Vote for the best book right away!

The deadline for the Forensic 4:cast Digital Forensics Book of the Year has been changed.

https://forensic4cast.com/forensic-4cast-awards/

 

[caption id="attachment_1218" align="aligncenter" width="708"] My personal favorite....Placing the Suspect Behind the Keyboard...it's the first and only writing on the subject manner incorporating investigative methods in and out of the (computer) box.


 
 

Xways-Cover http://amzn.to/1g5sfSX

 

]Placing the Suspect Behind the Keyboard http://amzn.to/1owuRmr


 

479 Hits

Some Interesting WinFE Related Stuff I Found Online

[caption id="attachment_1206" align="alignright" width="300"]
wte http://pedrogilberto.net/wte/Factsheet.htm


One of the interesting things I have found online related to WinFE as I create a lesson plan for WinFE is  "WTE" or "Windows Triage Environment".  Before you get excited about this project, apparently, unless  you work in government, you can't have it.  Per the website,  "WTE is released as freeware only for Law Enforcement or Government Agencies uses."  Well darn it.  From what I can tell, it is WinFE with some software, including Colin Ramsden's write protection application,but no super-secret-LE-only programs.

The good news is that in the upcoming tutorial on All Things WinFE, you will be able to make your own WinFE or whatever you want to call it, for free, whether you are a government employee or not.

Another interesting thing I found was that the commercial version of WinFE from ForensicSoft.com is no longer available.  From the website, " Due to recent licensing changes by Microsoft, SAFE is no longer commercially available" and  "No longer commercially available, SAFE (System Acquisition Forensic Environment) was the first and only forensically sound Windows boot disk."
I don't know when ForensicSoft stopped selling their WinFE (or "SAFE"), but  it is no longer. However, I respectfully disagree on SAFE being the first and only forensically sound Windows boot disk....

Stand-by for the WinFE  class.  It's getting close to being done  I do have a trusty tech-editor to review it prior to release :)

 

Tags:
685 Hits

Coming Soon, Online WinFE Training Program

I'm making a detailed tutorial on WinFE that I hope to finish in the upcoming week.  Virtually everything you need to know about WinFE will be in the tutorial, with demonstrations and instructions on everything you need to know.  I'm covering the basics to the advanced, different building methods, commercial and free/open source software to add to WinFE, how to use it in different situations, and how to prevent errors.  This means using it in forensic acquisitions, covert acquisitions, electronic discovery, triage, and preview.  You name it, I'm covering it.

The length will be about an hour (maybe a little more, maybe a little less) and will include a real test to take if you choose to go the entire route.  The purpose is to give you, the professional examiner, a complete training program in WinFE with a test to validate your knowledge.  For those that already see the intention of the test and online training, let me explain to others that might be missing the point.

Although I'm not going to proctor your test, look over your shoulder, or have you scan your fingerprint to make sure it was you that took the test, I am providing the test for your benefit.  As you know, training and experience is everything.  It's everything on your resume.  It's everything when you testify.  It's everything when you are doing your job.  With that, I will give you a solid training in WinFE that you can take to the bank (in a manner of speaking...).

So, if you want formal training in WinFE, as much as an online class can be, stand by, it's coming pretty darn soon.  Pass the info along.  We can all benefit when more examiners use WinFE.  Plus, I'd rather be the expert that had training in WinFE when going against someone that didn't have any training with it...

winfe2

Tags:
705 Hits

"Based upon the test results it is possible to run all versions of WinPE on a system with only 128 MB of system RAM"

winpeTake a gander at Misty's latest tests of WinFE/PE regarding RAM requirements and imaging speed...very nicely done with some impressive numbers.

http://mistype.reboot.pro/documents/WinPE.RAM/winpe.ram.usage.htm

On a different topic, some discussion on distribution licenses of WinFE has been going on at forensicfocus.com.  One of the takeaway points of the discussion is that you shouldn't be giving away or selling WinFE (or PE) ISO files....that will violate the Microsoft EULA.  Since WinFE is most typically used in legal cases, using a tool that you violated the EULA could cause serious issues with the evidence you collected.  So if you didn't build it, don't use it.  That is the very bad news.

The very good news is that you can make your own WinFE, free, in just a few minutes, without violating the EULA.

http://www.forensicfocus.com/Forums/viewtopic/t=11704/

I assume that one of the reasons Microsoft has such a restrictive EULA prohibiting distribution is so that the core files of WinPE (and FE) remain solid.  Downloading or using any 3rd party tool or something "a friend" sends you could contain anything hidden inside, like malware.  By using Microsoft's files, the odds are much lower that this will happen, meaning that when you build a WinFE, it is most malware free that can be expected.

After that discussion on forensicfocus slowed down, I had emails about WinFE regarding how to build it.  Not that I created the thing...but I will make a fairly detailed and easy to follow video on building a WinFE and everything you should know about it.  After all, if ever asked about your data collection tool, it's better to look like you know what you doing rather than say, "I downloaded this ISO file, booted the system and imaged with it, and don't really know much else about it."  Perhaps better to say, "I personally built and tested the imaging environment using industry best practices.  I used core files from the Microsoft company as allowed by its licensing agreement."

When the tutorial video is finished, I'll post the link.

 

 

 

Tags:
765 Hits

Suggestions for a WinFE Imaging Tool Based on Clonedisk?

An imaging tool (CloneDisk) development project for WinFE...very cool...keep up with the thread and give your suggestions at http://reboot.pro/topic/19765-suggestions-for-a-winfe-imaging-tool-based-on-clonedisk/

Image

Tags:
598 Hits

www.reboot.pro discussion | DMDE - Basic Disk Imaging Test (and results)

If you are interested in some behind-the-scenes efforts of developing WinFE, take a look at the www.reboot.pro forum threads.  And if you want to give input on what you would like WinFE to do...the reboot.pro forum would be a good place to submit a suggestion or lend a hand in development.

If for nothing but curiosity, you can follow along in watching the developers of the WinFE discuss how they are working toward making the lightest, fastest, full-featured, minimal builds, multi-boot, easy-to-use,  and cool forensic tool around.

I'll continue to post the latest links and download information on this blog, because I know that time is usually non-existent, deadlines are always minutes away, your laptop (while at the airport or onsite) has eight programs running while you are replying to ten emails, and you just need to know where to download that latest WinFE building information.  So, that will be here.  But for when you have time at the side of the pool, browse www.reboot.pro to watch these guys improve WinFE as it happens.

Tags:
519 Hits

Mini-WinFE Updated

"Misty" has updated Mini-WinFE, the quick and easy build of the Windows Forensic Environment.  There are some pretty neat updates to the build (listed below).  So far, the best documentation I have seen on WinFE, specifically Mini-WinFE is here: http://mistype.reboot.pro/documents/WinFE/winfe.htm. This is the kind of stuff you want to read in order to really know as much about WinFE as possible.  Another really good source of info on mistype is at http://mistype.reboot.pro/mistype.docs/readme.html.

Before I get any complaints about "WinFE is not perfect" or "WinFE can't do everything", let me that yes that is correct. It is not perfect and cannot do everything.  In the world of forensically booting evidence machines, some Linux bootable environments work very well too.  Some machines can't be booted forensically, that is true as well.  But for the marjority of systems that can be booted forensically, WinFE has its place.  For the average and above-average examiner needing to boot the evidence machine, there are few options available that make it super-easy to add drivers on the fly or use your Windows based apps from the office rather than Linux based you hardly (if ever) use.

If you haven't checked out WinFE, you should.  Everyone else is already on board :)

Some tidbits in the Mini-WinFE include:


  • DMDE (included)

  • Forensic Acquisition Utilities (downloaded automatically)

  • FTK Imager (copied from local install)

  • HWiNFO (included)

  • LinuxReader (downloaded automatically)

  • MW Snap (included)

  • NT Password Edit (included)

  • Opera (included)

  • Sumatra PDF Reader (included)

  • X-Ways Forensics (copied from local install)

  • Write Protect Tool (included)


  •  


[caption id="attachment_1177" align="aligncenter" width="806"]WINFE You gotta download the new version and check it out. It's plain cool. http://reboot.pro/files/file/375-mini-winfe/


 

 

2014.04.26

==========



* Added a number of additional options in the core script - 

  these are all enabled by default. The new options will 

  remove a number of unsupported options from the right-click 

  context menu. Thanks to reboot.pro forum member farda for

  these suggestions.



* Added "Open with" workaround for WinPE 4.0/5.0. See -

  http://reboot.pro/topic/19732-help-with-open-with-in-winpe-4050/



* WinFE settings are now separate to the Shell script - but are 

  still mandatory. They have been moved to a new script 

  \Programs.winfe.script



* Option to use either SANPolicy 3 or 4 (in new WinFE script) -

  SANPolicy 3 is automatically used with WinPE 2.*/3.* sources as

  SANPolicy 4 is only supported in WinPE 4.0/5.0.



* File dependencies (to be extracted from install.wim or

  copied from the host Operating System) are handled in one

  (hidden) script -  Core\required.files.script. This will 

  make it simpler to implement any future file dependencies. 



* Added a script to copy files and folders from a local 

  directory - allowing the easy addition of third party files. 

  A menu entry will open the directory these files were copied 

  to. 



* Added Tools\Create USB script - it's now possible to 

  create a MistyPE bootable UFD during the build process.

  Use with caution - see documentation for more details. 

  Tested with Windows 7 (SP1) and Windows 8.1.



* Added ADK For Win 8 (and 8.1) scripts. Refer to documents.

  NOTE - this has only been tested using Windows 7 (SP1) 

  and Windows 8.1.



* Wallpaper support (.jpg) added for all builds - this 

  feature was not previously working with WinPE 4/5. See

  Programs\Wallpaper script.



* Wimlib-ImageX updated to version 1.6.2



* Added build 6.3.9600 (Windows 8.1 - Final) to the list  

  of tested/working sources.



* Added the following scripts -

	- WinHex

	- DMDE

	- Opera - 64-bit support added.

	- Keyboardlayouts



* Included FAU in the download. This is redistributed

  with the permission of the author (GMG Systems Inc) -

  refer to the project documentation.



* Program scripts now contain menu entries - this should

  make it easier to add new program scripts. Previously 

  all menu entries were contained in the shell script - 

  resulting in multiple script edits for any new programs 

  added.



* Various tweaks in core script 

	- "FileDelete,"%Cache%\temp\*.*" has been added to

	  to ensure that cached batch files and .ini files 

	  are deleted earlier in the build process. Without  

	  this fix there are errors in some very limited 

	  curcumstances.

	- Added verification check from registry files  

	  extracted from boot.wim - only used if the 

	  wimlib-imagex checks fail.



* Script structure has been changed for all Program scripts. 

  Hopefully results in better error checking for any missing 

  files.



* Browse for folder support is added by individual program 

  scripts even if this option is not selected in the Core 

  script. Resulting in a more modular approach (see 

  "http://reboot.pro/topic/19042-modular-apps-philosophy-for-winpe/"

  for the philosophy behind this approach).



* Documentation updated - added section on using the ADK 

  For Win 8.1. 

 

Tags:
945 Hits

Free Course Materials - Placing the Suspect Behind the Keyboard

Do you teach cybercrime/forensics and use "Placing the Suspect Behind the Keyboard"?  Maybe you are considering using this book in your course?  How would you like to have ready-made PowerPoints for the chapters with additional student materials to go along with the book in your course?  PSBK

I have had a few people tell me that this book is being used in their classes, but can't recall all of the colleges.  If you have used this book in a class, send me the instructor's name or have the instructorThis email address is being protected from spambots. You need JavaScript enabled to view it. so I can pass along information on materials for the class.

I will be starting on the materials now and will give access to any instructors that want to lend a hand and get early drafts for use right away.  The materials will be freely available for instructors to use and modify in their coursework.  As someone that has taught forensics for a few years, it is very very helpful to have class materials available rather than reinventing the wheel every class...

481 Hits

WinFE Success Story

I get a few stories of how WinFE saved the day and a few of these heroes let me retell their story. This is one of them. The ‘detective’ wishes to be unnamed, but for sake of argument, I know who he is…

------------------------------------------------------------------------------------------------------------------------


 A detective from a California law enforcement agency that had attended the SEARCH “Network Investigation and Digital Triage” course contacted the instructors with assistance in building a WinFE based on Windows 8.1. The detective was given guidance and links to the various resources needed to create the WinFE8.1SE. The detective was further given assistance in adding in the utilities he would need and finally validating the build to insure that it was forensically sound.

 In a follow up call, the detective indicated that the he had obtained the duplicate images he needed, with one minor modification. He found that one of the target drives was mounted through an add-in card and was not initially recognized by WinFE8.1SE. Noting that Colin Ramsden’s write protect utility allowed for adding drivers to the system, the detective located the add-in card drivers and added them to the system. WinFE8.1SE and Colin’s WP utility then recognized the additional drive and allowed mounting it read only. The detective then successfully obtained duplicate images of both target drives.

 

------------------------------------------------------------------------------------------------------------------------

 

 

Image


As a side note, consider that WinFE started with Troy Larson typing out a 2-page Microsoft Word document on changing registry values in a winPe to get a winFe. That little idea is now taught at local, state, and federal agencies as well as public/private education and training courses. Basically, it’s is use by many.   This success story is neat because it shows how easy it is to add a driver on-the-fly. You don’t need much technical experience to use Colin’s app to add drivers or toggle hard drives. We beat it up pretty good to get it right; Colin is one of those extremely competent software writers and I am glad he helped out the WinFE project.

Got a success story? Send it to me and I’ll share the word.

 

Tags:
428 Hits

Book Review: Windows Forensic Analysis Toolkit, 4th Edition

WFAI’ve been waiting until I received the hard copy of this book to write the review. I had the fortune of being the tech editor for this book and enjoyed every minute of it. Although I do not have an ongoing financial interest in this book, I do have a vested personal interest based on the reasons Harlan Carvey lays out in many chapters. I’ll get to my personal interest later in this review.  Also, Harlan has a post on updated book contents here: http://regripper.wordpress.com/2014/04/14/regripper-download-2/

Without reading any reviews, those analysts who buy Harlan’s books will keep buying his books with the full expectation of having a well-written (as in easy-to-read) book on Windows OS forensics. There is no need to read any further in this review if you fit in this category. This is Harlan’s new book. That is all you really need to know. But if you just want my opinion, read on…

The topics in the 4th Edition of WFA are all eye-catching. Volume shadow copies, file analysis, registry, malware, timelines, tracking user activity, and more.   Every topic detailed in all the chapters, is relevant to everyone that touches a Windows system to examine. The difference between Harlan’s books and others is the guidance given. For example, rather than reading a discourse on some technology, Harlan gives practical advice, suggestions, and real-life stories that relate to the points in the book. Since we have all made mistake (or will make mistakes, or have made mistakes but just don’t know it yet), having guidance that reduces mistakes in the way of stories and plain talk is well worthwhile to read.

The book has too much information to be covered in a review. There is more information on accessing volume shadow copies using several different methods than I want to review. The same can be said for file analysis, registry analysis, timelines, and every other topic. Harlan gives several options to accomplish the same task, using different software.   Although I wrote a book on one software (X-Ways Practitioners Guide), I obviously use more than just one software. Any forensic book, other than a manual or software guide, that does not give options with various types of software does not give the reader options to solve problems.

Another facet of Harlan’s book is his never-ending harping of asking everyone to ‘share information’. That sentence may sound negative, but truthfully, I don’t know how Harlan has the energy to push the sharing of information for so long. The book is sprinkled with this tone and I echo the importance of sharing information. I did my best to keep up with Harlan’s book as I tech edited it, working his suggestions. Some of the methods he wrote were new to me, which I would not have found on my own without happening upon the method in a blog..maybe.

Those examiners who conduct investigations, not just an analysis of a machine, will enjoy the guidance on tracking user activity, writing reports, drawing conclusions, correlating data, and making inferences.  Those topics are my personal favorites.

Harlan writes in this book that sharing helps us to know what is possible. That makes sense, because how can you know what you don’t know.

I can say unequivocally that writing a digital forensics book is primarily, if not solely, to share information. Few (no one?) gets rich writing a computer technical book in the niche of digital forensics. The market for a digital forensic book is probably a fraction of a fraction of a fraction when compared to a Tom Clancy or JK Rowling book. With that, consider that when Harlan says he writes to share, he really means that he writes to share, just like all other forensic book writers.

The personal risk to sharing, which everyone knows, is that you could be totally wrong, slightly inaccurate, poorly written, disproved later, or maybe you “discovered” something that everyone else already knew. This risk of sharing keeps the majority of examiners quiet and makes it seem that there are only a few examiners that share information. That is why we see the same names popping up online and conferences through the years. But in the audiences listening to these same names, there are smarter people, better examiners, and great investigators. They just don’t speak up or share information.  (nudge..nudge...feel free to share...no one will bite you).

That is one of Harlan’s premises to keep going and he reiterates it in the book and his blog and when he speaks. We all get ‘smarter’ when we share. None of us move forward when we don’t share.   To share is to take a risk of being wrong and embarrassed. Worse still is the fear to be wrong and get attacked online. However, for all those that share, either by asking questions, giving suggestions, or describing methods you have created or use, my hat goes off to you. It takes guts to put yourself out there, knowing that the sharks are circling and sniffing for blood.

Back to my personal interest in this book. When I have found a method or tool that I like, I want everyone to use it. I don’t hold it close to my chest or hide it. I share it. I become an evangelist to that tool or method to get the word out. The reason? The more examiners in the field that use it, the more chance the method/tool becomes an industry standard. Then it gets improved upon, further developed, “court accepted” in that the results obtained by that tool/method are accepted into a court, and I get to use the tool/method more.

The best personal example I can give to prove this point is with WinFE (http://winfe.wordpress.com). From a two-page Word document typed by Troy Larson of Microsoft, I marketed that little ingenious tool as if I was making a million bucks off it. It’s now in use by every country that does forensics and in just about every agency or company in those countries. It’s even taught in forensic training programs in both the public and private sector. So now, anyone can create and use WinFE without worry of using a non-industry accepted tool. This happened only because those that used WinFE, shared the knowledge of how to use and when to use it. Imagine if we did that with every “new” effective method or tool.

The key point in the prior two paragraphs is that Harlan’s book has lots of those types of ideas that he has shared. He gives credit to ideas created by others along with sharing his own ideas.

My only negative words on WFA/4 is…maybe X-Ways Forensics could have been put in it...but that's what we have the XWF Guide for..

My suggestion on WFA/4…buy the book. You will not regret it.  My other favorite books are here http://winfe.wordpress.com/books/.

 

 
374 Hits