Building your WinFE Update

For those that have been using WinFE and wanting to know about recent updates, I have only a little news to mention.    WinFE is still just as good today as when Troy Larson first created it, so not much in the update area there.  WinFE still boots the same computer systems and you can do the same forensic work as before, not much has changed since then.   DiskPart is still the primary (only) method to toggle drives on/offline, which isn’t difficult to do.  Still command line, but easy commands to use.

WinFE Batch File Building Method

And building WinFE is the same as before, no changes there either.  If you use the batch file method, you can write your own or you can download pre-made batch files using the Box.net widget on this site to the right.   Several to choose and modify to suit your preferences.

The location of the batch files on this blog looks like the below screenshot, so if you don’t see it, you may need to have Java enabled in your browser.

All the batch files are in this zip file.

WinFE WinBuilder Building Method

If you are using WinBuilder (www.reboot.pro), there have been a continual update of the WinFE scripts by RoyM.  The reboot.pro site is also the best place for forum support directly with the script writers if you have problems building your WinFE.  RoyM (and others) has taken a great lead in the WinFE WinBuilder development.  My hat is off to all the contributors.

Other Forensic Boot Systems

The “other” forensic boot systems have had a few updates, some major.  I would highly recommend checking out Raptor, CAINE, and DEFT!  A major difference between WinFE and several of the Linux forensic boot systems is that many of the Linux systems are pre-made forensic OS’s, with freeware/open source tools already installed.  WinFE requires you to add the apps you want to use, which may be freeware, open source, or commercial.    A more complete forensic G0-Bag Kit has all of them….just in case….

 

An update to a long awaited project

It’s been awhile, a long while, since there has been anything added to the WinFE project, and the bad news is that nothing is new other than Microsoft not quite accepting of Colin Ramsden’s write protect tool.   As that is not good news, both Troy and Colin are working toward an effort that may meet Microsoft’s needs for an acceptable (to Microsoft…) write protect application other than DiskPart.

Sorry for the news on no news, but WinFE still works as it is, you just need to use the command line to toggle drives on/offline.

Sharing the love with WinFE

There have been numerous presentations showing how to build and use a WinFE boot disc around the world.  Most recently I see that IACIS has given a demo this year along with several HTCIA Chapters and a DOD conference as well.  A write up of Imaging a MacBook by Sean Morrissey shows just how easy WinFE is to use on a MacBook based on one demo at IACIS.

As simple as it is to use, it has become even easier to build using WinBuilder.  Probably the most significant difference when using WinBuilder rather than building via WAIK and the command line is the numerous options that can be automatically added, particularly in that of supporting more software able to run on WinFE.

Many examiners have already tried to build and use WinFE, but I know there are a few of you out there that just haven’t sat down to give it a whirl.   If you can speak to anyone that uses WinFE, they will each tell you that it is well worth it!

The next coolest thing to be added to WinFE is Colin Ramsden’s GUI currently being finalized.   Say goodbye to the DiskPart command line!

Friendly reminders are always nice

Always test your tools (this includes WinFE).  Considering that NIST recently discovered that some Ubuntu based forensic boot discs could make modifications to a booted suspect drive (modifies the $logfile upon booting….),  these sort of news breaks are a friendly reminder to test your tools.  Additionally, when ‘bugs’ are found in forensic tools, it may help to review any cases that may be affected by a past use of a tool.  Even Guidance Software just released a firmware update to a hardware physical write blocker in which writes to the evidence drive were not protected.  How’s that for reassurance with hardware write blockers being known as the absolute write protection tool?

You can’t rely upon someone else’s work, you can’t even rely upon the label of a box of something you buy.  You just have to spend the time to test it personally.

If you’ve not tested a tool that you used and later find that there was a problem with it, how long will you worry about one of those times you relied upon it to come back to haunt you in a past case?

Better that you tested it (“I know it works because I tested it“) rather than rely on someone else to test it (“But the company/website/brochure said it worked...”). 

How easy (or difficult) is it to build a WinFE with WinBuilder?

An easy quickstart guide to build your WinFE ISO…

1) Extract WinBuilder to the root of your C:/ drive

2) Run WinBuilder

3) Click 3 buttons and you are done.

If you want more features, such as additional programs, network support, audio, more drivers, customized wallpaper, create a bootable WinFE flashdrive, etc…, then you just need to push a few more buttons.  Download and read the write up (Users Guide to WinFE) for details on adding features.  It’s just as easy as pushing the 3 buttons.

These screenshots show all that is needed.  Now, after looking at what is needed to create your WinFE, what is the reason you haven’t started yet?…..



Triage Notes and WinFE

One of the biggest benefits (besides imaging storage media) of WinFE is the ability to create a customized triage system at virtually no cost.  Purchasing a pre-made system may not be an issue when only one or a few systems are needed, but when outfitting an entire unit or perhaps an entire police department, bulk purchases of software to be issued individually most likely may not happen.  Completing disregarding the ability to triage due to cost does not benefit the community or country.  Finding solutions does.

With a WinFE “triage system”, the cost can be minimal due to the multitude of freely available software available.  Not to be confused with shareware, pirated software, or other questionable software, there are plenty available at no cost that are effective and easy to use (and did I mention the keyword “free“?).

So, when contemplating purchasing a pre-built system, consider that a customized system can be simply created that fits the needs and budget of your organization or your case.

There are several tools of worthy mention, but plenty more that are just as viable for triage and forensic quality software.

For law enforcement and military, there is the excellent (and free!) search tool “Field Search“.  Field Search is a tool initially developed to run on a live machine to scan for images, internet history, and other items of evidential value.

Field Search can also run under a WinFE booted system, giving it the capability of being “forensic” in that instead of running on the suspect machine and altering the system, it can now be run without altering the system.   Field Search is an extremely quick and easy program to use for First Responders and those in combat zones.  The use of this program in a forensic environment just doubled its potential.

The only limits to the software that will run on WinFE are those that depend upon the dependent files.  As an example, the Microsoft .NET framework is needed to run ChromeAnalysis and FoxAnalysis.   .NET is installed in the WinFE with the check of a box when using WinBuilder to build a WinFE ISO.  With that,  both FoxAnalysis and ChromeAnalysis from www.forensic-software.co.uk run in the WinFE booted system giving more options in triage.  Both of these tools provide an intensive internet history capability in any forensic examination, and can be easily used in a triage/preview situation.  

Other types of forensic software can also be used to target specifically desired information.  RegRipper can be used to run against an entire drive and output specific results to a text file.  RegRipper (freely available!) can be modified in a multitude to ways to target what may be needed in a given scenario, either by using pre-made plugins or writing a unique plugin based on what is needed.

WinFE allows you to customize a triage booting system based on several factors other than just a budget.  As an example, a police department can have a WinFE customized for First Responders with a bare minimal selection of triage tools, Field Search being a prime example.   Investigators could have additional tools (with some additional training) that can go beyond the First Responders’ needs.  With this type of system, by the time a forensic examiner is given evidence to examine, the evidence has been prioritized by the First Responder and case investigator to best determine how resources should be spent.  Compared to literally dumping multiple computers onto an examiner’s desk and asking for “everything”, triage can be conducted for more effective results and quicker turnaround.  This can be applied to non-LE work as well.

Since WinFE can boot virtually any intel based computer, (this also includes Macs and *nix machines), the majority of situations can be handled with it.   Forensic Linux boot discs can be used in the same fashion as WinFE, using Linux software, however, I would hazard a guess to opin that most computer users are using the Windows Operating System.  Giving an unfamiliar operating system to a First Responder may be creating a problem due to mistakes being made by not knowing ‘which buttons to push’ to find the evidence…Those with more experience with Linux should not have that problem.  Given the option to outfit a battalion of combat troops with this capability…I’d probably lean heavily toward a Windows based system…

Fairly soon, if not already in some jurisdictions, the days of giving the forensic examiner dozens of hard drives that have not been previewed or triaged in some fashion by someone, will be over.   A WinFE triage system can be configured to find basic information (user accounts, internet history, graphics, etc…) which can be used to prioritize, or even eliminate, media to be examined.  Some information that can be gleaned onsite during triage could substantially affect the outcome of the situation (combat arena?  searching for victims related to an electronic crime scene? or other scenarios where an extensive examination will yield results that may be useless months later?).

Using a triage system can save more hours than you may initially realize.  If just one computer hard drive is triaged, and determined not to be of importance (as compared to the other 10 in the investigation…), then it need not be imaged (saving hours) and need not be examined (saving days).   It’s very easy to determine the ROI or manhours saved with one hard drive, extrapolate that to dozens or more hard drives.  How’s that for cutting down the workload?

OSForensics

Giving more usability to WinFE, OSForensics has several features that I can see being beneficial in triage of a system with OSForensics.  OSForensics can be run on a live system (not the optimal decision in most cases), a mounted image, or in a forensically booted WinFE system.

The program’s interface is simple and encompasses quite a bit of the basic forensic processes (searching, indexing, hashing, etc…).  Of particular interest is that some of these standard forensic processes can easily be used in a WinFE booted system for basic triage.

As an example, a scan of images of the suspect computer can be conducted with OSForensics.    This type of triage may certainly help determine which computer systems contain illicit images and need forensic analysis.

Another feature that can benefit cases is that of indexing.  OSForensics allows for indexing of files, including email (pst, mbox.msg,eml, and dbx), for keyword searches.    Searches can also be restricted by date ranges.

Although OSForensics doesn’t appear to be as powerful as a tool such as X-Ways Forensics, I definitely foresee a place where it can used, particularly in a First Responder role.

WinFE Demo Online

I’ll be giving a demo of WinFE to www.ctin.org on March 10 (online).  I’ll be showing some neat developments in the work as well as discuss solving build problems.

There are a few spots left and you have to be a CTIN member to view the presentation.  But maybe it is something worthwhile to join anyway as most all the training is free to members.

But does it do Mac?

Just to clear up any questions on whether WinFE can ‘do a Mac’, well…it can.  And Linux too.  And of course it can do Windows as well.   As long as the machine can be booted to a WinFE CD or USB, then you can image the hard drive.  Actually, you can do a whole lot more than just image it…you can triage it, preview it, search it, or just copy files and folders from it.  If the drive is encrypted and you have the key, you can access the drive.  And what about VSS (Volume Shadow Service/Copies)….you can access those too, all through WinFE.

I can promise that as soon as you build a WinFE CD or bootable USB, you will regret not having done it months or years earlier (it’s been around since 2008….).  And if building a forensic boot OS makes you hesitate at all, there is no need because if you use WinBuilder, it is as simple as pointing and clicking to fully customize your Windows FE CD or bootable USB.

It’s time to build your WinFE!

You can now download the WinFE WinBuilder.  Thanks to everyone that helped support this effort, it was well worth it.

Before you put this off any longer, download the WinFE WinBuilder and try out the Windows Forensic Environment.  As to a guide on how to use WinFE, it probably isn’t really needed since WinFE is simply a forensic boot disc.  So, you might not need any help in putting WinFE to good use.  However…there may be a few things you didn’t know you could do with WinFE that could be of interest.   Since that might be the case, here is a quick guide on tips on using WinFE as well as tips for building with WinBuilder.

Users Guide to WinFE

For support on how to use WinBuilder (troubleshooting, advanced features), check out the WinBuilder website at http://reboot.pro.

To reiterate some points about WinFE (and to hopefully prevent ‘hate mail’ coming to me from commercial products…), WinFE is an addition to your forensic toolkit. It doesn’t replace any tools, only supplements what you are using anyway.   Commercial products that do the same thing that WinFE does work too, keep buying those if you want, you don’t have to use WinFE.  And for the Linux lovers out there (Hey, I’m one of you guys too!), there is time and place for everything, sometimes WinFE is best, another time CAINE or DEFT or ???*nix may be best.

As far as anyone making a profit out of WinFE, no need to ask, because no one is;  it is a community project of customizing a Windows PE to fit your needs.

And yes, there are even some more neat things to be added to WinFE in the future…but as of now, you have access to a solid forensic environment.

For additional credits to this project;

This project uses the project Win7PE_SE as Base building, thank’s to ChrisR for his great work ( Win7PE_SE http://reboot.pro/12427/).  Also, thanks to theYahoouk , JFX, Altorian, Lancelot, and RuiPaz with the Win7PE project on which this WinFE WinBuilder is based.

Portable Internet Evidence Finder and WinFE

Jad Saliba (of JadSoftware.com) has released an update to his Internet Evidence Finder/IEF in a portable version.  Now this sounds really good to have the ability to plug in a USB drive into a running machine to gather the information that IEF does.   But, to take it a step further, I tried IEF within a booted WinFE system.   And the result….it works perfectly!

To make sure you can get the full grasp of how neat this is, you can boot to WinFE and run IEF across the physical drive, without making any changes to the evidence.  This could be of real importance in an investigation such as a missing person case where internet/chat/webmail may be of immediate intelligence value.  Rather than imaging the hard drive to search for this data from the image, or booting the machine to its operating system and potentially overwriting pertinent data, you can boot to WinFE and run IEF on the write protected drive.   Of course, in a missing person case where chat is involved, it may also be most important to capture the volatile data FIRST before turning off the computer.

In civil case matters, this can be a fairly quick method of obtaining data relevant to the case matter onsite if imaging the hard drive is not allowed.

Although IEF doesn’t run on Mac or Linux….if you boot a Mac or Linux machine with WinFE, IEF will run against that Mac or Linux hard drive

Updated video and other things

If you haven’t seen Marc Remmert’s video on creating a WinFE ISO, here is his video.  Although the WinBuilder method greatly simplifies what Marc shows in his video, it certainly recommended to see what is actually happening to a Win”P“E to make it into a Win”F“E, no matter the process used, at least understand the changes being made, the reason for the changes, and the validation of the changes.  And for those that insist that WinFE is not WinFE and that it is WinPE…well, you are sorta correct.  WinFE is the ‘forensic’ modification of a WinPE, so it really is something different.

On the WinBuilder topic, a great group of beta testers have started to put WinBuilder through its paces.  Again, although the end result is that you will be able to create a WinFE ISO with a few clicks, it is best to know what is happening behind the scenes and Marc’s video gives you that insight.

Do you wanna be a beta tester for WinFE?

Just before the latest WinBuilder WinFE gets released, would you like to take it on a test run first before the rest of the world gets it?  There are some neat features (Bitlocker support, DiskPart batch file, plus others), but the main concern is testing to see if anything needs to be fixed, corrected, added, or taken away from the build.

If you have the time to make a build or two and run it against your computer, send me an email and I’ll send you the build (not the ISO, you have to build that, but you get the Winbuilder app to build it).  I’d appreciate any comments, good-bad-or indifferent.   I’ll cut off the number of beta testers as soon as a decent number can reply to this request by email to; bshavers@gmail.com.  So give me your email to get your beta!

WinBuilder Revisited

A big thanks to Royal Meier for providing  a script to modify the registry with a WinBuilder Win7PE build.   What I thought would be a difficult task of using WinBuilder to build a WinFE ISO, is turning out to be quite simple, at least for Royal Meier (he makes it look simple anyway).

I am planning that “the” WinFE WinBuilder will be available before Christmas, for Christmas.  So far, it works wonderfully, but there are a few tweaks to be added to make it really able to create the Super WinFE ISO without having to spend any time running batch files or typing in commands in a DOS shell.

There are a few other things to be added after the New Year, like Colin Ramsden’s work, but that is coming up as well.  So, if you have procrastinated all this time to build a WinFE CD/USB, the wait is nearly over.

How cool is it to build your own custom forensically sound boot CD (in a Windows OS…) with a few clicks?  It is just plain cool.   This is quick and easy, quite super actually.

MobaLiveCD

Here is a neat and FREE app to test your Live CDs.  Not sure how I missed this one, but instead of creating an entire virtual machine to boot a ISO for testing, you can just run the ISO with MobaLiveCD (http://mobalivecd.mobatek.net/en/).  QEMU opens a virtual machine window that much faster on your screen.

This may just cut down the number of cup mats I usually make when burning CDs…

WinFE and Triage

On the subject of triage, I have some thoughts which some companies may not like to hear (at least companies selling triage software or ‘triage computer systems’…).

Here are some problems I see with several triage systems available;

-Any triage tool that is marketed that anyone can plug it in and capture all responsive data and even create a forensic image, without having any knowledge of computers is a tool I would keep at a safe distance from custodians of data…Plug n’ Play to capture evidence or triage a system?  How many problems? Let me count the ways…

-Any triage tool that is restricted to run on a specific computer is one that has just limited itself out of the market.  Since when do you want a tool that can only run on a specific computer you must buy?  Sorta useless if something happens to that computer.

-Any triage tool that professes to magically find all relevant data, even in the hands of untrained persons…wow.    Are you sure its finding what you need?

Why not triage a computer like everyone did in the old days.  Boot to a forensic OS (pick your flavor of OS) and use a tool you always use to find what you need to find.  Every case is different, so every triage is bound to be different.   On one computer, you may need to see the registry, whereas on another, you need to see the images.

And untrained persons triaging machines?  Good luck.  Emergency rooms don’t use non-medical staff to triage patients, why would anyone use non-computer trained persons to triage computers?

As for a pretty good system for triage, build a WinFE disc (it’s free, you don’t need to buy anything other than a CD) and put your favorite forensic tools on it, the ones you use all the time.  Now you have a triage system.   No, more than that, you have a complete Windows Forensic Environment to look for exactly the things you need to look for.   Done right the first time.

So the next time you see a “Triage System” that is plug n’play simple, that decides what data you need to be collected, and that you just sit back and let it work, think about it a little more.  As for me, I want to push the buttons and triage based on what I need and what I see when I am looking at the data.

A complete forensic OS in my pocket

So there I was, in a meeting for trial prep with no gear on hand.  The only thing with me was a USB flashdrive with WinFE (it’s on my keychain….).    During the meeting, I get an ‘emergency call’ asking if I can image a drive, like right now, as in, before it leaves the office.

Stopping by to buy an external USB drive, I made it within 30 minutes to the new case, booted the custodian machine with WinFE and imaged to the external drive.  No hardware write blockers, no running back to the lab, no asking someone to meet me with gear.  It was all in my pocket.  Of course, if WinFE didn’t work for some reason, it would not have worked out at all.  But in this case, it was like magic.

WinBuilder

After having several emails with the developer of WinBuilder (http://www.boot-land.net/), the WinFE build process will have a working project on the WinBuilder website.  This is good news for anyone not comfortable with using the command line to build their WinFE ISO and good news for having more Windows features included with the WinFE build.

So what does this mean?

The build process remains the same with using batch files as detailed on this website.  The use of WinFE remains the same as described as well.  However, a GUI build process will be developed using WinBuilder, which will give you an option to choose between using a CLI batch file or a GUI program to build your WinFE.   It also gives access to the WinFE project to several THOUSAND more users.

WinBuilder provides for many many features in a WinFE build that I believe will be the primary method of building your WinFE ISO.  Colin Ramsden’s work is expected to also be part of the WinFE WinBuilder build, so the best of everything in one GUI.  Bitlocker and VSS easy access, disk management (ReadOnly/ReadWrite), etc…

For all things related to WinFE, insofar as updates, use and information, this site will still exist, but for the build process using WinBuilder, there will be a forum setup specifically for WinFE on the WinBuilder site.

What makes WinFE better/different than other forensic boot discs?

I’ve been asked on occasion, “What makes WinFE better or different than any other boot disc?”.

WinFE is Windows based, not Linux.  For someone not experienced in Linux, the Windows environment may be easier to use due to familiarity with Windows.

Additionally, WinFE allows you to use your Windows based forensic applications in a forensically booted environment.  Rather than using a Linux CD and image with Linen, you can use a Windows CD and image with the full version of Encase or FTK Imager or X-Ways Forensics or other Windows based tool.

If your lab is Linux based, then WinFE may not be as comfortable as using a Linux based tool, but still may be an option to keep on hand (the opposite still remains true, if you focus on using Windows based tools, have some Linux options on hand as well).

Lastly, WinFE is updated by YOU, when YOU need it updated.  There is no need to wait for a distro to be upgraded every 6 months or longer before you can download it.  Current Linux ISO’s available online still may have older versions of software that are outdated.  With WinFE, if any tool is updated/upgraded, you can do it immediately and always have the latest apps.

Other than that, its just user preference.

SecureWorldExpo

Here is the powerpoint from the presentation from the SecureWorldExpo in Bellevue, WA.  Quite the turnout and I hope everyone got something out of it (like getting motivated to build a WinFE ISO!).

I want to stress that I do not advocate working with only one forensic boot disc, but to have a stockpile of different types, Linux, Windows, DOS.  Sometimes, for any reason, your best CD works on one computer one day and doesn’t work on another computer the next.  Easiest thing to do is toss in a standby rather than try to spend hours figuring out the issue.