WinBuilder-What a neat way to make a WinFE CD

Digital Forensics
Brett Shavers
Tuesday, 14 September 2010
I came across WinBuilder today (http://www.boot-land.net/), which provides downloads for a GUI-based Windows Live CD builder. I'm willing to try anything, so I gave it a whirl and was happy I did.

With WinBuilder, many of the Windows functions that are missing from the basic WinFE builds are included. This includes the Windows "Start" button, computer management tools, and even network access.

Running WinBuilder is not complicated, and it is scriptable. The one thing it does not do (at this time) is make your CD forensically safe with the 2 registry changes. However, this is easy enough to do manually or by writing a script to be applied during the build.

I'm not sure how I missed this before, but I may have now found my primary method of making a WinFE disc, using WinBuilder instead of a batch file. Oh yeah, you don't need WAIK either.
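One way to script those two changes after the build, as an added example that is not code from this post or from WinBuilder: it assumes the built WinPE image's SYSTEM hive is already mounted at a path you pass in (the default path below is a placeholder), and it sets the two values the WinFE method uses, MountMgr NoAutoMount and partmgr SanPolicy, which the post refers to but does not list.

```batch
@echo off
REM Added example (not from the blog post or WinBuilder): apply the two WinFE
REM registry changes to the SYSTEM hive of an already-built WinPE image, then
REM verify them before unloading. The hive path is an assumption; point it at
REM the SYSTEM hive inside your mounted boot.wim. Run from an elevated prompt.
setlocal
set HIVE=%~1
if "%HIVE%"=="" set HIVE=C:\mount\Windows\System32\config\SYSTEM
if not exist "%HIVE%" (
    echo Hive not found: %HIVE%
    exit /b 1
)

REM Load the offline hive under a temporary key so reg.exe can edit it
reg load HKLM\WinFE "%HIVE%" || exit /b 1

REM 1. Stop the Mount Manager from auto-mounting volumes / assigning letters
reg add HKLM\WinFE\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f
REM 2. SAN policy 3 = keep every newly discovered disk offline
reg add HKLM\WinFE\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 3 /f

REM Verify both values; a missing value means the build is NOT write-safe.
REM The $ anchor keeps 0x1 from matching 0x10, 0x1f and so on.
set RC=0
reg query HKLM\WinFE\ControlSet001\Services\MountMgr /v NoAutoMount | findstr /r /c:"0x1$" >nul || set RC=1
reg query HKLM\WinFE\ControlSet001\Services\partmgr\Parameters /v SanPolicy | findstr /r /c:"0x3$" >nul || set RC=1

REM Always unload so the hive file is written back and released
reg unload HKLM\WinFE
if %RC% neq 0 (
    echo One or both WinFE registry values were not applied
    exit /b 1
)
echo Both WinFE registry values verified in %HIVE%
endlocal
```

Re-run the two reg query lines against the hive of the finished ISO before you trust the disc; the check is what you would document in a build log.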


Comments 4

Guest - DT on Monday, 04 October 2010 05:05

I have used WinBuilder and other WinPE builds from boot-land and really appreciate all the hard work that went into them. They are truly stunningly useful tools. But for the moment I want to take a paranoid view because I need to deal with a production network and I have to show a clear chain of well-vetted and known-clean tools before I introduce them into that network. Note that the network is completely divorced from all others, and virus scans are considered inadequate for vetting, as they show only known viruses.

With this view, it seems that the following is about as close as I can get to a clean chain.
1. start with a bare computer that is not connected to a network
2. install Windows from a Microsoft CD
3. turn off all but the necessary services
4. connect to the internet and go directly to Microsoft's website and download the WAIK
5. disconnect the network cable
6. hand-build the WinFE CD using your original registry edit instructions

WinBuilder, though well-regarded and very convenient, would require extensive investigation to assure that it is not carrying some unknown virus, trojan, or other nasty.

I'm probably missing something important. How would you go about building a known-clean WinFE with a traceable path showing cleanliness was maintained throughout the process (somewhat similar to a chain-of-custody document used for evidence) that would hold up in court? The last thing we want is to be accused of introducing malware and not be able to show that we did not.

Guest - WinFE on Monday, 04 October 2010 05:28

Absolutely agree.

Guest - Nuno Brito on Friday, 29 October 2010 09:00

Your point of view is interesting and makes sense.

Following the case of certification, which steps would you recommend WinBuilder to follow in order to become reliable in a courthouse?

As the founding developer on the winbuilder project, I am more than willing to allow the program's source code to be fully audited and verified by a trusted entity.

In fact, the only reason why winbuilder came to existence was also because we needed a tool that could be trusted upon. It wasn't possible to continue creating recovery media with a certain level of complexity by hand and we needed to have full control on the building process.

Therefore, WinBuilder.exe is a script interpreter. In essence this means that it only follows the actions prescribed by scripts and that all script code is available to audit inspectors in plain sight. All the actions performed by the engine are reported in the log.

Nevertheless, I'm aware that this is not enough for your use case, but I am also willing to improve the current state of reliability of the tool. If you have further suggestions I'd really like to hear them.

Thanks.

Guest - WinFE on Saturday, 30 October 2010 07:23

I say it is a good idea to have WinBuilder be vetted (without having the WinBuilder code be given away to anyone) for forensic ISO building. I'm not versed in writing scripts for WinBuilder (yet...), but the end build using WinBuilder is much more functional than the basic WinFE build consisting of a CLI shell. The additional components that can be added to WinFE are too much to pass up.
