This is a list of programs that work well in the WinFE environment. Some are forensic programs, others are portable applications that may be useful for different aspects of data collection/examination/reporting. And yes, you can easily run any program by typing its exe name at the command line, but since it’s Windows, why not have a GUI. Each program listed is developed and copyrighted by its respective company.
It is important to realize that booting into WinFE is not completely like booting into Windows. Many aspects of Windows are missing, such as the “Start” button and the task bar. Also, applications, even Windows-based applications, cannot simply be installed into WinFE. For the most part, only portable applications work, with some others working after some additional configuration effort. The programs listed on this page have been tested to work on WinFE, but I am always looking for more… (help me find more!). Know of other programs that are not listed but fit well with WinFE? Please let me know so I can add them.
The X-Ways Forensics folder can be copied to your mounted WinFE tools folder without installing the program. The X-Ways dongle is still required to run, but the dongle does not require any installation either. X-Ways Forensics is perhaps the most full featured forensic application available that does not require intensive installation into WinFE (only needs to be copied) nor requires substantial system resources to run effectively. www.x-ways.net
Evidor, another forensic application from X-Ways, can also be copied onto WinFE (and does not require a dongle). Evidor can conduct keyword searches through a simplified interface, with the output in HTML format. www.x-ways.net
FTK Imager Lite can be copied directly to your mounted WinFE tools folder. However, one file, “oledlg.dll”, needs to be copied (not injected) from your Windows host system to the mounted image for FTK Imager to run from a booted WinFE disk. Simply copy and paste it into the Windows\System32 folder of your mounted image. www.accessdata.com
The U3 version of ProDiscoverBasic will run without the need of installing any files. Change the .U3 extension to .zip and unzip all files to a folder. The folder can be copied to your WinFE tools folder. www.techpathways.com
If Encase has been installed on your C:\ drive, you can copy the entire folder (minus any files not needed) for Encase to function in WinFE. Encase will run in acquisition mode, without a dongle. It is possible to set up Encase so that it runs fully; however, this requires additional steps. As WinFE runs off the “X” drive, you will need to replicate an “X” drive on your system, install Encase to the “X” drive, and then copy the Encase folder to your mounted WinFE tools folder. Additionally, you will need to install the hasp drivers. Hasp drivers are injected in the same manner as .inf drivers, as in the example below:
Peimg.exe /inf=C:\hasp.inf[hash]\hasp.inf C:\winFE\mount\Windows
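As an added example (not from the original page or any of the vendors mentioned), the PowerShell script below stages the three preparation steps described above, copying oledlg.dll into the mounted image, unpacking the renamed ProDiscoverBasic .U3 package into the tools folder, and injecting the hasp driver with peimg.exe. It assumes the image is mounted at C:\winFE\mount (the path used in the peimg example above), that peimg.exe is on the PATH, that PowerShell 5 or later is available for Expand-Archive, and that the .u3 and hasp.inf paths are placeholders you replace with your own.

```powershell
# Added example, not the page's own procedure: stage tools into a mounted WinFE image.
# Assumptions: mount point C:\winFE\mount (as in the page's peimg example),
# peimg.exe on PATH, PowerShell 5+ for Expand-Archive. The .u3 and .inf paths
# below are placeholders, not real locations from the page.
param(
    [string]$Mount    = 'C:\winFE\mount',
    [string]$ToolsDir = 'C:\winFE\mount\Tools',
    [string]$U3File   = 'C:\downloads\ProDiscoverBasic.u3',   # placeholder path
    [string]$HaspInf  = 'C:\hasp\hasp.inf'                     # placeholder path
)
$ErrorActionPreference = 'Stop'

# Refuse to run against anything that does not look like a mounted image.
if (-not (Test-Path (Join-Path $Mount 'Windows\System32'))) {
    throw "No mounted WinFE image found at $Mount"
}
New-Item -ItemType Directory -Force -Path $ToolsDir | Out-Null

# 1. FTK Imager Lite needs oledlg.dll; copy (do not inject) it from the host system.
$src = Join-Path $env:SystemRoot 'System32\oledlg.dll'
$dst = Join-Path $Mount 'Windows\System32\oledlg.dll'
if (-not (Test-Path $dst)) { Copy-Item -Path $src -Destination $dst }

# 2. The U3 package is a zip with a .u3 extension: copy it as .zip and extract it.
$zip = [IO.Path]::ChangeExtension($U3File, '.zip')
Copy-Item -Path $U3File -Destination $zip -Force
Expand-Archive -Path $zip -DestinationPath (Join-Path $ToolsDir 'ProDiscoverBasic') -Force

# 3. The hasp driver is injected like any other .inf driver with peimg.exe.
& peimg.exe "/inf=$HaspInf" (Join-Path $Mount 'Windows')
if ($LASTEXITCODE -ne 0) { throw "peimg.exe failed with exit code $LASTEXITCODE" }

# 4. Sanity check before unmounting: the DLL is in place and the tool folder exists.
[pscustomobject]@{
    OledlgPresent   = Test-Path $dst
    ProDiscoverDir  = Test-Path (Join-Path $ToolsDir 'ProDiscoverBasic')
}
```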
F-Response also works in the WinFE environment, as the F-Response folder containing the executables only needs to be copied onto the mounted image. Details on setting up F-Response on WinFE can be found at the F-Response website: www.f-response.com
RegRipper can run from its folder without any installation. www.regripper.net
AFSearch is an indexing application that requires minimal resources and can run without installation. It supports many file formats and can search using Boolean terms. http://www.afsearch.com/
The ability to use other portable applications is convenient for creating an environment in which you not only can image the drive, but also take screenshots of your activity, take notes, and create chain of custody reports to be saved onto your destination drive. There are many portable applications with word processing, screen capture, and spreadsheet capabilities, which are light on resources and space. The ‘neatness’ factor of portable applications on WinFE is that you can obtain information immediately, whereas in a traditional acquisition you may not have it without imaging the drive and examining it on your lab forensic workstation. As there are too many portable applications to describe, I have chosen those that seem to be beneficial to a Triage/Preview scenario as well as for any imaging situation. The only limit on the number of applications you can use is the space on your CD or USB drive… And the applications listed below are, for the most part, free (one of them costs $1 for corporate use, free for personal use).
System Information
CPU-Z gathers information on the CPU (name, number, etc…), mainboard (vendor, model, BIOS, etc…), memory, and system information. Be sure to download the standalone zipped version, which does not need to be installed.
Screen Resolution
MultiRes adds point and click video resolution adjustment. Free for personal use, $1 for corporate use.
http://www.entechtaiwan.com/util/multires.shtm
Word Processing
Having a light word processor for notes on WinFE can be convenient, as you can have a chain of custody report and notes created at each suspect/custodian machine. AbiWord is one of the lightest and easiest to use word processors that can run on WinFE without installation. http://abisource.com/
Spreadsheets
A spreadsheet application, for when you have lots of data that is best entered in something other than a word processing document. http://portableapps.com/node/3956
Screen Capture
There are many good portable screen capture programs (and this is one of them). http://www.faststone.org/FSCaptureDetail.htm
PDF Viewer
Foxit Reader is lighter and faster than Adobe Reader, and portable. http://portableapps.com/apps/office/foxit_reader_portable
Video Player
VLC media player can play numerous types of video files, including those files with missing/broken information. If your suspect/custodian machine involves videos, the VLC player may be a good choice to add for previewing/triage.
Graphic Viewer
XnView is a quick and easy graphic viewer (can view about 400 different formats).
ISO Creator
Folder2Iso is a portable application that may be of interest if you want to make an ISO of a folder. A quick test of Folder2Iso showed that it maintained both creation/modification dates, but did not capture the last access dates. However, this may be an additional option of preserving a folder (other than a logical image or compressed copy of a folder).
Explorer Replacement
As WinFE does not have a Windows Explorer window, the FreeCommander alternative may do the trick. FreeCommander actually has more features than Windows Explorer. http://www.freecommander.com/index.htm
GUI Start Menus
There are several freely available GUI start menus. The menus that require a taskbar (such as the PortableApps Task Bar) won’t work in WinFE, as there isn’t a task bar unless you add one.
Pstart can be used to access and run your GUI forensic programs with a GUI interface. The Pstart menu can work on both the bootable and live side of WinFE. www.pegtop.net
Another useful application is A43 File Management Utility, which is an Explorer replacement but also has a “quick start menu” to access your programs. http://www.alterion.us/a43/
Additionally, there are other start menu modifications that more closely mimic the traditional Windows Start menu. Generally, the smaller, portable GUI menu applications are easier to update with your tools, require less disk space, and use fewer resources.