3. Ability to boot on all x86 devices regardless of OS
Windows
Linux
OSX (requires optical drive)
Runs Windows-compatible tools
The price is right
Cost of Windows OS licence
Highly customisable
4. BartPE (2003)
Live version of Windows based on XP/2003
Utilised Windows Preinstallation Environment (PE)
http://www.nu2.nu/pebuilder/screenshots/
5. Microsoft (SysInternals) created first “official” WinFE guide (2008)
Highly modified OS
▪ No GUI interface, CMD based only
▪ Registry keys modified to not mount devices by default
▪ Basic functionality, required batch scripts or plenty of DOS commands
▪ Based on Vista, compatible with Windows 7
7. WinBuilder - Windows PE building utility
WinFE script created by Brett Shavers that modified the same registry keys as the SysInternals instructions (2010)
Retained GUI interface
Write Protect Tool Management Console (replacement Disk Manager)
9. Microsoft Windows (32bit or 64bit) ISO
Provides the baseband core OS files
Windows Automated Installation Kit (AIK)
Provides Windows PE bootable image that WinFE is based upon
WIM (Windows Image) mounting tools
WinBuilder with WinFE scripts
Provides advanced interface features of WinFE (desktop GUI support, etc.)
10. Two modes for third-party applications:
Run from RAM
▪ Stops end-users modifying installed programs
▪ Takes up more RAM when booting (if working with low-specced PCs)
Run from Disk
▪ Easier to update (no more recompiling the full WIM)
12. Steps to compile your own version of WinFE:
1. Install Windows AIK
2. Mount Windows 7 ISO and remember the drive letter
3. Install WinBuilder and point it to the drive letter of the mounted ISO
4. Configure the scripts required through WinBuilder (including Tweaks WinFE)
5. Prepare any third-party software you require on WinFE
6. Run the WinBuilder program and set desired options. This should output a WinFE ISO as well as the files necessary to copy to a USB dongle
7. Edit the Boot loader (BCD) to allow a maximum timeout and require user input into selecting WinFE from a boot menu
8. Test the WinFE release to ensure that it is forensically sound
13. Slip-streaming drivers into WinFE requires 2 tools (AIK):
Imagex - used to mount WIM
located in C:\Program Files\Windows AIK\Tools\x86\Servicing
DISM - used to install drivers
located in C:\Program Files\Windows AIK\Tools\x86\Servicing
1. imagex /mountrw C:\WinFE\Target\Win7PE_SE\sources\boot.wim 1 C:\winFE\mount
2. dism.exe /image:C:\WinFE\Mount /add-driver /driver:"C:\WinFE\Files to inject\Hasp\Hasp" /recurse
3. imagex.exe /unmount /commit C:\winFE\mount
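The three imagex/dism steps above, wrapped as an added PowerShell script (not part of the original slides) so that a failed driver injection is discarded instead of being committed back into boot.wim. The WIM, mount and AIK paths are the slide's; the HASP driver folder name is an assumption.

```powershell
# Added example, not from the original slides. Wraps the slide's imagex/dism
# steps with exit-code checks: if driver injection fails the mount is
# discarded (imagex /unmount without /commit) rather than committed.
param(
    [string]$Wim       = 'C:\WinFE\Target\Win7PE_SE\sources\boot.wim',
    [string]$MountDir  = 'C:\WinFE\mount',
    [string]$DriverDir = 'C:\WinFE\Files to inject\Hasp',   # assumed HASP driver folder
    [string]$AikTools  = 'C:\Program Files\Windows AIK\Tools\x86\Servicing'
)
$ErrorActionPreference = 'Stop'
$imagex = Join-Path $AikTools 'imagex.exe'
$dism   = Join-Path $AikTools 'dism.exe'

foreach ($p in $imagex, $dism, $Wim, $DriverDir) {
    if (-not (Test-Path $p)) { throw "Missing: $p" }
}
# A driver package is a folder with .inf files; /recurse needs at least one
if (-not (Get-ChildItem $DriverDir -Recurse -Filter *.inf)) {
    throw "No .inf driver files found under $DriverDir"
}
New-Item -ItemType Directory -Force -Path $MountDir | Out-Null

# Step 1: mount image index 1 of boot.wim read/write
& $imagex /mountrw $Wim 1 $MountDir
if ($LASTEXITCODE -ne 0) { throw "imagex /mountrw failed ($LASTEXITCODE)" }

try {
    # Step 2: inject every driver package found under the folder
    & $dism /image:$MountDir /add-driver /driver:"$DriverDir" /recurse
    if ($LASTEXITCODE -ne 0) { throw "dism /add-driver failed ($LASTEXITCODE)" }

    # Show what the offline image now carries before anything is written back
    & $dism /image:$MountDir /get-drivers

    # Step 3: commit the changes into boot.wim and unmount
    & $imagex /unmount /commit $MountDir
    if ($LASTEXITCODE -ne 0) { throw "imagex /unmount /commit failed ($LASTEXITCODE)" }
}
catch {
    Write-Warning "Driver injection failed, discarding changes: $_"
    & $imagex /unmount $MountDir   # no /commit: boot.wim is left untouched
    throw
}
```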
14. In order to copy the WinFE files to a USB Thumb Drive you must first prepare the thumb drive so that it is clean and bootable. Follow these steps:
1. Plug-in USB thumb drive into computer
2. Start CMD
3. Start Diskpart (type: diskpart)
4. Select the relevant USB thumb drive (to see available drives, type: list disk) (to select disk type: select disk #) - where # is the relevant disk number
5. Clean the USB thumb drive (type: clean)
6. Create a primary partition (type: create partition primary)
7. Set the USB thumb drive as bootable (type: active)
8. Format the USB thumb drive (type: format fs=NTFS quick label="WinFE")
9. Exit Diskpart (type: exit)
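The diskpart steps above as an added PowerShell script (not from the original slides) that refuses to run clean against anything but a USB-attached, non-system disk, then copies the built WinFE files onto the prepared drive. Get-Disk, Get-Partition and Get-Volume need the Storage module (Windows 8 or later); the WinFE source folder path is an assumption.

```powershell
# Added example, not from the original slides. Same diskpart commands as the
# slide, driven from a script file, behind a guard so 'clean' cannot be
# pointed at the examiner's own disk. Needs the Storage module (Windows 8+).
param(
    [Parameter(Mandatory)][int]$DiskNumber,                 # number shown by 'list disk'
    [string]$WinFeFiles = 'C:\WinFE\Target\Win7PE_SE'       # assumed WinBuilder output folder
)
$ErrorActionPreference = 'Stop'

$disk = Get-Disk -Number $DiskNumber
if ($disk.BusType -ne 'USB') {
    throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB; refusing to clean it"
}
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber holds the running OS; refusing to clean it"
}
$sizeGb = [math]::Round($disk.Size / 1GB, 1)
Write-Host "About to wipe disk $DiskNumber : $($disk.FriendlyName) ($sizeGb GB)"
if ((Read-Host 'Type YES to continue') -ne 'YES') { return }

# Steps 4-9 from the slide; 'assign' is added so the volume gets a drive letter
$dpScript = @"
select disk $DiskNumber
clean
create partition primary
active
format fs=NTFS quick label="WinFE"
assign
exit
"@
$dpPath = Join-Path $env:TEMP 'winfe-usb.txt'
Set-Content -Path $dpPath -Value $dpScript -Encoding ASCII
diskpart /s $dpPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed ($LASTEXITCODE)" }

# Copy the WinFE files onto the freshly formatted volume
$letter = (Get-Partition -DiskNumber $DiskNumber | Get-Volume).DriveLetter
if (-not $letter) { throw 'diskpart did not assign a drive letter' }
robocopy $WinFeFiles "${letter}:\" /E /NFL /NDL
if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors ($LASTEXITCODE)" }
```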
15. Live:
The software on WinFE can also be run on a live system, w/o booting into the WinFE OS (assuming portable apps).
Conducting an encryption test
Ability to image RAM, Disks, mounted encrypted partitions
Tools can all be updated on the fly
Booting:
Booting into the WinFE environment conforms to industry best practice in that it maintains the forensic state of the hard drives within the suspect’s computer.
16. EnCase - v6 & v7 (requires licence dongle and slip-streaming HASP drivers)
X-Ways / WinHex – all versions (requires licence dongle)
TrueCrypt
FTK Imager
VirtualBox
Wireshark
RegistryBrowser
Volatility – standalone version
All Nirsoft tools
Many more
17. 1. Power down computer
2. Insert WinFE USB device into suspect’s computer
3. Power on computer and enter the BIOS or UEFI
While in the BIOS it is recommended to take note of the system’s date and time.
4. Once in the BIOS change the boot order to the WinFE USB device – this should
show up in the BIOS as a USB device (or choose the optical drive if booting
from CD)
5. Save the changes to the BIOS and let the computer reboot
6. The computer should now boot into the WinFE boot menu.
18. Write Protect Tool Management Console
Mount / unmount physical drives attached to the computer
as read-only or read-write.
Add custom drivers
(e.g. software RAID drivers)
22. WINDOWS OS – CryptHunter (LE only)
1. Plug in the WinFE USB thumb drive into the suspect's computer
2. The WinFE USB drive should now be visible in Explorer (My
Computer). Browse to the directory titled "CryptHunter" and
double-click on the file called "crypthunter". This will begin the
encryption test.
3. If anything of note is discovered a pop-up box will appear
warning that encryption may be present.
24. LINUX OSes – quick and dirty
Method 1 – Terminal
1. Open the terminal (console / konsole) and type mount and hit enter (return)
2. This command will list all currently mounted drives on the computer, look for the word "crypt"
26. MAC OSX – quick and dirty
Method 1 – Identify FileVault
1. Browse to "Computer" > "Users". If the user account has the following icon then "FileVault" is enabled. FileVault encrypts all of the user's files.
27. Method 2 – Activity Monitor
1. Other 3rd-party encryption tools are available for Mac OSX. In order to check if these encryption programs are running, browse to "Applications" > "Utilities" > "Activity Monitor"
2. Once the Activity Monitor is displayed use the drop-down menu to select "All Processes"
3. Look for any process that includes the word "crypt". If any of the
processes mention the word "crypt" then it is likely that the
computer features encryption.
29. RAM:
DumpIt
Simple executable, puts output in same directory as EXE
Has some issues with RAM larger than 8GB
WinPMEM
CMD based
Supports RAM larger than 8GB
Supports RAW & Crashdump formats
FTK Imager
GUI version only
Supports RAW acquisition as well as Pagefile.sys & Hiberfil.sys
Larger footprint than DumpIt & WinPMEM
HD:
FTK Imager
31. RAM:
OSXPMEM
Supports up to and including 10.9.x
Creates kernel mirror driver (must be extracted onto local machine to run or from HFS+/exFAT partition)
Supports Raw, Mach-O, and ELF formats
1. copy OSXPMem.tar.gz to local directory
2. tar xvf OSXPMem.tar.gz
3. ./osxpmem -h to give help
4. ./osxpmem memory.dump
32. HD:
FTK Imager for Mac
CLI only, no GUI
Needs to be copied to local machine to run (or on HFS+/exFAT partition)
Mac OSX Forensic Imager
Needs to be copied to local machine to run (or on HFS+/exFAT partition)
33. 1. Connect an external hard drive (via USB) to the suspect's computer
2. Open "WinFE Write Protect Tool Management Console" and mount this new drive as read/write
NOTE – if this is the first drive you are mounting in WinFE it will be given the drive letter “C”
This drive will now be visible in Windows Explorer
3. Open FTK Imager and image normally
34. Even w/o X-Ways or EnCase dongles there are a number of tools to facilitate triage of devices
Apple Bootcamp script allows HFS+ partitions to be seen through WinFE w/o third party tools
35. XnView:
Graphic files
Recursively look at directories
Tag files, create reports
40. SQLite
SQLite DB Browser
SQLiteQ
Microsoft ESE/EDB/JET Blue DB files
Nirsoft ESEDatabaseView
41. Web browser history
Nirsoft BrowsingHistoryView
▪ IE (including 10/11), Firefox, Chrome, Safari
Windows Registry
Lock And Code RegistryBrowser
▪ Mount the suspect's drive as read-only using Write Protect Tool first
Very basic:
No write-protection of devices
No Windows Explorer
- all tools were 3rd party
No GUI but could run GUI software (for example FTK Imager or XWF)
Windows 8/8.1 WinFE require Windows Assessment and Deployment Kit (Windows ADK)
http://www.microsoft.com/en-us/download/details.aspx?id=39982&751be11f-ede8-5a0c-058c-2ee190a24fa6=True
Example of slip-streaming the HASP dongle drivers (for EnCase)
Dependent on host PC resources, there is the ability to boot the suspect’s PC as a forensically sound VM with VirtualBox (requires 64-bit WinFE, lots of RAM and MIP to mount the physical disk)
mount image write-cached function)
If this menu is not displayed then the computer is trying to boot into another OS: pull the power cord!
If you are LE I recommend that you get access to the US CERT program CryptHunter (free):
Small footprint, able to detect many encryption programs as well as boot sector abnormalities
Supports: BestCrypt, DriveCrypt, Sophos SafeGuard, Paragon Encrypted Disk, PGPDisk, TrueCrypt, BitLocker
If non-LE (or CryptHunter is not available) it is useful to check Task Manager for running processes
Can also look at running processes to determine if any encryption programs are running
Latest version of FileVault allows for full disk encryption and therefore the symbol may not be present on the user directory
Windows imaging HDs live, there is FTK Imager (including CLI), Cygwin DD, also EnCase acquisition / imager, XWF if dongle present
As well as Nirsoft Opera History View, cache view, etc