Brett Shavers | Ramblings

JUL 09

"Remote" Collections with WinFE, a neat trick

Posted by Brett Shavers in Digital Forensics
In civil litigation, the procedures for data collection are a little more relaxed than in criminal investigations, but cost is a huge factor. Typically, criminal suspects lose custody of their seized systems and won't necessarily cooperate with the seizure of electronic evidence. Civil litigants, on the other hand, will usually maintain custody of their systems and cooperate with the data collection. With the cost of travel to simply image a hard drive or copy a folder, one hard drive can cost a client thousands of dollars in expenses.

But here is a neat trick.

1)  Ship the custodian a customized WinFE CD and an external drive.

2)  Over a phone call, walk the custodian (or IT staff) through booting the system to WinFE and plugging in the external USB hard drive.

3)  Access the forensically booted system remotely and image directly to the supplied USB external drive.

The external drive can be shipped back to you overnight. You can accomplish in minutes what would take hours and thousands of dollars (air-ground travel, meals, lodging), all without leaving the office.

There is more than one method of accessing the booted WinFE system remotely: Remote Desktop, VNC, or any number of commercial applications such as TeamViewer. Any of these methods allows you to take control of the custodian system (in the WinFE OS) and run just about any Windows-based forensic application to forensically image the custodian hard drive to the USB external drive. Or you could create containers of targeted files/folders. Or you can triage the computer to determine whether it needs to be collected at all.

Should you decide to save your client or company thousands of dollars per case, here are some tips when using this WinFE "remote" collections method:

1)  Build your WinFE with the forensic apps you need (FTK Imager, EnCase, etc.).

2)  Have a one-click connect icon on the desktop for the custodian to start the remote connection.

3)  Run a system information application on the custodian machine (WinAudit) to identify the hardware in the system. Maybe even have the custodian or IT email you a photo of the system being imaged. Store the hardware scan with the image file.

4)  Create two images (one to be shipped, one to be kept at the premises in case the shipped image is lost in transit).

In practice, you can connect to as many WinFE-booted computers as need to be imaged, one after another, all imaging to external hard drives.

Of course, not everything always works out as planned.

Custodian machines may not have a CD drive: ship a WinFE CD and a WinFE USB together, just in case.

Hard drives may be BitLocker-encrypted; you can still access the drive for imaging through WinFE. Other encrypted drives may be accessible too, depending on the setup of the system.

The custodian machine may be broken: you might have to ship the entire machine or hard drive(s), but that's still cheaper than travel expenses.

No internet access for the custodian machine: you need this for the method to work. You could always ship a wireless card with the WinFE CD and external drive.

If volatile memory such as RAM needs to be captured, this isn't your best option, or even a good one. In fact, this is not the best 'live response' method at all.

And yes, this can also be done with many of the Linux forensic boot discs. But it is certainly much easier for the majority of custodians to use a Windows FE OS if their everyday systems are also Windows. Plus, you can use just about any of your everyday Windows forensic applications.

Well, you may miss out on traveling on the client's dime, but your client will be happy (that's the goal anyway, isn't it?).

This may not be good news for anyone wanting to make easy money with travel, but in the long run, your clients (and boss, perhaps) will appreciate the savings and the speed at which this can be done. You'll also be able to get more done in a shorter period of time. That is a good thing.

Recent Comments
Guest — Howard Patterson
If you were to use something like Teamviewer, would this have to be installed on your WinFE setup?
Thursday, 12 July 2012 01:35
Guest — Brett Shavers
Not installed, only copied into the build or run from an external device. There are scripts on the reboot.pro website for Teamvie...
Thursday, 12 July 2012 02:45
Guest — Jason
Hi Brett, So I've tried running Teamviewer 5, 6 & 7 from a USB drive once booted into WinFE - both the portable and Quick support ...
Thursday, 13 September 2012 05:14
JUL 08

Adding Our Target System to Our SEAT Workstation

Posted by Brett Shavers in Digital Forensics, JustAskWeg

In this step we'll add our target system's virtual disk to our SEAT VM. We already have the target (MyImage) virtual disk that we created, and we'll add it to our system as in the next video.

Add Virtual Disk (video)

As you saw, we chose to add the disk as an independent disk in non-persistent mode.  Any changes to the disk are discarded when we power off our SEAT VM.  Actually, as we’re going to examine shadow volumes, we’re not too concerned about routine changes that our operating system may make to volumes attached to our SEAT VM.  Nothing within the shadow volumes will be changed.  Remember, we’re not out to do a general exam; for that we can use our favorite tools on our image file.

When you add the disk, VMware may present a box that warns of a hardware compatibility issue.  If my SEAT VM was created in an earlier version, I’ll get the following warning.

If you encounter this, change your SEAT hardware compatibility as in the video.  Your hardware may differ from mine, but I bring my hardware up to my current version (Ver. 8).  Choose Alter this virtual machine as your last step.


We're ready to boot our SEAT workstation and get our target ready for a shadow volume exam. In Windows, we can see our target system as Volumes E:, F:, and G:. Your volume letters may differ, as may the number of partitions on your target.

A little exploring reveals that our target's system partition is Volume F:. While the last screenshot is right above us, I want to point out a very handy feature of VMware, which is the Pause button. You can see it in the screenshot as the two vertical bars right below the File menu item. Pausing the VM freezes the action. So, if you have a number of tasks underway and don't want to shut down your SEAT VM, just pause it until you want to return to work. Remember, too, that the VMware Snapshot feature is your friend.

The first thing that I do is write-protect the target system disk. Even though the disk is non-persistent, it can still be written to during our session. It's also possible that the Volume Shadow Copy service may delete one or more of the target's shadow volumes. To write-protect our target, we'll employ Windows Diskpart, a command-line tool that's part of Windows 7. In the next video, I'll step through the process. We'll begin at the point where I entered the Diskpart shell.

Diskpart (video)

To exit Diskpart, simply type the command exit. Note that the write protection survives a hot or cold reboot. Nevertheless, you don't have to shut down your SEAT VM unless you want to make certain changes to its configuration in VMware; otherwise, you can simply use the Pause feature. Should you want to remove write protection, go through the steps in the video, but enter the command attributes disk clear readonly as the final command.
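One way to script the Diskpart write-protect step described above and confirm it took effect, as an added example that is not part of the original post. It assumes an administrator prompt in the SEAT VM, and the disk number 1 is a placeholder: confirm the target's number with list disk first, because the wrong number write-protects the wrong disk.

```powershell
# Added example, not from the original post: drive Diskpart from PowerShell to
# set (or clear) the Read-only attribute on the attached target disk and verify it.
# Run from an administrator prompt. The disk number is an assumption; confirm it
# with 'list disk' in Diskpart before running this against a real target.

function Set-TargetDiskReadOnly {
    param(
        [Parameter(Mandatory)][int]$DiskNumber,   # hypothetical: 1 = attached MyImage disk
        [switch]$Clear                             # remove the protection instead of setting it
    )
    $action = if ($Clear) { 'clear' } else { 'set' }

    # Diskpart script: the Read-only flag is a disk attribute, so it survives reboots
    $diskpartScript = @"
select disk $DiskNumber
attributes disk $action readonly
detail disk
"@
    $scriptPath = Join-Path $env:TEMP 'seat-target-readonly.txt'
    Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII

    $output = diskpart /s $scriptPath
    Remove-Item $scriptPath -ErrorAction SilentlyContinue

    # 'detail disk' reports the attribute as "Read-only  : Yes" (or "No" once cleared)
    $expected = if ($Clear) { 'No' } else { 'Yes' }
    $confirmed = ($output -join "`n") -match "Read-only\s*:\s*$expected"
    if (-not $confirmed) {
        Write-Warning "Diskpart did not confirm Read-only = $expected for disk $DiskNumber"
        Write-Warning ($output -join "`n")
    }
    return $confirmed
}

# Protect the target before touching its shadow volumes ...
Set-TargetDiskReadOnly -DiskNumber 1
# ... and only if you must, clear it again (the post's 'attributes disk clear readonly'):
# Set-TargetDiskReadOnly -DiskNumber 1 -Clear
```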

That’s it for now.  In the next post, I’ll get down to mounting and accessing the shadow volumes.  Thanks for visiting!

3 comments

  1. Gerald

    July 10, 2012 at 7:31 am

    Jimmy,

    Hello, great series and info. Have you experimented with using the SIFT to make all .E01, .AFF or .RAW images available to the Windows Forensic box for Volume Shadow analysis? I have found it to be extremely quick to set up and reliable (takes about two minutes). Successive exams are faster to setup. Corey Harrell did a posting on how to do that here: http://journeyintoir.blogspot.com/2012/05/more-about-volume-shadow-copies.html

    Reply

    • jimmyweg

      July 10, 2012 at 9:08 am

      >Have you experimented with using the SIFT
      I haven't. I do have SIFT, but I'm kind of linux-averse. It's great stuff, but I like my GUI. I'm curious about the iSCSI approach, and perhaps it will work in my Windows-based VM. I'll have to experiment. As I mentioned, I can make this work with E01s, but it's a little more work. I started down this road because I received quite a few remarks about problems with EnCase PDE and LiveView. I don't use EnCase, so I can't attest to any issues, but I did play with LiveView and prefer my "hand-built" approach. My aim, which will become a little clearer as I progress, is to do a SV exam with X-Ways Forensics. You can use any tool as long as it will run in a VM. For that matter, you can do the same thing directly in the running VM of the target that we built in my first post. XWF can be run from a thumb! You also can add the target virtual disk directly to SIFT through VMware. You'll have to let me know what you think as I proceed. Thanks.

      Reply

      • Gerald

        July 10, 2012 at 9:45 am

        >I’m curious about the iSCSI approach, and perhaps it will work in my Windows-based VM. I’ll have to experiment.

        Absolutely it will work to access VSCs. Just make sure your Win forensic box is on the same subnet as the SIFT workstation. Send me an email at [address hidden by the site] and I will send you back a short PPT on the method. Should save you a bit of experimenting time.

        Reply

Tags:
Jimmy Weg
JUN 29

Getting Ready for a Shadow Volume Exam

Posted by Brett Shavers in Digital Forensics, JustAskWeg

We have now built a virtual machine from an image of the target system. Next, we'll build a Windows 7 VM and configure it as our examination platform: the Shadow Examination and Analysis Technique (SEAT) workstation. Building the VM is basically the same as installing an operating system from scratch, and I'll go over the basic steps in the following video.

Build Base VM (video)

I installed Windows 7 Ultimate 64 from a DVD, but you can use an ISO instead of a disc. I have a library of operating systems on ISOs, as they come in handy. Please be mindful of licensing requirements. I didn't install a network adapter, but will do so later. I use as much RAM as I can afford, and you can experiment; RAM can be adjusted from a powered-off state. I like using a single, growable disk for my VM. For the most part, I set up the system as I like. I turn off User Account Control, but we must leave System Protection enabled, since that is what keeps the shadow volumes. I also set my folder view options to allow access to hidden and system files. Remember that you can use snapshots to protect the state of your VM. Below is a screenshot of my VM. I keep my frequently used tools on the desktop. Be sure to include a shortcut to the command prompt, and set it to run in administrator mode.

For you X-Ways users, you can configure your options as you do normally.  Be sure, however, to set the option to run XWF as administrator by default, and allowing multiple instances is suggested.  Remember that XWF, as most forensic suites, is USB dongle based.  When you want to work with XWF in your VM, you must connect the dongle to the VM as in the image below.

If you have more than one Feitian dongle as in the screenshot, you'll have to experiment to find the correct dongle. Then, connect it to the VM (Disconnect from host). Note that, if XWF is running in the host system, it will become aware that the dongle was disconnected and issue a notice. The easiest thing to do is close the host instances of XWF before you work in the SEAT application. Of course, if you have more than one dongle, you can work simultaneously in both environments. Note that you can install any USB devices that you wish by using the same procedure.

Note, too, that our SEAT workstation is portable. At the moment, my VM is about 18GB, so it's easily copied to another forensic workstation or USB drive. In the next post, I'll review how we mount the target VM in our SEAT workstation and begin an exam.

4 comments

  1. Derek Frawley

    August 3, 2012 at 11:05 am

    Thanks for the VM creation tutorial.
    Do you have anything that will show how to do this with E01 file(s) or multiple raw files (as mentioned in the tutorial)? Most of the images I have are E01 and take too long to re-image.

    Reply

    • jimmyweg

      August 3, 2012 at 12:32 pm

      I’ll add a post on E01s this weekend, if I have time. In any event, I’ll do that next. Thanks for the comment and suggestion!

      Jimmy
      http://JustAskWeg.com/

      Reply

  2. Scott Koehle

    July 9, 2012 at 7:03 pm

    Great Stuff, Jimmy. Thanks for taking the time to put this website together. Very Helpful.

    Scott Koehle, CFCE
    Altoona Police Department
    1106 16th St
    Altoona, PA 16601
    814-932-2588

    Reply

    • jimmyweg

      July 9, 2012 at 9:15 pm

      I'm glad that it's helpful. If you encounter any issues, please let me know.

      Reply

Tags:
Jimmy Weg

© 2023 Brett Shavers