USB Malware and WinFE

The recent release of USB malware, in which any USB device is suspect of being infected after plugging into an unknown-if-clean machine, makes a problem for bootable USB devices in forensic collection.  Some of the very scary claims to the USB malware are (

  • Alter files from thumb drives

  • Redirect Internet traffic

  • Tap and spy on USB-enabled smartphones

  • Hijack keyboards to type commands

  • Potentially inject malicious elements as files are being transferred

  • badusb


That is bad stuff for a forensic bootable USB device.   I've seen a few suggested solutions to the USB infection issue, but the fastest solution with WinFE is to burn to a CD/DVD instead of making a USB bootable.  Problem solved.

Building a WinFE is still very very very very easy.  Using the Mini-WinFE build, I just timed creating a WinFE DVD is less than 6 minutes.  That was a few minutes with Winbuilder and a few minutes burning the ISO to DVD, while taking my time in the short process.  If you haven't yet built a WinFE, the process is almost completely automated.  Just point Winbuilder to your Windows 7/8 source and press go.  Less than 5 minutes later, you have a forensically sound, bootable ISO/CD/DVD/or USB.

Granted, creating a WinFE CD/DVD in less than 10 minutes is not going to save you time compared to imaging a removed hard drive using a hardware imaging device.  But...if you have LOTS of machines to image, booting the machines to be seized to WinFE most likely will be faster than removing hard drives and sharing hardware imaging devices.  And for those pesky drives that won't come out, WinFE may be a good solution than fighting with an ultralight, can't-find-the-screws-to-remove-the-darn-hard-drive machines.

Rate this blog entry:
1946 Hits

New version of X-Tension

New version of X-Tension
-adds the functionality to create a picture/video library.
-adds the ability to extract pictures or movies that are type status of 'not confirmed'
(this was added as there are so many variations of avi formats, that even some valid working movies were not 'confirmed')
If the user does not want these files, they can be filtered out and the X-Tension run excluding filtered or excluded files

Rate this blog entry:
1236 Hits

XWF II and III...

...are a little late coming out due to an emergency...but will be published soon.  sorry for the delay.

Rate this blog entry:
1349 Hits

Forensic Training with WinFE. Cool.


Although, the WinFE module is like, last in the course...But, it's there!


Rate this blog entry:
1107 Hits

C4All X-Tension for CETS users

Re-posted with permission (more info at:

Default C4All X-Tension for CETS users

This is the same as version 3.5.12.k except adds the function to create a CETS manifest XML needed for those using CETS.

Arnold will post information for CETS users regarding changes needed to properly use the X-Tension.

C4All X-Tension CETS compatible version 3.5.13.a

For use with CETS:
1. This will provide a generic "CETS Media Manifest.xml" file

2. This generic file will not include the digital signature InvestigationID, ManifestID, or CategorizationID. However, the CategorizationID can be added manually.

3. With the CETS Media Uploader you can "re-sign" the manifest file if you use "adminmode" of the CETS Media Uploader.

To enter into Admin Mode:
1. Right Click on "CETSMediaUploader.exe"
2. Select: Sent To, Desktop (create shortcut)
3. Locate the shortcut on your desktop
4. Right Click on the shortcut and select : Properties
5. In the Target Field append to the end of the line(after the closing "): -adminmode
6. Double click the edited Short Cut

When you launch the CETS Media Uploader in Admin Mode you will a new button to "Sign Manifest" file.
Clicking on the button will bring up a dialogue window to manually select a user and the related investigation.

Keep in mind, that you must manually cut and paste your Categorization settings into the XML file.

Arnold Guerin
Canadian Police Centre for
Missing and Exploited Children.

Rate this blog entry:
898 Hits

WinFE Taught in Australia

Neat to see WinFE being taught everywhere, as in, everywhere by many.  Wish I could have been there for this presentation (mostly because I'd have to be in Australia to see it...).winfe

[slideshare id=37866964&doc=winfe-thealmostperfecttriagetool-140811062324-phpapp01]


Rate this blog entry:
1273 Hits

BlockHasher for XWF

Yet another cool XWF utility!



[caption id="attachment_630" align="aligncenter" width="700" class=" "]blockhash



BlockHasher helps you creating Block-HashSets for X-Ways Forensics

- Select Directory, directory-mode is atomatically activated
- Click 'with sub-folders' if you need recursive hashing
- Alternatively select some files, file-mode is atomatically activated
- you can switch everytime between both modes
- Choose your Entropy
- If you need to find a part of a single file use 'one input - one output' mode
- If you need to find a part of a bulk of files use 'all in one' mode
- Add 'MD5'-Header is necessary for X-Ways Forensics

Start hashing now. A Logfile ist automatically generated.

BlockHasher is Freeware.
If you need source send mail to This email address is being protected from spambots. You need JavaScript enabled to view it.


Rate this blog entry:
1109 Hits

X-Ways MD5 Hash Manipulator

Another cool utility for X-Ways!


X-Ways MD5 Hash Manipulator









A program to manipulate your Hash sets from X-Ways.
It will allow you to Add hashes, Remove hashes, Compare hashes and remove the duplicates, create hash set of excluded files, and be in the proper format to quickly import to X-Ways.



This will allow users to maintain their hash sets and create small diff files if needed to distribute when hashes are added/removed from database.
It works on the basis of add or removing records, indicating duplicates and also the '-' prefix implemented in X-ways. files with '-' prefix can be anywhere in set, not at the beginning.






Thanks to X-Tension author Steve Frawley (who is also the author of the C4All X-Tension) and thanks to beta tester Derek Frawley.











Rate this blog entry:
1633 Hits

SEARCH High-Tech Crime Trainers to Debut WinFE as a new topic

Super cool.  From SEARCH.

"The team will debut a new course topic in Dallas: Introduction to Windows Forensic Environment (WinFE). In this lab and lecture, investigators will learn how to create a bootable forensic environment on a thumb drive. Using this thumb drive, investigators can then conduct previews of suspect computers in the field, looking for information that indicates whether the computer contains potential evidence in a case. The ability to conduct on-scene triage such as this is very important to investigators, as it gives immediate information about suspects and their devices."


Rate this blog entry:
2087 Hits

Free WinFE course

WinFE course to be updatedwinfe

The WinFE online course will be updated sooner with a few neat things that are coming up with WinFE.  Until then, there have been over 2,000 registrations for the course and more every day.

I'm impressed that there are so many users interested in using WinFE, but then again, not really.   It's still a really neat tool to have in your toolbox alongside the Linux forensics boot OSs. If you haven't taken a look at WinFE, give it a try.  This course will remain online, free, and updated when there are updates to make.

I am checking out WTE and so far, WTE represents a great enhancement on making WinFE more user friendly in appearance and use.  I'll post my thoughts on WTE sometime in the future after I really take a look at WTE in more detail.


Advanced Internet Investigations Course with Google Hacks!

Speaking of online courses, if you regularly "google" people for investigations, backgrounds, pre-employment checks, internal investigations, or need to find someone as a witness (or suspect, or victim), take a look at my Advanced  Internet Investigations Course with Google Hacks.  If you register with this link (or this code: winfe50), you get 50% tuition.  The half off discount is for the first 50 people, then regular price of $195.  The course is a tad over 4.5 hours and covers enough information where you can practically find anyone online, and in the physical world.  Google operators, syntax, and hacks are covered including automated searching utilities (free software!).

[caption id="attachment_1262" align="alignleft" width="700"]AII Half price for the first 50 WinFE blog readers.


Rate this blog entry:
1173 Hits