Difference between pages "Openssl" and "WinFE"

From ForensicsWiki

OpenSSL is an open source software system that provides the following:

* Forensic-grade implementations of the most widely used hash functions.
* Symmetric cryptographic functions
* Asymmetric cryptographic functions
* Certificate management functions
* A complete S/MIME implementation
* A complete SSL/TLS implementation

OpenSSL is interesting for forensic practitioners and developers because it provides a basic toolkit for building software, and because the higher-level certificate management functions give you an easy way to decode the contents of certificates that are used to secure computer systems.

This web page contains step-by-step instructions on using OpenSSL from the command line to perform specific tasks. There are a lot of online OpenSSL guides and we'll try to link to some of them from here. But this page is a handy reference just the same.

=File Extensions=

OpenSSL doesn't care what you use for file extensions. However, the following extensions seem to be commonly used:

{|
!File Extension
!Meaning
|-
|.pem
|Can contain a private key, public key, or certificate signing request.
|-
|.crt
|Windows file extension for a .pem file.
|-
|.p12
|A PKCS12 file, which contains a private key and a certificate, encrypted for transport with a passphrase. This is the format that Windows and MacOS like to import.
|}

=Conversion=

* Convert PEM to PKCS12:
  % openssl pkcs12 -export -in mpage.crt -inkey mpage.key -out mpage.p12 -name 'MPage Signing Key'

* Convert PKCS12 to PEM, putting both the private key and the certificate in the same file:
  % openssl pkcs12 -in mpage.p12 -out mpage.pem

* The same, but with no encryption of the output file:
  % openssl pkcs12 -in mpage.p12 -out mpage.pem -nodes

* Decrypt a PEM file private key:
  % openssl rsa -in newreq.pem -out key.pem

* Print the contents of a certificate:
  % openssl x509 -in mpage.pem -text

* Input the PKCS12 file and output a key file and a cert file:
  openssl pkcs12 -in slg.p12 -out slg.key -nocerts -nodes
  openssl pkcs12 -in slg.p12 -out slg.pem -nokeys -nodes
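As an added example (it is not part of the wiki page), the following POSIX shell script ties the conversion commands together: it creates a throwaway self-signed certificate with openssl req, packs it into a PKCS12 file, unpacks it again into separate key and certificate files, and then checks that the round trip changed nothing by comparing SHA-256 fingerprints and confirming the recovered private key still matches the certificate. The file names, the subject name and the passphrase are constructed for the example; the script only needs the openssl binary.

```shell
#!/bin/sh
# Added example, not from the ForensicsWiki Openssl page: PKCS12 round trip with verification.
# Assumes: openssl on PATH; a writable temporary directory. All names below are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='example-passphrase'   # constructed export passphrase for the .p12 file

make_selfsigned() {
  # -x509 turns the request straight into a self-signed certificate,
  # -nodes leaves the private key unencrypted (as in the page's imapd.pem example)
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
    -subj '/CN=example-forensics-test' \
    -keyout "$WORK/test.key" -out "$WORK/test.crt" >/dev/null 2>&1
}

to_pkcs12() {
  # PEM key + certificate -> one passphrase-protected PKCS12 container
  openssl pkcs12 -export -in "$WORK/test.crt" -inkey "$WORK/test.key" \
    -out "$WORK/test.p12" -name 'Example Key' -passout "pass:$PASS"
}

from_pkcs12() {
  # Split the container back into a key file and a certificate file (the slg.* pattern above)
  openssl pkcs12 -in "$WORK/test.p12" -passin "pass:$PASS" -nocerts -nodes -out "$WORK/roundtrip.key"
  openssl pkcs12 -in "$WORK/test.p12" -passin "pass:$PASS" -nokeys -out "$WORK/roundtrip.crt"
}

fingerprint() {
  # SHA-256 fingerprint of the DER form; identical fingerprints mean an identical certificate
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

key_matches_cert() {
  # The public key derived from the private key must equal the one embedded in the certificate
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

roundtrip_ok() {
  make_selfsigned && to_pkcs12 && from_pkcs12
  [ "$(fingerprint "$WORK/test.crt")" = "$(fingerprint "$WORK/roundtrip.crt")" ]
}

if [ "${1:-}" = "run" ]; then
  roundtrip_ok && key_matches_cert "$WORK/roundtrip.key" "$WORK/roundtrip.crt" \
    && echo "round trip OK: $(cert_subject "$WORK/roundtrip.crt")"
fi
```

Run it as `sh roundtrip.sh run`. The fingerprint comparison is the check worth keeping when certificates change hands in other formats: the PKCS12 "Bag Attributes" that openssl pkcs12 prints above the PEM blocks are ignored by openssl x509, so the fingerprint of the extracted certificate must be the same as that of the original.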
=Making Certificates=

To make certificates:
  openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 3650

Make a certificate request:

creates a certificate

=Get a certificate from an SSL server=

  openssl s_client -connect www.nitroba.com:443

=Viewing Certificates=

  openssl x509 -in ssl.crt -text

=S/MIME=

* To sign an outgoing mail:
    from_email = `openssl x509 -email -in certfile.pem -noout`
    x509_subject = `openssl x509 -subject -in certfile.pem -noout`
    openssl smime -from %s  -to %s  -subject %s -sign -inkey file -signer %s -in tempfile.txt extra

=See Also=

* http://www.macdevcenter.com/pub/a/mac/2002/08/23/jaguar_server.html?page=4

Revision as of 16:48, 19 May 2011

'''Windows Forensic Environment''' - a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis.

== Windows Forensic Environment ("WinFE") ==

WinFE was developed and researched in 2008 by Troy Larson, Sr Forensic Examiner and Research at Microsoft. WinFE is based on the Windows Preinstallation Environment (WinPE), with all media treated as read-only by default. It works similarly to Linux forensic CDs that are configured not to mount media upon booting. However, unlike Linux boot CDs, WinFE can run Windows-based software, so various forensic applications and general portable utilities can be included. WinFE can also be configured to boot from a USB device, should the evidence computer be able to boot from USB.

WinFE can be customized to the examiner's needs through batch files using the Windows Automated Installation Kit (WAIK) or through third-party utilities such as WinBuilder ([http://reboot.pro]).

Some examples of Windows-based forensic utilities that can run in the Windows Forensic Environment include:

* X-Ways Forensics [http://www.x-ways.net]
* AccessData FTK Imager [http://www.accessdata.com]
* Guidance Software EnCase [http://www.guidancesoftware.com]
* ProDiscover [http://www.techpathways.net]
* RegRipper [http://www.RegRipper.net]

== Technical Background and Forensic Soundness ==

Windows FE is based on the modification of just two entries in the Windows Registry. The first key is located at "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr"; the DWORD "NoAutoMount" has to be set to "1". With this setting the Mount Manager service will not automatically mount any storage device. The second key is "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters", where "SanPolicy" has to be set to "3". With both keys set, no storage device is mounted automatically; the storage drive the examiner needs has to be mounted manually with the command-line tool DiskPart, while the evidence drive does not need to be mounted at all for imaging or forensic access.

Testing by various people in the forensic community has shown that merely mounting the volume causes no write access to the evidentiary media. However, mounting the partition (even in read-only mode) may cause some writing, depending on the type of filesystem, for example the Linux/UNIX journaling filesystems ext3/4 and ZFS (the potential modification is a documented 4-byte change to data not created by the user). At present the most likely explanation for this effect lies in the writing of a "drive signature". In-depth testing is still ongoing.
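The page describes building WinFE with WAIK batch files but does not show one. As an added example (not from the wiki page or from WinFE's authors), the following batch file applies the two registry changes described above to an offline WinPE image: it mounts the image with DISM, loads the image's SYSTEM hive under a temporary key, writes NoAutoMount=1 and SanPolicy=3, reads both values back before committing, and discards the image if either read-back fails, so that a medium with the wrong values never gets written. The image path, mount directory and temporary hive name are assumptions; it expects WAIK's dism.exe and the built-in reg.exe on the PATH of an elevated command prompt.

```batch
@echo off
REM Added example, not from the ForensicsWiki WinFE page: set the two WinFE registry
REM values in an offline WinPE image. WIM, MOUNT and HIVE are assumed/constructed names.
setlocal
set WIM=C:\winpe_x86\winpe.wim
set MOUNT=C:\winpe_x86\mount
set HIVE=HKLM\WinFE_SYSTEM

if not exist "%MOUNT%" mkdir "%MOUNT%"

REM 1. Mount the WinPE image read-write (winpe.wim holds a single image, index 1)
dism /Mount-Wim /WimFile:"%WIM%" /Index:1 /MountDir:"%MOUNT%"
if errorlevel 1 goto :fail

REM 2. Load the image's SYSTEM hive under a temporary key; the offline hive has
REM    no CurrentControlSet, so the page's ControlSet001 paths are used directly
reg load %HIVE% "%MOUNT%\Windows\System32\config\SYSTEM"
if errorlevel 1 goto :unmount_fail

REM 3. NoAutoMount=1: the Mount Manager does not mount volumes or assign letters by itself
reg add "%HIVE%\ControlSet001\Services\MountMgr" /v NoAutoMount /t REG_DWORD /d 1 /f
REM 4. SanPolicy=3: newly discovered disks are left offline until brought online with DiskPart
reg add "%HIVE%\ControlSet001\Services\partmgr\Parameters" /v SanPolicy /t REG_DWORD /d 3 /f

REM 5. Read both values back before committing; any mismatch means the medium is not forensic
reg query "%HIVE%\ControlSet001\Services\MountMgr" /v NoAutoMount | find "0x1" >nul || goto :bad_value
reg query "%HIVE%\ControlSet001\Services\partmgr\Parameters" /v SanPolicy | find "0x3" >nul || goto :bad_value

reg unload %HIVE%
dism /Unmount-Wim /MountDir:"%MOUNT%" /Commit
echo WinFE registry settings applied and committed to %WIM%.
goto :eof

:bad_value
echo Read-back of NoAutoMount/SanPolicy failed; discarding image changes.
reg unload %HIVE%
:unmount_fail
dism /Unmount-Wim /MountDir:"%MOUNT%" /Discard
:fail
echo WinFE build failed.
exit /b 1
```

After booting the resulting medium, the same two `reg query` lines (against HKLM\SYSTEM\CurrentControlSet instead of the temporary hive) and `list disk` in DiskPart, which should show every disk as Offline, are the quickest check that the image really carries the settings before it is used on evidence.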

== Resources ==

* Windows Forensic Environment blog: [http://www.winfe.wordpress.com]
* Article on Win FE in Hakin9 magazine 2009-06 [http://hakin9.org]
* Step-by-step video to create a Win FE CD [http://www.youtube.com/v/J3T5wnPiObI]
* WinPE Technical Reference: [http://technet.microsoft.com/en-us/library/dd744322(WS.10).aspx]
* Windows Automated Installation Kit: [http://www.microsoft.com/downloads/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&displaylang=en]