
Brett Shavers | Ramblings

Brett's Ramblings


Digital Forensics

SEP 27

An update to a long awaited project

Posted by Brett Shavers
in  Digital Forensics
It's been a while, a long while, since anything has been added to the WinFE project, and the bad news is that nothing is new other than Microsoft not quite accepting Colin Ramsden's write protect tool. As that is not good news, both Troy and Colin are working toward a write protect application other than DiskPart that may meet Microsoft's needs for an acceptable (to Microsoft...) tool.

Sorry for the news on no news, but WinFE still works as it is; you just need to use the command line to toggle drives on/offline.
Recent comment in this post
Guest — peet
it would be possible to publish the wrapper on its own, and people are allowed to add whatever they want to their PE, FE, ..., do...
Tuesday, 27 September 2011 15:59
MAY 09

Sharing the love with WinFE

Posted by Brett Shavers
in  Digital Forensics
There have been numerous presentations around the world showing how to build and use a WinFE boot disc. Most recently I see that IACIS has given a demo this year, along with several HTCIA Chapters and a DOD conference as well. A write-up of Imaging a MacBook by Sean Morrissey shows just how easy WinFE is to use on a MacBook, based on one demo at IACIS.

As simple as it is to use, it has become even easier to build using WinBuilder. Probably the most significant difference when using WinBuilder rather than building via WAIK and the command line is the numerous options that can be added automatically, particularly support for more software that can run on WinFE.



Many examiners have already tried to build and use WinFE, but I know there are a few of you out there that just haven't sat down to give it a whirl.   If you can speak to anyone that uses WinFE, they will each tell you that it is well worth it!

The next coolest thing to be added to WinFE is Colin Ramsden's GUI, which is currently being finalized. Say goodbye to the DiskPart command line!

APR 24

Friendly reminders are always nice

Posted by Brett Shavers
in  Digital Forensics
Always test your tools (this includes WinFE). Considering that NIST recently discovered that some Ubuntu-based forensic boot discs could make modifications to a booted suspect drive (modifying the $logfile upon booting...), news like this is a friendly reminder to test your tools. Additionally, when 'bugs' are found in forensic tools, it may help to review any cases that may have been affected by past use of the tool. Even Guidance Software just released a firmware update for a hardware physical write blocker in which writes to the evidence drive were not protected. How's that for reassurance, with hardware write blockers being known as the absolute write protection tool?

You can't rely upon someone else's work; you can't even rely upon the label of a box of something you buy. You just have to spend the time to test it personally.

If you've not tested a tool that you used and later find that there was a problem with it, how long will you worry that one of those times you relied upon it in a past case will come back to haunt you?

Better that you tested it ("I know it works because I tested it") rather than rely on someone else to test it ("But the company/website/brochure said it worked..."). 
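One way to act on "test your tools", as an added example that is not from the original post or from any tool it mentions: image a sacrificial test drive before and after booting it with the boot disc under test, then compare the two images block by block so that any write is localised to a byte range. The function names, block size, image file names and the `demo` sample data are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def block_hashes(path, chunk):
    """Return (SHA-256 of the whole image, list of per-block SHA-256 digests)."""
    whole, blocks = hashlib.sha256(), []
    with open(path, "rb") as fh:
        while data := fh.read(chunk):
            whole.update(data)
            blocks.append(hashlib.sha256(data).digest())
    return whole.hexdigest(), blocks

def changed_ranges(before, after, chunk):
    """Merge differing blocks into block-aligned (start, end) byte ranges."""
    ranges = []
    for i in range(max(len(before), len(after))):
        b = before[i] if i < len(before) else None
        a = after[i] if i < len(after) else None
        if a == b:
            continue
        start, end = i * chunk, (i + 1) * chunk
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)  # extend the previous range
        else:
            ranges.append((start, end))
    return ranges

def validate(before_path, after_path, chunk=1 << 20):
    """Compare images of a test drive taken before and after using the tool."""
    h1, b1 = block_hashes(before_path, chunk)
    h2, b2 = block_hashes(after_path, chunk)
    return {"unchanged": h1 == h2, "before": h1, "after": h2,
            "changed": changed_ranges(b1, b2, chunk)}

def demo():
    """Constructed sample: a 32 KiB 'drive' with 16 bytes overwritten at offset 9000."""
    data = bytearray(bytes(range(256)) * 128)
    with tempfile.TemporaryDirectory() as d:
        before, after = os.path.join(d, "before.img"), os.path.join(d, "after.img")
        with open(before, "wb") as fh:
            fh.write(data)
        data[9000:9016] = b"\xff" * 16  # simulated write made during boot
        with open(after, "wb") as fh:
            fh.write(data)
        return validate(before, after, chunk=4096)

if __name__ == "__main__":
    print(demo())
```

A whole-image hash mismatch shows that the tool wrote to the drive; the reported byte ranges show where, so the change can be traced to a specific on-disk structure.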
Recent Comments
Guest — Sandro
"Considering that NIST recently discovered that some Ubuntu based forensic boot discs could make modifications to a booted suspect...
Saturday, 30 April 2011 04:07
Guest — Brett Shavers
I don't have the information, but you can contact http://forwarddiscovery.com/ as they updated their Linux boot disc from the NIST...
Saturday, 30 April 2011 08:25
Guest — Sandro
I will! thanks! Sandro
Saturday, 30 April 2011 22:26

© 2023 Brett Shavers