BlockHasher for XWF

Yet another cool XWF utility!

 

BlockHasher

 

 

http://d-forensik.de/download/

[caption id="attachment_630" align="aligncenter" width="700" class=" "]blockhash

 

 

BlockHasher helps you creating Block-HashSets for X-Ways Forensics

- Select Directory, directory-mode is atomatically activated
- Click 'with sub-folders' if you need recursive hashing
- Alternatively select some files, file-mode is atomatically activated
- you can switch everytime between both modes
- Choose your Entropy
- If you need to find a part of a single file use 'one input - one output' mode
- If you need to find a part of a bulk of files use 'all in one' mode
- Add 'MD5'-Header is necessary for X-Ways Forensics

Start hashing now. A Logfile ist automatically generated.

BlockHasher is Freeware.
If you need source send mail to This email address is being protected from spambots. You need JavaScript enabled to view it.

 

0
  1188 Hits
  0 Comments

X-Ways MD5 Hash Manipulator

Another cool utility for X-Ways!

 

X-Ways MD5 Hash Manipulator

 

 

hash

 

 

 

 

 

A program to manipulate your Hash sets from X-Ways.
It will allow you to Add hashes, Remove hashes, Compare hashes and remove the duplicates, create hash set of excluded files, and be in the proper format to quickly import to X-Ways.

 

 

This will allow users to maintain their hash sets and create small diff files if needed to distribute when hashes are added/removed from database.
It works on the basis of add or removing records, indicating duplicates and also the '-' prefix implemented in X-ways. files with '-' prefix can be anywhere in set, not at the beginning.

 

 

 

 

 

Thanks to X-Tension author Steve Frawley (who is also the author of the C4All X-Tension) and thanks to beta tester Derek Frawley.

 

 

 

 

 

instructions

 

 

file

 

0
  1731 Hits
  0 Comments

SEARCH High-Tech Crime Trainers to Debut WinFE as a new topic

Super cool.  From SEARCH.


"The team will debut a new course topic in Dallas: Introduction to Windows Forensic Environment (WinFE). In this lab and lecture, investigators will learn how to create a bootable forensic environment on a thumb drive. Using this thumb drive, investigators can then conduct previews of suspect computers in the field, looking for information that indicates whether the computer contains potential evidence in a case. The ability to conduct on-scene triage such as this is very important to investigators, as it gives immediate information about suspects and their devices."

 

0
Tags:
  2156 Hits
  0 Comments

Free WinFE course

WinFE course to be updatedwinfe


The WinFE online course will be updated sooner with a few neat things that are coming up with WinFE.  Until then, there have been over 2,000 registrations for the course and more every day.

I'm impressed that there are so many users interested in using WinFE, but then again, not really.   It's still a really neat tool to have in your toolbox alongside the Linux forensics boot OSs. If you haven't taken a look at WinFE, give it a try.  This course will remain online, free, and updated when there are updates to make.

I am checking out WTE and so far, WTE represents a great enhancement on making WinFE more user friendly in appearance and use.  I'll post my thoughts on WTE sometime in the future after I really take a look at WTE in more detail.

 

Advanced Internet Investigations Course with Google Hacks!


Speaking of online courses, if you regularly "google" people for investigations, backgrounds, pre-employment checks, internal investigations, or need to find someone as a witness (or suspect, or victim), take a look at my Advanced  Internet Investigations Course with Google Hacks.  If you register with this link (or this code: winfe50), you get 50% tuition.  The half off discount is for the first 50 people, then regular price of $195.  The course is a tad over 4.5 hours and covers enough information where you can practically find anyone online, and in the physical world.  Google operators, syntax, and hacks are covered including automated searching utilities (free software!).

[caption id="attachment_1262" align="alignleft" width="700"]AII Half price for the first 50 WinFE blog readers.

 

0
Tags:
  1265 Hits
  0 Comments

Cool work at the Windows Triage Environment

Oh my.   This is very pretty and impressive.  Take a look at the Windows Triage Environment if you haven't done so yet.  It is nice to see work continually being done to improve upon WinFE.

WTE

 

 

WTE

0
Tags:
  1258 Hits
  0 Comments

Thanks to Ken Pryor for his kind review of the WinFE online course

Ken Pryor wrote a kind review of the WinFE online course.  Take a look at his blog for details..  http://digiforensics.blogspot.com/2014/07/windows-forensic-environment-training.html

Don't forget, the WinFE online course is just like WinFE...it's FREE!

review

0
Tags:
  1962 Hits
  0 Comments

Mini-WinFE has been updated

Misty has updated Mini-WinFE.  There are a few very neat updates, like UEFI support!  Don't forget to sign up for free WinFE online training: http://courses.dfironlinetraining.com/windows-forensic-environment

Thanks to Misty!

 

miniwinfe

 

2014.07.03

==========



* SysWOW64 support added when building from Windows 7/7(SP1)/8/8.1/8.1 

  Update 1 sources (should also work with some Windows Server 2008/2012 

  sources). The 5-Wow64 script was used as a base to identify file and 

  registry dependencies. Credit therefore goes to everyone involved in 

  the 5-Wow64.script (including JFX, Lancelot, 2aCD, ChrisR and "...to 

  everybody on the BootLand forums for helping on the debuggind and 

  improvement of this script."). Select 4] SysWOW64 in the main project 

  script options to add SysWOW64. 



* UEFI support has been added.



* CloneDisk script added



* Virtual Keyboard (FreeVK) script added.



* A number of changes have been made to the core script - wimlib-imagex now 

  uses file lists when extracting dependencies from install.wim/boot.wim. 

  This significantly improves build time, but has meant that any program 

  scripts containing paths for file dependencies has required editing 

  due to wimlib preserving directory structure (when extracting from file 

  lists).   



* Fixed a bug when x64 local sources are used (in Create a cache from WinRE 

  and the ADK scripts). Due to the way in which SysWOW64 redirects to the 

  \Windows\SysWOW64 directory when running WinBuilder on a 64-bit system the 

  file dependencies were being cached from \Windows\SysWOW64 instead of 

  \Windows\System32



* Wimlib updated to 1.7.0. The amended update add command 

  significantly reduces build time when the INJECT method is used.



* Create ISO script updated. It now contains several options 

  including Flat Boot and RAM Boot or multiboot RAM and Flat boot. 

  It's also possible to create a BIOS or UEFI bootable ISO - or

  BIOS and UEFI bootable.



* Create USB updated to include the option to RAM Boot or Flat Boot

  or multiboot RAM and Flat boot. UEFI support is also included. This 

  script will not work if running WinBuilder on a Windows 2000/XP/2003

  system. 



* Create USB (GPT UEFI) script added. This script will not work if

  running WinBuilder on a Windows 2000/XP/2003 system. Only fixed type 

  disks are supported. 



* Added error check to the ADK For Win 8 (and 8.1) scripts - these 

  cannot be executed if running WinBuilder on a Windows 2000/XP/2003

  system. 



* Project.Settings.ini is added to the build listing all programs

  and project settings used in the current build. 



* Project documentation updated - minor updates throughout and two

  new sections added (MultiBoot WinPE and UEFI, BIOS, GPT and MBR)



A special thanks to alacran for requesting UEFI and SysWOW64 support 

in MistyPE and for beta testing and feedback to actually get them

working. 



Due to the number of changes made in this build it is entirely possible 

that errors may have unintentionally crept in. Please report any issues 

(or positive feedback) on the support topic at reboot.pro - 



	http://reboot.pro/topic/19036-mini-winfe/







2014.04.26

==========



* Added a number of additional options in the core script - 

  these are all enabled by default. The new options will 

  remove a number of unsupported options from the right-click 

  context menu. Thanks to reboot.pro forum member farda for

  these suggestions.



* Added "Open with" workaround for WinPE 4.0/5.0. See -

  http://reboot.pro/topic/19732-help-with-open-with-in-winpe-4050/



* WinFE settings are now seperate to the Shell script - but are 

  still mandatory. They have been moved to a new script 

  \Programs.winfe.script



* Option to use either SANPolicy 3 or 4 (in new WinFE script) -

  SANPolicy 3 is automatically used with WinPE 2.*/3.* sources as

  SANPolicy 4 is only supported in WinPE 4.0/5.0.



* File dependencies (to be extracted from install.wim or

  copied from the host Operating System) are handled in one

  (hidden) script -  Core\required.files.script. This will 

  make it simpler to implement any future file dependencies. 



* Added a script to copy files and folders from a local 

  directory - allowing the easy addition of third party files. 

  A menu entry will open the directory these files were copied 

  to. 



* Added Tools\Create USB script - it's now possible to 

  create a MistyPE bootable UFD during the build process.

  Use with caution - see documentation for more details. 

  Tested with Windows 7 (SP1) and Windows 8.1.



* Added ADK For Win 8 (and 8.1) scripts. Refer to documents.

  NOTE - this has only been tested using Windows 7 (SP1) 

  and Windows 8.1.



* Wallpaper support (.jpg) added for all builds - this 

  feature was not previously working with WinPE 4/5. See

  Programs\Wallpaper script.



* Wimlib-ImageX updated to version 1.6.2



* Added build 6.3.9600 (Windows 8.1 - Final) to the list  

  of tested/working sources.



* Added the following scripts -

	- WinHex

	- DMDE

	- Opera - 64-bit support added.

	- Keyboardlayouts



* Included FAU in the download. This is redistributed

  with the permission of the author (GMG Systems Inc) -

  refer to the project documentation.



* Program scripts now contain menu entries - this should

  make it easier to add new program scripts. Previously 

  all menu entries were contained in the shell script - 

  resulting in multiple script edits for any new programs 

  added.



* Various tweaks in core script 

	- "FileDelete,"%Cache%\temp\*.*" has been added to

	  to ensure that cached batch files and .ini files 

	  are deleted earlier in the build process. Without  

	  this fix there are errors in some very limited 

	  curcumstances.

	- Added verification check from registry files  

	  extracted from boot.wim - only used if the 

	  wimlib-imagex checks fail.



* Script structure has been changed for all Program scripts. 

  Hopefully results in better error checking for any missing 

  files.



* Browse for folder support is added by individual program 

  scripts even if this option is not selected in the Core 

  script. Resulting in a more modular approach (see 

  "http://reboot.pro/topic/19042-modular-apps-philosophy-for-winpe/"

  for the philosophy behind this approach).



* Documentation updated - added section on using the ADK 

  For Win 8.1. 



0
Tags:
  2103 Hits
  0 Comments

X-Ways Forensics Online Training

I created an X-Ways Forensics online training course at http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide.  This course, X-Ways Forensics Practitioner's Guide Online I is introductory to using X-Ways Forensics, but it covers more than enough to cover most of the use of X-Ways in a case.

The XWF II course goes into great detail with more information on using XWF in different scenarios and some more highly specific functions.  Although the course is based on the book, it is not the book, nor is it the X-Ways Forensics classroom training.  It is however, the least expensive and fastest way to get up to speed on X-Ways Forensics :)

There is a 25% discount code you can use "xwf1" that is good until July 17.  Everyone that registers before July 17 receives a separate discount code of 100% for the XWF II online course that will be released as soon as this discount period ends.  Both courses are the same cost, but the discount is valid only until July 17.

If you can't attend the X-Ways AG classroom training due to cost or time, this online training fits both your pocketbook and daily schedule.

http://www.youtube.com/watch?v=EQ_wwSBD8gc

0
  1150 Hits
  0 Comments

Keep up with WinFE on Twitter

Over 100 viewers of the WinFE online course in the first 24 hours.   There have been a few improvements made based on suggestions from some viewers.  All comments have been positive.   The course will remain free, take your time to watch and don't forget, build your WinFE!  (TIP:  Build the Mini-WinFE.  It is the easiest, quickest, and least operater-error prone build available).

The X-Ways course has been delayed for a day for technical problems with video hosting...but, it's coming.  There is actually several X-Ways courses being posted online, from basic to advanced.  I have found that there are several updates in XWF that have not been incorporated in the XWF manual that I am adding in the courses.   Even my XWF book is slightly outdated by all the changes and updates....but that is a good thing.

[caption id="attachment_1246" align="aligncenter" width="700"]twitter https://twitter.com/WindowsFE

0
Tags:
  1072 Hits
  0 Comments

WinFE course snafu

The video provider corrected the course videos from being off-center this morning.  Thanks to  everyone letting me know about the problem.  I'm not surprised at how many viewers there are for the course as it shows how much WinFE is being used or at least how much it is known in the DF community.

Here is the Intro video, but you can watch the entire course at the course page  here: http://courses.dfironlinetraining.com/windows-forensic-environment

http://www.youtube.com/watch?v=npo-acVMU84

0
Tags:
  1179 Hits
  0 Comments

Windows Forensic Environment - WinFE Online Course Now Available

Ok, it took a while to get this done, mostly because of other projects.  But it is done.  I have videos of most build methods, tips and tricks, pro's and con's, and aspects of WinFE that you may find important.  I also included every bit of downloadable swag in the course too (batch files, wallpaper, scripts, etc...).

All in all, this is probably the best source of WinFE you will find.  I encourage you to share it and use it, after all, this is a free tool.  If anyone has suggestions on making the course better, let me know and I can try to squeeze in some improvements.

[caption id="attachment_1231" align="aligncenter" width="700"]winfe http://courses.dfironlinetraining.com/windows-forensic-environment


 

On another note, I am also releasing the first of several X-Ways Forensics online courses on Monday, June 30, 2014.  

 

I'll send out a reminder on June 30 through twitter and the XWF blog.  The XWF online course is not free like the WinFE course, but it is also not expensive.  From Monday, the X-Ways course will be $195 but I will publish a discount code good for two weeks (through July 14) for 25% off.


The WinFE course was lots of work, but certainly worth the time to watch. The X-Ways course is something else entirely. The manner in which I made the X-Ways course is so that you can follow along with XWF in learning how to work a case with X-Ways Forensics.  The course describes the options and buttons in XWF, but also shows how to simply work a case.  There are literally so many features in X-Ways, that without training, you will be missing about 50% of what you should be doing.  I found that even the most current version of the X-Ways manual does not list features in XWF...lots of information to keep up with, tons of features to consider, easy to miss something that you should not miss for such a powerful forensic tool.

If you want to be notified of the coupon code, be sure to follow the X-Ways blog at http://xwaysforensics.wordpress.com/ or the twitter account at https://twitter.com/XWaysGuide.

 

0
Tags:
  1376 Hits
  7 Comments

New X-Tension: Up to 30GB min speeds on SSD drives!

A new X-Tension, "C4All" is available for download (free) at http://www.x-ways.net/forensics/x-tensions/index.html.  C4All is used to categorize pictures and videos, processing skin tone and video stills.  Speeds up to 30GB min speeds on SSD drives have been observed.

free css template

If you are an X-Ways user, this is one of those cool "little" things that will make you excited.

0
  1027 Hits
  0 Comments

WinFE online is done, except for a few little things

As with everyone, when you think you have time and make plans, a dozen interruptions will delay even the most determined.  But, the WinFE online course is practically done except for:

1) latest build of Mini-WinFE being tested first to incorporate into the course (with UEFI support and a few other goodies)

2) reviewing the entire program (a volunteer is waiting for me to send him the link, after the Mini-WinFE testing is done..)

Not to say I got a little wild with this weekend project, but yeah, I got a little wild.  A short YouTube video intention evolved into a lot more.  In fact, every piece of downloadable WinFE related wallpaper, script, program, and links to anything I cannot personally distribute is in the program.

Until I push the button to release the course, it's vaporware, just like the write protect tool was vaporware before it was completed.  But the course sequence that is completed already is listed below.  If there is anything not listed that you have wondered about, speak up now or I will not know what may be missing.

I covered every major build method with videos (and downloadable guides when appropriate).

Introduction to the Course

WARNINGS!

I. Forensic Booting of Evidence Computers

II. Forensic Boot Operating Systems

Intro to Forensic Boot Systems

Linux Forensic Operating Systems

Windows Forensic Environment (Windows FE, WinFE)

III. WinFE Basics

Creation and development of WinFE

WinFE Write Protection Tool

Disk Management & DiskPart

WinFE and Your Forensic Software

IV. WinFE Validation

V. Building the Windows Forensic Environment

Building the Basic WinFE

Building WinFE with WinBuilder

Building WinFE Lite

Building Mini-WinFE

Building the Windows Triage Environment

Building a MultiBoot WinFE

VI. Using WinFE

Forensic Data Collection (file copying, disk imaging)

Triage and Preview

Remote Booting and Collections

Onsite Forensic Analysis

Covert Collections/Sneak and Peeks

WinFE as an Electronic Discovery Tool

WinFE and Disk Encryption

WinFE as an Educational OS

VII. Wrapping Up with WinFE

Summary

WinFE Qualification Exam

 

0
Tags:
  1086 Hits
  2 Comments

WinFE Course

I'm about halfway through the WinFE online course and then I'm sending it to a reviewer.  The topics and order of the curriculum are listed below.

I've added a multitude of build methods that will be documented and demonstrated in the online class.  It'll be recorded, so not a webinar where you have to close your door and tell the boss to stay out of your office during lunch. You will be able to watch it when you can and as much as you need.

imageIf you don't see something on the list that you would like to have added, now is the time to make the suggestion before I finish and upload the course.  I'm also uploading all the swag in form of batch files, white papers, wallpapers, applications, and anything else I have on WinFE for downloading.  Basically, everything you need will be in one place.

There is a test at the end of the course and you can take it if you like or not.  That is up to you to decide.  Personally, I'd take it just to say that I took coursework in a forensic tool that included an exam to test my knowledge.  This isn't a long course, but it is 'all things WinFE' wrapped up in one training program that you can take at home or during the lunch hour, about a forensic tool that anyone, and I mean literally anyone, can build on their laptop in Starbucks.  You don't need to be a programmer or software developer.  If you are a forensic examiner, you can build and use this tool.

WinFE doesn't do everything and doesn't work for every situation.  But for when you need to use forensically sound bootable environment, WinFE is pretty cool.

Curriculum

 

Introduction to the Course
Why take this course?
WARNINGS!

 

 

I. Forensic Booting of Evidence Computers
When, Why, How

 

 

II. Forensic Boot Operating Systems
Linux Forensic Operating Systems
Windows Forensic Environment (Windows FE, WinFE)

 

 

III. WinFE Basics
Creation and development of WinFE
WinFE Write Protection Tool
Disk Management & DiskPart
WinFE and Your Forensic Software


IV. Building the Windows Forensic Environment
Building the Basic WinFE
Building WinFE with WinBuilder
Building WinFE Lite
Building Mini-WinFE with Winbuilder
Building the Windows Triage Environment

 

 

V. Using WinFE
Forensic Data Collection (file copying, disk imaging)
Triage and Preview
Remote Booting and Collections
Onsite Forensic Analysis
Covert Collections/Sneak and Peeks
WinFE as a "Live" Tool
WinFE as an Electronic Discovery Tool
WinFE and Disk Encryption
Adding Drivers on the Fly

 

 

VI. Wrapping Up with WinFE
Summary

 

 

Exam
WinFE Qualification Exam

 

0
Tags:
  1296 Hits
  4 Comments

Some Interesting WinFE Related Stuff I Found Online

[caption id="attachment_1206" align="alignright" width="300"]
wte http://pedrogilberto.net/wte/Factsheet.htm


One of the interesting things I have found online related to WinFE as I create a lesson plan for WinFE is  "WTE" or "Windows Triage Environment".  Before you get excited about this project, apparently, unless  you work in government, you can't have it.  Per the website,  "WTE is released as freeware only for Law Enforcement or Government Agencies uses."  Well darn it.  From what I can tell, it is WinFE with some software, including Colin Ramsden's write protection application,but no super-secret-LE-only programs.

The good news is that in the upcoming tutorial on All Things WinFE, you will be able to make your own WinFE or whatever you want to call it, for free, whether you are a government employee or not.

Another interesting thing I found was that the commercial version of WinFE from ForensicSoft.com is no longer available.  From the website, " Due to recent licensing changes by Microsoft, SAFE is no longer commercially available" and  "No longer commercially available, SAFE (System Acquisition Forensic Environment) was the first and only forensically sound Windows boot disk."
I don't know when ForensicSoft stopped selling their WinFE (or "SAFE"), but  it is no longer. However, I respectfully disagree on SAFE being the first and only forensically sound Windows boot disk....

Stand-by for the WinFE  class.  It's getting close to being done  I do have a trusty tech-editor to review it prior to release :)

 

0
Tags:
  1216 Hits
  0 Comments

A Quicker Way to the Shadow Volumes and Dealing with Win 8 VHDXs

Arsenal Image Mounter (AIM) is a new image-mounting tool from Arsenal Recon.  Not only is it free, but the folks at Arsenal have been gracious in lending support.  AIM employs a special SCSI driver that lets us mount image files of various types so that Windows Disk Manager can see our mounted image (a pseudo disk, as I like to call it) as an actual disk. This innovation allows us to access shadow volumes in a completely new way and avoid converting images to, for example, VHD files.  AIM also can mount our image as write protected or as writable.  I won’t go into more depth on AIM’s features, as you can visit the web site to learn more and acquire a copy.

Heretofore, Windows would not enumerate shadow volumes on images mounted with the most popular tools, e.g., FTK Imager, Mount Image Pro, etc.  A notable exception is a Windows virtual disk file (VHD), which is not used to an appreciable extent, if at all, as the target of a disk image file in computer forensics.  I’ve explained before how to work with these virtual disks with respect to the Window 7 variety (VHD).  Windows 8 brings a new format, which is the VHDX file, which I’ll mention again later.  For now, suffice it to say that there no longer is a need to convert a dd image to a VHD if your goal is access shadow volumes on your host system.  As I’ve demonstrated in my VHD post, the conversion required the addition of data to the end of your dd image.  While that made an easily reversible change to an original image file, some folks were not comfortable doing so and chose to create a spare dd file.

Let’s take a closer look at AIM and how it can help us get to shadow volumes very handily.  I’m going to work with a dd image of a Windows 7 system, though there is no difference with an E01.  In the following screenshot, I’ve opened AIM and navigated to my image file (001).

AIM1

Next, we’ll see the window that AIM presents after I select the image.  I’m going to maintain the default options, which the screenshot depicts.  Typically, we don’t have to ask AIM to fake (cache) a disk signature, which AIM allows because Windows won’t mount a disk if it does not have a signature.  I’ve seen only one case in which a disk signature was absent, and it concerned a VHD file created by Windows 7’s system image feature.  Note than AIM handles 4KB (and other) sectors.

aim optionsAIM2a

After I click OK, AIM presents the mounted disk as Drive 10 in my system (above and in next screenshot), which we then can find in Explorer as well as in Disk Manager.  Note that Disk Manager reports the pseudo disk as it does every other disk, but indicates that it is read only.  In case you haven’t looked or noticed it before, mount an image with another tool and compare Disk Manager’s findings with an AIM-mounted image.

AIM3

Next, let’s access shadow volumes without using virtual machines or any other steps outside of our host system (mine is Windows 8).  As you’ve seen in one of the screenshots, our mounted image’s system volume was mapped to Drive M. The next demo is a video, which presents how we can enumerate the shadow volumes on Drive M.

 

Again, you can try that with another image mounter to see the distinction.  Now, we’ll map one of the shadow volumes with Dan Mares’s VSS, which is a tool that I’ve mentioned frequently in my blog. The basics of VSS can be found here, among other posts.  You can pick up VSS free at http://www.maresware.com/.  The next video demonstrates VSS.

▶

At this point, we can work with Drive P as we can with any logical volume.  We can open the volume in most forensics tools or image the logical volume if we wish.  Remember, too, that an alternative to mapping a shadow volume to a drive letter is to create a symbolic link to the volume.  The next screenshot shows how this is done.  We’ll create a link to Shadow Volume 13 in the aaa directory.  Remember to add the trailing backslash in the syntax, after the ShadowCopy number.

mklink

While I’m talking about Symlinks, it’s important to note that Windows uses them in various places on our systems.  For example, \Users\All Users is a SymLink to \Program Data on the active system partition.  If, for example, we open Users\All Users on our mapped shadow volume (P) and open Program Data on our host system, we can see that their contents are the same:

symlinks

This will happen whether you map the shadow volume to a drive letter or create a SymLink.  Needless to say, this can lead to some misinterpretations during an exam.  However, if you open the mapped shadow volume in a forensic tool, at least with X-Ways Forensics, the SymLink issue will be ignored.

Now, let’s return to VHDX files briefly.  At this time, a number of forensic tools can’t access that file format.  If you encounter one, it likely will be a system image backup on a Win 8 image.  To give most tools access to your VHDX file, mount the Win 8 image file in a Win 8 host with AIM.  The next video follows the process:

▶

Note that this works when you mount your VHDX-host image with AIM.  It likely will not work with other imagers that don’t allow Disk Manager to have access to the mounted image.  While you can copy the VHDX from your image to a Win 8 host, it’s unnecessary if you have AIM.  Another option is to create a VM from your Win 8 image, mount the VHDX therein, and access the mounted VHDX file with X-Ways Forensics from a thumb drive.  When you’re done, right-click the mounted VHDX in Disk Manager and opt to detach the disk.  Bear in mind that Win 7 will not mount a VHDX file.

  1. Dave Reid

    February 3, 2015 at 9:38 am

    Hi Jimmy,

    I have a multi-part E01 file and no matter what way i try to mount it with AIM, raw or multi-part raw, I get a virtual drive of 4GB in size. This coincidentally is the size of the E0 segments. The E0 files were created with compression and i wonder if this is the issue.

    dave

    Reply

    • jimmyweg

      February 3, 2015 at 9:48 am

      It’s not the compression. If you’re using AIM, can you not just get to the shadow volumes in your host system without a VM? Does the disk appear in Windows Disk Manager?

      Reply

      • Dave Reid

        February 3, 2015 at 10:19 am

        Jimmy,

        Think we are cross wires somewhere. I cannot get AIM to recognize any disk image with an E0 format. I have now tried several and the resultant disk offered as mounted is only the size of the first E0 file either 2GB or 4GB dependent on how the original image was taken. When I check the mounted drive in disk management the disk is unallocated and uninitialized and is specified at the same 2GB or 4GB size. I’m not sure i get your comment about VM’s as I am not running one. The article above seemed to be about accessing an image without any mention of VM’s.

        Sorry if I’m being a bit dense.

        Dave

        Reply

  2. Thierry_Fr

    July 7, 2014 at 1:09 pm

    Thanks Mr Weg for your very interesting posts and work.
    Thanks to you, I discover two great tools to work with VSS. Strangely, when I mounted the VSS with “vss.exe” it didn’t appear in explorer or X-ways like a new hard drive. I Tried with a volume image, i’ll try with a real disk image to see if that makes a difference.

    Reply

    • jimmyweg

      July 7, 2014 at 2:10 pm

      Thanks for writing. The mounted shadow volume will appear in Explorer and in X-Ways as a volume and not as a disk. You simply can add the mounted volume to XWF.

      Reply

      • Thierry_Fr

        July 8, 2014 at 11:54 am

        Thanks for your quick answer. In fact the VSS doesn’t appear at all. I will make a few more tests and make a return.

        Reply

        • jimmyweg

          July 8, 2014 at 2:27 pm

          If you’re running VSS correctly, it will identify the volume letter that it assigned to the SV. Hence, the SV will have mounted and be visible in Explorer/XWF. I’m guessing that you’re not actually mounting the SV.

          Reply

  3. MC

    June 25, 2014 at 10:01 am

    Thanks for the post Jimmy! I was looking forward to trying this out. However, I didn’t get very far…

    I am able to use AIM to mount my E01 image (although the volumes appear as “Removable Drives” for some reason). But, when I try to list the shadow copies with vss, I get a message stating “No items found that satisfy the query” and no shadow volumes are listed. I can see from the image file that the volume contains shadow copies. I’ve tried it with 3 different image files now, all with the same results.

    Does this have anything to do with a permissions issue in Windows 7?

    I’m sure that I’m doing something wrong, but I’m kind of stuck here…

    Thanks

    Reply

    • jimmyweg

      June 25, 2014 at 10:54 am

      Thanks for writing, Meghan. I think it’s a permissions issue. Are you running vssadmin as Admin? You should. I’m not sure what you mean by the mounted image appearing as a removable drive. It should show up in Disk Manager as a physical disk with volumes.

      Reply

      • MC

        June 25, 2014 at 11:33 am

        Jimmy,
        Thanks for the quick reply. I am running vssadmin as Administrator. The volumes are mapped in Disk Management. For what it’s worth, when I use the command to “List Volumes,” it only shows me my local volumes (not the newly mounted volumes). But, I can’t even list the shadow volumes for my local drives either.

        Thanks

        Reply

        • jimmyweg

          June 25, 2014 at 12:25 pm

          Just to be sure we’re on the same page, the syntax is “vssadmin list shadows \for=:” where “x” if the logical volume that contains the target SVs. Are you sure that the SVs on your target are existing files, and not previously existing files that your forensic tool reports (but Windows would not)?

          Reply

          • MC

            June 25, 2014 at 12:54 pm

            Using the syntax vssadmin list shadows /for=. The SVs on the target are existing files, although there are some previously existing files as well. I also ran my 3 images through IEF and it recovered data from the SVs.

          • jimmyweg

            June 25, 2014 at 2:53 pm

            Well, I’m not sure what’s up at this point. Can you enumerate SVs on your own system with vssadmin? If there are none (system protection off), turn on system protection, create one, and run a test. The “No items found that satisfy the query” usually means none exist or maybe no permission.

          • MC

            June 26, 2014 at 9:29 am

            Thanks Jimmy. Getting closer. I was able to create one on my system and subsequently see it using vssadmin. But for some reason, I can’t see any from my mounted images. I also don’t see any when I choose the option to ‘Restore previous versions’ from the right-click menu in Windows, even though I see there are shadow copies. Not sure what’s going on…

          • jimmyweg

            June 26, 2014 at 3:32 pm

            Are you logged on as Admin to your host machine? I know that you are running vssadmin as Admin. If you have a VM of a Win 7 system (SEAT), add the mounted disk to that VM as a physical disk (there’s instructions on the blog). Then run vssadmin in the VM, targeting the added disk’s volume. It’s also possible that your SV structure is corrupt. Have you tried other mounted image files? If the issue arises in more than the one image, I think that the issue has to be with your system.

  4. Preston Farley

    June 8, 2014 at 8:19 pm

    Jimmy,

    Thanks for the great post and for all you’ve given to the community over the years. I’ve been lurking your posts and attempting to learn from them for a long time now. BTW, the hyperlink for AIM is printed properly in your article, but it is missing a colon when you click on it, in case that was not intentional.

    Thanks again for all that you do.
    ~bina computationem pro justitia

    Reply

    • jimmyweg

      June 10, 2014 at 1:32 pm

      Thanks for your kind words, Preston. The link should have worked as it was, but I fixed it now with a TinyUrl.

      Reply

  5. Luigi Ranzato

    June 4, 2014 at 5:37 am

    Hi Jimmy,
    thanks for the post, very usefull for me;
    Yesterday I tried the extraction operations, but not all goes right.

    In particular:
    1) Mounting with arsenal imager was OK;
    2) Automounting with vss.exe was OK;
    3) but, when I used FTK imager for ramdisk extraction, it has been stopped by “windows defender” while trying extraction a probable malware.

    So, FTK imager has been stopped by “windows defender” and I assume that for a total extraction, I nedd to use a VM without any protections

    Reply

    • jimmyweg

      June 4, 2014 at 8:35 am

      Thanks for writing, Luigi. I’ve disabled Windows Defender, and I think that you should do so. I don’t think it’s necessary for what you’re doing. Maybe you can write an exception for FTKI in Defender. I know that my antivirus doesn’t affect this operation.

      Reply

0
  846 Hits
  0 Comments

Coming Soon, Online WinFE Training Program

I'm making a detailed tutorial on WinFE that I hope to finish in the upcoming week.  Virtually everything you need to know about WinFE will be in the tutorial, with demonstrations and instructions on everything you need to know.  I'm covering the basics to the advanced, different building methods, commercial and free/open source software to add to WinFE, how to use it in different situations, and how to prevent errors.  This means using it in forensic acquisitions, covert acquisitions, electronic discovery, triage, and preview.  You name it, I'm covering it.

The length will be about an hour (maybe a little more, maybe a little less) and will include a real test to take if you choose to go the entire route.  The purpose is to give you, the professional examiner, a complete training program in WinFE with a test to validate your knowledge.  For those that already see the intention of the test and online training, let me explain to others that might be missing the point.

Although I'm not going to proctor your test, look over your shoulder, or have you scan your fingerprint to make sure it was you that took the test, I am providing the test for your benefit.  As you know, training and experience is everything.  It's everything on your resume.  It's everything when you testify.  It's everything when you are doing your job.  With that, I will give you a solid training in WinFE that you can take to the bank (in a manner of speaking...).

So, if you want formal training in WinFE, as much as an online class can be, stand by, it's coming pretty darn soon.  Pass the info along.  We can all benefit when more examiners use WinFE.  Plus, I'd rather be the expert that had training in WinFE when going against someone that didn't have any training with it...

winfe2

0
Tags:
  1294 Hits
  4 Comments

"Based upon the test results it is possible to run all versions of WinPE on a system with only 128 MB of system RAM"

winpeTake a gander at Misty's latest tests of WinFE/PE regarding RAM requirements and imaging speed...very nicely done with some impressive numbers.

http://mistype.reboot.pro/documents/WinPE.RAM/winpe.ram.usage.htm

On a different topic, some discussion on distribution licenses of WinFE has been going on at forensicfocus.com.  One of the takeaway points of the discussion is that you shouldn't be giving away or selling WinFE (or PE) ISO files....that will violate the Microsoft EULA.  Since WinFE is most typically used in legal cases, using a tool that you violated the EULA could cause serious issues with the evidence you collected.  So if you didn't build it, don't use it.  That is the very bad news.

The very good news is that you can make your own WinFE, free, in just a few minutes, without violating the EULA.

http://www.forensicfocus.com/Forums/viewtopic/t=11704/

I assume that one of the reasons Microsoft has such a restrictive EULA prohibiting distribution is so that the core files of WinPE (and FE) remain solid.  Downloading or using any 3rd party tool or something "a friend" sends you could contain anything hidden inside, like malware.  By using Microsoft's files, the odds are much lower that this will happen, meaning that when you build a WinFE, it is most malware free that can be expected.

After that discussion on forensicfocus slowed down, I had emails about WinFE regarding how to build it.  Not that I created the thing...but I will make a fairly detailed and easy to follow video on building a WinFE and everything you should know about it.  After all, if ever asked about your data collection tool, it's better to look like you know what you doing rather than say, "I downloaded this ISO file, booted the system and imaged with it, and don't really know much else about it."  Perhaps better to say, "I personally built and tested the imaging environment using industry best practices.  I used core files from the Microsoft company as allowed by its licensing agreement."

When the tutorial video is finished, I'll post the link.

 

 

 

0
Tags:
  1211 Hits
  2 Comments

Suggestions for a WinFE Imaging Tool Based on Clonedisk?

An imaging tool (CloneDisk) development project for WinFE...very cool...keep up with the thread and give your suggestions at http://reboot.pro/topic/19765-suggestions-for-a-winfe-imaging-tool-based-on-clonedisk/

Image

0
Tags:
  1072 Hits
  0 Comments

www.reboot.pro discussion | DMDE - Basic Disk Imaging Test (and results)

If you are interested in some behind-the-scenes efforts of developing WinFE, take a look at the www.reboot.pro forum threads.  And if you want to give input on what you would like WinFE to do...the reboot.pro forum would be a good place to submit a suggestion or lend a hand in development.

If for nothing but curiosity, you can follow along in watching the developers of the WinFE discuss how they are working toward making the lightest, fastest, full-featured, minimal builds, multi-boot, easy-to-use,  and cool forensic tool around.

I'll continue to post the latest links and download information on this blog, because I know that time is usually non-existent, deadlines are always minutes away, your laptop (while at the airport or onsite) has eight programs running while you are replying to ten emails, and you just need to know where to download that latest WinFE building information.  So, that will be here.  But for when you have time at the side of the pool, browse www.reboot.pro to watch these guys improve WinFE as it happens.

0
Tags:
  1009 Hits
  0 Comments