, I get a bunch of different results and let’s just see what the first one is here.

Now let’s see, there’s a (let me get my third column back over here)…here’s a picture of the Virgin River Casino that is from this particular set. And here is one from the actual (excuse me) the Burnett iPhone, right? And matter of fact, you could see some crazy OCR results from those. I wasn’t planning to look at OCR right then, but I wonder if I can find something that’s more fun to look at. But we’ll go look at OCR in general in a second. But yeah, it’s a great way just to do some data matching and from an analytic perspective across devices or all over your database for that matter.

You know, one of those great examples of the sexting case where everybody has the same picture, let’s go find it across all the devices so we can get everybody in trouble. The social graph. If you have Detective and you’re used to a social graph, I think I already built one from Burnett’s phone, kind of like what you would expect. Let’s get some more real estate in here and I don’t know, expand the communications pane, let’s do the WhatsApp messages between whoever that is and whoever that is.

And kind of like what we’re used to seeing in the Detective world. “Hey, is this Jessica’s number? I like that. I’m going to tag it. Mark it as key evidence, have a blast with that”. A lot more coming with a social graph right now you can do it against one device. We’re looking for multiple devices obviously to find common contacts and things we’re used to like that, but building technology like this into the web platform is pretty darn cool to support that.

So text analyzer, I’m pretty sure I’ve done a Burnett test in there. No data really. Text analyzer…(what did I do to break my…no, I did not go…all my columns disappeared. That’s one. Come back over here.) Okay, so from a text analyzer perspective, I had it all shrunk up for real estate. Let me just look at my dictionary settings and right now I’ve just got the default where it sits in here: trafficking, organized crime, money laundering, guns and drugs. Things you might recognize from Detective.

So I’ve already indexed those against everything. If I come back here and I say, “right, let’s do the Burnett phone and all the categories: go”. Well, I get a result of, “wow, you got 1,642 hits from the money laundering list, 941 from the trafficking list, 530 drugs and their relative eye candy percentages”. If I go look at the trafficking ones, there are 824 from group chats, 113 of them were from accounts and contacts, 3 search histories, 1 file. I could come over here and say, “okay, so threat: there are two detected matches of threat. Show them to me.”

I’ll go look in the workspace and oh I’ve got 4 in the workspace instead of 2, maybe I have duplicates, I have to go back and see. But kind of a cool way to say, here’s a list of terms. Not only I want to know if they exist, I want to know how much they exist from, I call it eye candy perspective, but when I have a graph and can show somebody else a picture that’s worth a thousand words and they’re like, “oh wow, you’re not only in trouble, you’re in trouble way more because you have so many more examples of that”. So, fun analytic tool in a way to take you right to those results.

And then the map. Gosh, you have to have the map, think of the map view and Detective, I can come out here and pick my Burnett phone again and apply that and sure enough there are hits all over the map. I’ll go to Hawaii just because I want to be in Hawaii all the time. Let’s see, let’s drill down into Waikiki Beach and right there on the beach. And what are these 6 things right here? Let me get this column back over here because there’s an attached file to that hit. It’s a picture, and oh that looks like cheeseburger in paradise. So, what’s this one? More of cheeseburger in paradise. I need to zoom out.

Okay, let’s go look on the beach ones, maybe there’s more fun picture there, but smaller. No, I’ve got everything so big, I don’t know…there we go. The lifeguard station on the beach. But you see the point to that which is “hey, find things on the map and go check them out”. (Oh wow, I really zoomed out of the map there. Wow. I zoomed out of the browser like crazy. Hold on, let me fix my life. There we go.) So, having a map as an analytic tool, great thing to go do the things like you’re used to in Detective and find things geographically. Geolocation data.

Tools, you know we’ve got keyword sets, hash list tags and something fun called the watch list. But a keyword set, I think I have one here for Uber. So you make a keyword set, I would create one and I added a stunning term to (let’s edit that one), the stunning term “Uber” to this one and I want to apply it in the workspace and contacts or files or all pages. Let’s just do all pages, and save that.

So then I’ll index that against all those pages. And it’s interesting that this workflow is, “well, do you want to take time, space, and energy to index it against everything, the whole database or just particular pages of information because you think you might get better results there?” Obviously I have very small data in this database, but think about those resource allocations, you’re doing things.

So I indexed against all of them. If I went back right now and looked at the workspace, which we’re going to do, I want to see if I have any hits of Uber. So, matter of fact, I’ll just open it from right here in the workspace. Kind of handy I can do that anytime there’s an open button I have, where do I want to open it available. I could also open these in new tabs to compare them against each other. So, in my world where I have four monitors, I have a map on every tip…or one tab all the time and workspace on the other. And then I’m going to files and looking all over the place. So that’s pretty handy. I’ll just go to workspace straight up right here. And oh look, there’s a bunch of hits of Uber waiting for me right there, just based on my keyword set.

Okay, same thing with hash. I think I created a hash set. I don’t know if I have anything in the hash set right now, let’s see. I don’t think I do. So, what I could do is I’ve got this Burnett hash set. Let me come back to the workspace. And again, I’m starting at the top and filtering down. So, devices…I’ll show you another way to do that. You can start right with Burnett, but I’m just going to the whole database and filtering down. Let’s do Burnett’s iPhone, and I’ll start simple with, I don’t know, pictures is what I really know. Let me get that first. Filtering top down and then I’ll do (gosh, scroll down here for me) images so I can pick something really fun and easy. So, the rock formation out of Las Vegas.

So, if I right click and add…oh no I can’t, and here’s why. That’s a fun enumeration of that item in the workspace. Let me go to files and pick Burnett and apply that (locked myself in my own door) and go to categories and find images here. So, I’ll right click on this crazy snowman from winter and add that to the Burnett hash set and we’ll take Elon Musk and add him to the Burnett hash set and the rocks from Las Vegas and add those to the Burnett hash set.

So now, if I go out to that hash set, I should have three items in there that were indexed against everything else by hash value. So, if I went back to a particular view, and I’ll just go back to the files, I should have those three hits based on that hash set down there. Very cool, right? So, you create them on the fly inside the interface, if you saw you could import those from outside when you’re creating a new hash set. And super common that I could be in Detective and be doing a couple first passes of review: “give me a search term list”, and then I could import whatever it’s in Detective filter down to those search term results. “Hey, give me a hash list”, filter down to those hash results and just export that key evidence over to OAC.

Or on the flip side of it, maybe I don’t even get Detective involved. I import data and I do just what I did. Let’s get some keyword hits. Let’s get some hash hits. Let’s tag those up and leave them available for someone else to review, because the next thing in the tools section we want to talk about is tags.

Now interestingly enough, when you look in here, you may see what we’re calling common tags. Do these look familiar to you at all if you’re a Detective user? And you have a 50/50 shot of an answer there and the answer is: yes. These are all the image categorization tabs…or tags, not tabs. So the things that we’re algorithmically analyzing, like we do in Detective to say, “hey, that’s a drug, that’s an alcohol thing, that’s something of violence or a chat message”. We’re categorizing those the same way in OAC, which is good for the user. You can see I’ve created a Burnett data tag here.

So if I want to run around and tag things that were relative to Burnett, I can do that. We’ll come back to tags in another way here soon. But then I can make a watch list and I think the one I made earlier was an Uber watch list, and I read it…or ran it. And what it does when you make a watch list, it’s saying, “hey, here’s a set of things. Go immediately against all the data and find out if I have matches to these things or this thing. And when I import again later, compare against this stuff immediately”. And this little bell kind of notifies us, “hey guess what? Within this device Burnett match data, you have a detection of Uber”. “Really? Show me”. And I can go out there and see it immediately. So it’s kind of like a, I don’t know, a watch list. “Hey knock, knock, you have a result.

Go look right now, you told me to watch for this, I saw it. Here’s a notification”. And people have already seen this and said, “hey, that’s great. Text my phone, I’m not in the office”. And look, that’s actually a feature request now to notify you outside the interface when something is done that you want to know about. So the dev crew has lots to do, but that kind of functionality literally warns me when I don’t have time to sit here and watch the screen. So if you find something when someone imports something at midnight, let me know. So watch list. Pretty cool like that.

Reports. So I happen to have a few reports made, but I’m going to show you how to make a report here in a second. But I’ve got a CSV, an HTML, PDF. Let me just open the PDF one because those are always my favorite. Let’s see. PDF report. And this one right here is just sections. Here’s the phone, what was this type of thing? To, from the description field tags. I got some thumbnails in there. I think all the way down to, I can include the eye candy of a device in here, meaning here are the statistics charts, there’s device information and then report information, investigator location, agency, things like that.

So, simple way to wash, rinse and repeat. When you get in the interface, you find the things you want to find, you tag them up or key evidence them and then make a report and give it to somebody, or not. So let me go back. I don’t want to be in this browser…where was I, in reports? So I want to show a couple of things and then do some tagging and then do some collaboration.

So I’m going to go to views and files. Not that I want to see myself all the time, but I know there are multiple examples of me in this data, so I’m going to pick the Burnett iPhone, and I’m also going to go down to, well let me just load Burnett first and so we’re going top down. So I load Burnett and I’ve got a bunch of things in there, but I want to use facial categorization and say “listen, show me the things that contain faces”, face templates like you’d be used to in Detective. So there are a lot of face templates out here. I think I am on page 4, maybe not…okay, maybe page 5, maybe I’m at the end.

Okay, there’s a horrible me screaming, I guess I’m going to have to live with that. Oh there’s me with long hair, we don’t want to see that. Let’s start with this one, and I’m going to pick that face and find other faces like it. And now there’s plenty of me and gosh, my whole set point to this, I guess I’m happy it worked out this way. Sadly my daughter is in another room, but back when my daughter and I got along great she was that old…anyway, the ability to search and match from facial categorization is in the tool, which is really cool, right? Let me also do this other example of analytics here and make sure I’ve got Burnett selected and then I’m going to go find (I’m using the wrong zoom when I zoom), but let me go find the additional property of not exif information.

How about the little OCR icon of recognize text and see what we see here. Don’t know what all we’re going to find here. That’s nowhere near as fun as…let me try to filter that to pictures. Let’s see, not that. If I click on this picture my OCR has Terence Hill French Foreign, oh this is the movie March or Die. Terence Hill Adventure War, March Die. I mean this is the OCR result for this graphic, right? So again, analytically it’s called the Oxygen Analytics Center. So when we’re trying to do that collaborative review, we also have some really fun analytic capability like you’d be used to in the analytic section of Detective, right? So that’s cool. Again, right click, tag it up, mark it as key evidence, whatever it happens to be, because: wash, rinse, repeat.

Let me show you this other way to do this. I’ve been approaching this at top down and then show the whole database and filter downward. I could come to the device list here and pick any relative device and let’s just say, “okay, Burnett, let me open you specifically in the workspace.” Instead of going top down now I’m just starting bottom up with Burnett. So there’s different use cases for approaching it one way or the other, but the tool can do it either way. Funny enough, let me just apply everything into the view here and then I’m going to show in a map right away another way. Yes sir?

Dan Dollarhide: I want to make a note there. I threw it in the chat real quick, but I wanted to tell people since you got to a good spot on that, the reason that…

Keith Lockhart: …is that where we were sitting?

Dan Dollarhide: No, we’re okay. I was just going to say the reason that you were able to see when you were going the other way getting to the data is because you’re logged in as a DB admin so you can see all the files, everything available in the database, but if you were just a user…right. But if you’re logged in as a user, a regular review or something, it’s only going to take you back as far as whatever’s been assigned to you, which…

Keith Lockhart: Which we’re going to try to show with you, Dan!

Dan Dollarhide: Right. That’s what I know, but I just didn’t want them thinking, “oh, everybody can see everything all the time in the entire database.” That there is an assignment level there that would…there’s kind of a backstop there at the assignment level.

Keith Lockhart: No, that’s a great conversation point because you know how we feel about backstop when we play DB admin and we’re always rolling back to everything, right?

Dan Dollarhide: Right. And I just want to point that out just in case it wasn’t clear to anybody. That’s all.

Keith Lockhart: No, so what Dan’s saying is when you create a user (and matter of fact we’ll do this here shortly), you can then provide them case access and only give them access to certain cases so you are not having to filter top down all the time. They’re only going to filter…so what do you call that, Dan? Not top down, not bottom up, but middle ground all the time?

Dan Dollarhide: Middle to other middle, right? Partial middle, right? Yeah.

Keith Lockhart: There’s up, there’s down, there’s this, and this only. So yeah, that’s a great…I mean that’s an integral point actually to the whole collaborative environment of the OAC. So it’s funny. (What time is it? 11:30. Halfway.) Let’s do that. Yeah, I want to go to do something really interesting. So in this…you can see this address here: oacdemooxygenddns.net/login. So right now, when I was playing earlier in my Detective, my uploader is configured to currently (here, click that) currently upload to my local machine 127.0.0.1. So, what I’m going to do…I also know there’s an uploader user with the same credentials at that remote location. So, I’m going to start going out on the ledge/edge and I’m going to take this server address that I just logged into. Where’s this, Houston, right? That one.

Dan Dollarhide: That is Houston.

Keith Lockhart: That is Houston. And I’m going to change this server address to Houston, and let’s check that connection. No.

Dan Dollarhide: Houston, we have a problem.

Keith Lockhart: “Houston, we have a problem.” That’s funny. Let’s try that. No, let’s try…that.

Dan Dollarhide: I think it’s the login slash at the end.

Keith Lockhart: Oh, you know what, I’ve got my password and he’s got his, hold on, that’s right. I changed my password format’s different than his. Hold on. His is…that’ll work. That’s not working, okay.

Ali: Without the https.

Keith Lockhart: So back to the…

Ali: Yeah, it’s all…

Keith Lockhart: …how many addresses going. Are you miserable?

Ali: Take out the login piece.

Keith Lockhart: Okay. The man who has the server, you just got to know the right people!

Ali: The extractions are already encrypted anyway, so that’s why.

Keith Lockhart: Yeah, so Ali is the one speaking on the phone right now, who’s hosting the server for us to do this demo and in the last few days we’ve, like, “let’s do this address, let’s do this, let’s not show that one”. So thanks Ali, appreciate that. I have that pasted in a file, but in that file I think are some other passwords, so I was trying to do it from memory. Thank you. So, my uploader is now connected to, in my Detective here, to this remote OAC environment. So I’m going to log into his DB admin where I can see…what do I have from a data perspective in here. I’ve got the Alex Burnett iPhone 7, named a little different, two or three location data things, another version of the Burnett phone and some match data.

And Ali, I had to do that because your version of the Burnett OFBC was older than the match data I put in there and I couldn’t find any. I’m like, “wait a minute. Oh that OFBC hadn’t been to Disneyland yet and didn’t have the pictures from Star Wars on it”, which is what I was trying to find! So I’m like, “oh, okay then”. So I pushed a whole new one. Largely looks the same as the one I was just showing you, except we are someplace totally new, which is a perfect illustration of use case and functionality of the OAC. “Hey, listen, I’m in Florida right now, I’m going to push data to Houston so somebody in Virginia can look at it”, is our plan. So, let’s get even crazy more adventury. In my Detective, I’ll come back to, let’s just say, oh, let’s come to this phone, this Android agent extraction of something. And I’ll go to images and I’ll pick this image and I’ll mark it as key evidence. Dan, you get one thing to look at. Can you handle that?

Dan Dollarhide: I will try.

Keith Lockhart: You’ll try. Here we go.

Dan Dollarhide: I like my chances, right?

Keith Lockhart: Look, this is your lineup. You have to pick the one person that did it and you get one choice. Okay? So, I’m going to export that by key evidence, because that is all I got is the one key evidence thing to the OAC in Houston. And that should be over in the OAC in Houston. Let me go see. Well, you can see text analyzer index is complete, the device has been imported and typically until all the processes are done on it, you would see it in the load data section, but it’s gone.

So I’m hoping it’s in the devices section at that point. And there it is, and it’s queued for something, and I’m not sure what. So let me try to open it and see if it will let me open it yet with anything in it and I’m going to files and devices and that. Well, it’s got the eight things to support that picture. So we won’t even have that conversation. We’ll go to workspace and we’ll go to devices and that. And there’s two things in there. I wonder what two things…what did I have in there? Oh, the account. Well, I’ll just have to take the account for the device itself right now, and the one picture. Interesting enough. So Dan, you have the account name that’s associated with that picture and the picture itself. So, what I’m going to do…

Dan Dollarhide: I’ll look at two files!

Keith Lockhart: You’ll look at two things for me. Perfect. I like it. What I’m going to do, I like it, is go to cases and I’m going to create a new case. I’m going to call this case 1, number 1 with the name “danuser” case, to be very consistent, and from a device perspective, I’ll add that Android data we just sent over. Okay, so case number 1 is danuser and it’s got that device in it, which we know has two things for Dan. Okay, now I’m going to go back to admin and create a user.

So I’ll make this user login “danuser”, give the first name “Dan”, the last name “User”. And Dan’s password is going to be “Oxygen” with a capital O, 1. And I’ll confirm that with “Oxygen1”. So uppercase O, number 1. Okay? And I’m also going to provide case access to the Dan User, and shockingly I’m going to give Dan User the danuser case and add that.

So now, we walk back through what we did. I’m in Detective in Florida. I’ve sent some data to my server in Houston and created a user for Dan who’s in Virginia to log into there. Now, when Dan shares his screen here in a minute, Dan logs into the same location in Houston. I can preface you with, “is Dan going to see both cases in here, because we have two cases, or is Dan going to see just the dancase in here?” You got a 50/50 shot in your answer. Let’s see what happens! Dan, I’m going to stop sharing and let you share.

Dan Dollarhide: Okay, let’s see here.

Keith Lockhart: Dan needs to be back on the screen.

Dan Dollarhide: So Dan is now the presenter. Let’s figure out. There…show screen. Here we go. Y’all see my screen?

Keith Lockhart: I see your screen.

Dan Dollarhide: Dan has one case.

Keith Lockhart: Oh, I just minimized your screen. Hold on. Oh, so Dan logged in with danuser (look at Dan’s address). Dan is in the same server. The OAC demo Oxygen. Dan has one case.

Dan Dollarhide: I do.

Keith Lockhart: Super job!

Dan Dollarhide: Just the one. Okay, well let me have a look at my case, shall we? I’ll open my case, how about in files? What do you think?

Keith Lockhart: Okay, you must account for a couple of things, but that’s cool.

Dan Dollarhide: Oh, that’s right. Well that’s one way to look at it.

Keith Lockhart: That’s cool. I mean look at it. You got your key evidence item plus the other structure that supports it, and that’s…I’m good with that.

Dan Dollarhide: We can view that also in workspace.

Keith Lockhart: Dan has the green UFO icon. That’s the circle.

Dan Dollarhide: You like that? Yeah, that’s next level there. So, I had something to look for and I’m looking at the account information, that’s great. Let’s see. Look at this file. Let me look at this picture. You know what? I think this is probably the most important thing, or when I was…you asked me to review that photo from afar as you have, as you assigned it to me, and I want to tell you some important things about this and I’m going to look at that going, “this is the evidence that we needed. Smoking gun.” There you go. I think I’m going to leave that message for you. Oh, look at that. My note was saved.

Keith Lockhart: All right, I think I know where you’re going with this! So…we can do hard things. Let me share my screen again now that Dan is…

Dan Dollarhide: Okay, do I need to change presenter? Is that what I do?

Keith Lockhart: If I can hijack from you, it’s okay.

Dan Dollarhide: There you go. I’ve stopped showing my screen.

Keith Lockhart: Okay, and I’m now going to show my screen again because…

Dan Dollarhide: Yes, I see your screen.

Keith Lockhart: If I come back down to my OAC or I’m still in the same place, but I’m the admin or I could be a case administrator right now if I go to, let’s say, you did that in workspace, huh? Not that I think it would matter right now. So, I’m looking at the entire database right now, and frankly I don’t know what all has notes or not, so I could be stepping on a landmine right now, but I’m going to try everything and I’m just going to go to the additional property. Oh, there’s 12 of them. So nevermind. Let’s pretend Dan’s case had 15,000 things in it, and if I just select Dan’s case and apply that, and then I could go to the thing that says “has a note”, and filter down to that, I should see what Dan said, “this is what we need. The smoking gun thing”. Interestingly enough, Dan, that’s not your picture, so I wonder not having tried that exact thing that you just put the note on. Let’s go see if we can view it there and see if it’s on that picture. (I can get this out of the way.)

Dan Dollarhide: So, I’ll tell you what? Let me help you here. I actually typed it on the account information!

Keith Lockhart: Yes you did because it’s…

Dan Dollarhide: I sure did, I’m looking at it right now. I actually typed on the account information!

Keith Lockhart: You put it on one of them, and it was the account information!

Dan Dollarhide: Doesn’t matter how good the software is, it doesn’t make up for Dan being a bit of an idiot!

Keith Lockhart: Well, hey, go do the graphic now.

Dan Dollarhide: Okay, I will definitely do that.

Keith Lockhart: We can do that too.

Dan Dollarhide: Okay, so I am…I’m doing this in live time now.

Keith Lockhart: Collaboration is good, albeit when it’s done the right way.

Dan Dollarhide: And so here you go. There you go. So, there. Now you have two notes, check them out.

Keith Lockhart: You have a new note. Okay, so let’s do that. Okay, now what did he have 15,000 things, right? And however he’s noted how many of them?

Dan Dollarhide: So I fixed that note? Yeah, right.

Keith Lockhart: Oops. Well, I don’t know if I’d go that far! Oh, so we could leave notes back and forth. No, Dan, it’s okay. You’re a good guy. You’re a good guy. But now wait a minute, but did you note the picture or did you just change the note on here?

Dan Dollarhide: Check the picture too.

Keith Lockhart: Okay, let’s see here. Images. I don’t…

Dan Dollarhide: I did that second. It may not have refreshed yet.

Keith Lockhart: Let me go look over here. I just want to see. (Devices, Dan stuff, and has note. That all work together.) Dan says, “this is the evidence that we’ve been looking for. Smoking gun”. Brilliant, brilliant.

Dan Dollarhide: Almost, man. It was almost flawless!

Keith Lockhart: Listen, if I could have all fits since Ali’s on there, we all three get in there and share a screen and do a “what’s my IP” to show we’re really not sitting in the same room. You just have to trust that hey, that’s the essence, right? I mean, if we recap that, I’ll be the lab person who has never had a web platform ever, I’ve just had Detective. And everybody dumps their stuff on me and I’ve been dying for a way for them to look at it without trying to teach them a Detective review interface.

And I know they’re on the web all the time. This is standard collaboration conversation here. “Hey Dan, I’m sick of doing this work for you. You know more about your case data than I do. You’re going to look at it”. Dan’s like, “yeah, right. I’m not using that crazy thing and I know nobody’s going to buy a license of that for me”. And my response is, “haha, au contraire, mon frère, I don’t need a license for you. I got my own new tool. Sit down right there, go to this website”. “What?” “Oh yeah, I saw you surfing on the web today. I know you know how to do it. Here’s the username and password. Log in. Now I’m going to show you two things: the workspace and the files views. Click in there.

See anything that looks familiar, Dan?” And Dan can’t help but say, “no way, really? Yes, yeah, I do, but I don’t want to admit to this, but yeah, I do!” And life changes from that moment forward because I can assign specific data to Dan. That’s the killer is Dan can dump 10 gig on me and I can give Dan 500K back and stuff to go through. That’s relevant to what he gave me when I said, “woah, don’t you leave here without giving me a search term list.” Or, “I know you’re looking for these type of images or this proprietary data that I can hash and work with you and help you. And then I’m going to show you how to tag something.

And once you think you’ve got cool things tagged and you feel really cool about it, we’re going to make a report for that. And now you’re on your way and you’re not waiting on me!” Or Dan and the entire unit dumped 200 terabytes on me…okay, dumped a lot more on me. And we in turn give it not back to just Dan, but a bunch of people. “Hey Dan, you do all the pictures. Hey Ali, you do all the documents. Hey Keith, you do all the whatever data.” And I can really start partitioning out the work and they can all collaborate together in real time. And as you saw, Dan just left me the note that he’s a dingdong and I could write back, “no man, it’s cool. Find it by tomorrow though or you’re fired!” Right? I mean, we could use the notes to talk back and forth again. That’s a nice side feature. But we did that across three states in this conversation, in this webinar.

So that’s what OAC is doing for us is giving us an ever-growing analytic web-based platform to collaborate in real time all over the place. What kind of questions do you guys have on that? Questions or comments or, “hey, can it do this?” or “hey, this, that or the other.” And I can actually pull this up right now and look and see. Questions? None. Okay.

Dan Dollarhide: Nope. Question chat’s been quiet.

Keith Lockhart: Chat’s been quiet. Oh, there’s one. Something to note here. Oh, that’s you, Dan.

Dan Dollarhide: That was me.

Keith Lockhart: Okay, well, I want to leave little time for Q&A, you guys and gals or everybody. Dan, what else would you want to show right now? Or Ali, what else would you want to show right now given the opportunity, since we can play?

Dan Dollarhide: Well instead of just showing something. I just want to recap on something that you said. And it’s…we’ve all, in the forensics world, all of us who’ve been doing forensics for a long time have been comfortable with the whole idea of the viewer program or reader, portable case or whatever kind of idea that is. And the limitations of that, we pretty much hit that once we got to COVID, right? Sharing these large bulk files, sharing these applications. You may or may not be able to load on your computer because the IT department or whatever. This is the new model. Collaborating with this stuff over the web.

The internet’s there and this is the way that everything’s going. Not just us, but I’m sure other companies are going to catch up with us on some of this stuff too. The abilities it gives us in real time collaboration are just amazing. When you have large cases that span multiple jurisdictions or even around the world, we can all get in here and work on this stuff together so that when you have a mass event or something like that that you’re investigating, you can get the information out to the people that need it as fast as possible.

And so we have built this with that in mind from the law enforcement side of the house, just to get data out, to have actual intelligence all the way over to just the regular review side of the house that just needs to find documents or find photos and just have a look and see what needs to be forwarded on for just an individual case perspective.

So, we’ve got a lot of cool stuff planned for this even going forward. It’s still a relatively young product, but we’ve gotten great feedback from our users and we got a nice list of things that are going to be incorporated in coming releases and we’re really excited about it, where it is now and where it’s going as well. If there’s something y’all see in here that you’d have a question about or maybe a feature that you think would be a really cool thing based on everything that Keith’s shown you today, we’d love to hear it. But we’re really excited about it and the way it kind of works with our other existing product lineup is really, really cool. That’s it.

Keith Lockhart: Well said. I’m just creating new cases and playing. While you’re doing that, Ali, go ahead.

Ali: Yeah, I would just like to add, I mean, having a deep IT background and a deep distaste for sending my personal data to somebody else’s servers. This is nice that the data belongs to the owners. We never see it. And that really excites me in that sense where you never have to share anything with the vendor. So, I don’t know if Keith or Dan, you guys spoke about how this is hosted, right?

Keith Lockhart: Yeah. I mean it could certainly from a, oh dang, what’s the word I’m looking for here? From a not vendor…service…

Dan Dollarhide: I think…and something a good point Ali brought up is, just so you know, we didn’t really touch on this, but this is an application. This is an application that you host on your box, not ours. You’re not sending data to be hosted by Oxygen Forensics. That’s not what we do. We sell software and you can install that software on your environment and you host from your environment. This never comes to us. We don’t see your data. We don’t want your data. So, you can host this Oxygen Analytics Center application internally on your network. You can host it in the cloud. You get to set the parameters on who can join and who can’t. It’s completely up to you. We don’t want control over your data and we’ll never have it. Good point, Ali.

Keith Lockhart: Yeah. Excellent. Okay, well, that’s about five minutes to the hour.

Dan Dollarhide: All right. Everybody gets five minutes in their day back.

Keith Lockhart: First time in history I am not talking over the time allotted! I guess we could do some more fun examples, but I think we got the point across and listen after this, I don’t have a slide made up for this, but keith.lockhart@oxygenforensics.com or dan.dollarhide. I mean, let us know. I mean your questions, comments, ideas, want to see again, want to see it this way, want to make it do this. We love doing this kind of stuff, and we’re all about that, so drop us a line.

Okay, then I’ll close out our webinar. Have a great Monday, everybody, and we’ll speak to y’all later.

Dan Dollarhide: Thanks everyone. Have a good one.
