Manual review of data structures

#dfirsummit has been generous this year in that they’ve provided a free live stream of the 2 days of presentations. This quick post was prompted from listening to Lee “Gervais” Whitfield, and his discussion of where to look to disprove the ‘bios clock changed’ conspiracy when it comes to disputing the evidence on your hard drive.

He indicated several locations that exhibit temporal anomalies should the clock in fact get changed. For example, thumbs.db (thumbnail databases in folders with images) stores thumbnail data sequentially – changes in the timestamps of those thumbnails may indicate time change.

He was asked, what are the Top3 places to look for for evidence of clock changes, and as #1 he mentioned Event Logs. But I don’t think for the reason why it is #1. He mentioned one event for XP and a couple of events for Vista/7 that show the clock being changed that get recorded in the event log. This is good of course, but I believe the real deal with event logs is just as with thumbs.db. Data is written to the event log sequentially – it is not ordered chronologically.

Talking Windows OS and NTFS.

Again: event logs are written to the NTFS file system, and then individual events appended to the log. If the clock changes, new events are appended to the log with these new timestamps. This is where reliance on tools such as Encase/FTK to perl scripts, to Event Log explorers, even log2timeline, that may auto-sort events for us chronologically for presentation, or at the least, our first step is to sort output chronologically. If we manually inspect the contents of the event log file with a hex editor (i.e. a raw view), and do some decoding ourselves, we can see the jump in time/anomaly clearly.

Of course what is ‘clear’ is subjective – but this is a good example of where manual review of data structures may in fact save the day rather than relying on our tools. Manual review of data sources may only be appropriate for certain scenarios, and I’m not recommending it as a daily approach; but it is something to be mindful of when trying to prove a point.

OutsideIn Part 3

So how do we get there?

1. Put all your exhibits in a single folder
2. Set up your Output folder structure
3. Edit batch files/config file to point to correct paths
4. Go

All of my exhibits are in the OutsideIn HTML SDK Samples Files folder at “E:\downloads\outsidein\outsidein-html\sdk\samplefiles”.

My output folder structure is like this:

Go.bat

@echo off
del navi-source.htm
for /f %%a IN ('dir /b %1\*.*') do call runner.bat %1 %%a

Runner.bat

@echo off
echo "Processing %1\%2"
e:\downloads\outsidein\outsidein-html\sdk\demo\exredir.exe %1\%2 d:\temp\output\report\%2.html d:\temp\output\default.cfg
echo.^<a href ="report\%2.html" target ="showframe"^>%2^</a^>^<br^> >> navi-source.htm

The ‘^’ in DOS batch files is the escape character.

Report.html

<html>
 <frameset cols="200,*">
  <frame src="navi-source.htm" />
  <frame src="intro.html" name="showframe" />
 </frameset>
</html>

Intro.html

<html>
 <body>
  Please click a document on the left, and navigate
 </body>
</html>

Kick off the process by executing “go.bat <path to exhibit folder>”, for example:

go e:\downloads\outsidein\outsidein-html\sdk\samplefiles

For each file in the folder, runner.bat is executed, which calls the executable exredir.exe, the file that performs the actual conversion. The output of the conversion is to the folder “d:\temp\output\report\”, and reads the configuration for the conversion from “d:\temp\output\default.cfg”

“default.cfg” is the default configuration file that came with the OutsideIn demos. The only option I changed in this file is which HTML template to pick. In the output folder structure screenshot above, you’ll see a folder called “standard”. This contains the HTML template that I used to generate my HTML output for each processed file.

The OutsideIn process creates a navigable HTML interface for each individual file, my batch files wrap a second frame around this so that the reviewer can select which file to view.

The frames are controlled in “report.html”; the navigation frame is populated at runtime in a file called “navi-source.html”, and the default frame is “intro.html”.

The contents of navi-source.html after the processing is completed:

<a href ="report\adobe-acrobat.pdf.html" target ="showframe">adobe-acrobat.pdf</a><br>
<a href ="report\amidraw-bitmap.sdw.html" target ="showframe">amidraw-bitmap.sdw</a><br>
<a href ="report\annotate.doc.html" target ="showframe">annotate.doc</a><br>
<a href ="report\archive.zip.html" target ="showframe">archive.zip</a><br>
<a href ="report\autodesk-autocad.dxf.html" target ="showframe">autodesk-autocad.dxf</a><br>
<a href ="report\bitmap.bmp.html" target ="showframe">bitmap.bmp</a><br>
<a href ="report\bullet.gif.html" target ="showframe">bullet.gif</a><br>
<a href ="report\corel-presentation.shw.html" target ="showframe">corel-presentation.shw</a><br>

..snip..

All that’s left is to double click report.html and navigate through the report.

Note: if you view report.html in Internet Explorer, you can see a preview pane in the bottom of the second column (doesn’t work in Chrome).

OutsideIn Part2

The OutsideIn HTML Export tool can take a single document and produce an HTML navigable interface. The options are many, but in the end, you can produce HTML or MHTML versions of your files. Check out the following sample files (mhtml versions, so view them in Internet Explorer).

• Adobe Acrobat PDF (277k)
• ZIP Archive (2,478k)
• Corel Quattro Pro (27k)
• Microsoft Visio (70k)

The OutsideIn SDKs come with the following sample files:

Once the scripting process is executed, you will have a new folder with many news files that represent each individual source file (for HTML output) or just a single file (for MHTML output). I chose HTML output.

The following screenshot shows the intial presentation of “report.html”:

And the following screenshot shows the exploded view as you click on the desired file for viewing:

On the Outside looking In

This post concerns the OutsideIn technology, owned by Oracle. The following link takes you to the OutsideIn product page.

I conduct digital forensic examinations in the corporate world and my customers, while capable investigators, do not always have high technical skill. When providing them with data such as office documents, pdfs, internet history summaries, email (pst/ost), lots of images and movies, the ‘presentation layer’ can become very complicated. The presentation of so much data is complicated by the delivery (how do you get 50 megabytes of media to the customer) and also by the viewing of said data.

My ideal goal is to package up all the data, including report, in to logical evidence files and to provide a self-contained executable that can both mount the LEFs, provide a navigation screen, and incorporate viewer technology. This is a product opportunity. OutsideIn may just be the ticket that provides the viewer technology.

At the above link you can find the download page of OutsideIn that provides SDKs for various components. There are various download options:

1. Content Access – extract/view metadata from all supported formats
2. HTML Export – create html versions of all supported formats
3. Image Export – create image versions of all supported formats (e.g. TIFF or JPEG)
4. PDF Export – create PDF versions of all supported formats
5. Viewer Technology – create viewer applications that display all supported formats.

For those of you that use Encase, you have already seen OutsideIn in operation. That ‘doc’ pane is simply a viewer window and the content is rendered by OutsideIn for display.

I downloaded both the Viewer Technology SDKs and the HTML Export SDKs. They both come with  sample applications. The Viewer technology gave me my first <Takai>”Oh my”</Takai> moment.

See that screenshot?

That aint no PST it’s an OST! Woot, now I have a demo application that can view OST files natively!

Next, playtime with the HTML Export SDK. Coming up, some quick and dirty scripting creates a decent navigation experience for a case reviewer.