My Road to Digital Forensics Excellence

Archive for October, 2010

OutsideIn Part 3

Posted by Paul Bobby on October 15, 2010

So how do we get there?

  1. Put all your exhibits in a single folder
  2. Set up your Output folder structure
  3. Edit batch files/config file to point to correct paths
  4. Go

All of my exhibits are in the OutsideIn HTML SDK Samples Files folder at “E:\downloads\outsidein\outsidein-html\sdk\samplefiles”.

My output folder structure is like this:


@echo off
del navi-source.htm
for /f %%a IN ('dir /b %1\*.*') do call runner.bat %1 %%a


@echo off
echo "Processing %1\%2"
e:\downloads\outsidein\outsidein-html\sdk\demo\exredir.exe %1\%2 d:\temp\output\report\%2.html d:\temp\output\default.cfg
echo.^<a href ="report\%2.html" target ="showframe"^>%2^</a^>^<br^> >> navi-source.htm

The ‘^’ in DOS batch files is the escape character.


 <frameset cols="200,*">
  <frame src="navi-source.htm" />
  <frame src="intro.html" name="showframe" />


  Please click a document on the left, and navigate

Kick off the process by executing “go.bat <path to exhibit folder>”, for example:

go e:\downloads\outsidein\outsidein-html\sdk\samplefiles

For each file in the folder, runner.bat is executed, which calls the executable exredir.exe, the file that performs the actual conversion. The output of the conversion is to the folder “d:\temp\output\report\”, and reads the configuration for the conversion from “d:\temp\output\default.cfg”

“default.cfg” is the default configuration file that came with the OutsideIn demos. The only option I changed in this file is which HTML template to pick. In the output folder structure screenshot above, you’ll see a folder called “standard”. This contains the HTML template that I used to generate my HTML output for each processed file.

The OutsideIn process creates a navigable HTML interface for each individual file, my batch files wrap a second frame around this so that the reviewer can select which file to view.

The frames are controlled in “report.html”; the navigation frame is populated at runtime in a file called “navi-source.html”, and the default frame is “intro.html”.

The contents of navi-source.html after the processing is completed:

<a href ="report\adobe-acrobat.pdf.html" target ="showframe">adobe-acrobat.pdf</a><br>
<a href ="report\amidraw-bitmap.sdw.html" target ="showframe">amidraw-bitmap.sdw</a><br>
<a href ="report\annotate.doc.html" target ="showframe">annotate.doc</a><br>
<a href ="report\" target ="showframe"></a><br>
<a href ="report\autodesk-autocad.dxf.html" target ="showframe">autodesk-autocad.dxf</a><br>
<a href ="report\bitmap.bmp.html" target ="showframe">bitmap.bmp</a><br>
<a href ="report\bullet.gif.html" target ="showframe">bullet.gif</a><br>
<a href ="report\corel-presentation.shw.html" target ="showframe">corel-presentation.shw</a><br>


All that’s left is to double click report.html and navigate through the report.

Note: if you view report.html in Internet Explorer, you can see a preview pane in the bottom of the second column (doesn’t work in Chrome).


Posted in General Research, State of Affairs | Tagged: | Leave a Comment »

OutsideIn Part2

Posted by Paul Bobby on October 15, 2010

The OutsideIn HTML Export tool can take a single document and produce an HTML navigable interface. The options are many, but in the end, you can produce HTML or MHTML versions of your files. Check out the following sample files (mhtml versions, so view them in Internet Explorer).

The OutsideIn SDKs come with the following sample files:

Once the scripting process is executed, you will have a new folder with many news files that represent each individual source file (for HTML output) or just a single file (for MHTML output). I chose HTML output.

The following screenshot shows the intial presentation of “report.html”:

And the following screenshot shows the exploded view as you click on the desired file for viewing:

Posted in General Research, State of Affairs | Tagged: | Leave a Comment »

On the Outside looking In

Posted by Paul Bobby on October 14, 2010

This post concerns the OutsideIn technology, owned by Oracle. The following link takes you to the OutsideIn product page.

I conduct digital forensic examinations in the corporate world and my customers, while capable investigators, do not always have high technical skill. When providing them with data such as office documents, pdfs, internet history summaries, email (pst/ost), lots of images and movies, the ‘presentation layer’ can become very complicated. The presentation of so much data is complicated by the delivery (how do you get 50 megabytes of media to the customer) and also by the viewing of said data.

My ideal goal is to package up all the data, including report, in to logical evidence files and to provide a self-contained executable that can both mount the LEFs, provide a navigation screen, and incorporate viewer technology. This is a product opportunity. OutsideIn may just be the ticket that provides the viewer technology.

At the above link you can find the download page of OutsideIn that provides SDKs for various components. There are various download options:

  1. Content Access – extract/view metadata from all supported formats
  2. HTML Export – create html versions of all supported formats
  3. Image Export – create image versions of all supported formats (e.g. TIFF or JPEG)
  4. PDF Export – create PDF versions of all supported formats
  5. Viewer Technology – create viewer applications that display all supported formats.

For those of you that use Encase, you have already seen OutsideIn in operation. That ‘doc’ pane is simply a viewer window and the content is rendered by OutsideIn for display.

I downloaded both the Viewer Technology SDKs and the HTML Export SDKs. They both come with  sample applications. The Viewer technology gave me my first <Takai>”Oh my”</Takai> moment.

See that screenshot?

That aint no PST it’s an OST! Woot, now I have a demo application that can view OST files natively!

Next, playtime with the HTML Export SDK. Coming up, some quick and dirty scripting creates a decent navigation experience for a case reviewer.

Posted in General Research, State of Affairs | Tagged: | 1 Comment »

Why “the malware made me do it” appeals so much to the juror.

Posted by Paul Bobby on October 4, 2010

Okay, provocative title.

I recently read through the excellent work by Richards J. Heuer, Jr, entitled “Psychology of Intelligence Analysis“. As the title suggests the goal of this paper is to produce an analytical workflow that is resistant to the intended and sometimes unintended failures of the cognitive process. Part III discusses the various cognitive biases that we are all prone to.

“Similarity of Cause and Effect”, page 132, describes the tendency of human beings to infer cause based on the properties of the effect. For example, “…large animals leave large tracks…” and “…heavy things make heavy noises…” The problem is that people “tend to reason in the same way under circumstances when this inference is not valid”. Political events have political causes, economic events have economic causes and that “little events cannot affect the course of history”.

The previous section in this paper, “Bias Favoring Perception of Centralized Direction”, discusses the tendency to “see actions as the intentional result of centralized direction and planning”. Oswald could not have acted alone…

These two biases, similarity of cause and effect, and centralized direction, is why conspiracy theories are so effective. The “Trojan Defense” is a tactic employed by the defense (and sometimes used within corporate investigations) as a way to infer cause from observed behavior. Heuer indicates in this paper that “intelligence analysts are more exposed than most people to hard evidence of real plots, coups, and conspiracies….”, and I believe this can be extended to the forensic analyst. Our day to day job exposes us to many of the behavioral patterns of individuals and we have a deep understanding of the computer artifacts involved.

To the juror however, presenting a mysterious rhetoric of conspiracy, through malware, appeals directly to the cognitive biases that Heuer warns against.

Note: I consider the entire document a must-read. For incident response and cyber intelligence analysis it provides real working tools to combat the often flawed thinking when trying to create a model that represents the adversary. We are so not working with script kiddies anymore – APT requires real thinking and real analysis. These concepts apply equally as well to the forensic analyst, whether law enforcement or corporate analyst, these tools can help you arrive at the appropriate conclusion, free from ‘past experience biases’ and other conundrums.

While there are smoking guns and hard facts to be found when conducting forensic analysis, quite often the conclusion must be inferred from a large set of forensic artifacts that ‘paint the picture’ of activity. It is this inference that is as weak or as strong as the thought process that produced it.

Posted in General Research, State of Affairs | Tagged: | Leave a Comment »