Triage/Previewing

The difference between ‘previewing’ a drive and conducting a ‘triage’ may have to be defined by the examiner (is there a big difference?), but in any case, the suspect drive can be viewed and searched while booted in the WinFE environment using any of the installed forensic applications. Given limited time and resources, coupled with the need to find important data quickly, choices have to be made about which computers need to be imaged, examined, postponed, or ignored altogether.  With this, WinFE can offer substantial time savings while conducting a preview/triage in a forensically sound manner.

Some of the many functions that can be conducted include: examining the registry to extract relevant user data or computer information; running keyword searches to determine whether the drive contains relevant data; and viewing graphic images. All of this can include unallocated space.

Some programs, such as X-Ways Forensics (XWF), provide nearly complete data carving, indexing, searching, viewing, and imaging capability in the WinFE environment.

Other tools, such as RegRipper, can target specific areas in the registry for review.

Items to consider when faced with a Triage/Preview Scenario are:

1)  What are you looking for?

2)  What are your resources (both in equipment and capable personnel)?

3)  Do you have (un)limited time?

4)  Are you to image all hard drives or just the drives found to have known evidence through previewing?  Are you allowed to image at all?

With WinFE, it is possible to build a customized forensic boot disk, at no cost other than the tools you have at hand, which can accomplish nearly any level of triage/preview.  With some scripting knowledge, you can even create automated scripts to extract desired data from the suspect machines.
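As an added illustration of the kind of automated extraction script mentioned above (example code written for this page, not part of the original text or of any WinFE distribution), the batch file below pulls the registry hives that a tool such as RegRipper would later parse.  It assumes the suspect volume has already been mounted read-only by WinFE's write-protect tool and given a drive letter, that the second argument is a writable evidence drive, and that certutil.exe is present in the WinFE image for hashing.

```batch
@echo off
setlocal
rem Added example, not the original page's code. Usage: collect_hives.cmd D: E:
rem %1 = suspect volume (mounted read-only by WinFE), %2 = writable evidence drive.
if "%~2"=="" (
    echo Usage: %~nx0 ^<suspect_drive^> ^<evidence_drive^>   e.g. %~nx0 D: E:
    exit /b 1
)
set "SRC=%~1"
set "DST=%~2\triage_%RANDOM%"
mkdir "%DST%" || exit /b 1
set "LOG=%DST%\collection.log"
echo Collection started %DATE% %TIME% from %SRC% > "%LOG%"

rem System hives are not locked because the suspect OS is not running.
for %%H in (SYSTEM SOFTWARE SAM SECURITY) do (
    call :grab "%SRC%\Windows\System32\config\%%H" "%DST%\%%H"
)

rem One NTUSER.DAT per profile directory (names the copy after the profile).
for /d %%U in ("%SRC%\Users\*") do (
    if exist "%%U\NTUSER.DAT" call :grab "%%U\NTUSER.DAT" "%DST%\NTUSER_%%~nxU.DAT"
)

echo Collection finished %DATE% %TIME% >> "%LOG%"
exit /b 0

:grab
rem Copy one file to the evidence drive, then log its SHA-256 so the copy
rem can be verified later; nothing is written to the suspect volume.
if not exist "%~1" (
    echo MISSING %~1 >> "%LOG%"
    goto :eof
)
copy /b "%~1" "%~2" >nul || (echo COPYFAIL %~1 >> "%LOG%" & goto :eof)
rem certutil prints a header line, the hash, then a status line; keep the hash only.
set "HASH="
for /f "skip=1 tokens=* delims=" %%L in ('certutil -hashfile "%~2" SHA256 ^| findstr /v /i "certutil"') do (
    if not defined HASH set "HASH=%%L"
)
echo %HASH%  %~1 -^> %~2 >> "%LOG%"
goto :eof
```

The resulting collection.log records source path, destination path and hash for every file, which is the minimum an examiner needs to show that the extracted hives match what was on the suspect drive.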

A really neat capability of WinFE is that, if you are given 20 minutes or less to acquire pertinent data from a machine that is powered off and you don’t want to leave any tell-tale traces that you were there, booting to WinFE and running a script to pull the data you need can be done quickly, quietly, and effectively.  I’d suppose that those who need to surreptitiously grab criminal/terrorist-related data (legally, of course) could really benefit from a collection capability such as this.