Difference between revisions of "WinFE"

From ForensicsWiki
Jump to: navigation, search
(Created page with ''''Windows Forensic Environmen'''t is a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis. …')
 
(21 intermediate revisions by 3 users not shown)
Line 1: Line 1:
'''Windows Forensic Environmen'''t is a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis.
+
{{Infobox_Software |
 +
  name = Windows Forensic Environment |
 +
  maintainer = [[Windows Forensic Environment Project]] |
 +
  os = {{Windows}} |
 +
  genre = {{Live CD}} |
 +
  license = unknown |
 +
  website = http://winfe.wordpress.com |
 +
}}
  
 +
 +
'''Windows Forensic Environment''' - a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis.
 
                                                
 
                                                
 
== Windows Forensic Environment ("WinFE") ==
 
== Windows Forensic Environment ("WinFE") ==
  
----
+
WinFE was developed and researched in 2008 by Troy Larson, Sr Forensic Examiner and Research at Microsoft [http://www.twine.com/item/113421dk0-g99/windows-fe].  WinFE is based off the Windows Pre-installation Environment of media being Read Only by default.
WinFE was developed and researched in 2008 by Troy Larson, Sr Forensic Examiner and Research at Microsoft.  WinFE is based off the Windows Pre-installation Environment with changes of media being Read Only by default, similar to Linux forensic CDs that are configured not to mount media upon booting.  However, unlike Linux boot CDs, Windows based software, to include various forensic software and general portable utilities, can be run from a booted WinFE disk. WinFE can also be configured to boot from a USB device, should the evidence computer have the ability to boot to USB.
+
It works similar to Linux forensic CDs that are configured not to mount media upon booting.   
 +
However, unlike Linux boot CDs, with Win FE one can use Windows based software. Thus it is possible to include various forensic software and general portable utilities.
 +
WinFE can also be configured to boot from a USB device, should the evidence computer have the ability to boot to USB.
 +
 
 +
WinFE can be customized to the examiner's needs through batch files using the Windows Automated Install Kit (WAIK) or through 3rd party utilities such as WinBuilder [http://reboot.pro].
 +
 +
Some examples of Windows based forensic utilities that can run in the Windows Forensic Environment include:
 +
* X-Ways Forensics [http://www.x-ways.net],
 +
* AccessData FTK Imager [http://www.accessdata.com],
 +
* Guidance Software Encase [http://www.guidancesoftware.com],
 +
* ProDiscover [http://www.techpathways.net],
 +
* RegRipper [http://www.RegRipper.wordpress.com].
 +
 
 +
A write protection tool developed by Colin Ramsden was released in 2012 that provides a GUI for disk toggling [http://www.ramsdens.org.uk/].  Colin Ramsden's write protect tool effectively replaces the command line to toggle disks on/offline or readonly/readwrite.
 +
 
 +
== Technical Background and Forensic Soundness ==
 +
 
 +
Windows FE is based on the modification of just two entries in the Windows Registry.
 +
The first key is located at "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr". The DWord "NoAutoMount" has to be set to "1".
 +
By doing this the Mount-Manager service will not automatically mount any storage device.
 +
The second key is "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters" where "SanPolicy" has to be set to "3".
 +
While both keys will avoid the mounting of storage devices the user has to mount the storage drive manually by using the command-line tool DiskPart, while the evidence drive does not need to be mounted for imaging/forensic access.
 +
 
 +
Testing has shown that mounting a '''volume''' in READ ONLY mode will write a controlling code to the disk, whereas mounting a '''disk''' in READ ONLY mode will not make any changes.  Depending on the type of filesystem there is a potential modification to the disk with a documented 4-byte change to non-user created data. This modification exists for non-Windows OS disks, where Windows (FE) will write a Windows drive signature to the disk, although it is not shown to be consistent.  Various issues with Linux Boot CDs can be compared [http://www.forensicswiki.org/wiki/Forensic_Linux_Live_CD_issues] ).
  
WinFE can be customized to the examiner's needs through batch files using the Windows Automated Install Kit (WAIK).  Some examples of Windows based forensic utilities that can run in the Windows Forensic Environment include; X-Ways Forensics, FTK Imager, Encase, ProDiscover, and RegRipper.
+
== Resources: ==
  
Resources:
+
* Windows Forensic Environment blog:  [http://www.winfe.wordpress.com]
WIndows Forensic Environment blog:  [http://www.winfe.wordpress.com]
+
* Article on Win FE in Hakin9 magazine 2009-06 [http://hakin9.org]
WinPE Technical Reference: [http://technet.microsoft.com/en-us/library/dd744322(WS.10).a]spx
+
* step-by-step Video to create a Win FE CD [http://www.youtube.com/v/J3T5wnPiObI]
Windows Automated Installation Kit:  [http://www.microsoft.com/downloads/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&displaylang=en]
+
* WinPE Technical Reference: [http://technet.microsoft.com/en-us/library/dd744322(WS.10).aspx]
X-Ways Forensics: [http://www.x-ways.net]
+
* Windows Automated Installation Kit:  [http://www.microsoft.com/downloads/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&displaylang=en]
Encase: [http://www.guidancesoftware.com]
+
* WinFE Write Protect tool [http://www.ramsdens.org.uk/]
FTK Imager: [http://www.accessdata.com]
+
ProDiscover:  [http://www.techpathways.net]
+
RegRipper:  [http://www.RegRipper.ne]t
+

Revision as of 05:46, 28 July 2012

Windows Forensic Environment
Maintainer: Windows Forensic Environment Project
OS: Windows
Genre: Live CD
License: unknown
Website: http://winfe.wordpress.com


Windows Forensic Environment - a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis.

Windows Forensic Environment ("WinFE")

WinFE was developed and researched in 2008 by Troy Larson, Sr Forensic Examiner and Research at Microsoft [1]. WinFE is based off the Windows Pre-installation Environment of media being Read Only by default. It works similar to Linux forensic CDs that are configured not to mount media upon booting. However, unlike Linux boot CDs, with Win FE one can use Windows based software. Thus it is possible to include various forensic software and general portable utilities. WinFE can also be configured to boot from a USB device, should the evidence computer have the ability to boot to USB.

WinFE can be customized to the examiner's needs through batch files using the Windows Automated Install Kit (WAIK) or through 3rd party utilities such as WinBuilder [2].

Some examples of Windows based forensic utilities that can run in the Windows Forensic Environment include:

  • X-Ways Forensics [3],
  • AccessData FTK Imager [4],
  • Guidance Software Encase [5],
  • ProDiscover [6],
  • RegRipper [7].

A write protection tool developed by Colin Ramsden was released in 2012 that provides a GUI for disk toggling [8]. Colin Ramsden's write protect tool effectively replaces the command line to toggle disks on/offline or readonly/readwrite.

Technical Background and Forensic Soundness

Windows FE is based on the modification of just two entries in the Windows Registry. The first key is located at "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr". The DWord "NoAutoMount" has to be set to "1". By doing this the Mount-Manager service will not automatically mount any storage device. The second key is "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters" where "SanPolicy" has to be set to "3". While both keys will avoid the mounting of storage devices the user has to mount the storage drive manually by using the command-line tool DiskPart, while the evidence drive does not need to be mounted for imaging/forensic access.

Testing has shown that mounting a volume in READ ONLY mode will write a controlling code to the disk, whereas mounting a disk in READ ONLY mode will not make any changes. Depending on the type of filesystem there is a potential modification to the disk with a documented 4-byte change to non-user created data. This modification exists for non-Windows OS disks, where Windows (FE) will write a Windows drive signature to the disk, although it is not shown to be consistent. Various issues with Linux Boot CDs can be compared [9] ).

Resources:

  • Windows Forensic Environment blog: [10]
  • Article on Win FE in Hakin9 magazine 2009-06 [11]
  • step-by-step Video to create a Win FE CD [12]
  • WinPE Technical Reference: [13]
  • Windows Automated Installation Kit: [14]
  • WinFE Write Protect tool [15]