Difference between pages "WinFE" and "Microsoft Security Essentials"

From ForensicsWiki
(Difference between pages)
 
(External Links)
 
Line 1: Line 1:
{{Infobox_Software |
+
{{Expand}}
  name = Windows Forensic Environment |
+
  maintainer = [[Windows Forensic Environment Project]] |
+
  os = {{Linux}} |
+
  genre = {{Live CD}} |
+
  license = unknown |
+
  website = http://winfe.wordpress.com |
+
}}
+
  
 +
== Quarantine directory ==
  
'''Windows Forensic Environment''' - a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis.
+
On Windows XP:
 +
<pre>
 +
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Quarantine
 +
</pre>
  
                                             
+
On Windows 7:
== Windows Forensic Environment ("WinFE") ==
+
<pre>
 +
C:\ProgramData\Microsoft\Microsoft Antimalware\Quarantine
 +
</pre>
  
WinFE was developed and researched in 2008 by Troy Larson, Sr Forensic Examiner and Research at Microsoft([http://www.twine.com/item/113421dk0-g99/windows-fe].  WinFE is based off the Windows Pre-installation Environment of media being Read Only by default.
+
== External Links ==
It works similar to Linux forensic CDs that are configured not to mount media upon booting.
+
* [http://windows.microsoft.com/en-us/windows/security-essentials-download Microsoft Security Essentials], by [[Microsoft]]
However, unlike Linux boot CDs, with Win FE one can use Windows based software. Thus it is possible to include various forensic software and general portable utilities.
+
* [http://technet.microsoft.com/en-us/library/hh508836.aspx Endpoint Protection], by [[Microsoft]]
WinFE can also be configured to boot from a USB device, should the evidence computer have the ability to boot to USB.
+
  
WinFE can be customized to the examiner's needs through batch files using the Windows Automated Install Kit (WAIK) or through 3rd party utilities such as WinBuilder ([http://reboot.pro]).
+
[[Category:Applications]]
+
[[Category:Anti Virus]]
Some examples of Windows based forensic utilities that can run in the Windows Forensic Environment include:
+
* X-Ways Forensics [http://www.x-ways.net],
+
* AccessData FTK Imager [http://www.accessdata.com],
+
* Guidance Software Encase [http://www.guidancesoftware.com],
+
* ProDiscover [http://www.techpathways.net],
+
* RegRipper [http://www.RegRipper.wordpress.com].
+
 
+
A write protection tool developed by Colin Ramsden was released in 2012 that provides a GUI for disk toggling ([http://www.ramsdens.org.uk/]).  Colin Ramsden's write protect tool effectively replaces the command line to toggle disks on/offline or readonly/readwrite.
+
 
+
== Technical Background and Forensic Soundness ==
+
 
+
Windows FE is based on the modification of just two entries in the Windows Registry.
+
The first key is located at "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr". The DWord "NoAutoMount" has to be set to "1".
+
By doing this the Mount-Manager service will not automatically mount any storage device.
+
The second key is "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters" where "SanPolicy" has to be set to "3".
+
While both keys will avoid the mounting of storage devices the user has to mount the storage drive manually by using the command-line tool DiskPart, while the evidence drive does not need to be mounted for imaging/forensic access.
+
 
+
Testing has shown that mounting a '''volume''' in READ ONLY mode will write a controlling code to the disk, whereas mounting a '''disk''' in READ ONLY mode will not make any changes.  Depending on the type of filesystem there is a potential modification to the disk with a documented 4-byte change to non-user created data. This modification exists for non-Windows OS disks, where Windows (FE) will write a Windows drive signature to the disk, although it is not shown to be consistent.  Various issues with Linux Boot CDs can be compared [http://www.forensicswiki.org/wiki/Forensic_Linux_Live_CD_issues] ).
+
 
+
== Resources: ==
+
 
+
* Windows Forensic Environment blog:  [http://www.winfe.wordpress.com]
+
* Article on Win FE in Hakin9 magazine 2009-06 [http://hakin9.org]
+
* step-by-step Video to create a Win FE CD [http://www.youtube.com/v/J3T5wnPiObI]
+
* WinPE Technical Reference: [http://technet.microsoft.com/en-us/library/dd744322(WS.10).aspx]
+
* Windows Automated Installation Kit:  [http://www.microsoft.com/downloads/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&displaylang=en]
+
* WinFE Write Protect tool [http://www.ramsdens.org.uk/]
+
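Review bot: the left-hand infobox declares `os = {{Linux}}` for Windows Forensic Environment, but the body text states that WinFE is based on the Windows Pre-installation Environment and runs Windows-based software, so the infobox should say Windows (PE). Two reference links are also malformed: "Research at Microsoft([http://www.twine.com/item/113421dk0-g99/windows-fe]." is missing its closing parenthesis, and "can be compared [http://www.forensicswiki.org/wiki/Forensic_Linux_Live_CD_issues] )." has a stray one. Note too that this diff is between two unrelated pages (WinFE and Microsoft Security Essentials), so the `+` lines are the whole Security Essentials page rather than an edit to the WinFE text.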

Revision as of 03:32, 27 March 2013


Quarantine directory

On Windows XP:

C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Quarantine

On Windows 7:

C:\ProgramData\Microsoft\Microsoft Antimalware\Quarantine

External Links