WinFE

From ForensicsWiki
Revision as of 15:18, 19 May 2011 by Mrem (Talk | contribs)

Jump to: navigation, search

Windows Forensic Environment - a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis.


Windows Forensic Environment ("WinFE")

WinFE was developed and researched in 2008 by Troy Larson, Sr Forensic Examiner and Research at Microsoft. WinFE is based off the Windows Pre-installation Environment of media being Read Only by default. It works similar to Linux forensic CDs that are configured not to mount media upon booting. However, unlike Linux boot CDs, with Win FE one can use Windows based software. Thus it is possible to include various forensic software and general portable utilities. WinFE can also be configured to boot from a USB device, should the evidence computer have the ability to boot to USB.

WinFE can be customized to the examiner's needs through batch files using the Windows Automated Install Kit (WAIK) or through 3rd party utilities such as WinBuilder ([1]).

Some examples of Windows based forensic utilities that can run in the Windows Forensic Environment include: X-Ways Forensics [2], AccessData FTK Imager [3], Guidance Software Encase [4], ProDiscover [5], RegRipper [6].


Technical Background and Forensic Soundness

Windows FE is based on the modification of just two entries in the Windows Registry. The first key is located at "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr". The DWord "NoAutoMount" has to be set to "1". By doing this the Mount-Manager service will not automatically mount any storage device. The second key is "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters" where "SanPolicy" has to be set to "3". While both keys will avoid the mounting of storage devices the user has to mount both the evidentiary media and the storage drive manually by using the command-line tool DiskPart. Doubts on the forensical soundness of Win FE are circulating ever since the first information about Win FE leaked to the public. Intense testing by various people of the forensic community has shown that by just mounting the volume no write access will happen on the evidentiary media. However by mounting the partition (even in read-only mode) some sort of writing might occur - depending on the type of filesystem. Especially Linux/UNIX journaling filesystems like ext3/4 and zfs seem to be prone to filesystem corruptions. At present the most likely explanation for this effect lies in the writing of a "drive signature". In-depth testing is still ongoing.--Mrem 12:18, 19 May 2011 (PDT)


Resources:

Windows Forensic Environment blog: [7] Article on Win FE in Hakin9 magazine 2009-06 [8] step-by-step Video to create a Win FE CD [9] WinPE Technical Reference: [10] Windows Automated Installation Kit: [11]