Colin's Write Protect Application

Here it is, Colin Ramsden's WinFE write protect application!




Although long in waiting, it is finally here.   Colin worked diligently on making this work without making Microsoft unhappy.  Documentation is forthcoming on the use of his application, but as you can see, it is really easy to figure out how to manage your disks.

Other little features may be coming in the future, but for now, say so long to DiskPart.

You can download the WinBuilder script from the BoxNet on this site (to your right of the page) and it will also be made available on the www.reboot.pro website.  The file, "wp.script" needs to be placed in the "tweaks" folder in the WinBuilder folder structure.

For support on creating a WinFE ISO using WinBuilder, consult the forums at www.reboot.pro.
984 Hits

Building your WinFE Update

For those that have been using WinFE and wanting to know about recent updates, I have only a little news to mention.    WinFE is still just as good today as when Troy Larson first created it, so not much in the update area there.  WinFE still boots the same computer systems and you can do the same forensic work as before, not much has changed since then.   DiskPart is still the primary (only) method to toggle drives on/offline, which isn't difficult to do.  Still command line, but easy commands to use.

WinFE Batch File Building Method


And building WinFE is the same as before, no changes there either.  If you use the batch file method, you can write your own or you can download pre-made batch files using the Box.net widget on this site to the right.   Several to choose and modify to suit your preferences.

The location of the batch files on this blog looks like the below screenshot, so if you don't see it, you may need to have Java enabled in your browser.

All the batch files are in this zip file.


WinFE WinBuilder Building Method


If you are using WinBuilder (www.reboot.pro), there have been a continual update of the WinFE scripts by RoyM.  The reboot.pro site is also the best place for forum support directly with the script writers if you have problems building your WinFE.  RoyM (and others) has taken a great lead in the WinFE WinBuilder development.  My hat is off to all the contributors.

Other Forensic Boot Systems


The "other" forensic boot systems have had a few updates, some major.  I would highly recommend checking out Raptor, CAINE, and DEFT!  A major difference between WinFE and several of the Linux forensic boot systems is that many of the Linux systems are pre-made forensic OS's, with freeware/open source tools already installed.  WinFE requires you to add the apps you want to use, which may be freeware, open source, or commercial.    A more complete forensic G0-Bag Kit has all of them....just in case....

 
610 Hits

An update to a long awaited project

It's been awhile, a long while, since there has been anything added to the WinFE project, and the bad news is that nothing is new other than Microsoft not quite accepting of Colin Ramsden's write protect tool.   As that is not good news, both Troy and Colin are working toward an effort that may meet Microsoft's needs for an acceptable (to Microsoft...) write protect application other than DiskPart.

Sorry for the news on no news, but WinFE still works as it is, you just need to use the command line to toggle drives on/offline.
678 Hits

Sharing the love with WinFE

There have been numerous presentations showing how to build and use a WinFE boot disc around the world.  Most recently I see that IACIS has given a demo this year along with several HTCIA Chapters and a DOD conference as well.  A write up of Imaging a MacBook by Sean Morrissey shows just how easy WinFE is to use on a MacBook based on one demo at IACIS.

As simple as it is to use, it has become even easier to build using WinBuilder.  Probably the most significant difference when using WinBuilder rather than building via WAIK and the command line is the numerous options that can be automatically added, particularly in that of supporting more software able to run on WinFE.



Many examiners have already tried to build and use WinFE, but I know there are a few of you out there that just haven't sat down to give it a whirl.   If you can speak to anyone that uses WinFE, they will each tell you that it is well worth it!

The next coolest thing to be added to WinFE is Colin Ramsden's GUI currently being finalized.   Say goodbye to the DiskPart command line!

751 Hits

Friendly reminders are always nice

Always test your tools (this includes WinFE).  Considering that NIST recently discovered that some Ubuntu based forensic boot discs could make modifications to a booted suspect drive (modifies the $logfile upon booting....),  these sort of news breaks are a friendly reminder to test your tools.  Additionally, when 'bugs' are found in forensic tools, it may help to review any cases that may be affected by a past use of a tool.  Even Guidance Software just released a firmware update to a hardware physical write blocker in which writes to the evidence drive were not protected.  How's that for reassurance with hardware write blockers being known as the absolute write protection tool?

You can't rely upon someone else's work, you can't even rely upon the label of a box of something you buy.  You just have to spend the time to test it personally.

If you've not tested a tool that you used and later find that there was a problem with it, how long will you worry about one of those times you relied upon it to come back to haunt you in a past case?

Better that you tested it ("I know it works because I tested it") rather than rely on someone else to test it ("But the company/website/brochure said it worked..."). 
559 Hits

How easy (or difficult) is it to build a WinFE with WinBuilder?

An easy quickstart guide to build your WinFE ISO...


1) Extract WinBuilder to the root of your C:/ drive

2) Run WinBuilder

3) Click 3 buttons and you are done.

If you want more features, such as additional programs, network support, audio, more drivers, customized wallpaper, create a bootable WinFE flashdrive, etc..., then you just need to push a few more buttons.  Download and read the write up (Users Guide to WinFE) for details on adding features.  It's just as easy as pushing the 3 buttons.

These screenshots show all that is needed.  Now, after looking at what is needed to create your WinFE, what is the reason you haven't started yet?.....




1659 Hits

Triage Notes and WinFE

One of the biggest benefits (besides imaging storage media) of WinFE is the ability to create a customized triage system at virtually no cost.  Purchasing a pre-made system may not be an issue when only one or a few systems are needed, but when outfitting an entire unit or perhaps an entire police department, bulk purchases of software to be issued individually most likely may not happen.  Completing disregarding the ability to triage due to cost does not benefit the community or country.  Finding solutions does.

With a WinFE "triage system", the cost can be minimal due to the multitude of freely available software available.  Not to be confused with shareware, pirated software, or other questionable software, there are plenty available at no cost that are effective and easy to use (and did I mention the keyword "free"?).

So, when contemplating purchasing a pre-built system, consider that a customized system can be simply created that fits the needs and budget of your organization or your case.

There are several tools of worthy mention, but plenty more that are just as viable for triage and forensic quality software.

For law enforcement and military, there is the excellent (and free!) search tool "Field Search".  Field Search is a tool initially developed to run on a live machine to scan for images, internet history, and other items of evidential value.



Field Search can also run under a WinFE booted system, giving it the capability of being "forensic" in that instead of running on the suspect machine and altering the system, it can now be run without altering the system.   Field Search is an extremely quick and easy program to use for First Responders and those in combat zones.  The use of this program in a forensic environment just doubled its potential.

The only limits to the software that will run on WinFE are those that depend upon the dependent files.  As an example, the Microsoft .NET framework is needed to run ChromeAnalysis and FoxAnalysis.   .NET is installed in the WinFE with the check of a box when using WinBuilder to build a WinFE ISO.  With that,  both FoxAnalysis and ChromeAnalysis from www.forensic-software.co.uk run in the WinFE booted system giving more options in triage.  Both of these tools provide an intensive internet history capability in any forensic examination, and can be easily used in a triage/preview situation.  

Other types of forensic software can also be used to target specifically desired information.  RegRipper can be used to run against an entire drive and output specific results to a text file.  RegRipper (freely available!) can be modified in a multitude to ways to target what may be needed in a given scenario, either by using pre-made plugins or writing a unique plugin based on what is needed.

 

WinFE allows you to customize a triage booting system based on several factors other than just a budget.  As an example, a police department can have a WinFE customized for First Responders with a bare minimal selection of triage tools, Field Search being a prime example.   Investigators could have additional tools (with some additional training) that can go beyond the First Responders' needs.  With this type of system, by the time a forensic examiner is given evidence to examine, the evidence has been prioritized by the First Responder and case investigator to best determine how resources should be spent.  Compared to literally dumping multiple computers onto an examiner's desk and asking for "everything", triage can be conducted for more effective results and quicker turnaround.  This can be applied to non-LE work as well.

 

 

Since WinFE can boot virtually any intel based computer, (this also includes Macs and *nix machines), the majority of situations can be handled with it.   Forensic Linux boot discs can be used in the same fashion as WinFE, using Linux software, however, I would hazard a guess to opin that most computer users are using the Windows Operating System.  Giving an unfamiliar operating system to a First Responder may be creating a problem due to mistakes being made by not knowing 'which buttons to push' to find the evidence...Those with more experience with Linux should not have that problem.  Given the option to outfit a battalion of combat troops with this capability...I'd probably lean heavily toward a Windows based system...


Fairly soon, if not already in some jurisdictions, the days of giving the forensic examiner dozens of hard drives that have not been previewed or triaged in some fashion by someone, will be over.   A WinFE triage system can be configured to find basic information (user accounts, internet history, graphics, etc...) which can be used to prioritize, or even eliminate, media to be examined.  Some information that can be gleaned onsite during triage could substantially affect the outcome of the situation (combat arena?  searching for victims related to an electronic crime scene? or other scenarios where an extensive examination will yield results that may be useless months later?).

Using a triage system can save more hours than you may initially realize.  If just one computer hard drive is triaged, and determined not to be of importance (as compared to the other 10 in the investigation...), then it need not be imaged (saving hours) and need not be examined (saving days).   It's very easy to determine the ROI or manhours saved with one hard drive, extrapolate that to dozens or more hard drives.  How's that for cutting down the workload?

 

Tags:
669 Hits

OSForensics

Giving more usability to WinFE, OSForensics has several features that I can see being beneficial in triage of a system with OSForensics.  OSForensics can be run on a live system (not the optimal decision in most cases), a mounted image, or in a forensically booted WinFE system.



The program's interface is simple and encompasses quite a bit of the basic forensic processes (searching, indexing, hashing, etc...).  Of particular interest is that some of these standard forensic processes can easily be used in a WinFE booted system for basic triage.

As an example, a scan of images of the suspect computer can be conducted with OSForensics.    This type of triage may certainly help determine which computer systems contain illicit images and need forensic analysis.

Another feature that can benefit cases is that of indexing.  OSForensics allows for indexing of files, including email (pst, mbox.msg,eml, and dbx), for keyword searches.    Searches can also be restricted by date ranges.

Although OSForensics doesn't appear to be as powerful as a tool such as X-Ways Forensics, I definitely foresee a place where it can used, particularly in a First Responder role.
587 Hits

WinFE Demo Online

I'll be giving a demo of WinFE to www.ctin.org on March 10 (online).  I'll be showing some neat developments in the work as well as discuss solving build problems.



There are a few spots left and you have to be a CTIN member to view the presentation.  But maybe it is something worthwhile to join anyway as most all the training is free to members.

Tags:
573 Hits

But does it do Mac?



Just to clear up any questions on whether WinFE can 'do a Mac', well...it can.  And Linux too.  And of course it can do Windows as well.   As long as the machine can be booted to a WinFE CD or USB, then you can image the hard drive.  Actually, you can do a whole lot more than just image it...you can triage it, preview it, search it, or just copy files and folders from it.  If the drive is encrypted and you have the key, you can access the drive.  And what about VSS (Volume Shadow Service/Copies)....you can access those too, all through WinFE.

I can promise that as soon as you build a WinFE CD or bootable USB, you will regret not having done it months or years earlier (it's been around since 2008....).  And if building a forensic boot OS makes you hesitate at all, there is no need because if you use WinBuilder, it is as simple as pointing and clicking to fully customize your Windows FE CD or bootable USB.
Tags:
719 Hits