Brett Shavers | Ramblings

APR 05

Mini-WinFE 10 and WinFE 10 Updated

Posted by Brett Shavers in Digital Forensics

The short story on the newest Mini-WinFE 10 (aka, the download link):

Mini-WinFE has been updated and upgraded. I update WinFE developments (including the downloads for Mini-WinFE) at https://www.patreon.com/posts/34814255. The Mini-WinFE builder is a free download.


Are forensic bootable OSs still useful today?

Depending on who you ask, forensic bootable OSs are either extremely valuable or of no practical use. The answer is based on your job, which is why WinFE works great for some and not at all for others. For traditional forensics on deadbox machines, WinFE has a place. In ediscovery matters for data collection, WinFE certainly has a place with custodian machines. For devices that can’t be imaged or accessed other than by booting the machine, WinFE has a solid place in the DFIR toolbox. If your job does not involve imaging machines in a forensically sound manner, then WinFE may not be useful to you. The value of WinFE depends solely on whether you can use it in your job.

What is (Mini) WinFE?

WinFE (Windows Forensic Environment) is a forensically sound, bootable Windows operating system, created by Troy Larson and built using a string of command lines. In short, Troy turned WinPE into WinFE.

Mini-WinFE is an easier method of building a WinFE that gives a fuller version of WinPE. I selected WinBuilder, a project in use for years for customizing WinPEs, as the WinFE building project. A smaller, lighter, quicker build (Mini-WinFE) became the de facto WinFE build because of ease of build and ease of use. Mini-WinFE has now moved to PE Bakery, with Misty updating the Mini-WinFE project and Colin Ramsden updating the Write Protect Tool.
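What makes a WinPE a WinFE is that the booted system must not touch the evidence disks. As an added example (not code from the WinFE, Mini-WinFE or Write Protect Tool projects), here is a PowerShell check an examiner could run inside a booted WinFE before starting an acquisition. It reads the two registry values that the classic WinPE-to-WinFE modification sets in the SYSTEM hive (a SAN policy of 3, OfflineAll, so newly attached disks arrive offline, and NoAutoMount = 1, so volumes are not auto-mounted); those values come from my knowledge of the WinFE build documentation, not from this post. It then confirms that every physical disk not explicitly allowed is offline. It assumes the build includes WinPE's PowerShell and storage (WMI) packages, which Mini-WinFE may not, and the `-AllowedOnline` parameter name is my own.

```powershell
# Added example: pre-acquisition write-protection check for a booted WinFE.
# Not part of WinFE, Mini-WinFE or the Write Protect Tool. Assumes the WinPE
# build carries the PowerShell and storage WMI packages (Get-Disk needs them).
# Exit code 0 = safe to start imaging, 1 = stop and fix write protection first.

param(
    # Disk numbers the examiner deliberately brought online (e.g. the
    # destination drive that receives the image). Everything else must be offline.
    [int[]]$AllowedOnline = @()
)

$problems = @()

# 1. Registry posture. These are the build-time changes that turn WinPE into
#    WinFE: SanPolicy 3 (OfflineAll) and NoAutoMount 1 (no automatic drive letters).
$partmgr  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\partmgr\Parameters' -ErrorAction SilentlyContinue
$mountmgr = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mountmgr' -ErrorAction SilentlyContinue

if ($null -eq $partmgr -or $partmgr.SanPolicy -ne 3) {
    $problems += "SanPolicy is '$($partmgr.SanPolicy)' (expected 3 = OfflineAll)"
}
if ($null -eq $mountmgr -or $mountmgr.NoAutoMount -ne 1) {
    $problems += "NoAutoMount is '$($mountmgr.NoAutoMount)' (expected 1)"
}

# 2. Live disk state. The registry only controls what happens at attach time;
#    a disk may have been brought online by hand since boot, so check each one.
foreach ($disk in Get-Disk) {
    $label = "Disk $($disk.Number) [$($disk.FriendlyName), $($disk.BusType), $([math]::Round($disk.Size / 1GB)) GB]"

    if ($AllowedOnline -contains $disk.Number) {
        Write-Host "$label online by examiner choice"
        continue
    }
    if (-not $disk.IsOffline -and -not $disk.IsReadOnly) {
        $problems += "$label is ONLINE and WRITABLE"
    } elseif (-not $disk.IsOffline) {
        # Read-only online is still not the WinFE posture; offline is what we want.
        $problems += "$label is online (read-only); take it offline before imaging"
    } else {
        Write-Host "$label offline - OK"
    }
}

if ($problems.Count -gt 0) {
    Write-Host "WRITE-PROTECTION CHECK FAILED:"
    $problems | ForEach-Object { Write-Host "  - $_" }
    exit 1
}
Write-Host "All evidence disks offline and registry posture matches WinFE. Safe to proceed."
exit 0
```

Run it as `.\Check-WinFE.ps1 -AllowedOnline 2` (file name and disk number are examples) after the Write Protect Tool has been used to bring the destination disk online; a non-zero exit is the cue to stop before any imaging tool touches the evidence.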

Mini-WinFE 10

WinFE 10 is the most substantial improvement to WinFE since its inception by Troy Larson. Colin Ramsden did an amazing job of completely updating the WinFE Write Protect tool in his build project and with the WinFE acquisition of ARM devices. The next phase of WinFE 10 was to implement Colin Ramsden’s upgraded write protect app in the WinBuilder build of Mini-WinFE. In this most recent improvement of Mini-WinFE, PE Bakery was chosen as an improved replacement for WinBuilder. Both Colin and Misty have now updated Mini-WinFE with Colin’s latest Write Protect tool.

The primary difference between Mini-WinFE and WinFE 10 is that the Mini-WinFE build, unfortunately, does not acquire ARM devices as Colin’s WinFE 10 build does. However, Mini-WinFE is easier and faster to build, which is great for anyone needing a WinFE but not needing an ARM WinFE (WinFE 10).

WinFE 10

Using Colin Ramsden’s build of WinFE 10, you have the new capability to image ARM devices. He also completely updated his write protect tool, and his build method includes a new forensic imaging tool that works on ARM. That is 100% cool.

For the build download of Colin’s new WinFE, check out Colin’s website, https://www.winfe.net/.


WinFE Resources

WinFE Documentation

Ultimate Cheats! Windows Forensic Environment (https://www.amazon.com/Ultimate-Cheats-Windows-Forensic-Environment/dp/1790322782). Covers all-things-WinFE and is a good reference to building all versions of WinFE, from the first version to the current WinFE 10 version.

DFIR books: Multiple books have referenced WinFE, but few (if any) have details on how to build a WinFE.

Training

If you are in law enforcement (LE), there are a few sources of WinFE training:

  • SEARCH: https://www.search.org/get-help/training/high-tech-crime-investigations/instructor-led-training/windows-forensic-environment/
  • RCFL: https://www.rcfl.gov/orange-county/training-schedule/secure-techniques-for-on-site-preview-stop-nw3c
  • Others: as part of FLETC, IACIS, short conference presentations, and others.

For non-LE, training is even scarcer, but you may be able to find WinFE incorporated in some college-level forensic programs.

An online WinFE course, which includes printable proof of completion, is available as part of a Patreon subscription at https://www.patreon.com/DFIRtraining. The work-at-home/stay-at-home special of 60% off is ongoing and includes other courses too. The curriculum of the online course can be seen at http://courses.dfironlinetraining.com/windows-forensic-environment-winfe.

The future of WinFE

Until/unless a day comes when devices cannot be booted forensically, WinFE will continue to be a useful tool in your DFIR toolbox. WinFE has been around for over a decade, used to acquire evidence in both civil and criminal cases worldwide, taught everywhere, noted as a community accepted forensic tool in many DFIR books, and is awesome as an acquisition tool!

 

 

 

Tags: winfe

Recent Comments

Guest — Jeff E. (Friday, 24 April 2020 11:31): Hi Brett, wondering if there is a way to add the .NET Framework to a Mini-WinFE build?

Brett Shavers (Friday, 24 April 2020 12:02): There is, but it is not easy. I remember seeing a WinBuilder script at one point, but do not know if it worked. Microsoft says i...
JAN 18

Eat your broccoli first

Posted by Brett Shavers in Digital Forensics

Something good and something not-so-good on learning DFIR

The good thing about learning DFIR is that there are probably fewer barriers and obstacles to learning and gaining skills in this career than in almost any other professional career.

*  Resources are plentiful (thousands of websites, hundreds of books, colleges, trade schools, etc.).

*  Skills (aka competence) are generally more important than pieces of paper (i.e., certifications).

*  The DFIR field is segmented into many specific jobs (at least one surely fits you best!).

The not-so-good thing is the time and effort needed. Plus, it is scary because the time, effort, and money involved are a virtual unknown when you start out. Then again, anything worthwhile is worth the effort and time. The time and effort needed is actually the most common obstacle everyone faces in getting into the DFIR field. Keep in mind that no matter which path in DFIR you embark on, you have a lot of barrels to jump over and they just keep coming. Sometimes it seems there are so many that you feel you will never make it. Everyone gets frustrated. Many give up. Some keep going (this is you).

Let’s get something out of the way first

In this game of getting into DFIR, or growing your skills in DFIR, everyone has to jump over the same barrels, meaning there are subjects and skills that you must learn, just like everyone else. No one has a shortcut to reach the end. (PS: there is no end to what you need to learn to stay relevant and current.) There is one tip that I found to work for me that might work for you. By the way, I am far from perfect, far from the smartest, and far from the best. It feels like I have to work twice as hard as everyone else, but I realize that everyone has to work hard regardless of who you are or what your background experience may be.

First things first.

Keeping your DFIR skills up is no easier than it is to get the skills in the first place. We each know that because we know how difficult it is to get started. We are reminded of this sometimes-painful trek into DFIR each time we hear the question asked, “How do I get started?”.

As for me, with anything that I have wanted to learn, the first lesson I learned still applies today as it did the first time I really wanted to learn. That lesson is:

Eat your broccoli first.

Translated, this means to first do the things that you don’t want to do but know have to get done. Get it over with as quickly as possible. Push yourself through it. Your desire to only do what you want to do and not do what you don’t want to do is not only irrelevant, it is counterproductive. But how does that apply in the DFIR world?

The broccoli

If you love broccoli, then broccoli is a bad analogy. But I think you see my point. I am not the biggest fan of broccoli, so when it is on my plate, I eat it first, because I don’t like it. I like the health benefits, but not the broccoli itself. But I know that by eating it first, I won’t have to suffer eating it later when it is cold and staring me in the face for 20 minutes after I have finished eating my steak. To be fair, by eating my broccoli first for years, I now like it.

In DFIR, we have lots of ‘broccoli’ to eat. Hexadecimal may be one for you (unless you liked hex from the beginning). Basic computer repair (A+) may be another. Network topology may be another one for you. And the list goes on. The things that are not exciting, but necessary to do the DFIR work, must be learned; otherwise, they will stare at you later as you regret not mastering these topics first.

Luckily, in the broad category of DFIR, you can avoid much of what you might not like if you choose your job carefully. I doubt you can avoid the broccoli altogether, but you can minimize quite a bit by avoiding the types of jobs that require learning what you don’t want to learn. But generally, across the board, there are quite a few topics in DFIR that everyone should know. Some of the topics fall into the “must know” category. Other topics are specific to the type of job within the broad category of DFIR.

The way I handle the topics that bore me, or that I don’t initially think are important, is to make those topics a priority. Learn them. Become competent enough, and then move on to the things that I want to do. Otherwise, if you skip over the basics or the boring things, the day will come when you will suffer for having not done the first things first.

Programming (your brain)

For me, at this stage of life and work, I actually like the boring topics, because I have seen where a basic fundamental aspect of DFIR will cinch a case shut. Many in the field skip the basics and that is where the big failures come. I have also seen some turn a “basic” forensic thing into a whole new world of how to do forensics.

Let me reiterate

*  There is no free lunch.

*  You cannot fake competence (for long).

*  You can’t buy competence.

*  You can’t buy experience.

*  You can’t buy knowledge.

*  You can’t buy determination.

*  You can’t buy dedication.

*  There are no shortcuts.

 

I screwed up

If I don’t catch myself making an error somewhere at some point, that means I am missing my mistakes. We all make them because we are human. The people who claim to never have made a mistake, or an oversight, or any fragment of an error only fool themselves.

The path to learning DFIR, whether new to the field or in it for decades, resembles the act of shopping for a car. Or dishes. Or groceries. Or a computer. No matter which thing you choose to buy at the time, eventually you discover that you should have bought something different or at a different place for a better price. That is the way it works buying things and the way it works learning things. Some of the things work out. Some were not the best idea. But sometimes you need to have your path diverted intentionally, inadvertently, or unknowingly in order to get where you need to be.

Some of my greatest hits of learning DFIR screwups

*  Studied like crazy for a cert and failed just as crazily. Then failed again. I even failed a third time. Just call me Rocky.

*  Did not study at all for a cert due to overconfidence (arrogance, probably) and failed just as miserably. Twice.

*  Paid for certs that did absolutely nothing for me because 'everyone' says you need these.

*  Refused to get a specific cert out of spite even though it probably would have helped me get hired.

*  Renewed the same certs…for no good reason other than acronyms to put on a CV.

*  Paid for membership in “high tech” orgs that provided nothing more than a certificate of membership.

*  Paid for a cert that required no test, no exam, nothing. Too embarrassed to ever write that one on my CV.

*  Paid for an expensive course that was WAAAAYYYY above my level at the time. Gained practically nothing in the course.

*  Paid for an expensive course that was WAAAAAYYY below my level at the time. Also gained practically nothing in the course.

*  Bought expensive software and hardware that I didn’t need, but everyone said that I did.

*  Didn't buy expensive software and hardware that I knew I needed, wrongly assuming that I could use other software and hardware.

*  Did not listen to advice from experienced mentors.

*  Listened to advice from experienced mentors (sometimes it works, sometimes it doesn’t…).

*  Took on cases that I ‘assumed’ I could handle, resulting in hiring people who could actually handle the cases that I assumed I could do.

*  Take the above listed items, multiply by a factor of 4, maybe 5 or 6, and that's my life in learning DFIR.

 

But with that, a few neat things happened along the path:

*  Hired to teach forensics at a university that rejected me as a student several years prior.

*  Hired to teach forensics to a federal agency (same agency that also didn’t hire me when I applied…).

*  Turned down a request to apply to that same federal agency that didn’t hire me (life had changed in a different & better direction).

*  Taught forensics to a packed room of PhDs who teach forensics, yet never did forensics, but wanted to learn forensics!

*  Met some of the smartest people in the world in this field, and most all have been great people!

*  Worked some of the most amazing types of cases with incredible government agencies and law firms from class action litigation to the “T” type cases (if you worked in an alphabet agency, you probably know what I mean by T…….. case).

Perceptions change

Here is how I initially looked at everyone who was working in DFIR (even before ‘DFIR’ was coined):

Wow. They are so lucky. They had all the opportunities. They must all be geniuses. They must have had it so easy their entire life. I am so unlucky compared to them. Life is so unfair. I have to work so much harder to get where they are at. They are younger than me (or older), taller (or shorter) than me. You name it, I thought it. I feel pretty stupid thinking today about what I was thinking about all the DFIR folks at that time...

Here is how I look at them now:

They had to have worked hard. They had to have had amazing obstacles to overcome. They most likely had personal issues to handle at the same time as learning this work. They struggled like me. They most certainly are determined. They most certainly know that you have to put in the work. They are definitely still learning. They surely know that they don't know everything and never will. They all had different paths, and every path had its own obstacles and challenges. They also know to eat the broccoli first.

DEC 26

The Second Decade of the 2000s is almost over!

Posted by Brett Shavers in Digital Forensics Books

We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has grown drastically! Whether you were born during this period or have been doing DFIR work throughout it, much has been going on.

We’ve gone from “pull the plug and image the entire drive” to “fit the process to the totality of the situation”. Processes and methods have grown exponentially alongside what we keep learning about digital forensics. Whether we are triaging terabytes of data prior to collection or doing live examinations involving volatile memory, the field has grown quickly over the past two decades compared to simply imaging hard drives (which we still do, of course).

Let’s fly over just some of the highlights of only a few of the areas. Keep in mind that there is so much that has happened, that I only selected a few of the major highlights to emphasize the growth and changes.

Books

The number of books in a certain field is generally a good indication of that field’s growth and development. The digital forensics field of books is no different.

2001  Warren Kruse tested the waters with Handbook of Computer Crime Investigation.

2007  Harlan Carvey waded in with Windows Forensics Analysis (the FIRST edition).

2010  Into the second decade, many others jumped in headfirst writing books (including me!).

2019  Before the end of the second decade of the 2000s, we had an amazing flood of great books on practically every topic and sub-topic in the DFIR world, in the form of ebooks, print books, guidebooks, and textbooks. There is almost no book that you cannot find that focuses on a specific subtopic of DFIR.

Software

The forensic software that started in the last two decades is incredible. Practically anything in use today has only been around for less than 20 years, with not too many choices in the beginning of the century. Many of these tools used today have only been around for less than 10 years!

2000  Computer forensics was mostly DOS-based, command-line tools, like those from NTI and Maresware!

2002  Belkasoft opens its doors with a forensic suite and continues to grow!

2003  You could buy AccessData’s FTK (version 1) for $795!

2004  EnCase version 4, and it was about $2500!

2004  X-Ways Forensics was born from WinHex (and was less than $350!).

2008  Troy Larson developed the Windows Forensic Environment (WinFE) and it remains free today.

2011  Magnet Forensics sprouted from a small forensic tool (Internet Evidence Finder) and company (JADSoftware) into a full-fledged forensic company.

2019  Over a thousand shareware, freeware, open source, and commercial DFIR tools are available today, with most of them listed on DFIR Training. Developers are creating and releasing forensic tools at an astronomical rate, like Eric Zimmerman’s constant showering of amazing forensic applications!

Degrees & Certifications

From having no degrees in “digital forensics” to being able to choose from any level of degree in Cybersecurity, Digital Forensics, etc… across the globe.  We’ve also created more “cyber/DFIR” certifications than any one person could ever hope to earn in a single lifetime.

2004  The University of Washington launched a computer forensics certificate program.

2019  Practically every major university and college now offers one or more degrees in cybersecurity, digital forensics, network forensics, cyber security management, and security. Many are listed here: https://www.dfir.training/educational-map

Law enforcement & Military

Sure, there were some forensic cases in the 80s and 90s, but the forensic investigation world didn’t really pick up in law enforcement until this century. Where digital forensics in criminal cases was the outlier before, it has been a central focus now for many investigations.

2000  FBI creates Regional Computer Forensic Laboratories.

2009  The United States Cyber Command was created! The military branches each created their own cyber units under US Cyber Command!

2019  Virtually every federal, state, and local law enforcement agency adds digital forensics processes to cases involving electronic evidence (whether conducted in-house, by cooperating agencies, or by contracting work to private analysts). Rarely does any case not consider electronic evidence as part of the investigation process.

Famous cases

2000  Michelle Theer: E-mails documented a conspiracy to murder her husband.

2002  Scott Tyree: Kidnapped and imprisoned 13-year-old Alicia Kozakiewicz. Case solved via a Yahoo screen name and IP address.

2003  Zubulake v. UBS Warburg: This case set the stage for electronic discovery cases!

2005  Dennis Rader, the "BTK" serial killer: Case broken by the metadata of a deleted Microsoft Word document on a floppy disk! Software used: EnCase!

2011  Capture of Bin Laden: Who knows what intelligence came out of all the collected electronic evidence items (10 hard drives, 5 computers, and over a hundred storage devices) from the Bin Laden operation? Certainly something!

2019  Digital forensics has solved more cases than ever before, sometimes being the only evidence in a crime. It may be fair to say that more crimes were solved in 2019 than were solved in the entire first decade of this century.

Malware and Ransomware

Cybercrime is regular crime on nitrous. Where one criminal can physically victimize only one or a few people in real life, connected computers and devices make it easy for one criminal to remotely victimize hundreds or millions of people. The past two decades prove this to be true more than ever before.

2004  Virus.Win32.Gpcode: Early ransomware that scanned and encrypted a user’s documents and then deleted the original files. It had a short life due to being easy to detect and crack.

2011  Trojan WinLock: Locked users out of their Windows computers until they called a scam line that racked up a large phone bill to ‘reactivate’ Windows.

2017  WannaCry: Yes, this one made you want to cry. It affected hundreds of thousands of computers in dozens of countries, with losses in the hundreds of millions of dollars!

2017  LeakerLocker: Not to ignore mobile devices, here is one that targeted Android devices and threatened to share the phone’s contents with all the user’s contacts unless a fee was paid…

Websites

The Internet, for all its faults in facilitating cybercrime, also has been the primary means of investigators sharing information to fight cybercrime. From humble beginnings of one or two digital forensics forums to now an endless supply of websites, the DFIR Internet has grown into a worldwide force of sharing powerful weapons against crime.

2002  Forensic Focus begins! The most popular digital forensics forum is still going strong!

2003  e-evidence.info curates a massive amount of PDFs and forensic news links. Sadly, it went offline.

2005  Forensicswiki.org opens its doors! Although it has disappeared and reappeared over the years, the wiki is back.

2016  DFIR Training lets loose with the most comprehensive list of DFIR software and grows into one of the most popular DFIR websites on the Internet, curating “All Things DFIR”.

2017  AboutDFIR.com gets a website! From a Google Docs spreadsheet to a website, another resource of DFIR curated content goes online.

2019  The Internet is flush with DFIR resources: websites and forums, plus Reddit, GitHub, Slack, and Discord.

Magazines

This is one area where I have unfortunately not seen much growth. I suspect it is due to the number of online resources, but still, DFIR became important enough in these two decades to warrant magazines!

2007  The Digital Forensics Magazine (website) goes online.

2012  eForensicsMag, another magazine focused on digital forensics.

Operating Systems

Even from just a high-level overview of the systems that are interrogated with DFIR processes, we have come a long way. Many of those working in DFIR judge their time in the field by the OS version they first examined.

2000  Windows ME and Windows 2000. Oh my!

2001  Mac OS X 10.0 (Cheetah) and Windows XP.

2015  Windows 10.

2019  Mac OS 10.15 (Catalina) and Windows Server 2019.

Mobile Devices

In 2001, I sat in a briefing at CRIMES in Portland, Oregon, about how cell phones would play a major part in crime and forensics in the coming years. The speaker (from AT&T?) said that he believed cell phones would be the most prevalent, most used, and most valuable pieces of criminal evidence for the next 25 years. To be honest, as I looked at the Nokia in my hand, I took those words lightly. Now, I wish that I had paid more attention in that briefing…

2000  The Nokia 5110. It made calls and you could play Snake on it. Forensics was not a thing with this mobile device.

2007  The iPhone was introduced. A computer in your pocket, meaning a new world of mobile forensics.

2019  Mobile devices spanning a range of operating systems, styles, designs, storage capacities, Internet connections, unlimited data, and virtually the same applications as on a consumer desktop computer are now the norm. Mobile device forensics is practically its own field in digital forensics.

Hard Drives

The storage capacity of hard drives directly impacts a forensic analysis, as the larger the hard drive, the more data it is likely to contain to sift through in order to find evidence. Of course, high-end computers and efficient forensic software minimize this impact, but then again, massive amounts of data are still massive amounts of data.

2000  The size of most common hard drives in consumer PCs was less than 50GB.

2003  Seagate produced the first serial ATA drive.

2005  Hitachi developed the first 500GB drive.

2010  When the terabyte barrier broke, for around $100 you could get a 1.5 terabyte drive.

2013  Solid state drives are out and cost less than $100 (but that’s only for about a 128GB drive).

2019  You can grab an 8-terabyte HDD for less than $200.

Jobs

From very few jobs (outside law enforcement) in 2000 to now having an entire field of DF and IR where positions are unfilled due to shortages of applicants. The degrees of specialty have gone from simply working as a ‘computer forensic specialist’ to being able to specialize by operating system, type of device, or type of work (forensics, incident response, electronic discovery, etc.).

The next decade and beyond

My intention with this post was not just to show how amazingly the DFIR field grew in just two decades, but also that the next decade will most certainly dwarf the previous two decades in terms of new software, processes, discoveries, and information shared in books and online.

My other intention in this post is to ignite a spark in the new generation of DFIRers (age irrelevant!) to develop these future improvements, developments, and inventions! Anyone, and I mean anyone, can change the direction of this field with a seemingly small piece of information or with a huge deviation from the way things have been done.

We are still in the heyday of DFIR with lots more to figure out. Fortunately, we have outstanding people in DFIR who break new ground, blaze trails, share discoveries, and help all of us move forward.

 


DFIR Training

Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.



© 2023 Brett Shavers