Massive Government Surveillance - Not a new thing

I'm close to wrapping up my latest book, Hiding Behind the Keyboard. One of the more interesting things I found while researching the electronic surveillance chapter is a historical note of massive electronic surveillance...way back in the early  1890s

Considering that government surveillance is one of the hottest topics today, no doubt brought into the spotlight by Edward Snowden, I found this one historical bit of surveillance in New York to be a reminder that electronic surveillance has been around much longer than what the average person may know.

Before getting into the New York Police massive surveillance story, you should know that wiretapping has been around as long as communicating electronically has existed.  For example, as soon as the telegraph was used, the telegraph communications were intercepted. During the Civil War, a "wire tapper" was an actual job in the war to intercept telegraphs!  But that's not what I mean in regards to mass goverment surveillance. The New York Police Department's history with wiretaps is what I found to be really interesting, even more interesting than the NSA surveillance disclosures

In short, back in the late 1800s, New York made wiretapping a felony but the NYPD believed they were above this law. They tapped people at whim and without warrants, including tapping Catholic priests.

In fact, NYPD quickly discovered that they could tap into any phone line of the New York Telephone Company, at anytime  to listen to any person on the line. They even tapped into hotels to listen to hotel any guest.

Obviously, this free-wheeling phone tapping ended after the Supreme Court decided that the Fourth Ammendent protected "intangles" such as communications when it was previously believed that only "tangibles" were protected against unreasonable search and seizure. However, the NYPD experience shows that when  given unfettered access to monitoring and surveillance, government can go too far with good or bad intentions.

The solution to prevent going too far is simple. Get a warrant. Smart government employees know that a warrant protects the people and the employee's career. For anyone to say warrants are difficult, impossible, or too burdonsome simply has not written an affidavit for a warrant or just doesn't have the probable cause in the first place (or may be lazy....).  Warrants are easy to write if you have probable cause.  In fact, some warrants don't even need to be written for approval as a recorded phone call to a judge can get you a telephonic warrant approved in less than half an hour or faster.

For those against any government surveillance, such as wiretaps or pen registers, as long as there is a warrant, there really isn't any problem.  The Constitution and state or federal  laws that approve wiretaps require that the searches not be unreasonable or unnecessary (meaning, there must be cause).  Technically, it is almost as easy as flipping a switch, but practically, it takes takes an investigation to develop probable cause that a crime exists in the first place.  No crime = no probable cause = no warrant.

As a disclaimer to my personal experiences, I have initiated and supported dozens of wiretaps, pen registers, trap and traces, hidden cameras, GPS installations, body wires, and bugs during my time in criminal investigations. I've had probable cause every single time, so much so, that PC dripped out of my investigation binders. And with that, I'm not a fan of unfettered, massive government surveillance without cause...

1502 Hits

Libraries and the Tor Browser

Libraries and the Tor Browser

A few weeks ago, I was asked by a librarian for my opinion on library patrons using Tor in public libraries. My initial reaction, based upon having done more than a few cybercrime cases, is that Tor in public libraries is a bad idea. How can law enforcement track criminals who use library computers when the Tor browser is being used?  And libraries are government entities! Tax dollars would be spent helping criminals commit crimes on the Internet and remain anonymous. By all means, NO! Don’t do it!

From a law enforcement perspective (which I have not lost since my days in law enforcement), the Tor browser makes cybercrime investigations practically impossible to identify the user for 99% of cyber detectives and this is a major problem for investigators.  The remaining 1% of cyber analyts have access to supercomputers and virtually unlimited budgets that is beyond the scope and reach of the regular police detective.   Since the Tor network is so effective in providing anonymity to Internet users and police are practically powerless against it, why support it since criminals are using it?

About a half second later, my opinion changed.

The public library protects freedoms more than most people will ever know (except for librarians…they know about freedom protections). Sure, police protect freedoms by protecting Constitutions (state and federal versions) but law enforcement has a dilemma. On one hand, they swear to protect freedoms and on the other, the freedoms restrict their ability to protect.  Using the First Amendment as an example;

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Taking the freedom of speech as an example, people have a right to express themselves and that not only includes speaking, but also reading, and communicating (assembly) with other people. Libraries provide access to information and support intellectual freedom.  And of course, people abuse freedoms and commit crimes, such as harassment where free speech goes too far and intrudes on someone else’s rights. Maybe it's easier to protect speech by getting rid of it? Nope. That doesn't work...

Many (all?) public libraries today in the United States provide Internet access with WiFi and public terminals. Complete freedom to browse the Internet and communicate with people around the world certainly meets freedom of speech criteria.  You can’t get much more supportive in providing access to information than that. As a government entity, the public library supports the First Amendment more than any other entitity.

Here comes Tor.

Without getting into too much detail about “Tor” (The Onion Router: http://www.torproject.org), let’s just say that Tor can be looked at simply as an Internet browser that hides the Internet Protocol (IP) address of the computer user. That means that a computer user can be practically anonymous online when using the Tor browser.  The Internet history cannot be tracked, the physical location of the user cannot be tracked, and users can feel secure that they have privacy online without interference from government or other persons.

Internet privacy is important. Not only is government tracking of Internet users invasive, but so is corporate intrusions into personal privacy. Every person has different tastes, likes, interests, and beliefs. The founding principle of privacy is…privacy. Tor provides that privacy when it is used appropriately.

Running the Tor browser is simple enough since it is just an Internet browser (basically anyway). For a library to support Tor use, IT staff just need to download the browser to the public computers and put the icon on the desktop.  That’s all there is to it to give library patrons access to Internet privacy.

During a recent conversation with a librarian, I was told that the library (in the Seattle area), does not monitor, track, record, or even look at patron Internet history and useage. After explaining that the library certainly has the technology to do so, by default in their network system, and that every patron’s Internet history can be viewed, tracked, recorded, logged, and be required to be produced to law enforcement by court order, the conversation changed quite a bit. Obviously, if a crime has been committed and a search warrant is obtained, providing any information to investigate and prosecute criminals is a good thing for society as a whole.  The drawback is Internet history being logged or viewed for all patrons, in any manner, for general purpose or for later historical analysis. That negates privacy and goes against intellectual freedoms for which the public library stands.

With Tor, patrons can generally be assured their Internet use is private (barring screen capture software, keyloggers, compromised systems, etc…). This is a good thing for patrons to have as a choice. Tor is not perfect and has drawbacks to the ‘normal’ Internet browsers, but for the most part, if privacy is a concern, the Tor browser relieves the concerns.

As an investigative point, if a criminal wants to remain anonymous and use Tor to commit crimes, the library probably isn’t the best place to do it. Although most libraries do not have video surveillance cameras, some do.  There are libraries (the East Baton Rouge Parish Library as one example) that hire police officers as security! For a criminal to use a library computer to commit a crime may make it easier to get caught.

Tor relays: it’s Tor, but a little bit different topic. One of the methods that Tor is effective is that when using the Tor browser, computer relays (“Tor relays”) are being used to route the computer user’s traffic around the world.

http://www.torproject.org 

Anyone can volunteer to be a Tor exit relay, where Internet traffic running through the Tor network will ‘exit’ from your system. By being a volunteer, you help world-wide Internet anonymity by providing a Tor exit relay. For the most part, nothing bad happens, but occasionally, the Internet traffic leaving your relay could be criminal in some aspect, such as child pornography. You won’t see it, nor have anything to do with it, but your IP address will be tied to it since your relay is the last relay to receive/send it.

Not that this makes you a criminal, or that you facilitated a crime any more than if you sold a Ford that was used in a bank robbery as a getaway car, but it can happen. Today, law enforcement is more aware that Tor exit relays are not the source of crime, and the person running the relay is not the criminal they are looking for.

https://www.propublica.org/article/library-support-anonymous-internet-browsing-effort-stops-after-dhs-email

So it was strange to find an article where law enforcement pressured a library to not volunteer as a Tor relay. Tor relays exist world-wide. There are literally thousands of relays, everywhere. Shutting down every relay is virtually impossible. So why push libraries to not volunteer when it is the public library standing for the freedoms in the first place?

As a business consideration, my opinion on public libraries being Tor exit routers depends upon the cost required to set up and maintain it since public libraries are funded by the public with taxes. Other than that, if the public supports it and libraries can do it, why not? A public library can do little more for intellectual freedom than not only providing use of the Tor browser, but also operating a Tor relay.

Restricting or eliminating use of the Tor network would be like shutting down Toyota dealerships because the Toyota Camry is used for bank robbery getaway cars.

For the investigators worried about rampant crime in the library because of Tor…you can still catch the cybercriminals.  And for libraries worried that they will facilitate crime, don’t worry about that either. Tor users can’t choose the Tor exit relays.  It won’t be like cybercriminals will be able to pick a library Tor exit relay and commit crimes.  I give an entire chapter on beating Tor in my next book, at least as much as Tor can be beaten.

 

 

 

Tags:
4876 Hits

Teaching Digital Forensics at the University of Washington

Teaching Digital Forensics at the University of Washington

Several years ago, I taught at the UW Digital Forensics Continuing Education program before taking a break. Now I'm back at it.  A new course with new material, including mobile device forensics.  A change in the program is that the course is offered online as well (not on demand, as the classroom will be broadcast in real-time).

A continual theme in the program is case development.  From the smallest piece of evidence through gathering more evidence, broad analysis to specific targeting focus, to search warrants, and putting an entire case together; that is the goal of the course.

My primary purpose is teaching how to do an actual digital forensic case as I firmly believe that a certification without competence is not useful in the least bit.

A potpourri of software is used throughout the program to show that there are many ways to get to the answer using different tools.  In fact, the tool is not the focus as much as running a case is.  Using software tools gets the information you need to further your case development through case closure.

Consider registrating for the course, it'll be lots of work, but lots of fun to work cases along the way.

b2ap3_thumbnail_UW.JPGhttp://www.pce.uw.edu/certificates/digital-forensics.html

1895 Hits

A little update coming for Mini-WinFE

A little update coming for Mini-WinFE
b2ap3_thumbnail_misty.jpg b2ap3_thumbnail_miniwinfe.JPG    The developer of Mini-WinFE will be adding a script that will install EnCase Forensic Imager into Mini-WinFE. Misty is a little busy right now, but in a few weeks, should be a reality.  So, you'll have another imaging tool option in WinFE that is freely available to use.    You'll notice that WinFE hasn't had much of any updates  for some time and when the updates do happen, they are little tweaks if much else. That is because there isn't too much more that can be added to WinFE. It's quick and easy to build, easy to use, and fills a niche when and where needed.    If you haven't built a WinFE yet...why not? To date, there have been over 8,000 downloads of Mini-WinFE alone, not counting thousands of downloads of Winbuilder to build WinFEs, and thousands of builds using the command line.    Lastly, since WinFE is rarely updated, I've imported the free wordpress blog to mine for simplicity of keeping up with WinFE updates and posts. To keep up with WinFE updates, follow me on Twitter
Tags:
3743 Hits

Tor is perfect! (except for the user....)

Tor is perfect!  (except for the user....)

I have been spending so much time with the Tor browser over the past months that I have forgotten just how seamlessly it uses a complex network of global servers, and encryption to provide a near perfect level of online anonymity. The Tor browser is extremely effective in providing near 100% anonymity that if not for one little flaw, it would be perfect, and I found that flaw.

The flaw is the user. Yes, every physical device and software application has the same flaw, but with Tor, it is a flaw that can completely negate using Tor for anonymity with misuse. Something as simple as a user not updating the Tor browser when prompted in bold print is enough to break anonymity. The Tor browser can only do so much to warn users to update the browser...

On one hand, criminals using the Tor browser who are lazy, too busy, or not accepting the danger of using outdated Tor browsers run the risk of getting busted.  On the other hand, legitimate users, such as those living under oppressive governments, can be discovered and imprisoned (or worse!) for exercising speech online.  Both situations generally require the user to be the weak link.

FBI Uses Spyware to Catch Tor-Based Child Pornography Suspect - Softpedia News

http://news.google.com Thu, 01 Oct 2015 02:46:49 GMT

http://t1.gstatic.com/images?q=tbn:ANd9GcQxYPXiaO7F03zDfLzy9fCeiyj7obMA0G6jj8US0UWF_LBSKY7Tuq7WFLZykSGdtdYjjBoDZl4Softpedia NewsFBI Uses Spyware to Catch Tor-Based Child Pornography If you were wondering, the Flash plugin comes turned off by default in all Tor Web browsers. For this particular reason, if you ever read a tutorial on how to pr ...

Read more ...

I have been known to have the superpower of being able to break steel balls while locked in a rubber room, so trying to break Tor seemed possible. With more than a few personal tests, I found Tor works well.  Reading through dozens of white papers written by computer scientists (waaaayyyy smarter than me) only confirmed that Tor works...very well.  It is just the user, either by using outdated Tor browser bundles or other user-created accidents that are easily led to their front door.  In my current book, Hiding Behind the Keyboard, I have written a chapter solely dedicated to the Tor browser and included some methods where investigators can force a user error to identify criminals. In short, for investigators it is a game of chance when Tor is involved in an investigation.

Writing about Tor is a bit touchy. Generally, individual countries create and enforce laws for that country. Some countries allow near unfettered freedom of speech and others less so. Some countries go to extreme measures to identify and punish anyone speaking out against their government or government officials.  Technically, the methods to uncover Tor users in both types of countries are the same.  Some countries go so far as to shut down the entire Internet to prevent any use at all by its citizens. The touchy part is that the methods to go after criminals are the same methods used to go after legimiate users (whistleblowers, activists, etc...).   

China tightens noose on Internet as anti-censorship tools suddenly shutter - Washington Times

http://news.google.com Wed, 26 Aug 2015 20:29:28 GMT

http://t3.gstatic.com/images?q=tbn:ANd9GcQ4S__sARQwUCjQj6xlXikkzYxHZMr-5dgXdzJOKPjG_VEKcHE0UIUw5bD8w0DKowAhIVMKwiJ4Washington TimesChina tightens noose on Internet as anti-censorship tools suddenly shutter. Censorship circumvention tools designed to bypass Internet restrictions are again under attack in China as software meant to let users around th ...

Read more ...

Which brings me to the many news articles and NSA/Snowden leaks about Tor. Nearly all are based on exploiting the user and not Tor. Sure, high-tech spyware has been used to infect Tor browsers to uncover IP addresses and such, but the only reason this has been working is because the user has failed to use the most current version of Tor. And much like a house of cards will fall with one card pulled out, an entire criminal organization using Tor to commit crimes will fall when one thing (the user) is exploited through user errors or forced errors.

Tor is not perfect, and certainly not best for all Internet use, but it has its place when needed. As one example, whistleblowers have a legitimate need for anonymity to report violations. Another would be anyone using a public computer (library, hotel, etc...) and would like the Internet provider see everything they are doing online, not for criminal activity, but simple personal privacy.

For forensic analysts, the biggest takeaway I can give is that if you are not looking for Tor use in your cases, you may be missing LOTS of evidence. Think back to the last time you even searched for Tor remnants in an analysis. How about the last time you even thought about looking for Tor in an examination.  Or better yet, have you ever even considered it? Examiners who conduct an "Internet Analysis" of a computer system is not being complete without including searching for remnants of the Tor browser.  The mere existence of the Tor browser can affect your analysis conclusions.

In two investigative/forensic books I have been working, Tor is a factor for analysts, but it is not the only factor. Tor is but one part of any person's overall communication strategy. Rare is communication based on a single method, but instead included many types of communication methods used in conjunction with other.  A cell phone text message can be a reply to an e-mail sent through Tor which was a reply to a face-to-face contact.  When uncovering covert communications, the goal is to find all the methods in order to put the entire communication threat together, without missing pieces. If you have not been looking at Tor, most likely, you have missing pieces.

Tags:
3485 Hits

I had a blast presenting for ICAC at Microsot

I had a blast presenting for ICAC at Microsot
b2ap3_thumbnail_ICAC.JPGI gave two presentations today at the NW ICAC conference hosted by Microsoft in Redmond, Washington on the same topic in two parts. I met some great folks in the field doing so really awesome work to protect children. Plus, I got to see some people that I have not seen in a long time. All the sponsors set up a great conference with Microsoft providing the venue. I was only there for the first day and I'm sure the next two days will be just as beneficial to attendees. b2ap3_thumbnail_book4.jpgThe first presentation (Part 1) was a broad overview of my first book, Placing the Suspect Behind the Keyboard. My primary goal was to give a ton of investigative tips in hopes that at least one will be able to save investigators hours (or weeks or months) of labor in their cases. I flew through the material like a firefighter putting out a house fire to make sure enough tips were given to fit as many investigators needed in their specific cases. Definitely covered a lot of ground in a short amount of time. Reading my book covers a lot more, but this was fun. http://brettshavers.cc/images/articleimages/book3.jpg      b2ap3_thumbnail_book3.jpgThe second presentation (Part 2) was a brief intro to one chapter in my upcoming third book, Hiding Behind the Keyboard. Probably the best tips came from how to identify Tor users along with how to explain Tor to the layperson, which is sometimes one of the hardest things to do in a courtroom setting. Both Part 1 and Part 2 presentations are independent of each other but the information is complimentary just like both books are. 

 If you are in law enforcement and would like a copy of both presentations, you can download them here for the next month or so before I update the presentations:

 

Placing the Suspect Behind the Keyboard-ICAC.  

Send me a message after you download the file and I'll e-mail you the password (the slidedeck will be available for short time).

950 Hits

Book Review: Windows Forensic Analysis Toolkit, 4th Edition

WFAI’ve been waiting until I received the hard copy of this book to write the review. I had the fortune of being the tech editor for this book and enjoyed every minute of it. Although I do not have an ongoing financial interest in this book, I do have a vested personal interest based on the reasons Harlan Carvey lays out in many chapters. I’ll get to my personal interest later in this review.  Also, Harlan has a post on updated book contents here: http://regripper.wordpress.com/2014/04/14/regripper-download-2/

Without reading any reviews, those analysts who buy Harlan’s books will keep buying his books with the full expectation of having a well-written (as in easy-to-read) book on Windows OS forensics. There is no need to read any further in this review if you fit in this category. This is Harlan’s new book. That is all you really need to know. But if you just want my opinion, read on…

The topics in the 4th Edition of WFA are all eye-catching. Volume shadow copies, file analysis, registry, malware, timelines, tracking user activity, and more.   Every topic detailed in all the chapters, is relevant to everyone that touches a Windows system to examine. The difference between Harlan’s books and others is the guidance given. For example, rather than reading a discourse on some technology, Harlan gives practical advice, suggestions, and real-life stories that relate to the points in the book. Since we have all made mistake (or will make mistakes, or have made mistakes but just don’t know it yet), having guidance that reduces mistakes in the way of stories and plain talk is well worthwhile to read.

The book has too much information to be covered in a review. There is more information on accessing volume shadow copies using several different methods than I want to review. The same can be said for file analysis, registry analysis, timelines, and every other topic. Harlan gives several options to accomplish the same task, using different software.   Although I wrote a book on one software (X-Ways Practitioners Guide), I obviously use more than just one software. Any forensic book, other than a manual or software guide, that does not give options with various types of software does not give the reader options to solve problems.

Another facet of Harlan’s book is his never-ending harping of asking everyone to ‘share information’. That sentence may sound negative, but truthfully, I don’t know how Harlan has the energy to push the sharing of information for so long. The book is sprinkled with this tone and I echo the importance of sharing information. I did my best to keep up with Harlan’s book as I tech edited it, working his suggestions. Some of the methods he wrote were new to me, which I would not have found on my own without happening upon the method in a blog..maybe.

Those examiners who conduct investigations, not just an analysis of a machine, will enjoy the guidance on tracking user activity, writing reports, drawing conclusions, correlating data, and making inferences.  Those topics are my personal favorites.

Harlan writes in this book that sharing helps us to know what is possible. That makes sense, because how can you know what you don’t know.

I can say unequivocally that writing a digital forensics book is primarily, if not solely, to share information. Few (no one?) gets rich writing a computer technical book in the niche of digital forensics. The market for a digital forensic book is probably a fraction of a fraction of a fraction when compared to a Tom Clancy or JK Rowling book. With that, consider that when Harlan says he writes to share, he really means that he writes to share, just like all other forensic book writers.

The personal risk to sharing, which everyone knows, is that you could be totally wrong, slightly inaccurate, poorly written, disproved later, or maybe you “discovered” something that everyone else already knew. This risk of sharing keeps the majority of examiners quiet and makes it seem that there are only a few examiners that share information. That is why we see the same names popping up online and conferences through the years. But in the audiences listening to these same names, there are smarter people, better examiners, and great investigators. They just don’t speak up or share information.  (nudge..nudge...feel free to share...no one will bite you).

That is one of Harlan’s premises to keep going and he reiterates it in the book and his blog and when he speaks. We all get ‘smarter’ when we share. None of us move forward when we don’t share.   To share is to take a risk of being wrong and embarrassed. Worse still is the fear to be wrong and get attacked online. However, for all those that share, either by asking questions, giving suggestions, or describing methods you have created or use, my hat goes off to you. It takes guts to put yourself out there, knowing that the sharks are circling and sniffing for blood.

Back to my personal interest in this book. When I have found a method or tool that I like, I want everyone to use it. I don’t hold it close to my chest or hide it. I share it. I become an evangelist to that tool or method to get the word out. The reason? The more examiners in the field that use it, the more chance the method/tool becomes an industry standard. Then it gets improved upon, further developed, “court accepted” in that the results obtained by that tool/method are accepted into a court, and I get to use the tool/method more.

The best personal example I can give to prove this point is with WinFE (http://winfe.wordpress.com). From a two-page Word document typed by Troy Larson of Microsoft, I marketed that little ingenious tool as if I was making a million bucks off it. It’s now in use by every country that does forensics and in just about every agency or company in those countries. It’s even taught in forensic training programs in both the public and private sector. So now, anyone can create and use WinFE without worry of using a non-industry accepted tool. This happened only because those that used WinFE, shared the knowledge of how to use and when to use it. Imagine if we did that with every “new” effective method or tool.

The key point in the prior two paragraphs is that Harlan’s book has lots of those types of ideas that he has shared. He gives credit to ideas created by others along with sharing his own ideas.

My only negative words on WFA/4 is…maybe X-Ways Forensics could have been put in it...but that's what we have the XWF Guide for..

My suggestion on WFA/4…buy the book. You will not regret it.  My other favorite books are here http://winfe.wordpress.com/books/.

 

Tags:
1060 Hits

X-Ways Online Training Course

X-Ways Online Training Course


I will be publishing an X-Ways Forensics Online Training Course on June 30, 2014.  The course is based off the X-Ways Practitioner's Guide, the X-Ways manual, and a decade of experience using X-Ways...it is not the official X-Ways training course, but it also does not come with the price tag of the official course.   From Monday, the X-Ways course will be $195 but I will publish a discount code good for two weeks (through July 14) for 25% off.

I'll send out a reminder on June 30 through twitter and the XWF blog, so follow the blog or twitter account to catch the discount code.

The manner in which I made the X-Ways course is so that you can follow along with XWF in learning how to work a case with X-Ways Forensics.  The course describes the options and buttons in XWF, but also shows how to simply work a case.  There are literally so many features in X-Ways, that without training, you will be missing about 50% of what you should be doing.  I found that even the most current version of the X-Ways manual does not list features in XWF...lots of information to keep up with, tons of features to consider, easy to miss something that you should not miss for such a powerful forensic tool.

If you want to be notified of the coupon code, be sure to follow the X-Ways blog at http://xwaysforensics.wordpress.com/ or the twitter account at https://twitter.com/XWaysGuide.

 

 

Windows Forensic Environment Online Training Course


I also have just released an online course on the Windows Forensic Environment (WinFE).   I have videos of most build methods, tips and tricks, pro's and con's, and aspects of WinFE that you may find important.  I also included every bit of downloadable swag in the course too (batch files, wallpaper, scripts, etc...).

All in all, this is probably the best source of WinFE you will find.  I encourage you to share it and use it, after all, this is a free tool and this course is free.  If anyone has suggestions on making the course better, let me know and I can try to squeeze in some improvements.

[caption id="attachment_1231" align="aligncenter" width="700"]winfe http://courses.dfironlinetraining.com/windows-forensic-environment

 

2812 Hits

Is it worth the time to figure out WinFE?

Yes, no question about it.

WinFE is one of those things in forensics you hear about and move on to something else because you don't want to spend the time to "build an ISO" (maybe you've not
646 Hits

More on Autopsy and WInFE

I was right.  This is cool.

Using Autopsy on WinFE Lite worked as expected; however, I wanted to test it with a WinBuilder build of WinFE to address limitations found on WinFE Lite (notably, the inability to view videos or inside zip files).

In short, the WinBuilder build allowed viewing of videos and accessing zip files with Autopsy.  There were a few other customizations that I made for appearance and ease of use that you may find helpful in presenting training on WinFE (if you do that) or in creating your own WinFE for onsite preview/triage.

2013-07-15-17-33-1247
Add Autopsy to the WinFE start menu.

Basically, with Autopsy, any first responder or parole supervisor can triage/preview an evidence machine, onsite, without cost of software or hardware.  You just need a CD, DVD, or USB with WinFE and Autopsy.  For the first responders who are not forensic examiners, a WinFE boot disc/USB can be made with Autopsy clearly presented on the desktop and start menu.  I would suggest that other forensic tools be included in the event they may be needed by a forensic analyst.  An example would be a first responder finding evidence on a machine during a triage/preview and the machine needs to be imaged.  Either the first responder can image the machine or preferably, a trained person should be called to image the machine.  Having the apps pre-installed eliminates the need to reboot the machine to another build of WinFE, or plugging in additional drives with programs, and so forth.

In order to get you in gear with the potential of a completely free WinFE and software (you need a license for Windows to build it…but otherwise, it’s all free), I’ve posted the steps below.  Before you ask for help with WinBuilder, go to www.reboot.pro and read the help forums.  There is as much documentation you need for directions on how to download and run WinBuilder along with as many scripts (added features) as you could ever need.

The steps:

1)      Download Autopsy and install to your workstation.

2)      Download Winbuilder

3)      Download the WinFE write protection script (place in the WinBuilder tweaks folder)

4)      Build your WinFE

Step 1

2013-07-15-17-34-1250
It's free!

Download and install Autopsy to your workstation. http://sleuthkit.org/autopsy/

Step 2

2013-07-15-17-34-1251
It's free!

Download and install WinBuilder (go to www.reboot.pro on how the program works).  This is based on the Win7PE_SE project.

Step 3

2013-07-15-17-34-1252
Guess what? This is free too.

Download the WinFE write protect script.  http://winfe.wordpress.com

Place the write protect script (WP.script) in the Tweaks folder of WinBuilder

2013-07-15-17-34-1253
Without this one little thing (wp.script), you only making a "PE", not a "FE" build.

Step 4

2013-07-15-17-35-1254

Run WinBuilder.  Read my previous write up on how to do this to save time in trying to figure it out.  I’ve already spent more than a few hours which you don’t have to go through.  Be prepared, you will have errors and builds that don’t work.  But once you get it right and see how it works, you will have a tool which will provide invaluable use for years.  Trust me on this; you will not regret spending the time.  The only regret you will ever have is waiting to try it out.

2863 Hits