“Remote” Collections with WinFE, a neat trick

In civil litigation, the procedures for data collection are somewhat more relaxed than in criminal investigations, but cost is a huge factor.  Criminal suspects typically lose custody of their seized systems and won't necessarily cooperate with the seizure of electronic evidence.  Civil litigants, on the other hand, usually keep custody of their systems and cooperate with the data collection.   Once you add the travel needed simply to image a hard drive or copy a folder, a single hard drive can cost a client thousands of dollars in expenses.

But here is a neat trick.

1)  Ship the custodian a customized WinFE CD and an external drive.

2)  Over a phone call, walk the custodian (or IT staff) through booting the system to WinFE and plugging in the external USB hard drive.

3)  Connect to the WinFE-booted system remotely and image the custodian's drive directly to the supplied USB external drive.

The external drive can then be shipped back to you overnight. You can accomplish in minutes what would otherwise take hours and thousands of dollars (air and ground travel, meals, lodging), all without leaving the office.

There is more than one method of accessing the booted WinFE system remotely: Remote Desktop, VNC, or any number of commercial applications such as TeamViewer.   Any of these lets you take control of the custodian's system (inside the WinFE OS) and run just about any Windows-based forensic application to image the custodian's hard drive to the USB external drive.  You could also create containers of targeted files/folders, or triage the computer to determine whether it needs to be collected at all.

Should you decide to save your client or company thousands of dollars per case, here are some tips when using this WinFE “remote” collections method:

1)  Build your WinFE with the forensic apps you need (FTK Imager, EnCase, etc.).

2)  Have a one-click connect icon on the desktop for the custodian to start the remote connection.

3)  Run a system information application (WinAudit) on the custodian machine to identify the hardware in the system.  Maybe even have the custodian or IT email you a photo of the system being imaged.  Store the hardware scan with the image file.

4)  Create two images (one to be shipped, one to be kept on premises in case the shipped image is lost in transit), and record the hash values of each so the shipped copy can be verified when it arrives.

In practice, you can connect to as many WinFE-booted computers as need to be imaged, one after another, all imaging to external hard drives.
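The tip about keeping a second copy only pays off if you can prove the shipped copy is the same image. Below is an added example (not code from the original post) of a small acquisition manifest: hashes and metadata recorded when the image is made, then checked when the external drive arrives at the office. It assumes a raw (dd-style) image file; for an E01 you would copy the hashes from the imaging tool's own verification log instead. The custodian name, file names and the 3 MiB stand-in "image" in the demo are constructed.

```python
"""Acquisition manifest: write it when the image is made, verify it on arrival.

Added example for the remote-collection tips above; not part of the original
post. Assumes a raw (dd-style) image file. All sample data is constructed.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so multi-hundred-GB images fit in memory


def hash_image(path):
    """Return (size, md5, sha256) of a file, reading it once in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            size += len(block)
    return size, md5.hexdigest(), sha256.hexdigest()


def write_manifest(image_path, manifest_path, **extras):
    """Record the image hashes plus case metadata (custodian, hardware scan name, ...)."""
    size, md5, sha256 = hash_image(image_path)
    manifest = {"image": os.path.basename(image_path), "size": size,
                "md5": md5, "sha256": sha256}
    manifest.update(extras)  # e.g. custodian name, WinAudit report file name
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(image_path, manifest_path):
    """Return (ok, reasons). The size is checked first: a file truncated by a
    damaged shipment shows up immediately, before a full re-hash of the image."""
    with open(manifest_path) as f:
        expected = json.load(f)
    reasons = []
    actual_size = os.path.getsize(image_path)
    if actual_size != expected["size"]:
        reasons.append("size %d != %d" % (actual_size, expected["size"]))
        return False, reasons
    _, md5, sha256 = hash_image(image_path)
    if md5 != expected["md5"]:
        reasons.append("md5 mismatch")
    if sha256 != expected["sha256"]:
        reasons.append("sha256 mismatch")
    return not reasons, reasons


def demo():
    """Constructed data: a 3 MiB random file stands in for a custodian's drive image."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "custodian.dd")
        manifest = os.path.join(d, "custodian.json")
        with open(image, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))  # deliberately not a multiple of CHUNK
        write_manifest(image, manifest, custodian="J. Doe (constructed)",
                       hardware_scan="winaudit_report.html")
        intact = verify_manifest(image, manifest)
        # Simulate a copy corrupted in transit: flip one byte in the middle
        with open(image, "r+b") as f:
            f.seek(CHUNK + 5)
            b = f.read(1)
            f.seek(CHUNK + 5)
            f.write(bytes([b[0] ^ 0xFF]))
        corrupted = verify_manifest(image, manifest)
        # Simulate a copy cut short: truncate to 1 MiB
        with open(image, "r+b") as f:
            f.truncate(CHUNK)
        truncated = verify_manifest(image, manifest)
        return intact, corrupted, truncated


if __name__ == "__main__":
    for label, result in zip(("intact", "corrupted", "truncated"), demo()):
        print(label, result)
```

Keep the manifest with the on-premises copy as well as with the shipped drive; if the two ever disagree, the hashes tell you which copy to trust.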

Of course, not everything always works out as planned.

Custodian machines may not have a CD drive.  Ship a WinFE CD and a WinFE USB stick together, just in case.

Hard drives may be BitLocker-protected.  You can still image the drive through WinFE, but a physical image of a locked volume is an encrypted copy: get the recovery key or password from the custodian or IT before you start, so the volume can be unlocked before imaging or the image decrypted afterwards.  Without it you have shipped yourself ciphertext.  Other encrypted drives may be accessible too, depending on how the system is set up.
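It is cheap to find out whether an image is ciphertext before the drive goes in the mail. The added example below (not from the original post) reads the MBR partition table of a raw disk image and classifies each volume's boot sector by its OEM name; a BitLocker-protected volume carries "-FVE-FS-" where NTFS carries "NTFS    ". It assumes a raw (dd-style) image or an open handle to the physical disk with an MBR partition table; GPT disks are only flagged. The disk image used in the check is constructed in the block itself and contains no real data.

```python
"""Spot BitLocker-protected volumes in a raw disk image before shipping it.

Added example for the BitLocker caveat above; not part of the original post.
Assumes an MBR partition table and 512-byte sectors; a GPT protective entry
is reported but not parsed. The test image is constructed, not real data.
"""
import io
import struct

SECTOR = 512

# OEM name (bytes 3..10 of a volume boot sector) for the file systems of interest
SIGNATURES = {
    b"-FVE-FS-": "bitlocker",   # BitLocker full-volume-encryption volume
    b"NTFS    ": "ntfs",
    b"EXFAT   ": "exfat",
    b"MSWIN4.1": "fat",
    b"MSDOS5.0": "fat",
}


def classify_boot_sector(sector):
    """Return a file-system label for one 512-byte volume boot sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return "no boot signature"
    return SIGNATURES.get(sector[3:11], "unknown")


def mbr_partitions(mbr):
    """Yield (index, type, start_lba, sector_count) for the four primary MBR entries."""
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            yield i, ptype, start, count


def scan_image(f):
    """Classify the volume in each MBR partition. f is an open binary file or handle."""
    f.seek(0)
    mbr = f.read(SECTOR)
    results = []
    for i, ptype, start, count in mbr_partitions(mbr):
        if ptype == 0xEE:
            results.append((i, "gpt protective entry (not parsed)"))
            continue
        f.seek(start * SECTOR)
        results.append((i, classify_boot_sector(f.read(SECTOR))))
    return results


def build_test_image():
    """Constructed image: NTFS volume at LBA 2048, BitLocker volume at LBA 4096."""
    def boot_sector(oem):
        s = bytearray(SECTOR)
        s[0:3] = b"\xeb\x52\x90"      # jump instruction, as on real Windows volumes
        s[3:11] = oem
        s[510:512] = b"\x55\xaa"
        return bytes(s)

    mbr = bytearray(SECTOR)
    layout = [(0x07, 2048, 2048), (0x07, 4096, 2048)]  # type 0x07 for both
    for i, (ptype, start, count) in enumerate(layout):
        struct.pack_into("<B", mbr, 446 + 16 * i + 4, ptype)
        struct.pack_into("<II", mbr, 446 + 16 * i + 8, start, count)
    mbr[510:512] = b"\x55\xaa"
    img = bytearray(SECTOR * 6144)
    img[0:SECTOR] = mbr
    img[2048 * SECTOR: 2049 * SECTOR] = boot_sector(b"NTFS    ")
    img[4096 * SECTOR: 4097 * SECTOR] = boot_sector(b"-FVE-FS-")
    return bytes(img)


def scan_constructed():
    """Run the check over the constructed image."""
    return scan_image(io.BytesIO(build_test_image()))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # a raw image, or \\.\PhysicalDriveN
            print(scan_image(fh))
    else:
        print(scan_constructed())
```

Run it against the image on the USB drive from the remote session, or against the on-premises copy, and any volume reported as "bitlocker" needs the recovery key before it is of any use to you.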

The custodian machine may be broken.  You might have to ship the entire machine or the hard drive(s), but that is still cheaper than travel expenses.

The custodian machine may have no internet access.  You need it for this method to work, so you could always ship a wireless card along with the WinFE CD and external drive.

If volatile memory such as RAM needs to be captured, this isn't your best option, or even a good one: booting the machine into WinFE replaces the running OS, so whatever was in memory is gone.  In fact, this is not a good 'live response' method at all.

And yes, this can also be done with many of the Linux forensic boot discs.  But it is certainly much easier for the majority of custodians to use a Windows FE OS if their everyday systems are also Windows.  Plus, you can use just about any of your everyday Windows forensics applications.

Well, you may miss out on traveling on the client's dime, but your client will be happy (that's the goal anyway, isn't it?).

This may not be good news for anyone wanting to make easy money with travel, but in the long run, your clients (and boss, perhaps) will appreciate the savings and the speed at which this can be done.  You'll also be able to get more done in a shorter period of time.  That is a good thing.


6 thoughts on "“Remote” Collections with WinFE, a neat trick"

  1. If you were to use something like Teamviewer, would this have to be installed on your WinFE setup?

    • Not installed, only copied into the build or run from an external device. There are scripts on the reboot.pro website for Teamviewer, but the easiest method I’ve found is copying the Teamviewer.exe to the Pstart folder and running it from there (you can place an icon on the desktop to make it easier for the custodian to find).

      Bad news with Teamviewer is that v7 will not work in a PE/FE. You’ll have to use v6 or older, which works fine.

      There are other ways too, like the remote desktop scripts for Winbuilder.

      • Hi Brett,
        So I’ve tried running Teamviewer 5, 6 & 7 from a USB drive once booted into WinFE – both the portable and Quick support versions – and none of them work. I keep getting the error message that “The program can’t start because AVICAP32.dll is missing from your computer. Try re-installing the program to fix this problem.” I’ve tried copying that file from my Windows install over to the \X\\Windows\System32 folder but that didn’t work. I also get an error that CRTDLL.DLL is missing. Any ideas? Also, where is the “Pstart” folder you mention above? I can’t seem to locate it. Thanks. – Jason

        • If you are building a 64-bit, that may be part of the problem. I’m not sure which method you are using to build, but Winbuilder most likely builds WinFE with the required files. Version 5 and 6 work, v7 not so much (I couldn’t get v7 to work without using workarounds, which I don’t like to do). I’ve never had the quick support app for TeamViewer work.

          The Pstart folder is located under your “C:\winbuilder\Projects\Win7PESE\Apps\Portable” folder. This folder is simply copied onto your build, so any programs in this folder aren’t installed.
