I have used WinBuilder and other WinPE builds from boot-land and really appreciate all the hard work that went into them. They are truly stunningly useful tools. But for the moment I want to take a paranoid view because I need to deal with a production network and I have to show a clear chain of well-vetted and known-clean tools before I introduce them into that network. Note that the network is completely divorced from all others, and virus scans are considered inadequate for vetting, as they show only known viruses.
With this view, it seems that the following is about as close as I can get to a clean chain.
1. start with a bare computer that is not connected to a network
2. install Windows from a Microsoft CD
3. turn off all but the necessary services
4. connect to the internet and go directly to Microsoft's website and download the WAIK
5. disconnect the network cable
6. hand-build the WinFE CD using your original registry edit instructions
WinBuilder, though well-regarded and very convenient, would require extensive investigation to assure that it is not carrying some unknown virus, trojan, or other nasty.
I'm probably missing something important. How would you go about building a known-clean WinFE with a traceable path showing cleanliness was maintained throughout the process (somewhat similar to a chain-of-custody document used for evidence) that would hold up in court? The last thing we want is to be accused of introducing malware and not be able to show that we did not.
Your point of view is interesting and makes sense.
Following on the certification question, which steps would you recommend WinBuilder follow in order to become reliable in a courthouse?
As the founding developer on the winbuilder project, I am more than willing to allow the program's source code to be fully audited and verified by a trusted entity.
In fact, the only reason WinBuilder came into existence was that we needed a tool that could be trusted. It wasn't possible to continue creating recovery media with a certain level of complexity by hand, and we needed to have full control over the building process.
Therefore, WinBuilder.exe is a script interpreter. In essence this means that it only follows the actions prescribed by scripts, and all script code is available to audit inspectors in plain sight. All the actions performed by the engine are reported in the log.
Nevertheless, I'm aware that this is not enough for your use case, but I am also willing to improve the current state of reliability of the tool. If you have further suggestions I'd really like to hear them.
Thanks.
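The six-step procedure in the first post and the reply above both come down to the same evidentiary problem: being able to show, later, exactly which bytes went into the build and that nothing changed between download and the finished ISO. The script below is an added example, not code from the original thread, from WinFE or from WinBuilder. It records a chain-of-custody manifest (SHA-256, size, relative path, plus the operator, host and UTC time) for every file under a build tree, and re-verifies the tree against that manifest, flagging anything missing, modified or added. The same two functions cover a WinBuilder project directory, since its scripts and its log are ordinary files: hash them before and after the build and the manifest records what the interpreter was given and what it reported. The paths, file names and operator name are assumptions for the example; hashing goes through .NET rather than Get-FileHash so it also runs on the PowerShell 2.0 that shipped with the Windows 7 / WAIK generation.

```powershell
# Added example (not from the original thread, WinFE, or WinBuilder): record and
# re-verify a chain-of-custody manifest for a hand-built WinFE or WinBuilder tree.
# Paths, file names and the operator name below are assumptions for illustration.

Set-StrictMode -Version 2

function Get-Sha256Hex {
    param([Parameter(Mandatory=$true)][string]$Path)
    # .NET SHA-256 instead of Get-FileHash (which needs PowerShell 4.0 or later)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
}

function Write-CustodyManifest {
    param(
        [Parameter(Mandatory=$true)][string]$Root,      # build tree to record
        [Parameter(Mandatory=$true)][string]$Manifest,  # manifest path; keep it OUTSIDE $Root
        [string]$Operator = $env:USERNAME
    )
    $stamp = [DateTime]::UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
    $lines = @()
    $lines += "# WinFE build manifest"
    $lines += "# recorded_utc=$stamp host=$env:COMPUTERNAME operator=$Operator root=$Root"
    $lines += "# format: sha256<TAB>size_bytes<TAB>relative_path"
    # PSIsContainer filter instead of -File, which PowerShell 2.0 does not have
    $files = @(Get-ChildItem -Path $Root -Recurse | Where-Object { -not $_.PSIsContainer } | Sort-Object FullName)
    foreach ($f in $files) {
        $rel = $f.FullName.Substring($Root.TrimEnd('\').Length + 1)
        $lines += "{0}`t{1}`t{2}" -f (Get-Sha256Hex $f.FullName), $f.Length, $rel
    }
    Set-Content -Path $Manifest -Value $lines -Encoding UTF8
    return $files.Count
}

function Test-CustodyManifest {
    param(
        [Parameter(Mandatory=$true)][string]$Root,
        [Parameter(Mandatory=$true)][string]$Manifest
    )
    # $true only if every recorded file is present with the recorded hash and size
    # and nothing has been added to the tree since the manifest was written.
    $ok = $true
    $recorded = @{}
    foreach ($line in Get-Content -Path $Manifest) {
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }
        $parts = $line -split "`t", 3
        $recorded[$parts[2]] = @{ Hash = $parts[0]; Size = [long]$parts[1] }
    }
    foreach ($rel in ($recorded.Keys | Sort-Object)) {
        $full = Join-Path $Root $rel
        if (-not (Test-Path -LiteralPath $full)) {
            Write-Host "MISSING   $rel"; $ok = $false; continue
        }
        $actual = Get-Sha256Hex $full
        $size = (Get-Item -LiteralPath $full).Length
        if ($actual -ne $recorded[$rel].Hash -or $size -ne $recorded[$rel].Size) {
            Write-Host "MISMATCH  $rel  recorded=$($recorded[$rel].Hash) actual=$actual"; $ok = $false
        } else {
            Write-Host "OK        $rel"
        }
    }
    $present = @(Get-ChildItem -Path $Root -Recurse | Where-Object { -not $_.PSIsContainer })
    foreach ($f in $present) {
        $rel = $f.FullName.Substring($Root.TrimEnd('\').Length + 1)
        if (-not $recorded.ContainsKey($rel)) { Write-Host "UNLISTED  $rel"; $ok = $false }
    }
    return $ok
}

# Assumed layout: the WAIK download, the .reg file applied to the WinPE registry and
# the resulting ISO live under C:\WinFE; the manifest goes to removable media that is
# then write-protected and filed with the case paperwork.
# Write-CustodyManifest -Root 'C:\WinFE' -Manifest 'E:\winfe-manifest.txt' -Operator 'jdoe'
# Test-CustodyManifest  -Root 'C:\WinFE' -Manifest 'E:\winfe-manifest.txt'
```

Two caveats a reviewer will raise. The manifest only proves the tree did not change after it was recorded, so the hash of the WAIK download should be recorded before anything else and compared with whatever hash the vendor publishes for that file; it says nothing about whether the input was clean when fetched. And a manifest that sits on the same machine as the build is only as trustworthy as that machine, which is why the usage note writes it to separate media.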
I say it is a good idea to have WinBuilder vetted (without the WinBuilder code being given away to anyone) for forensic ISO building. I'm not versed in writing scripts for WinBuilder (yet...), but the end build using WinBuilder is much more functional than the basic WinFE build consisting of a CLI shell. The additional components that can be added to WinFE are too much to pass up.
© 2023 Brett Shavers