Taking WinFE to even another level on a multiboot thumbdrive.  Very cool.

http://www.youtube.com/watch?v=Ce9eQ0OG2jA

http://hackingexposedcomputerforensicsblog.blogspot.com/2014/02/daily-blog-248-adding-winfe-image-to.html

The X-Ways Users Conference is here in a few weeks.  My kind of conference: Australia and fellow X-Ways users! 

 

Maybe next year for me...but it sure would make for a good vacation, I mean, training trip.

 

 

 

 

 

Not that many years ago, you would not find a requirement of having experience with X-Ways to apply for a DFIR job.   But now, some jobs recommend it and yet some others require it.  This is not to say the other big players (Encase, Accessdata, etc..) are not needed or useful, just that XWF has made it to the same level at a price point that will probably not be beat with capabilities that still outpace other tools.

So......it makes sense to know a little about the tool that might put you over the edge for that next job.  Of course, you need to be competent too, but like I've said before, "beware the examiners that use X-Ways Forensics because they probably know what they are doing."



For the future XWF users, check out www.x-ways.net for some details, download and read a quick guide, and when you move forward with XWF, buy the book :)

 

David Cowen has a great instruction writeup on adding WinFE to the Multiboot thumbdrive.  I am anxious to see the video he plans to make next week to add this to the multiboot thumbdrive.

[caption id="attachment_1091" align="aligncenter" width="683"] http://hackingexposedcomputerforensicsblog.blogspot.com/2014/02/daily-blog-242-how-to-build-winfe-to.html


I may have said that WinFE is nearly the perfect forensic boot system before, but actually, when WinFE is on a multiboot media, I would have to change it to the multiboot thumbdrive with WinFE being the perfect forensic boot system.  Very very cool.

 

Cool.  WinFE is mentioned in a Scientific Working Group on Digital Evidence document.

From a twitter post, a cool video on imaging with X-Ways noted (13:50) as doing something other tools don't.  The entire video is actually pretty good too.



http://youtu.be/zYYCv21I-1I

I'm duplicating this post from another blog because this will probably be the coolest book to come out this year in digital forensics and is a must-have.  The short version as to why the book is a must-have is "duh, it's Harlan's latest book...and Windows 8..."

I'll wait to give an "official" review of Harlan's book (Windows Forensic Analysis Toolkit, Fourth Edition: Advanced Analysis Techniques for Windows 8) only to give others the chance to read it once it becomes available.  But...I'll say that based on my early reading as a tech editor, this is a book that ranks for me in as much anticipation as a new Tom Clancy novel being released.

I also think this is one of those books that if not pre-ordered, will have you waiting until it is reprinted due to being over-ordered.  The X-Ways Practitioner's Guide was one of those books too, where late-comers had to wait weeks for the second printing.  This book is no different, because just about all of the neat things in the book show just how much Harlan has discovered in some very neat areas of Windows 8.

One thing I learned about ordering books from Amazon, is that Amazon will pretty much match the lowest price found elsewhere.  I also learned that with a pre-ordered book, you can cancel before the book is printed if you find a lower price somewhere else.  The point is, pre-order the book or you may be waiting a month after everyone else gets their copy...it comes out in April '14 and I'd expect the second printing to be needed in April '14...

I'll wait to give an "official" review of Harlan's book (Windows Forensic Analysis Toolkit, Fourth Edition: Advanced Analysis Techniques for Windows 8) only to give others the chance to read it once it becomes available.  But...I'll say that based on my early reading as a tech editor, this is a book that ranks for me in as much anticipation as a new Tom Clancy novel being released.

I also think this is one of those books that if not pre-ordered, will have you waiting until it is reprinted due to being over-ordered.  The X-Ways Practitioner's Guide was one of those books too, where late-comers had to wait weeks for the second printing.  This book is no different, because just about all of the neat things in the book show just how much Harlan has discovered in some very neat areas of Windows 8.

One thing I learned about ordering books from Amazon, is that Amazon will pretty much match the lowest price found elsewhere.  I also learned that with a pre-ordered book, you can cancel before the book is printed if you find a lower price somewhere else.  The point is, pre-order the book or you may be waiting a month after everyone else gets their copy...it comes out in April '14 and I'd expect the second printing to be needed in April '14...

It is always nice to find more than a few people work on any project which benefits many others.  This blog (http://gverswijvel.wordpress.com/) shows that effort.

Winfe : the forensic winpe made in windows 8 , windows 7 and vista

There is quite of bit of information and tips regarding WinFE, all of which is helpful to anyone who uses WinFE.   And not to give the impression that WinFE is the only solution, I still advocate having at least one each of the "other" forensic booting systems, such as DEFT, CAINE, RAPTOR, etc...

Anyone who boots systems to a forensic OS knows that a single bootable forensic OS doesn't work on every system, nor work every time, nor is appropriate for every situation.  Plus, it doesn't look to professional when the client sees you staring at the screen when something doesn't work and you don't have a backup plan...

A new user to WinFE can be a new forensic analyst or a forensic analyst new to WinFE.  Either way, this short post will be helpful to everyone who has not yet taken the time to try WinFE.  To save you frustration, time, and questions, try this natural progression to start using WinFE:

1) Start with Mini-WinFE

2) Move onto bigger builds (WinFE Lite or Winbuilder)  and/or stay with Mini-WinFE.

Here's some reasons to try this route.

*  Mini-WinFE only needs about 10 minutes, start to finish and needs zero knowledge of coding.  You get a fully operational, forensically bootable Windows operating system.  It's fairly minimal, but pretty.  It is also fast and easy to build and use with the lowest chance of having any build errors.   You actually should have zero errors when the app builds WinFE for you.

*  The bigger (full blown WinBuilder) builds take more time and effort.  You will also experience build errors no matter how much effort you put into it.  It just happens and you have to start over each time.  The build process also takes longer.  Basically, these build methods (not so much with WinFE Lite) take longer as you have more options to choose and have the ability to customize just about everything with the build to personalize it, add programs, and add features/options.  You will try this eventually just because it is so cool and practical to have in your Go-bag.

I promise that after building and using Mini-WinFE, you will eventually make a bigger build that can run more forensic apps.

http://www.amazon.com


I have a detailed review of this book at http://winfe.wordpress.com.  In short, it's a really good book and of all tools to choose for the research in the book, the authors picked X-Ways Forensics.  But then, that should not come as any surprise.

There's still time to ask Santa to put this in your stocking...

I've been waiting for this book to come out so I can write something about it.  I had the fortune of being able to read it early as I was asked to be the tech editor of the book.  It's not my book, but if it were, I'd be mighty proud of it.   If you want to skip this review and get to the point, here it is;  get this book, it is well worth it!  This is another one of those books that you will wish had been written before you tried to figure out how to do it on earlier cases...

[caption id="" align="alignleft" width="209"] http://www.amazon.com


The forensic books of today have gotten so much better, not because older books are not good, but because the information we know now is so much more detailed and specific.  The topics of the books are no longer "Computer Forensics" but rather specific topics within forensics.  Books focusing solely on registry forensics or windows forensics or X-Box forensics.  And now we have cloud forensics.   This makes it so much easier to find a reference when needed by grabbing a book on the specific subject instead of flipping through a book to find a specific chapter of a subject.

One of the biggest differences you'll find in this book is the documentation of the methodology followed by the authors.  Step-by-step instructions of what they did and their findings.  Every chapter follows the same methods, in order and detail.  It is laid out so well, that you can replicate their work on any cloud system not covered and know that you did a good job.  Another neat thing about this book...the authors used X-Ways Forensics.

As I mentioned, the forensic books of today make it nice to have books dedicated to one topic in detail. That is the good news and the bad news as there are many of these books being published to buy.

I know many people like Kindle versions, but I have this book in print (not Kindle) because I like to treat it the same as all my other reference books.  Dog eared, highlighted, sticky-noted, and lots of personal notes written throughout the book. 

Very cool of Alex to share his work.  Thanks Alex!

[caption id="attachment_1020" align="aligncenter" width="465"] http://winfe.files.wordpress.com/2013/12/alex-van-ginkel-final-thesis-msc_27nov.pdf

Alex van Ginkel Final Thesis MSc_27nov

There are a few behind the scenes work on creating scripts to integrate forensic applications into WinFE.   This is substantial work for WinFE users as it reduces your effort to add programs during the build process.  Basically, a one button approach to add a forensic application.

But, before you wait for these scripts to be written, remember that you can add many programs without a script or additional work if the program is already portable (meaning, no need to install for it to run).  The best example of a full-fledged forensic suite is X-Ways Forensics.  Many small forensic applications are also portable and easily copied into a WinFE build.  The difference is, X-Ways Forensics is an entire forensic suite, not just one app.

Some forensic apps being worked on now to be put into WinFE may not be full forensic suites, but have a single powerful function that make it worthwhile. I won't break the news yet and will let the vendors have first crack.

On another note, last week, I helped a LE forensics detective set up a review platform with WinFE for other detectives in his department using X-Ways Investigator.

The problem:

--Detectives assigned to cases with electronic evidence, particularly illicit images evidence, wanted to do light review work for their cases.

--Reviewing any type of illicit images on a work machine only leads to that machine getting dirtied up.  Also, every detective had 'their own way' of setting up their computers.

--Detectives had no forensic training.

The solution:

--WinFE and X-Ways fixed both problems.

--Department purchased two licenses of X-Ways Investigator.

--A WinFE boot CD was made with X-Ways Investigator copied onto it.

--Detectives now boot their machine to WinFE, run X-Ways Investigator, and access the forensic images from an external drive.  All work is saved onto the external drive and their workstation remains clean.

--This also prevented the IT staff from the city panicking over installing 'unauthorized' software

--And of course, a copy of the X-Ways Forensics Practitioner's Guide was ordered for the detectives to use :)

[caption id="attachment_1010" align="aligncenter" width="121"] X-Ways Forensics Practitioner's Guide


 

 

 

 

 

 

 

Eric is at it again.  This time with a pretty cool update to the X-Ways Forensics Install Manager (v0.0.7.0).  The update to the XWFIM now includes an option to create a portable install to external media.   Page 13 of the Practitioner's Guide to X-Ways Forensics details how to do this manually, but XWFIM does it for you with a few clicks.

Easy enough


 

Cool! Notepad++ and Volume Label renamed.


 

Bam! Done.


 

Another cool little feature is that the XWFIM creates all the case folders for you in the process of the portable install.  Neat.

I like this. Saves a few keystrokes and I'm all about saving keystrokes.


 

Don't forget, if you liked the Practitioner's Guide to X-Ways Forensics, write a review on Amazon to let us know how you liked it (or if you didn't...).  And if you use XWF and didn't buy the guide...you are missing out on more than a few tips and tricks that will save you dozens of keystrokes.