Brett's Blog

Just some ramblings.

WinFE Taught in Australia

Neat to see WinFE being taught everywhere, as in, everywhere by many.  Wish I could have been there for this presentation (mostly because I'd have to be in Australia to see it...).winfe

[slideshare id=37866964&doc=winfe-thealmostperfecttriagetool-140811062324-phpapp01]

 

Tags:
648 Hits
1 Comment

BlockHasher for XWF

Yet another cool XWF utility!

 

BlockHasher

 

 

http://d-forensik.de/download/

[caption id="attachment_630" align="aligncenter" width="700" class=" "]blockhash

 

 

...
Continue reading
452 Hits
0 Comments

X-Ways MD5 Hash Manipulator

Another cool utility for X-Ways!

 

X-Ways MD5 Hash Manipulator

 

 

hash

 

 

...
Continue reading
733 Hits
0 Comments

SEARCH High-Tech Crime Trainers to Debut WinFE as a new topic

Super cool.  From SEARCH.


"The team will debut a new course topic in Dallas: Introduction to Windows Forensic Environment (WinFE). In this lab and lecture, investigators will learn how to create a bootable forensic environment on a thumb drive. Using this thumb drive, investigators can then conduct previews of suspect computers in the field, looking for information that indicates whether the computer contains potential evidence in a case. The ability to conduct on-scene triage such as this is very important to investigators, as it gives immediate information about suspects and their devices."

 

Tags:
1397 Hits
0 Comments

Free WinFE course

WinFE course to be updatedwinfe


The WinFE online course will be updated sooner with a few neat things that are coming up with WinFE.  Until then, there have been over 2,000 registrations for the course and more every day.

I'm impressed that there are so many users interested in using WinFE, but then again, not really.   It's still a really neat tool to have in your toolbox alongside the Linux forensics boot OSs. If you haven't taken a look at WinFE, give it a try.  This course will remain online, free, and updated when there are updates to make.

I am checking out WTE and so far, WTE represents a great enhancement on making WinFE more user friendly in appearance and use.  I'll post my thoughts on WTE sometime in the future after I really take a look at WTE in more detail.

 

Advanced Internet Investigations Course with Google Hacks!


Speaking of online courses, if you regularly "google" people for investigations, backgrounds, pre-employment checks, internal investigations, or need to find someone as a witness (or suspect, or victim), take a look at my Advanced  Internet Investigations Course with Google Hacks.  If you register with this link (or this code: winfe50), you get 50% tuition.  The half off discount is for the first 50 people, then regular price of $195.  The course is a tad over 4.5 hours and covers enough information where you can practically find anyone online, and in the physical world.  Google operators, syntax, and hacks are covered including automated searching utilities (free software!).

[caption id="attachment_1262" align="alignleft" width="700"]AII Half price for the first 50 WinFE blog readers.

 

Tags:
544 Hits
0 Comments

Cool work at the Windows Triage Environment

Oh my.   This is very pretty and impressive.  Take a look at the Windows Triage Environment if you haven't done so yet.  It is nice to see work continually being done to improve upon WinFE.

WTE

 

 

WTE

Tags:
549 Hits
0 Comments

Last day of discounted X-Ways Forensics online course

I'm sure there are a few more people left to register for the X-Ways Forensics online course (XWF I) with the discount code of "xwf1". That's 25% off, plus includes free tuition to the X-Ways Forensics II online course. XWF I is introductory, XWF II is more indepth, quite a bit longer, and will be released in August. XWF III, a shorter course will be released sometime after August.

Everyone registering by midnight tonight (Pacific time) for XWF I, gets access to XWF II and XWF III when published without cost. Otherwise, it's a separate tuition payment for each course.  From July 18, the XWF I is back to $195, XWF II will be $299, and XWF III will be $75.   Each class is lifetime access, on demand training, including updates to the courses when XWF is substantially updated (should be a course update once a year).

Details on XWF II are here: http://xwaysforensics.wordpress.com/2014/07/05/x-ways-forensics-practitioners-guide-online-ii/

Register for X-Ways Forensics Practitioner's Guide online course here:  http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide

xwfii
654 Hits
0 Comments

Thanks to Ken Pryor for his kind review of the WinFE online course

Ken Pryor wrote a kind review of the WinFE online course.  Take a look at his blog for details..  http://digiforensics.blogspot.com/2014/07/windows-forensic-environment-training.html

Don't forget, the WinFE online course is just like WinFE...it's FREE!

review

Tags:
1190 Hits
0 Comments

X-Ways Forensics Practitioner's Guide Online II

For all  XWF I registrations prior to July 17, 2014, you will receive a code for 100% off the XWF II course shown below at the email you registered.  The deadline to register in order to receive the 100% discount code for XWF II is July 17, 2014, after which, the course is available for purchase without a discount.

These are on-demand courses and you have lifetime access to both courses (XWF I and XWF II).  There will be an XWF III course released during the summer, all who register before July 17, 2014 will receive another 100% off discount code for XWF III.  So, for the purchase of XWF I by July 17, you will have lifetime access to XWF I, XWF II and XWF III.

XWF II will be released after the discount codes currently given have expired in a few weeks.  The general discount code for 25% off is:   xwf1

Members of HTCC, IACIS, and CTIN have received a 30% discount code in their e-mail.  If you are a member and did not receive the code, check your e-mail, it should be there.  If you belong to a high tech crime group not listed, This email address is being protected from spambots. You need JavaScript enabled to view it. and I can send a 30% code to your association.  Otherwise, feel free to use the 25% discount code.

xwfii

698 Hits
0 Comments

Mini-WinFE has been updated

Misty has updated Mini-WinFE.  There are a few very neat updates, like UEFI support!  Don't forget to sign up for free WinFE online training: http://courses.dfironlinetraining.com/windows-forensic-environment

Thanks to Misty!

 

miniwinfe

 

2014.07.03

==========



* SysWOW64 support added when building from Windows 7/7(SP1)/8/8.1/8.1 

  Update 1 sources (should also work with some Windows Server 2008/2012 

  sources). The 5-Wow64 script was used as a base to identify file and 

  registry dependencies. Credit therefore goes to everyone involved in 

  the 5-Wow64.script (including JFX, Lancelot, 2aCD, ChrisR and "...to 

  everybody on the BootLand forums for helping on the debuggind and 

  improvement of this script."). Select 4] SysWOW64 in the main project 

  script options to add SysWOW64. 



* UEFI support has been added.



* CloneDisk script added



* Virtual Keyboard (FreeVK) script added.



* A number of changes have been made to the core script - wimlib-imagex now 

  uses file lists when extracting dependencies from install.wim/boot.wim. 

  This significantly improves build time, but has meant that any program 

  scripts containing paths for file dependencies has required editing 

  due to wimlib preserving directory structure (when extracting from file 

  lists).   



* Fixed a bug when x64 local sources are used (in Create a cache from WinRE 

  and the ADK scripts). Due to the way in which SysWOW64 redirects to the 

  \Windows\SysWOW64 directory when running WinBuilder on a 64-bit system the 

  file dependencies were being cached from \Windows\SysWOW64 instead of 

  \Windows\System32



* Wimlib updated to 1.7.0. The amended update add command 

  significantly reduces build time when the INJECT method is used.



* Create ISO script updated. It now contains several options 

  including Flat Boot and RAM Boot or multiboot RAM and Flat boot. 

  It's also possible to create a BIOS or UEFI bootable ISO - or

  BIOS and UEFI bootable.



* Create USB updated to include the option to RAM Boot or Flat Boot

  or multiboot RAM and Flat boot. UEFI support is also included. This 

  script will not work if running WinBuilder on a Windows 2000/XP/2003

  system. 



* Create USB (GPT UEFI) script added. This script will not work if

  running WinBuilder on a Windows 2000/XP/2003 system. Only fixed type 

  disks are supported. 



* Added error check to the ADK For Win 8 (and 8.1) scripts - these 

  cannot be executed if running WinBuilder on a Windows 2000/XP/2003

  system. 



* Project.Settings.ini is added to the build listing all programs

  and project settings used in the current build. 



* Project documentation updated - minor updates throughout and two

  new sections added (MultiBoot WinPE and UEFI, BIOS, GPT and MBR)



A special thanks to alacran for requesting UEFI and SysWOW64 support 

in MistyPE and for beta testing and feedback to actually get them

working. 



Due to the number of changes made in this build it is entirely possible 

that errors may have unintentionally crept in. Please report any issues 

(or positive feedback) on the support topic at reboot.pro - 



	http://reboot.pro/topic/19036-mini-winfe/







2014.04.26

==========



* Added a number of additional options in the core script - 

  these are all enabled by default. The new options will 

  remove a number of unsupported options from the right-click 

  context menu. Thanks to reboot.pro forum member farda for

  these suggestions.



* Added "Open with" workaround for WinPE 4.0/5.0. See -

  http://reboot.pro/topic/19732-help-with-open-with-in-winpe-4050/



* WinFE settings are now seperate to the Shell script - but are 

  still mandatory. They have been moved to a new script 

  \Programs.winfe.script



* Option to use either SANPolicy 3 or 4 (in new WinFE script) -

  SANPolicy 3 is automatically used with WinPE 2.*/3.* sources as

  SANPolicy 4 is only supported in WinPE 4.0/5.0.



* File dependencies (to be extracted from install.wim or

  copied from the host Operating System) are handled in one

  (hidden) script -  Core\required.files.script. This will 

  make it simpler to implement any future file dependencies. 



* Added a script to copy files and folders from a local 

  directory - allowing the easy addition of third party files. 

  A menu entry will open the directory these files were copied 

  to. 



* Added Tools\Create USB script - it's now possible to 

  create a MistyPE bootable UFD during the build process.

  Use with caution - see documentation for more details. 

  Tested with Windows 7 (SP1) and Windows 8.1.



* Added ADK For Win 8 (and 8.1) scripts. Refer to documents.

  NOTE - this has only been tested using Windows 7 (SP1) 

  and Windows 8.1.



* Wallpaper support (.jpg) added for all builds - this 

  feature was not previously working with WinPE 4/5. See

  Programs\Wallpaper script.



* Wimlib-ImageX updated to version 1.6.2



* Added build 6.3.9600 (Windows 8.1 - Final) to the list  

  of tested/working sources.



* Added the following scripts -

	- WinHex

	- DMDE

	- Opera - 64-bit support added.

	- Keyboardlayouts



* Included FAU in the download. This is redistributed

  with the permission of the author (GMG Systems Inc) -

  refer to the project documentation.



* Program scripts now contain menu entries - this should

  make it easier to add new program scripts. Previously 

  all menu entries were contained in the shell script - 

  resulting in multiple script edits for any new programs 

  added.



* Various tweaks in core script 

	- "FileDelete,"%Cache%\temp\*.*" has been added to

	  to ensure that cached batch files and .ini files 

	  are deleted earlier in the build process. Without  

	  this fix there are errors in some very limited 

	  curcumstances.

	- Added verification check from registry files  

	  extracted from boot.wim - only used if the 

	  wimlib-imagex checks fail.



* Script structure has been changed for all Program scripts. 

  Hopefully results in better error checking for any missing 

  files.



* Browse for folder support is added by individual program 

  scripts even if this option is not selected in the Core 

  script. Resulting in a more modular approach (see 

  "http://reboot.pro/topic/19042-modular-apps-philosophy-for-winpe/"

  for the philosophy behind this approach).



* Documentation updated - added section on using the ADK 

  For Win 8.1. 



Tags:
1007 Hits
0 Comments