An imaging tool (CloneDisk) development project for WinFE...very cool...keep up with the thread and give your suggestions at http://reboot.pro/topic/19765-suggestions-for-a-winfe-imaging-tool-based-on-clonedisk/
An imaging tool (CloneDisk) development project for WinFE...very cool...keep up with the thread and give your suggestions at http://reboot.pro/topic/19765-suggestions-for-a-winfe-imaging-tool-based-on-clonedisk/
If you are interested in some behind-the-scenes efforts of developing WinFE, take a look at the www.reboot.pro forum threads. And if you want to give input on what you would like WinFE to do...the reboot.pro forum would be a good place to submit a suggestion or lend a hand in development.
If for nothing but curiosity, you can follow along in watching the developers of the WinFE discuss how they are working toward making the lightest, fastest, full-featured, minimal builds, multi-boot, easy-to-use, and cool forensic tool around.
I'll continue to post the latest links and download information on this blog, because I know that time is usually non-existent, deadlines are always minutes away, your laptop (while at the airport or onsite) has eight programs running while you are replying to ten emails, and you just need to know where to download that latest WinFE building information. So, that will be here. But for when you have time at the side of the pool, browse www.reboot.pro to watch these guys improve WinFE as it happens.
"Misty" has updated Mini-WinFE, the quick and easy build of the Windows Forensic Environment. There are some pretty neat updates to the build (listed below). So far, the best documentation I have seen on WinFE, specifically Mini-WinFE is here: http://mistype.reboot.pro/documents/WinFE/winfe.htm. This is the kind of stuff you want to read in order to really know as much about WinFE as possible. Another really good source of info on mistype is at http://mistype.reboot.pro/mistype.docs/readme.html.
Before I get any complaints about "WinFE is not perfect" or "WinFE can't do everything", let me that yes that is correct. It is not perfect and cannot do everything. In the world of forensically booting evidence machines, some Linux bootable environments work very well too. Some machines can't be booted forensically, that is true as well. But for the marjority of systems that can be booted forensically, WinFE has its place. For the average and above-average examiner needing to boot the evidence machine, there are few options available that make it super-easy to add drivers on the fly or use your Windows based apps from the office rather than Linux based you hardly (if ever) use.
If you haven't checked out WinFE, you should. Everyone else is already on board :)
Some tidbits in the Mini-WinFE include:
[caption id="attachment_1177" align="aligncenter" width="806"] You gotta download the new version and check it out. It's plain cool. http://reboot.pro/files/file/375-mini-winfe/
2014.04.26 ========== * Added a number of additional options in the core script - these are all enabled by default. The new options will remove a number of unsupported options from the right-click context menu. Thanks to reboot.pro forum member farda for these suggestions. * Added "Open with" workaround for WinPE 4.0/5.0. See - http://reboot.pro/topic/19732-help-with-open-with-in-winpe-4050/ * WinFE settings are now separate to the Shell script - but are still mandatory. They have been moved to a new script \Programs.winfe.script * Option to use either SANPolicy 3 or 4 (in new WinFE script) - SANPolicy 3 is automatically used with WinPE 2.*/3.* sources as SANPolicy 4 is only supported in WinPE 4.0/5.0. * File dependencies (to be extracted from install.wim or copied from the host Operating System) are handled in one (hidden) script - Core\required.files.script. This will make it simpler to implement any future file dependencies. * Added a script to copy files and folders from a local directory - allowing the easy addition of third party files. A menu entry will open the directory these files were copied to. * Added Tools\Create USB script - it's now possible to create a MistyPE bootable UFD during the build process. Use with caution - see documentation for more details. Tested with Windows 7 (SP1) and Windows 8.1. * Added ADK For Win 8 (and 8.1) scripts. Refer to documents. NOTE - this has only been tested using Windows 7 (SP1) and Windows 8.1. * Wallpaper support (.jpg) added for all builds - this feature was not previously working with WinPE 4/5. See Programs\Wallpaper script. * Wimlib-ImageX updated to version 1.6.2 * Added build 6.3.9600 (Windows 8.1 - Final) to the list of tested/working sources. * Added the following scripts - - WinHex - DMDE - Opera - 64-bit support added. - Keyboardlayouts * Included FAU in the download. This is redistributed with the permission of the author (GMG Systems Inc) - refer to the project documentation. * Program scripts now contain menu entries - this should make it easier to add new program scripts. Previously all menu entries were contained in the shell script - resulting in multiple script edits for any new programs added. * Various tweaks in core script - "FileDelete,"%Cache%\temp\*.*" has been added to to ensure that cached batch files and .ini files are deleted earlier in the build process. Without this fix there are errors in some very limited curcumstances. - Added verification check from registry files extracted from boot.wim - only used if the wimlib-imagex checks fail. * Script structure has been changed for all Program scripts. Hopefully results in better error checking for any missing files. * Browse for folder support is added by individual program scripts even if this option is not selected in the Core script. Resulting in a more modular approach (see "http://reboot.pro/topic/19042-modular-apps-philosophy-for-winpe/" for the philosophy behind this approach). * Documentation updated - added section on using the ADK For Win 8.1.
I get a few stories of how WinFE saved the day and a few of these heroes let me retell their story. This is one of them. The ‘detective’ wishes to be unnamed, but for sake of argument, I know who he is…
A detective from a California law enforcement agency that had attended the SEARCH “Network Investigation and Digital Triage” course contacted the instructors with assistance in building a WinFE based on Windows 8.1. The detective was given guidance and links to the various resources needed to create the WinFE8.1SE. The detective was further given assistance in adding in the utilities he would need and finally validating the build to insure that it was forensically sound.
In a follow up call, the detective indicated that the he had obtained the duplicate images he needed, with one minor modification. He found that one of the target drives was mounted through an add-in card and was not initially recognized by WinFE8.1SE. Noting that Colin Ramsden’s write protect utility allowed for adding drivers to the system, the detective located the add-in card drivers and added them to the system. WinFE8.1SE and Colin’s WP utility then recognized the additional drive and allowed mounting it read only. The detective then successfully obtained duplicate images of both target drives.
Taking WinFE to even another level on a multiboot thumbdrive. Very cool, but I spread this word to you because there are few things in life neater than a forensically bootable CD/USB with X-Ways Forensics.
A faster WinFE build is available on http://winfe.wordpress.com/ that includes a script to add XWF to the build. Of course, you have to have a license for XWF for the script to add it to the build. As of now, it includes FTK Imager and dd tools, with more on the way to add. The build method is a beta only because more apps are being added that need to be tested. Other than that, it works great with FTK Imager, XWF, and a few other small apps. The goal is to put several imaging options on it for user preference.
Have 10 minutes to spare? Then you can build a WinFE bootable USB or CD with XWF installed on it.
There is no difference between the write protection in this faster build as it uses Colin Ramsden's write protection application, but the main difference is that you can build a WinFE ISO file in less than 5 minutes, start to finish. You can burn it to a CD or make a bootable USB within 5 more minutes, giving you a WinFE in about 10 minutes time, starting from pushing the button and having a WinFE CD/DVD/USB in your hand.
Although this is meant to be the fastest method to build an acquisition boot OS, with X-Ways, you can still do a heck of a lot more than just imaging with WinFE. And just because it only takes 10 minutes doesn't mean WinFE is a minor forensic tool. With XWF, WinFE is way more than just something you can throw together to image. It's really neat.
One of the biggest benefits (besides imaging storage media) of WinFE is the ability to create a customized triage system at virtually no cost. Purchasing a pre-made system may not be an issue when only one or a few systems are needed, but when outfitting an entire unit or perhaps an entire police department, bulk purchases of software to be issued individually most likely may not happen. Completing disregarding the ability to triage due to cost does not benefit the community or country. Finding solutions does.
With a WinFE "triage system", the cost can be minimal due to the multitude of freely available software available. Not to be confused with shareware, pirated software, or other questionable software, there are plenty available at no cost that are effective and easy to use (and did I mention the keyword "free"?).
So, when contemplating purchasing a pre-built system, consider that a customized system can be simply created that fits the needs and budget of your organization or your case.
There are several tools of worthy mention, but plenty more that are just as viable for triage and forensic quality software.
For law enforcement and military, there is the excellent (and free!) search tool "Field Search". Field Search is a tool initially developed to run on a live machine to scan for images, internet history, and other items of evidential value.
Field Search can also run under a WinFE booted system, giving it the capability of being "forensic" in that instead of running on the suspect machine and altering the system, it can now be run without altering the system. Field Search is an extremely quick and easy program to use for First Responders and those in combat zones. The use of this program in a forensic environment just doubled its potential.
The only limits to the software that will run on WinFE are those that depend upon the dependent files. As an example, the Microsoft .NET framework is needed to run ChromeAnalysis and FoxAnalysis. .NET is installed in the WinFE with the check of a box when using WinBuilder to build a WinFE ISO. With that, both FoxAnalysis and ChromeAnalysis from www.forensic-software.co.uk run in the WinFE booted system giving more options in triage. Both of these tools provide an intensive internet history capability in any forensic examination, and can be easily used in a triage/preview situation.
Other types of forensic software can also be used to target specifically desired information. RegRipper can be used to run against an entire drive and output specific results to a text file. RegRipper (freely available!) can be modified in a multitude to ways to target what may be needed in a given scenario, either by using pre-made plugins or writing a unique plugin based on what is needed.
WinFE allows you to customize a triage booting system based on several factors other than just a budget. As an example, a police department can have a WinFE customized for First Responders with a bare minimal selection of triage tools, Field Search being a prime example. Investigators could have additional tools (with some additional training) that can go beyond the First Responders' needs. With this type of system, by the time a forensic examiner is given evidence to examine, the evidence has been prioritized by the First Responder and case investigator to best determine how resources should be spent. Compared to literally dumping multiple computers onto an examiner's desk and asking for "everything", triage can be conducted for more effective results and quicker turnaround. This can be applied to non-LE work as well.
I'll be giving a demo of WinFE to www.ctin.org on March 10 (online). I'll be showing some neat developments in the work as well as discuss solving build problems.
There are a few spots left and you have to be a CTIN member to view the presentation. But maybe it is something worthwhile to join anyway as most all the training is free to members.
You can now download the WinFE WinBuilder. Thanks to everyone that helped support this effort, it was well worth it.
As to a guide on how to use WinFE, it probably isn't really needed since WinFE is simply a forensic boot disc. So, you might not need any help in putting WinFE to good use. However...there may be a few things you didn't know you could do with WinFE that could be of interest. Since that might be the case, here is a quick guide on tips on using WinFE as well as tips for building with WinBuilder.
Users Guide to WinFE
For support on how to use WinBuilder (troubleshooting, advanced features), check out the WinBuilder website at http://reboot.pro.
To reiterate some points about WinFE (and to hopefully prevent 'hate mail' coming to me from commercial products...), WinFE is an addition to your forensic toolkit. It doesn't replace any tools, only supplements what you are using anyway. Commercial products that do the same thing that WinFE does work too, keep buying those if you want, you don't have to use WinFE. And for the Linux lovers out there (Hey, I'm one of you guys too!), there is time and place for everything, sometimes WinFE is best, another time CAINE or DEFT or ???*nix may be best.
As far as anyone making a profit out of WinFE, no need to ask, because no one is; it is a community project of customizing a Windows PE to fit your needs.
And yes, there are even some more neat things to be added to WinFE in the future...but as of now, you have access to a solid forensic environment.
For additional credits to this project;
Jad Saliba (of JadSoftware.com) has released an update to his Internet Evidence Finder/IEF in a portable version. Now this sounds really good to have the ability to plug in a USB drive into a running machine to gather the information that IEF does. But, to take it a step further, I tried IEF within a booted WinFE system. And the result....it works perfectly!
To make sure you can get the full grasp of how neat this is, you can boot to WinFE and run IEF across the physical drive, without making any changes to the evidence. This could be of real importance in an investigation such as a missing person case where internet/chat/webmail may be of immediate intelligence value. Rather than imaging the hard drive to search for this data from the image, or booting the machine to its operating system and potentially overwriting pertinent data, you can boot to WinFE and run IEF on the write protected drive. Of course, in a missing person case where chat is involved, it may also be most important to capture the volatile data FIRST before turning off the computer.
In civil case matters, this can be a fairly quick method of obtaining data relevant to the case matter onsite if imaging the hard drive is not allowed.
Although IEF doesn't run on Mac or Linux....if you boot a Mac or Linux machine with WinFE, IEF will run against that Mac or Linux hard drive ;)
If you haven't seen Marc Remmert's video on creating a WinFE ISO, here is his video. Although the WinBuilder method greatly simplifies what Marc shows in his video, it certainly recommended to see what is actually happening to a Win"P"E to make it into a Win"F"E, no matter the process used, at least understand the changes being made, the reason for the changes, and the validation of the changes. And for those that insist that WinFE is not WinFE and that it is WinPE...well, you are sorta correct. WinFE is the 'forensic' modification of a WinPE, so it really is something different.
On the WinBuilder topic, a great group of beta testers have started to put WinBuilder through its paces. Again, although the end result is that you will be able to create a WinFE ISO with a few clicks, it is best to know what is happening behind the scenes and Marc's video gives you that insight.
Just before the latest WinBuilder WinFE gets released, would you like to take it on a test run first before the rest of the world gets it? There are some neat features (Bitlocker support, DiskPart batch file, plus others), but the main concern is testing to see if anything needs to be fixed, corrected, added, or taken away from the build.
Here is a neat and FREE app to test your Live CDs. Not sure how I missed this one, but instead of creating an entire virtual machine to boot a ISO for testing, you can just run the ISO with MobaLiveCD (http://mobalivecd.mobatek.net/en/). QEMU opens a virtual machine window that much faster on your screen.
This may just cut down the number of cup mats I usually make when burning CDs...
On the subject of triage, I have some thoughts which some companies may not like to hear (at least companies selling triage software or 'triage computer systems'...).
Here are some problems I see with several triage systems available;
-Any triage tool that is marketed that anyone can plug it in and capture all responsive data and even create a forensic image, without having any knowledge of computers is a tool I would keep at a safe distance from custodians of data...Plug n' Play to capture evidence or triage a system? How many problems? Let me count the ways...
-Any triage tool that is restricted to run on a specific computer is one that has just limited itself out of the market. Since when do you want a tool that can only run on a specific computer you must buy? Sorta useless if something happens to that computer.
-Any triage tool that professes to magically find all relevant data, even in the hands of untrained persons...wow. Are you sure its finding what you need?
Why not triage a computer like everyone did in the old days. Boot to a forensic OS (pick your flavor of OS) and use a tool you always use to find what you need to find. Every case is different, so every triage is bound to be different. On one computer, you may need to see the registry, whereas on another, you need to see the images.
And untrained persons triaging machines? Good luck. Emergency rooms don't use non-medical staff to triage patients, why would anyone use non-computer trained persons to triage computers?
As for a pretty good system for triage, build a WinFE disc (it's free, you don't need to buy anything other than a CD) and put your favorite forensic tools on it, the ones you use all the time. Now you have a triage system. No, more than that, you have a complete Windows Forensic Environment to look for exactly the things you need to look for. Done right the first time.
So the next time you see a "Triage System" that is plug n'play simple, that decides what data you need to be collected, and that you just sit back and let it work, think about it a little more. As for me, I want to push the buttons and triage based on what I need and what I see when I am looking at the data.
By now, most everyone involved with forensics knows about the latest release of FTK Imager 3.0. In my opinion, this is perhaps the best release ever of FTK Imager and probably one of the top releases of software this year because of one of the newest features and the price (FREE and MOUNTS IMAGES!). Given other expensive software, or free software that doesn't work as expected, or difficult to manage manual procedures to mount images, to now have FTK Imager 3.0 quickly and neatly mount an image is a nice addition to my Start Menu.
So the bigger deal with FTK Imager 3.0....it runs in WinFE. With FTK Imager 3.0, you can mount images in WinFE and conduct analysis in the Windows Forensic Environment with any other tool that runs in WinFE, such as X-Ways Forensics, ProDiscover, or Encase.
Now I know what you are probably thinking. FTK Imager "Lite" 2.9 will run in WinFE and that version doesn't support image mounting. FTK Imager 3.0 needs to be installed, which is problematic in WinFE. Well, right and wrong. FTK Imager 3.0 only needs to be installed on any system, then copy the program folder onto WinFE to run as if it were installed. Voila! No need for the Lite version when you can have the full meal deal.
Now how's that for having a completely self-contained Windows Forensic Environment, running minimal processes on just about any system...technically, this is called, "Niiiccceee...."
And yet another use for WinFE.
This year, at the University of Washington's Digital Forensics Certificate Program, I am having each student create their own Windows Forensic Environment with as many forensic applications as we can fit on a USB drive. This fulfills several objectives that any school or training program can incorporate at virtually no cost.
Students in forensic programs can learn to create a forensically sound bootable media and validate it through testing (how's that for a takehome assignment?). Since WinFE can be used as a forensic platform on almost any computer (for those students without a 'forensic machine' at home), this bootable media may be more than enough to practice and do homework assignments on their home computer (...they can image...they can run forensic tools against an image or hard drive...they can do quite a bit). Forensic software developers...consider making your applications run in a portable mode and VOILA, you just reached a second use (and market) for your application/s. Anything that runs on WinFE is a tool I want and so far, only X-Ways Forensics fits that bill as a full fledged, portable forensic suite.
And yes, a Linux forensic environment can do many of these things as well, so why not do both? The cost of a Linux CD...same as WinFE :)