Brett Shavers | Ramblings

FEB 28

OSForensics

Posted by Brett Shavers in Digital Forensics
Giving more usability to WinFE, OSForensics has several features that I can see being beneficial in triage of a system. OSForensics can be run on a live system (not the optimal decision in most cases), on a mounted image, or in a forensically booted WinFE system.



The program's interface is simple and encompasses quite a bit of the basic forensic processes (searching, indexing, hashing, etc.). Of particular interest is that some of these standard forensic processes can easily be used in a WinFE booted system for basic triage.

As an example, a scan for image files on the suspect computer can be conducted with OSForensics. This type of triage may certainly help determine which computer systems contain illicit images and need forensic analysis.

Another feature that can benefit cases is indexing. OSForensics allows for indexing of files, including email (pst, mbox, msg, eml, and dbx), for keyword searches. Searches can also be restricted by date ranges.

Although OSForensics doesn't appear to be as powerful as a tool such as X-Ways Forensics, I definitely foresee a place where it can be used, particularly in a First Responder role.
FEB 25

WinFE Demo Online

Posted by Brett Shavers in Digital Forensics

I'll be giving a demo of WinFE to www.ctin.org on March 10 (online). I'll be showing some neat developments in the work as well as discussing how to solve build problems.



There are a few spots left, and you have to be a CTIN member to view the presentation. But maybe it is worthwhile to join anyway, as almost all the training is free to members.

FEB 15

But does it do Mac?

Posted by Brett Shavers in Digital Forensics


Just to clear up any questions on whether WinFE can 'do a Mac': well, it can. And Linux too. And of course it can do Windows as well. As long as the machine can be booted to a WinFE CD or USB, you can image the hard drive. Actually, you can do a whole lot more than just image it: you can triage it, preview it, search it, or just copy files and folders from it. If the drive is encrypted and you have the key, you can access the drive. And what about VSS (Volume Shadow Service/Copies)? You can access those too, all through WinFE.

I can promise that as soon as you build a WinFE CD or bootable USB, you will regret not having done it months or years earlier (it's been around since 2008). And if building a forensic boot OS makes you hesitate at all, there is no need, because if you use WinBuilder, it is as simple as pointing and clicking to fully customize your Windows FE CD or bootable USB.
Recent Comments
Guest — Andreas D
I think as long as the suspicious machine has an Intel architecture, Windows FE will boot. And from there, the tools will work...
Tuesday, 15 February 2011 14:18
Guest — Brett Shavers
You are completely correct on why WinFE can boot to a Mac (Intel Macs anyway). And that is one of the reasons WinFE is such a pow...
Friday, 18 February 2011 14:40

© 2023 Brett Shavers