Overview of Windows Forensic Environment (WinFE)

1. The (Almost) PerfectTriageTool
Brent Muir – 2014 Version 1.0

2.  Benefits ofWinFE
 History ofWinFE
 BuildingWinFE
 “Live”Vs. Booting
 UsingWinFE:
 EncryptionTesting
 Imaging
▪ RAM
▪ HDs
 Triage
2

3.  Ability to boot on all x86 devices regardless of OS
 Windows
 Linux
 OSX (requires optical drive)
 RunsWindows compatible tools
 The price is right
 Cost ofWindows OS licence
 Highly customisable
3

4.  BartPE (2003)
 Live version ofWindows based on XP/2003
 UtilisedWindows Presinstallation Environment (PE)
http://www.nu2.nu/pebuilder/screenshots/
4

5.  Microsoft (SysInternals) created first “official”
WinFE guide (2008)
 Highly modified OS
▪ No GUI interface, CMD based only
▪ Registry keys modified to not mount devices by default
▪ Basic functionality, required batch scripts or plenty of
DOS commands
▪ Based onVista, compatible with Windows 7
5

6. Shavers, B. (2010)
6

7.  WinBuilder -Windows PE building utility
 WinFE script created by Brett Shavers that
modified the same registry keys as SysInternals
instructions (2010)
 Retained GUI interface
 Write ProtectTool Management Console
(replacement Disk Manager)
7

8. http://winbuilder.net/screenshots
8

9.  Microsoft Windows (32bit or 64bit) ISO
 Provides the baseband core OS files
 Windows Automated Installation Kit (AIK)
 Provides Windows PE bootable image thatWinFE is based upon
 WIM (Windows Image) mounting tools
 WinBuilder withWinFE scripts
 Provides advanced interface features ofWinFE (desktop GUI
support, etc)
9

10.  Two modes for third-party applications:
 Run from RAM
▪ Stops end-users modifying installed programs
▪ Takes up more RAM when booting (if working with low-
specced PCs)
 Run from Disk
▪ Easier to update (no more recompiling the fullWIM)
10

11. 11

12.  Steps to compile your own version ofWinFE:
1. InstallWindows AIK
2. Mount Windows 7 ISO and remember the drive letter
3. InstallWinBuilder and point it to the drive letter of the mounted ISO
4. Configure the scripts required throughWinBuilder (includingTweaks 
WinFE)
5. Prepare any third-party software you require on WinFE
6. Run the WinBuilder program and set desired options This should output a
WinFE ISO as well as the files necessary to copy to a USB dongle
7. Edit the Boot loader (BCD) to allow a maximum timeout and require user
input into selectingWinFE from a boot menu
8. Test the WinFE release to ensure that it is forensically sound
12

13. Slip streaming drivers intoWinFE requires 2 tools (AIK):
 Imagex - used to mount WIM
 located in C:Program FilesWindows AIKToolsx86Servicing
 DISM - used to install drivers
 located in C:Program FilesWindows AIKToolsx86Servicing
1. imagex /mountrw C:WinFETargetWin7PE_SEsourcesboot.wim 1 C:winFEmount
2. dism.exe /image:C:WinFEMount /add-driver /driver:"C:WinFEFiles to injectHaspHasp"
/recurse
3. imagex.exe /unmount /commit C:winFEmount
13

14.  In order to copy the WinFE files to a USBThumb Drive you must first prepare the
thumb drive so that it is clean and bootable. Follow these steps:
1. Plug-in USB thumb drive into computer
2. Start CMD
3. Start Diskpart (type: diskpart)
4. Select the relevant USB thumb drive (to see available drives, type: list disk) (to select disk
type: select disk #) - where # is the relevant disk number
5. Clean the USB thumb drive (type: clean)
6. Create a primary partition (type: create partition primary)
7. Set the USB thumb drive as bootable (type: active)
8. Format the USB thumb drive (type: format fs=NTFS quick label="WinFE")
9. Exit Diskpart (type: exit)
14

15. Live:
 The software onWinFE can also be run on a live system, w/o booting into
theWinFEOS (assuming portable apps).
 Conducting an encryption test
 Ability to image RAM, Disks, mounted encrypted partitions
 Tools can all be updated on the fly
Booting:
 Booting into theWinFE environment conforms to industry best practice
in that it maintains the forensic state of the hard drives within the
suspect’s computer.
15

16.  EnCase - v6 & v7 (requires licence
dongle and slip-streaming HASP
drivers)
 X-Ways /WinHex – all versions
(requires licence dongle)
 TrueCrypt
 FTK Imager
 VirtualBox
 Wireshark
 RegistryBrowser
 Volatility – standalone version
 All Nirsoft tools
 Many more
16

17. 1. Power down computer
2. InsertWinFE USB device into suspects computer
3. Power on computer and enter the BIOS or UEFI
 While in the BIOS it is recommended to take note of the system’s date and time.
4. Once in the BIOS change the boot order to the WinFE USB device – this should
show up in the BIOS as a USB device (or choose the optical drive if booting
from CD)
5. Save the changes to the BIOS and let the computer reboot
6. The computer should now boot intoWinFE boot menu. 17

18. Write ProtectTool Management Console
 Mount / unmount physical drives attached to the computer
as read-only or read-write.
 Add custom drivers
(e.g. software RAID drivers)
18

19. 19

20.  EncryptionTest
 HD / RAM Imaging
 Triage
20

21.  Windows
 Linux
 OSX
21

22. WINDOWS OS – CryptHunter (LE only)
1. Plug in the WinFE USB thumb drive into the suspect's computer
2. The WinFE USB drive should now be visible in Explorer (My
Computer). Browse to the directory titled "CryptHunter" and
double-click on the file called "crypthunter". This will begin the
encryption test.
3. If anything of note is discovered a pop-up box will appear
warning that encryption may be present.
22

23. 23

24. LINUX OSes – quick and dirty
 Method 1 –Terminal
1. Open the terminal (console / konsole) and type
mount and hit enter (return)
2. This command will list all currently mounted drives
on the computer, look for the word "crypt“
24

25.  Method 2 –
System Monitor
25

26. MAC OSX – quick and dirty
 Method 1 – Identify FileVault
1. Browse to "Computer"  "Users". If the user
account has the following icon then "FileVault" is
enabled. FileVault encrypts all of the user's files.
26

27.  Method 2 – Activity Monitor
1. Other 3rd part encryption tools are available for Mac OSX. In
order to check if these encryption programs are running. Browse
to "Applications“  "Utilities"  "Activity Monitor“
2. Once the Activity Monitor is displayed use the drop-down menu
to select "All Processes“
3. Look for any process that includes the word "crypt". If any of the
processes mention the word "crypt" then it is likely that the
computer features encryption.
27

28.  Method 2 –
Activity Monitor
28

29. RAM:
 DumpIt
 Simple executable, puts output in same directory as EXE
 Has some issues with RAM larger than 8GB
 WinPMEM
 CMD based
 Supports RAM larger than 8GB
 Supports RAW & Crashdump formats
 FTK Imager
 GUI version only
 Supports RAW acquisition as well as Pagefile.sys & Hiberfil.sys
 Larger footprint than DumpIt & WinPMEM
HD:
 FTK Imager
29

30. RAM:
 FMEM
 Creates kernel mirror driver
 Then use dd commands to capture
HD:
 DD
 Built-in
 FTK Imager CLI
 Debian
 Ubuntu (x32 & x64)
 Fedora (x32 & x64)
30

31. RAM:
 OSXPMEM
 Supports up to and including 10.9.x
 Creates kernel mirror driver (must be extracted onto local
machine to run or from HFS+/exFAT partition)
 Supports Raw, Mach-O, and ELF formats
1. copy OSXPMem.tar.gz to local directory
2. tar xvf OSXPMem.tar.gz
3. ./osxpmem -h to give help
4. ./osxpmem memory.dump
31

32. HD:
 FTK Imager for Mac
 CLI only, no GUI
 Needs to be copied to local machine to run (or on
HFS+/exFAT partition)
 Mac OSX Forensic Imager
 Needs to be copied to local machine to run (or on
HFS+/exFAT partition)
32

33. 1. Connect an external hard drive (via USB) to the
suspect's computer
2. Open "WinFEWrite ProtectTool Management
Console " and mount this new drive as read/write
 NOTE – if this is the first drive you are mounting in WinFE it will
be given the drive letter “C”
 This drive will now be visible inWindows Explorer
3. Open FTK Imager and image normally
33

34.  Even w/o X-Ways or EnCase dongles there
are a number of tools to facilitate triage of
devices
 Apple Bootcamp script allows HFS+
partitions to be seen throughWinFE w/o third
party tools
34

35.  XnView:
 Graphic files
 Recursively look at directories
 Tag files  create reports
35

36.  XnView
36

37.  Nirsoft SearchMyFiles
 Keyword searching
 Advanced Filtering:
▪ Date range
▪ File type
▪ File size
 Context search (binary or text)
 Identify encrypted files
 Identify duplicates
 Create reports (CSV, HTML)
37

38.  Nirsoft
SearchMyFiles
38

39.  Email viewing programs:
 MiTec MailView
▪ DBX, MBX, EML,Thunderbird DB
 Kernel Exchange EDBViewer
▪ EDB, STM
 Kernel OSTViewer
▪ OST
 Kernel Outlook PSTViewer
▪ PST
 Windows MBOXViewer
▪ MBOX
39

40.  SQLite
 SQLite DB Browser
 SQLiteQ
 Microsoft ESE/EDB/JET Blue DB files
 Nirsoft ESEDatabaseView
40

41.  Web browser history
 Nirsoft BrowsingHistoryView
▪ IE (including 10/11), Firefox, Chrome, Safari
 Windows Registry
 LockAnd Code RegistryBrowser
▪ Mount the suspect's drive as read-only usingWrite Protect
Tool first
41

42. 42

43.  Larson,T. (2008) “HowTo BuildWindows FEWithThe
Windows Preinstallation Environment 2.1”, SysInternals,
Microsoft Law Enforcement Portal
 Shavers, B. (2010) “The (Nearly) Perfect Forensic Boot CD”,
URL: http://www.forensicfocus.com/downloads/WinFE.pdf
43

44.  CryptHunter (LE only) - http://www.cert.org/digital-intelligence/tools/crypthunter.cfm?
 Kernel Data Recovery Tools - http://www.nucleustechnologies.com/
 MiTeC (MailView, SQLiteQ) - http://www.mitec.cz
 Nirsoft Suite - http://nirsoft.net/
 RegistryBrowser - https://lockandcode.com/software/registry_browser
 SQLite Database Browser - http://sourceforge.net/projects/sqlitebrowser/
 WinBuilder - http://reboot.pro/files/file/4-winbuilder/
 Windows Assessment and Deployment Kit (Windows ADK) - http://www.microsoft.com/en-us/download/details.aspx?id=39982&751be11f-
ede8-5a0c-058c-2ee190a24fa6=True
 Windows Automated Installation Kit (Windows AIK) - http://www.microsoft.com/en-au/download/details.aspx?id=5753
 Windows MBOX Viewer - http://sourceforge.net/projects/mbox-viewer/
 WinFE Blog (Brett Shavers) - http://winfe.wordpress.com/
 XnView - http://www.xnview.com/en/ 44