Line 1:
− {{Infobox_Software
− name = Windows Forensic Environment
− maintainer = [[Windows Forensic Environment Project]]
− os = {{Linux}}
− genre = {{Live CD}}
− license = unknown
− website = http://winfe.wordpress.com
− }}
−
− '''Windows Forensic Environment''' - a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis.
−
− == Windows Forensic Environment ("WinFE") ==
− WinFE was developed and researched in 2008 by Troy Larson, Sr Forensic Examiner and Research at Microsoft([http://www.twine.com/item/113421dk0-g99/windows-fe]. WinFE is based off the Windows Pre-installation Environment of media being Read Only by default.
− It works similar to Linux forensic CDs that are configured not to mount media upon booting.
− However, unlike Linux boot CDs, with Win FE one can use Windows based software. Thus it is possible to include various forensic software and general portable utilities.
− WinFE can also be configured to boot from a USB device, should the evidence computer have the ability to boot to USB.
−
− WinFE can be customized to the examiner's needs through batch files using the Windows Automated Install Kit (WAIK) or through 3rd party utilities such as WinBuilder ([http://reboot.pro]).
−
− Some examples of Windows based forensic utilities that can run in the Windows Forensic Environment include:
− * X-Ways Forensics [http://www.x-ways.net],
− * AccessData FTK Imager [http://www.accessdata.com],
− * Guidance Software Encase [http://www.guidancesoftware.com],
− * ProDiscover [http://www.techpathways.net],
− * RegRipper [http://www.RegRipper.wordpress.com].
−
− A write protection tool developed by Colin Ramsden was released in 2012 that provides a GUI for disk toggling ([http://www.ramsdens.org.uk/]). Colin Ramsden's write protect tool effectively replaces the command line to toggle disks on/offline or readonly/readwrite.
−
− == Technical Background and Forensic Soundness ==
−
− Windows FE is based on the modification of just two entries in the Windows Registry.
− The first key is located at "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr". The DWord "NoAutoMount" has to be set to "1".
− By doing this the Mount-Manager service will not automatically mount any storage device.
− The second key is "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters" where "SanPolicy" has to be set to "3".
− While both keys will avoid the mounting of storage devices the user has to mount the storage drive manually by using the command-line tool DiskPart, while the evidence drive does not need to be mounted for imaging/forensic access.
−
− Testing has shown that mounting a '''volume''' in READ ONLY mode will write a controlling code to the disk, whereas mounting a '''disk''' in READ ONLY mode will not make any changes. Depending on the type of filesystem there is a potential modification to the disk with a documented 4-byte change to non-user created data. This modification exists for non-Windows OS disks, where Windows (FE) will write a Windows drive signature to the disk, although it is not shown to be consistent. Various issues with Linux Boot CDs can be compared [http://www.forensicswiki.org/wiki/Forensic_Linux_Live_CD_issues] ).
−
− == Resources: ==
−
− * Windows Forensic Environment blog: [http://www.winfe.wordpress.com]
− * Article on Win FE in Hakin9 magazine 2009-06 [http://hakin9.org]
− * step-by-step Video to create a Win FE CD [http://www.youtube.com/v/J3T5wnPiObI]
− * WinPE Technical Reference: [http://technet.microsoft.com/en-us/library/dd744322(WS.10).aspx]
− * Windows Automated Installation Kit: [http://www.microsoft.com/downloads/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&displaylang=en]
− * WinFE Write Protect tool [http://www.ramsdens.org.uk/]

Line 1:
+ {{Expand}}
+
+ == Quarantine directory ==
+
+ On Windows XP:
+ <pre>
+ C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Quarantine
+ </pre>
+
+ On Windows 7:
+ <pre>
+ C:\ProgramData\Microsoft\Microsoft Antimalware\Quarantine
+ </pre>
+
+ == External Links ==
+ * [http://windows.microsoft.com/en-us/windows/security-essentials-download Microsoft Security Essentials], by [[Microsoft]]
+ * [http://technet.microsoft.com/en-us/library/hh508836.aspx Endpoint Protection], by [[Microsoft]]
+
+ [[Category:Applications]]
+ [[Category:Anti Virus]]
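Review bot: the two sides of this diff share no line at all: every line of the WinFE article (the infobox, the NoAutoMount and SanPolicy registry settings under Technical Background and Forensic Soundness, and the Resources list) is removed, and the replacement is an {{Expand}} stub with two quarantine paths and two links. If the intent was to start a page on the Microsoft antimalware quarantine directory, that text belongs on its own page and the WinFE content should stay; if it is a deliberate rewrite, the removed material should be moved rather than dropped. The added section also gives the paths without a sentence saying which product writes to them or what the Quarantine directory holds; since the External Links name Microsoft Security Essentials and Endpoint Protection, one lead sentence tying the paths to those products would make the stub self-explanatory.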