Difference between pages "WinFE" and "Plaso"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Technical Background and Forensic Soundness)
 
(File Formats)
 
Line 1: Line 1:
 
{{Infobox_Software |
 
{{Infobox_Software |
   name = Windows Forensic Environment |
+
   name = plaso |
   maintainer = [[Windows Forensic Environment Project]] |
+
   maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
   os = {{Windows}} |
+
   os = [[Linux]], [[Mac OS X]], [[Windows]] |
   genre = {{Live CD}} |
+
   genre = {{Analysis}} |
   license = unknown |
+
   license = {{APL}} |
   website = http://winfe.wordpress.com |
+
   website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
 
}}
 
}}
  
 +
Plaso (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended to be applied for creating super timelines but also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].
  
'''Windows Forensic Environment''' - a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis.
+
The Plaso project site also provides [[4n6time]], formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by [[David Nides]].
                                             
+
== Windows Forensic Environment ("WinFE") ==
+
  
WinFE was developed and researched in 2008 by Troy Larson, Sr Forensic Examiner and Research at Microsoft [http://www.twine.com/item/113421dk0-g99/windows-fe].  WinFE is based off the Windows Pre-installation Environment of media being Read Only by default.
+
== Supported Formats ==
It works similar to Linux forensic CDs that are configured not to mount media upon booting. 
+
However, unlike Linux boot CDs, with Win FE one can use Windows based software. Thus it is possible to include various forensic software and general portable utilities.
+
WinFE can also be configured to boot from a USB device, should the evidence computer have the ability to boot to USB.
+
  
WinFE can be customized to the examiner's needs through batch files using the Windows Automated Install Kit (WAIK) or through 3rd party utilities such as WinBuilder [http://reboot.pro].
+
=== Storage Media Image File Formats ===
+
Storage Medis Image File Format support is provided by [[dfvfs]].
Some examples of Windows based forensic utilities that can run in the Windows Forensic Environment include:
+
* X-Ways Forensics [http://www.x-ways.net],
+
* AccessData FTK Imager [http://www.accessdata.com],
+
* Guidance Software Encase [http://www.guidancesoftware.com],
+
* ProDiscover [http://www.techpathways.net],
+
* RegRipper [http://www.RegRipper.wordpress.com].
+
  
A write protection tool developed by Colin Ramsden was released in 2012 that provides a GUI for disk toggling [http://www.ramsdens.org.uk/].  Colin Ramsden's write protect tool effectively replaces the command line to toggle disks on/offline or readonly/readwrite.
+
=== Volume System Formats ===
 +
Volume System Format support is provided by [[dfvfs]].
  
== Technical Background and Forensic Soundness ==
+
=== File System Formats ===
 +
File System Format support is provided by [[dfvfs]].
  
Windows FE is based on the modification of just two entries in the Windows Registry.
+
=== File Formats ===
The first key is located at "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr". The DWord "NoAutoMount" has to be set to "1".
+
* [[Property list (plist)|Binary property list (plist) format]] using [[binplist]]
By doing this the Mount-Manager service will not automatically mount any storage device.
+
* [[Extensible Storage Engine (ESE) Database File (EDB) format]]using [[libesedb]]
The second key is "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters" where "SanPolicy" has to be set to "3".
+
* [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
While both keys will avoid the mounting of storage devices the user has to mount the storage drive manually by using the command-line tool DiskPart, while the evidence drive does not need to be mounted for imaging/forensic access.
+
* [[OLE Compound File]] using [[libolecf]]
 +
* [[Windows Event Log (EVT)]] using [[libevt]]
 +
* [[Windows NT Registry File (REGF)]] using [[libregf]]
 +
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
 +
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]
 +
* Syslog
  
The latest modification (New for Windows 8) to the registry is SAN policy 4.  SAN policy 4 Makes internal disks offline. Note. All external disks and the boot disk are online.
+
<b>TODO expand this list</b>
  
Testing has shown that mounting a '''volume''' in READ ONLY mode will write a controlling code to the disk, whereas mounting a '''disk''' in READ ONLY mode will not make any changes.  Depending on the type of filesystem there is a potential modification to the disk with a documented 4-byte change to non-user created data. This modification exists for non-Windows OS disks, where Windows (FE) will write a Windows drive signature to the disk, although it is not shown to be consistent.  Various issues with Linux Boot CDs can be compared [http://www.forensicswiki.org/wiki/Forensic_Linux_Live_CD_issues] ).
+
== History ==
 +
Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [[libyal]] and other projects.
  
== Resources: ==
+
== See Also ==
 +
* [[dfvfs]]
 +
* [[log2timeline]]
  
* Windows Forensic Environment blog:  [http://www.winfe.wordpress.com]
+
== External Links ==
* Article on Win FE in Hakin9 magazine 2009-06 [http://hakin9.org]  
+
* [https://code.google.com/p/plaso/ Project site]
* step-by-step Video to create a Win FE CD [http://www.youtube.com/v/J3T5wnPiObI]
+
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
* WinPE Technical Reference: [http://technet.microsoft.com/en-us/library/dd744322(WS.10).aspx]
+
* [http://blog.kiddaland.net/ Project blog]
* Windows Automated Installation Kit:  [http://www.microsoft.com/downloads/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&displaylang=en]
+
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]
* WinFE Write Protect tool [http://www.ramsdens.org.uk/]
+

Revision as of 03:21, 3 June 2014

plaso
Maintainer: Kristinn Gudjonsson, Joachim Metz
OS: Linux, Mac OS X, Windows
Genre: Analysis
License: APL
Website: code.google.com/p/plaso/

Plaso (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended to be applied for creating super timelines but also supports creating targeted timelines.

The Plaso project site also provides 4n6time, formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by David Nides.

Supported Formats

Storage Media Image File Formats

Storage Medis Image File Format support is provided by dfvfs.

Volume System Formats

Volume System Format support is provided by dfvfs.

File System Formats

File System Format support is provided by dfvfs.

File Formats

TODO expand this list

History

Plaso is a Python-based rewrite of the Perl-based log2timeline initially created by Kristinn Gudjonsson. Plaso builds upon the SleuthKit, libyal and other projects.

See Also

External Links