Brett Shavers | Ramblings

Brett's Ramblings

Imaging with X-Ways Forensics

Posted by Brett Shavers in Digital Forensics, Oct 26

The current (and free) issue of eForensics Magazine has an article on imaging with X-Ways Forensics. Of course, the XWF Guide is more detailed, but to get an idea of some of what XWF can do with imaging, take a look at the article.

eForensics_17_2013-11: http://eforensicsmag.com/jumpstart-3-free/
Tags: imaging, X-Ways Forensics

WinFE article in eForensics Magazine

Posted by Brett Shavers in Digital Forensics, Oct 26

There is a new write up on WinFE in a free issue of eForensics Magazine. Check it out, it's free :)


eForensics_17_2013-11: http://eforensicsmag.com/jumpstart-3-free/

Quick video on building a Mini-WinFE

Posted by Brett Shavers in Digital Forensics, Oct 16

Download Mini-WinFE here: http://reboot.pro/files/file/375-mini-winfe/

1) Unzip the project with 7-Zip or WinRAR (you'll run into build problems using other methods)

2) Choose your source

3) Choose whether you want the program in or out of the wim file

4) Add FTK Imager (must be on your hard drive)

5) Add X-Ways Forensics (must be on your hard drive)

6) OPTION: Add wallpaper

7) Push the blue arrow

http://www.youtube.com/watch?v=IJ3OBTysVbI
Mini-WinFE is out of beta!

Posted by Brett Shavers in Digital Forensics, Oct 14

The Mini-WinFE project is out of beta (it worked as expected). This is a "mini" FE because it is a tad bit more than the original command-line-only version and a little less than the full-featured, every-option-available version.


It's fast to build (less than 10 minutes to build and burn to a CD), fast to boot, and fast to image.

Since it is primarily an imaging solution, scripts for FTK Imager, X-Ways Forensics, and the FAU imaging utilities are included. X-Ways does not "come with" this WinFE; you need a license for X-Ways. FTK Imager, like FAU, is free for you to download for use in this Mini-WinFE.

This is the build you want when you need a Windows-based imaging boot system. It has been developed from a forensic acquisition perspective, without an option to build anything other than a write-protected WinFE OS.

The project can be freely downloaded from http://reboot.pro/files/file/375-mini-winfe/

Superb documentation on the Mini-WinFE by Misty can be found here: http://mistype.reboot.pro/mini-winfe.docs/readme.html

More wallpaper has been added to the download page.
Recent Comments
Guest — Toy
Daddy is pleased. Thanks.
Monday, 14 October 2013 11:07
Guest — Brett Shavers
Thanks Dad.
Tuesday, 15 October 2013 11:17
Guest — Jonas
Awesome Thanks
Monday, 14 October 2013 19:52
X-Ways Forensics and WinFE

Posted by Brett Shavers in Digital Forensics, Oct 11

A faster WinFE build is available on http://winfe.wordpress.com/ that includes a script to add XWF to the build. Of course, you have to have a license for XWF for the script to add it to the build. As of now, it includes FTK Imager and dd tools, with more on the way. The build method is a beta only because more apps are being added that need to be tested. Other than that, it works great with FTK Imager, XWF, and a few other small apps. The goal is to put several imaging options on it for user preference.

Have 10 minutes to spare? Then you can build a WinFE bootable USB or CD with XWF installed on it.

The write protection in this faster build is no different, as it uses Colin Ramsden's write protection application; the main difference is that you can build a WinFE ISO file in less than 5 minutes, start to finish. You can burn it to a CD or make a bootable USB within 5 more minutes, giving you a WinFE in about 10 minutes, from pushing the button to having a WinFE CD/DVD/USB in your hand.

Although this is meant to be the fastest method to build an acquisition boot OS, with X-Ways, you can still do a heck of a lot more than just imaging with WinFE.  And just because it only takes 10 minutes doesn't mean WinFE is a minor forensic tool.  With XWF, WinFE is way more than just something you can throw together to image.  It's really neat.

Tags: winfe, X-Ways Forensics

Mini-WinFE

Posted by Brett Shavers in Digital Forensics, Oct 08

This is Project 1 of 3 for alternative WinFE builds. The two other projects are forthcoming; the primary difference between them is that you will be able to choose which build method you prefer.

This build is tentatively called "Mini-WinFE" because it is a super quick method to build a WinFE with minimal features. Primarily, it is an acquisition boot disc with the FAU utilities and FTK Imager available for you to add (no cost for these apps online). It is also set up for X-Ways Forensics (of course I want X-Ways on it…) if you have XWF. You will notice that there is no option to select the Write Protection app (by Colin Ramsden) to make this a WinFE. That is because you don't have a choice: this project only builds a WinFE and not a PE, eliminating that mistake in your build. It'd be a 'bad thing' to think you were using WinFE when you actually missed a step and were using a "P"E.

From start to finish, you can have your WinFE.iso completed in about 3 or 4 minutes.  From there, you can either put the ISO on a CD or USB.  Creating a bootable USB or CD adds about 5 minutes.  So, in less than 10 minutes, you have your very own WinFE bootable CD/USB.  By the way, I am only a conduit of these builds as others (to be credited) are actually doing all the heavy lifting.  For this project, "Misty" from reboot.pro put it all together.  Nicely done.

Personally, this is a build method I really like because it is fast to build, fast to boot, and fast to run. It does not have all the bells and whistles of a fuller WinFE build, but if you just need an imaging disk, this is a great way to go.

Contact me if you want to be a beta tester and I’ll send the login creds to download the project.

And really, if you haven't built a WinFE yet, it doesn't get much easier than this, or faster. If you teach how to build a WinFE in training, everything you did before has just been negated by this build method insofar as the time involved to teach and use it. In less than 10 minutes, your class has a bootable forensic operating system. How cool is that?

So how easy is it? Take a look at the steps below.

1) Point to your Windows source.

2) Few options = no mistakes.

3) Point to the FTK Imager.exe on your drive (download and install from AccessData).

4) Point to your XWF.exe if you have XWF. Otherwise, uncheck the box.

5) Push the blue arrow. Don't go anywhere, it'll only take a few minutes.

Bootable USB Media

You can either use the command line with Diskpart or a GUI app like Rufus (http://rufus.akeo.ie/). The instructions for Rufus are simply to look at the GUI, choose your options and select Start.

Using the command line requires a few more instructions, as seen below. Both methods work.


Want to make a bootable USB? Open a command prompt. Type diskpart.

Run the diskpart commands (shown in the screenshot) against your USB. Be careful and make sure you choose your USB. Disconnect extra drives to be sure.

Copy/extract the files from your WinFE.iso to your USB. You can use WinRAR and just extract to the USB. End result = DONE. You now have a bootable USB.

Boot screen for WinFE (source was Windows 8 for this example).

You get a friendly reminder to be careful with ALL forensic boot discs. You also get Colin Ramsden's most excellent write protection application. Very cool, thanks Colin.
Updated link on the Mistype project

Posted by Brett Shavers in Digital Forensics, Oct 01

Updated link: http://mistype.reboot.pro/documents/WinFE/winfe.htm

This is really good info, check it out.

Another discount on the XWF Guide at $37.96

Posted by Brett Shavers in Books, Oct 01

Click to order from Amazon (lowest price available for now).
Amazon reduced the price.  Grab it before it goes up (again).

Regarding companion materials to go along with the book, please comment on the blog, or send an email, with suggestions you would like to see. So far, there will be one image that will be used with the examples in the book. As far as a demo of XWF...that's probably not going to happen...

You can tell that X-Ways Forensics has made it into the market when so many DFIR job postings list X-Ways Forensics as one of the 'big 3' tools you need to know to apply.

For those that are tinkering with writing X-Tensions, the documentation at the x-ways.net site was just updated on Sept 27.  Don't forget to send your x-tension to X-Ways to share with all of us, just like Mom told you when you were little.

It's also becoming more common to see statements like these: "The only tool I've currently tested that parses the user name is X-Ways Forensics, so it may be necessary to manually parse this record if you don't have a tool that will do it for you." - https://rstforums.com/forum/75954-ms-excel-biff-metadata-last-opened.rst

Tags: X-Ways Forensics Practitioner's Guide

Best publicly available testing of WinFE I've seen to date

Posted by Brett Shavers in Digital Forensics, Sep 30

I'm sure you have tested your WinFE (if not, that means you have not yet used it in a real case....).  If you have, take a look at a draft of tests at http://minixp.reboot.pro/other/WinFE/winfe.htm.  This link will change soon, but I will update it as soon as it changes.  Until then, you can catch it now.

For anyone that has not yet tested their WinFE, this would be a good foundation to build your tests and validation on.  For anyone that doesn't believe in validating your tools, that is totally a personal choice (although, not my choice).
Creating distributable test images

Posted by Brett Shavers in Digital Forensics, Sep 28

I'm in the process of creating working materials to go along with the XWF Guide in the form of exercises and test images. I expect to be finished in 2014 or 2015 or ...(it all depends on time available). The materials will be freely available but will really only work best with the XWF Guide. And yes, I know I can use images already available, like at http://digitalcorpora.org/corpora/disk-images, but these datasets will be made to demonstrate all the neat things detailed in the XWF Guide.

One issue I'd like to point out about creating forensic images to give to students: an image that contains data such as commercial programs and operating systems may violate the EULA if distributed. Anyone that deals with this in training will be happy with how XWF can be used to address this problem.

With the "Cleansed Image" option of XWF, simply exclude/hide any and all files that would raise privacy concerns or violate a EULA before creating the image. Then create the image :)

This gives you a complete (minus excluded files) disk image without worrying about violating a EULA.  You could do this the hard way by using WinHex to overwrite every single file in question.  Or you can mass exclude files in one fell swoop with XWF and bam.  Image done.  Now you have something to give out to your class.

I've always wondered why some instructors give out complete images of a single system and make the student "promise" not to distribute the files...that is a bit too trusting in my opinion.   And come on, you know who you are...

(And I'll leak a little information from the book on the cleansed image feature: you can use this technique to remove private/privileged/protected data from an image when you must comply with a court order to produce the image but can't produce the specific protected data on it. An example is a civil case where you need to turn over an image to the opposing expert but have privileged files on the image. Don't hex edit it, cleanse it!)

The XWF Guide has dozens of these kinds of tips and tricks, but you get one today for free.  Get the book for the rest of the tips and tricks, you will without a doubt, find something worthwhile that will save you hours or days of work.

Tags: imaging, X-Ways Forensics

Hindsight is 20-20

Posted by Brett Shavers in Digital Forensics, Sep 25

Tags: X-Ways Forensics

Recent comment in this post
Guest — wmarney
I saw that train coming so I did the FTK/EnCase dongle swap. I'm now stuck with a forensically too klunky original.
Wednesday, 25 September 2013 05:11
Cool. Download the XWF Guide to your iPad, iPhone, iTouch, or iPod

Posted by Brett Shavers in Digital Forensics, Sep 25

https://itunes.apple.com/us/book/x-ways-forensics-practitioners/id694171610?mt=11

Tags: X-Ways Forensics Practitioner's Guide

X-Ways Users Conference

Posted by Brett Shavers in Digital Forensics, Sep 24

Very cool. Meet Eric Zimmerman and Craig Ball at The Inaugural Australian X-Ways Users Conference in Canberra in March 2014!

The best part...you get a copy of the XWF Guide :)

If you can't make it to this conference, get the book! Click to order, Amazon still has the best price.
Tags: X-Ways Forensics, X-Ways Forensics Practitioner's Guide

Clean up on aisle 7...

Posted by Brett Shavers in Digital Forensics, Sep 23

WinFE Twitter account compromised...now WinFE is following over a thousand new Twitter users...too bad none of those that are actually the kind of accounts to follow...clean up time...
XWF Guide as #2 best seller (in Forensic Science) on Amazon

Posted by Brett Shavers in Books, Sep 19

We've gotten quite a bit of personal email feedback on the XWF Guide, and in one category at Amazon (Forensic Science), the XWF Guide ranks at #2.

There's been only one Amazon review, so let us know if you found the book helpful with a review on Amazon. We will be very grateful for nice :) words, but we'll take any criticisms as well :(

DFIR Training

Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.



© 2022 Brett Shavers