Brett's Blog

Just some ramblings.

X-Ways Online Training Course

X-Ways Online Training Course


I will be publishing an X-Ways Forensics Online Training Course on June 30, 2014.  The course is based off the X-Ways Practitioner's Guide, the X-Ways manual, and a decade of experience using X-Ways...it is not the official X-Ways training course, but it also does not come with the price tag of the official course.   From Monday, the X-Ways course will be $195 but I will publish a discount code good for two weeks (through July 14) for 25% off.

I'll send out a reminder on June 30 through twitter and the XWF blog, so follow the blog or twitter account to catch the discount code.

The manner in which I made the X-Ways course is so that you can follow along with XWF in learning how to work a case with X-Ways Forensics.  The course describes the options and buttons in XWF, but also shows how to simply work a case.  There are literally so many features in X-Ways, that without training, you will be missing about 50% of what you should be doing.  I found that even the most current version of the X-Ways manual does not list features in XWF...lots of information to keep up with, tons of features to consider, easy to miss something that you should not miss for such a powerful forensic tool.

If you want to be notified of the coupon code, be sure to follow the X-Ways blog at http://xwaysforensics.wordpress.com/ or the twitter account at https://twitter.com/XWaysGuide.

 

 

Windows Forensic Environment Online Training Course


I also have just released an online course on the Windows Forensic Environment (WinFE).   I have videos of most build methods, tips and tricks, pro's and con's, and aspects of WinFE that you may find important.  I also included every bit of downloadable swag in the course too (batch files, wallpaper, scripts, etc...).

All in all, this is probably the best source of WinFE you will find.  I encourage you to share it and use it, after all, this is a free tool and this course is free.  If anyone has suggestions on making the course better, let me know and I can try to squeeze in some improvements.

[caption id="attachment_1231" align="aligncenter" width="700"]winfe http://courses.dfironlinetraining.com/windows-forensic-environment

 

2082 Hits
0 Comments

Is it worth the time to figure out WinFE?

Yes, no question about it.

WinFE is one of those things in forensics you hear about and move on to something else because you don't want to spend the time to "build an ISO" (maybe you've not
439 Hits
0 Comments

More on Autopsy and WInFE

I was right.  This is cool.

Using Autopsy on WinFE Lite worked as expected; however, I wanted to test it with a WinBuilder build of WinFE to address limitations found on WinFE Lite (notably, the inability to view videos or inside zip files).

In short, the WinBuilder build allowed viewing of videos and accessing zip files with Autopsy.  There were a few other customizations that I made for appearance and ease of use that you may find helpful in presenting training on WinFE (if you do that) or in creating your own WinFE for onsite preview/triage.

2013-07-15-17-33-1247
Add Autopsy to the WinFE start menu.

Basically, with Autopsy, any first responder or parole supervisor can triage/preview an evidence machine, onsite, without cost of software or hardware.  You just need a CD, DVD, or USB with WinFE and Autopsy.  For the first responders who are not forensic examiners, a WinFE boot disc/USB can be made with Autopsy clearly presented on the desktop and start menu.  I would suggest that other forensic tools be included in the event they may be needed by a forensic analyst.  An example would be a first responder finding evidence on a machine during a triage/preview and the machine needs to be imaged.  Either the first responder can image the machine or preferably, a trained person should be called to image the machine.  Having the apps pre-installed eliminates the need to reboot the machine to another build of WinFE, or plugging in additional drives with programs, and so forth.

In order to get you in gear with the potential of a completely free WinFE and software (you need a license for Windows to build it…but otherwise, it’s all free), I’ve posted the steps below.  Before you ask for help with WinBuilder, go to www.reboot.pro and read the help forums.  There is as much documentation you need for directions on how to download and run WinBuilder along with as many scripts (added features) as you could ever need.

The steps:

1)      Download Autopsy and install to your workstation.

2)      Download Winbuilder

3)      Download the WinFE write protection script (place in the WinBuilder tweaks folder)

4)      Build your WinFE

Step 1

2013-07-15-17-34-1250
It's free!

Download and install Autopsy to your workstation. http://sleuthkit.org/autopsy/

Step 2

2013-07-15-17-34-1251
It's free!

Download and install WinBuilder (go to www.reboot.pro on how the program works).  This is based on the Win7PE_SE project.

Step 3

2013-07-15-17-34-1252
Guess what? This is free too.

Download the WinFE write protect script.  http://winfe.wordpress.com

Place the write protect script (WP.script) in the Tweaks folder of WinBuilder

2013-07-15-17-34-1253
Without this one little thing (wp.script), you only making a "PE", not a "FE" build.

Step 4

2013-07-15-17-35-1254

Run WinBuilder.  Read my previous write up on how to do this to save time in trying to figure it out.  I’ve already spent more than a few hours which you don’t have to go through.  Be prepared, you will have errors and builds that don’t work.  But once you get it right and see how it works, you will have a tool which will provide invaluable use for years.  Trust me on this; you will not regret spending the time.  The only regret you will ever have is waiting to try it out.

2581 Hits
0 Comments

Another Discount on the XWF Guide at $37.96

Amazon reduced the price, grab it while you can before it goes up (again).

 

334 Hits
0 Comments

C4All X-tension update

Update November 14, 2014

Download link to version 3.6.2.d https://www.dropbox.com/s/zewn7myskf...6.2.d.zip?dl=0
This update changes the way the video stills are treated when extracting movies.
-now video stills are extracted if the parent movie is extracted, regardless of whehter
the video still has been type verified.

 

 

 

 

That is for version 3.6.2.d that fixes a few issues with C4All not handling some characters.

 

 

 
 
 
Videos and links to updated guides.
 
 
 
Steps for c4all X-tension updated November 2014.doc
www.dropbox.com/s/sfd3...4.doc?dl=0

Steps to prepare and run C4All X november 2014.doc
www.dropbox.com/s/23ts...4.doc?dl=0

I recommend downloading both guides. ***both Udpated November 2014***

Links to Youtube videos to run X-Tension
www.youtube.com/watch?v=HP6DTzpG0KI - part 1 of 3
www.youtube.com/watch?v=zCIcrA9CldI - part 2 of 3
www.youtube.com/watch?v=53cLlcogr40 - part 3 of 3

 

640 Hits
0 Comments

Barely any updates to WinFE :(

winfeUnfortunately there are so few updates nowadays to WinFE, that this blog is woefully neglected...on a positive note, since WinFE practically needs no updates, there is hardly a need to keep up on WinFE once you have mastered building it.

The best and most current source of all-things-WinFE is from a free online course at http://courses.dfironlinetraining.com/windows-forensic-environment so other than taking the course, this blog will not have additional information building WinFE.

The course includes downloads and links to downloads to build every publicly known version and build type of WinFE, from the basic WinFE, WinFE Lite, WTE WinFE, Mini-WinFE, and WinBuilder WinFE.

The WinFE wordpress blog will be used only for sporadic WinFE updates and related information since WinFE has practically reached the best it can be at current software standards (Windows 8).  The only posts that may be original from here on out would be case examples, but that quickly grows old (I booted a machine to WinFE and imaged it...).  A few instances are very neat, like imaging a Surface Pro, and for those interesting cases, I'll post them as I come across them or am sent information about them.

At its foundation, WinFE is a strong forensic OS platform, built on the latest Windows operating system, which can run most types of forensic software.  That's about it.  Simple, but amazingly effective at a forensic boot platform.  Since it is so very simple, the updates to the WinFE blog become less and less.  Therefore, the free webinar course covers everything you need to learn about WinFE along with every download needed, plus tips on building, using, and testifying to the use of WinFE.

After you view the course and build a few WinFEs, you'll see that WinFE is only a forensic boot OS.  But you will also see that because it is a Windows boot OS, you can do so many things with it that you can not do with a Linux forensic OS or with a hardware writeblocker.  That is the beauty of WinFE.  Simple. Ingenious. Hard to improve upon (at this point...).

You have my permission to use the WinFE course and its materials in a manner that benefits WinFE at no cost.  That means you can use information from the course to teach WinFE at conferences or any training session.  WinFE is free (technically, you need a Windows OS license...but otherwise its free), and I've made the course free as well.  When teaching or writing about WinFE related to the source and you choose to attribute to the source, that's nice of you, but not necessary if you don't want.

Take a run at the WinFE course.  Watch all the videos or only the videos of interest. They are broken down by build types and how-to videos.  The most important benefit you can get out of the course (other than learning how to build/use WInFE) is getting some formalized training in front of you about WinFE.  It's one thing to spend hours (days?) figuring out something but quite another when you can get the meat-and-potatoes of what you need to know in the shortest period of time.  I'd reckon that even if you attend a presentation on WinFE, you will get so much more out of the online course that you won't regret the time spent.

I've also said a few times, that once you build and use a WinFE, you will regret not having done so years earlier.  Don't forget, WinFE has been around since 2008...it works even better now than back then.

outline

Tags:
897 Hits
1 Comment

Updates to X-tension and Hash File Manipultator

Hashbrown program 64 bit version only http://1drv.ms/1tLsNnG updated October 10 2014

instructions http://1drv.ms/XNdgeJ
-New Version that handles many duplicates and many unsorted more efficiently posted.

 

 

 

 

X-tension

 

 

Update October 19 2014
download link to version 3.6.2.c http://1drv.ms/1prWU2h
-Fixed issue with extended character support of UTF-16 in XML. should show all but those 0xD800 – 0xDFFF characters.
-Adds the functions of 3.5.12.k as well as option to create a Picture/video library based on MD5 hash value as name and the option to include not confirmed files when extracting pictures and movies. (before the file had to have a type status of Confirmed or newly identified. see post from 27 September in this thread for more details)
- 3.5.12.k
option to include or not include metadata in XML
-The option to run against multiple evidence objects and better naming of folders in c4all folder tree.
-CETS users have toggle to create a CETS XML or not.

 

562 Hits
0 Comments

Image a Surface Pro using bootable UEFI WinFE

surfaceproCool WInFE work done by Jeffrey A. Cunningham, Sr Digital Forensic Examiner, US Army (ChiefCham), on imaging a Surface Pro using a bootable UEFI WinFE.  It is certainly neat to see this type of testing and research done on ANY forensic tool where the results can be shared with everyone.

Thanks ChiefCham!

Image a Surface Pro using bootable UEFI WINFE

Tags:
2499 Hits
2 Comments

USB Malware and WinFE

The recent release of USB malware, in which any USB device is suspect of being infected after plugging into an unknown-if-clean machine, makes a problem for bootable USB devices in forensic collection.  Some of the very scary claims to the USB malware are (http://news.discovery.com/tech/gear-and-gadgets/warning-usb-malware-code-unleashed-141006.htm):


  • Alter files from thumb drives

  • Redirect Internet traffic

  • Tap and spy on USB-enabled smartphones

  • Hijack keyboards to type commands

  • Potentially inject malicious elements as files are being transferred

  • badusb


  •  


That is bad stuff for a forensic bootable USB device.   I've seen a few suggested solutions to the USB infection issue, but the fastest solution with WinFE is to burn to a CD/DVD instead of making a USB bootable.  Problem solved.

Building a WinFE is still very very very very easy.  Using the Mini-WinFE build, I just timed creating a WinFE DVD is less than 6 minutes.  That was a few minutes with Winbuilder and a few minutes burning the ISO to DVD, while taking my time in the short process.  If you haven't yet built a WinFE, the process is almost completely automated.  Just point Winbuilder to your Windows 7/8 source and press go.  Less than 5 minutes later, you have a forensically sound, bootable ISO/CD/DVD/or USB.

Granted, creating a WinFE CD/DVD in less than 10 minutes is not going to save you time compared to imaging a removed hard drive using a hardware imaging device.  But...if you have LOTS of machines to image, booting the machines to be seized to WinFE most likely will be faster than removing hard drives and sharing hardware imaging devices.  And for those pesky drives that won't come out, WinFE may be a good solution than fighting with an ultralight, can't-find-the-screws-to-remove-the-darn-hard-drive machines.

Tags:
1241 Hits
0 Comments

New version of X-Tension

New version of X-Tension
3.6.2.a http://1drv.ms/1rrCJ7s
Changes
-adds the functionality to create a picture/video library.
-adds the ability to extract pictures or movies that are type status of 'not confirmed'
(this was added as there are so many variations of avi formats, that even some valid working movies were not 'confirmed')
If the user does not want these files, they can be filtered out and the X-Tension run excluding filtered or excluded files

630 Hits
0 Comments