[caption id="attachment_1218" align="aligncenter" width="708"] My personal favorite....Placing the Suspect Behind the Keyboard...it's the first and only writing on the subject manner incorporating investigative methods in and out of the (computer) box.
One of the interesting things I have found online related to WinFE as I create a lesson plan for WinFE is "WTE" or "Windows Triage Environment". Before you get excited about this project, apparently, unless you work in government, you can't have it. Per the website, "WTE is released as freeware only for Law Enforcement or Government Agencies uses." Well darn it. From what I can tell, it is WinFE with some software, including Colin Ramsden's write protection application,but no super-secret-LE-only programs.
The good news is that in the upcoming tutorial on All Things WinFE, you will be able to make your own WinFE or whatever you want to call it, for free, whether you are a government employee or not.
Arsenal Image Mounter (AIM) is a new image-mounting tool from Arsenal Recon. Not only is it free, but the folks at Arsenal have been gracious in lending support. AIM employs a special SCSI driver that lets us mount image files of various types so that Windows Disk Manager can see our mounted image (a pseudo disk, as I like to call it) as an actual disk. This innovation allows us to access shadow volumes in a completely new way and avoid converting images to, for example, VHD files. AIM also can mount our image as write protected or as writable. I won’t go into more depth on AIM’s features, as you can visit the web site to learn more and acquire a copy.
Heretofore, Windows would not enumerate shadow volumes on images mounted with the most popular tools, e.g., FTK Imager, Mount Image Pro, etc. A notable exception is a Windows virtual disk file (VHD), which is not used to an appreciable extent, if at all, as the target of a disk image file in computer forensics. I’ve explained before how to work with these virtual disks with respect to the Window 7 variety (VHD). Windows 8 brings a new format, which is the VHDX file, which I’ll mention again later. For now, suffice it to say that there no longer is a need to convert a dd image to a VHD if your goal is access shadow volumes on your host system. As I’ve demonstrated in my VHD post, the conversion required the addition of data to the end of your dd image. While that made an easily reversible change to an original image file, some folks were not comfortable doing so and chose to create a spare dd file.
Let’s take a closer look at AIM and how it can help us get to shadow volumes very handily. I’m going to work with a dd image of a Windows 7 system, though there is no difference with an E01. In the following screenshot, I’ve opened AIM and navigated to my image file (001).
Next, we’ll see the window that AIM presents after I select the image. I’m going to maintain the default options, which the screenshot depicts. Typically, we don’t have to ask AIM to fake (cache) a disk signature, which AIM allows because Windows won’t mount a disk if it does not have a signature. I’ve seen only one case in which a disk signature was absent, and it concerned a VHD file created by Windows 7’s system image feature. Note than AIM handles 4KB (and other) sectors.
After I click OK, AIM presents the mounted disk as Drive 10 in my system (above and in next screenshot), which we then can find in Explorer as well as in Disk Manager. Note that Disk Manager reports the pseudo disk as it does every other disk, but indicates that it is read only. In case you haven’t looked or noticed it before, mount an image with another tool and compare Disk Manager’s findings with an AIM-mounted image.
Next, let’s access shadow volumes without using virtual machines or any other steps outside of our host system (mine is Windows 8). As you’ve seen in one of the screenshots, our mounted image’s system volume was mapped to Drive M. The next demo is a video, which presents how we can enumerate the shadow volumes on Drive M.
Again, you can try that with another image mounter to see the distinction. Now, we’ll map one of the shadow volumes with Dan Mares’s VSS, which is a tool that I’ve mentioned frequently in my blog. The basics of VSS can be found here, among other posts. You can pick up VSS free at http://www.maresware.com/. The next video demonstrates VSS.
At this point, we can work with Drive P as we can with any logical volume. We can open the volume in most forensics tools or image the logical volume if we wish. Remember, too, that an alternative to mapping a shadow volume to a drive letter is to create a symbolic link to the volume. The next screenshot shows how this is done. We’ll create a link to Shadow Volume 13 in the aaa directory. Remember to add the trailing backslash in the syntax, after the ShadowCopy number.
While I’m talking about Symlinks, it’s important to note that Windows uses them in various places on our systems. For example, \Users\All Users is a SymLink to \Program Data on the active system partition. If, for example, we open Users\All Users on our mapped shadow volume (P) and open Program Data on our host system, we can see that their contents are the same:
This will happen whether you map the shadow volume to a drive letter or create a SymLink. Needless to say, this can lead to some misinterpretations during an exam. However, if you open the mapped shadow volume in a forensic tool, at least with X-Ways Forensics, the SymLink issue will be ignored.
Now, let’s return to VHDX files briefly. At this time, a number of forensic tools can’t access that file format. If you encounter one, it likely will be a system image backup on a Win 8 image. To give most tools access to your VHDX file, mount the Win 8 image file in a Win 8 host with AIM. The next video follows the process:
Note that this works when you mount your VHDX-host image with AIM. It likely will not work with other imagers that don’t allow Disk Manager to have access to the mounted image. While you can copy the VHDX from your image to a Win 8 host, it’s unnecessary if you have AIM. Another option is to create a VM from your Win 8 image, mount the VHDX therein, and access the mounted VHDX file with X-Ways Forensics from a thumb drive. When you’re done, right-click the mounted VHDX in Disk Manager and opt to detach the disk. Bear in mind that Win 7 will not mount a VHDX file.
I have a multi-part E01 file and no matter what way i try to mount it with AIM, raw or multi-part raw, I get a virtual drive of 4GB in size. This coincidentally is the size of the E0 segments. The E0 files were created with compression and i wonder if this is the issue.
Think we are cross wires somewhere. I cannot get AIM to recognize any disk image with an E0 format. I have now tried several and the resultant disk offered as mounted is only the size of the first E0 file either 2GB or 4GB dependent on how the original image was taken. When I check the mounted drive in disk management the disk is unallocated and uninitialized and is specified at the same 2GB or 4GB size. I’m not sure i get your comment about VM’s as I am not running one. The article above seemed to be about accessing an image without any mention of VM’s.
Said it was a bad day. I have now found the additional libewf libraries to get the mount to work properly and disk management now functioning. For anyone else having the same mounting problem the link you need is
Thanks Mr Weg for your very interesting posts and work.
Thanks to you, I discover two great tools to work with VSS. Strangely, when I mounted the VSS with “vss.exe” it didn’t appear in explorer or X-ways like a new hard drive. I Tried with a volume image, i’ll try with a real disk image to see if that makes a difference.
If you’re running VSS correctly, it will identify the volume letter that it assigned to the SV. Hence, the SV will have mounted and be visible in Explorer/XWF. I’m guessing that you’re not actually mounting the SV.
Thanks for the post Jimmy! I was looking forward to trying this out. However, I didn’t get very far…
I am able to use AIM to mount my E01 image (although the volumes appear as “Removable Drives” for some reason). But, when I try to list the shadow copies with vss, I get a message stating “No items found that satisfy the query” and no shadow volumes are listed. I can see from the image file that the volume contains shadow copies. I’ve tried it with 3 different image files now, all with the same results.
Does this have anything to do with a permissions issue in Windows 7?
I’m sure that I’m doing something wrong, but I’m kind of stuck here…
Thanks for writing, Meghan. I think it’s a permissions issue. Are you running vssadmin as Admin? You should. I’m not sure what you mean by the mounted image appearing as a removable drive. It should show up in Disk Manager as a physical disk with volumes.
Thanks for the quick reply. I am running vssadmin as Administrator. The volumes are mapped in Disk Management. For what it’s worth, when I use the command to “List Volumes,” it only shows me my local volumes (not the newly mounted volumes). But, I can’t even list the shadow volumes for my local drives either.
Just to be sure we’re on the same page, the syntax is “vssadmin list shadows \for=:” where “x” if the logical volume that contains the target SVs. Are you sure that the SVs on your target are existing files, and not previously existing files that your forensic tool reports (but Windows would not)?
Using the syntax vssadmin list shadows /for=. The SVs on the target are existing files, although there are some previously existing files as well. I also ran my 3 images through IEF and it recovered data from the SVs.
Well, I’m not sure what’s up at this point. Can you enumerate SVs on your own system with vssadmin? If there are none (system protection off), turn on system protection, create one, and run a test. The “No items found that satisfy the query” usually means none exist or maybe no permission.
Thanks Jimmy. Getting closer. I was able to create one on my system and subsequently see it using vssadmin. But for some reason, I can’t see any from my mounted images. I also don’t see any when I choose the option to ‘Restore previous versions’ from the right-click menu in Windows, even though I see there are shadow copies. Not sure what’s going on…
Are you logged on as Admin to your host machine? I know that you are running vssadmin as Admin. If you have a VM of a Win 7 system (SEAT), add the mounted disk to that VM as a physical disk (there’s instructions on the blog). Then run vssadmin in the VM, targeting the added disk’s volume. It’s also possible that your SV structure is corrupt. Have you tried other mounted image files? If the issue arises in more than the one image, I think that the issue has to be with your system.
Thanks for the great post and for all you’ve given to the community over the years. I’ve been lurking your posts and attempting to learn from them for a long time now. BTW, the hyperlink for AIM is printed properly in your article, but it is missing a colon when you click on it, in case that was not intentional.
Thanks again for all that you do.
~bina computationem pro justitia
thanks for the post, very usefull for me;
Yesterday I tried the extraction operations, but not all goes right.
1) Mounting with arsenal imager was OK;
2) Automounting with vss.exe was OK;
3) but, when I used FTK imager for ramdisk extraction, it has been stopped by “windows defender” while trying extraction a probable malware.
So, FTK imager has been stopped by “windows defender” and I assume that for a total extraction, I nedd to use a VM without any protections
Thanks for writing, Luigi. I’ve disabled Windows Defender, and I think that you should do so. I don’t think it’s necessary for what you’re doing. Maybe you can write an exception for FTKI in Defender. I know that my antivirus doesn’t affect this operation.
I'm making a detailed tutorial on WinFE that I hope to finish in the upcoming week. Virtually everything you need to know about WinFE will be in the tutorial, with demonstrations and instructions on everything you need to know. I'm covering the basics to the advanced, different building methods, commercial and free/open source software to add to WinFE, how to use it in different situations, and how to prevent errors. This means using it in forensic acquisitions, covert acquisitions, electronic discovery, triage, and preview. You name it, I'm covering it.
The length will be about an hour (maybe a little more, maybe a little less) and will include a real test to take if you choose to go the entire route. The purpose is to give you, the professional examiner, a complete training program in WinFE with a test to validate your knowledge. For those that already see the intention of the test and online training, let me explain to others that might be missing the point.
Although I'm not going to proctor your test, look over your shoulder, or have you scan your fingerprint to make sure it was you that took the test, I am providing the test for your benefit. As you know, training and experience is everything. It's everything on your resume. It's everything when you testify. It's everything when you are doing your job. With that, I will give you a solid training in WinFE that you can take to the bank (in a manner of speaking...).
So, if you want formal training in WinFE, as much as an online class can be, stand by, it's coming pretty darn soon. Pass the info along. We can all benefit when more examiners use WinFE. Plus, I'd rather be the expert that had training in WinFE when going against someone that didn't have any training with it...
On a different topic, some discussion on distribution licenses of WinFE has been going on at forensicfocus.com. One of the takeaway points of the discussion is that you shouldn't be giving away or selling WinFE (or PE) ISO files....that will violate the Microsoft EULA. Since WinFE is most typically used in legal cases, using a tool that you violated the EULA could cause serious issues with the evidence you collected. So if you didn't build it, don't use it. That is the very bad news.
The very good news is that you can make your own WinFE, free, in just a few minutes, without violating the EULA.
I assume that one of the reasons Microsoft has such a restrictive EULA prohibiting distribution is so that the core files of WinPE (and FE) remain solid. Downloading or using any 3rd party tool or something "a friend" sends you could contain anything hidden inside, like malware. By using Microsoft's files, the odds are much lower that this will happen, meaning that when you build a WinFE, it is most malware free that can be expected.
After that discussion on forensicfocus slowed down, I had emails about WinFE regarding how to build it. Not that I created the thing...but I will make a fairly detailed and easy to follow video on building a WinFE and everything you should know about it. After all, if ever asked about your data collection tool, it's better to look like you know what you doing rather than say, "I downloaded this ISO file, booted the system and imaged with it, and don't really know much else about it." Perhaps better to say, "I personally built and tested the imaging environment using industry best practices. I used core files from the Microsoft company as allowed by its licensing agreement."
When the tutorial video is finished, I'll post the link.
If you are interested in some behind-the-scenes efforts of developing WinFE, take a look at the www.reboot.pro forum threads. And if you want to give input on what you would like WinFE to do...the reboot.pro forum would be a good place to submit a suggestion or lend a hand in development.
If for nothing but curiosity, you can follow along in watching the developers of the WinFE discuss how they are working toward making the lightest, fastest, full-featured, minimal builds, multi-boot, easy-to-use, and cool forensic tool around.
I'll continue to post the latest links and download information on this blog, because I know that time is usually non-existent, deadlines are always minutes away, your laptop (while at the airport or onsite) has eight programs running while you are replying to ten emails, and you just need to know where to download that latest WinFE building information. So, that will be here. But for when you have time at the side of the pool, browse www.reboot.pro to watch these guys improve WinFE as it happens.
Before I get any complaints about "WinFE is not perfect" or "WinFE can't do everything", let me that yes that is correct. It is not perfect and cannot do everything. In the world of forensically booting evidence machines, some Linux bootable environments work very well too. Some machines can't be booted forensically, that is true as well. But for the marjority of systems that can be booted forensically, WinFE has its place. For the average and above-average examiner needing to boot the evidence machine, there are few options available that make it super-easy to add drivers on the fly or use your Windows based apps from the office rather than Linux based you hardly (if ever) use.
If you haven't checked out WinFE, you should. Everyone else is already on board :)
* Added a number of additional options in the core script -
these are all enabled by default. The new options will
remove a number of unsupported options from the right-click
context menu. Thanks to reboot.pro forum member farda for
* Added "Open with" workaround for WinPE 4.0/5.0. See -
* WinFE settings are now separate to the Shell script - but are
still mandatory. They have been moved to a new script
* Option to use either SANPolicy 3 or 4 (in new WinFE script) -
SANPolicy 3 is automatically used with WinPE 2.*/3.* sources as
SANPolicy 4 is only supported in WinPE 4.0/5.0.
* File dependencies (to be extracted from install.wim or
copied from the host Operating System) are handled in one
(hidden) script - Core\required.files.script. This will
make it simpler to implement any future file dependencies.
* Added a script to copy files and folders from a local
directory - allowing the easy addition of third party files.
A menu entry will open the directory these files were copied
* Added Tools\Create USB script - it's now possible to
create a MistyPE bootable UFD during the build process.
Use with caution - see documentation for more details.
Tested with Windows 7 (SP1) and Windows 8.1.
* Added ADK For Win 8 (and 8.1) scripts. Refer to documents.
NOTE - this has only been tested using Windows 7 (SP1)
and Windows 8.1.
* Wallpaper support (.jpg) added for all builds - this
feature was not previously working with WinPE 4/5. See
* Wimlib-ImageX updated to version 1.6.2
* Added build 6.3.9600 (Windows 8.1 - Final) to the list
of tested/working sources.
* Added the following scripts -
- Opera - 64-bit support added.
* Included FAU in the download. This is redistributed
with the permission of the author (GMG Systems Inc) -
refer to the project documentation.
* Program scripts now contain menu entries - this should
make it easier to add new program scripts. Previously
all menu entries were contained in the shell script -
resulting in multiple script edits for any new programs
* Various tweaks in core script
- "FileDelete,"%Cache%\temp\*.*" has been added to
to ensure that cached batch files and .ini files
are deleted earlier in the build process. Without
this fix there are errors in some very limited
- Added verification check from registry files
extracted from boot.wim - only used if the
wimlib-imagex checks fail.
* Script structure has been changed for all Program scripts.
Hopefully results in better error checking for any missing
* Browse for folder support is added by individual program
scripts even if this option is not selected in the Core
script. Resulting in a more modular approach (see
for the philosophy behind this approach).
* Documentation updated - added section on using the ADK
For Win 8.1.
Do you teach cybercrime/forensics and use "Placing the Suspect Behind the Keyboard"? Maybe you are considering using this book in your course? How would you like to have ready-made PowerPoints for the chapters with additional student materials to go along with the book in your course?
I will be starting on the materials now and will give access to any instructors that want to lend a hand and get early drafts for use right away. The materials will be freely available for instructors to use and modify in their coursework. As someone that has taught forensics for a few years, it is very very helpful to have class materials available rather than reinventing the wheel every class...
I get a few stories of how WinFE saved the day and a few of these heroes let me retell their story. This is one of them. The ‘detective’ wishes to be unnamed, but for sake of argument, I know who he is…
A detective from a California law enforcement agency that had attended the SEARCH “Network Investigation and Digital Triage” course contacted the instructors with assistance in building a WinFE based on Windows 8.1. The detective was given guidance and links to the various resources needed to create the WinFE8.1SE. The detective was further given assistance in adding in the utilities he would need and finally validating the build to insure that it was forensically sound.
In a follow up call, the detective indicated that the he had obtained the duplicate images he needed, with one minor modification. He found that one of the target drives was mounted through an add-in card and was not initially recognized by WinFE8.1SE. Noting that Colin Ramsden’s write protect utility allowed for adding drivers to the system, the detective located the add-in card drivers and added them to the system. WinFE8.1SE and Colin’s WP utility then recognized the additional drive and allowed mounting it read only. The detective then successfully obtained duplicate images of both target drives.
As a side note, consider that WinFE started with Troy Larson typing out a 2-page Microsoft Word document on changing registry values in a winPe to get a winFe. That little idea is now taught at local, state, and federal agencies as well as public/private education and training courses. Basically, it’s is use by many. This success story is neat because it shows how easy it is to add a driver on-the-fly. You don’t need much technical experience to use Colin’s app to add drivers or toggle hard drives. We beat it up pretty good to get it right; Colin is one of those extremely competent software writers and I am glad he helped out the WinFE project.
Got a success story? Send it to me and I’ll share the word.