Brett's Ramblings

A little reminder about 'write protection'
Brett Shavers
Digital Forensics
If you try hard enough, you can circumvent just about anything.  That includes hard drive write protection, whether you are booting to a Linux forensic OS, WinFE, and sometimes, even when using a physical hardware write protection device.  There have also been many instances where write protection methods have unknowingly failed only to be discover...
Mounting Shadow Volumes
Brett Shavers
Digital Forensics
We’ve built our SEAT VM and added our target image to it as a virtual disk.  The first thing that I do is verify that all of the shadow volumes are present.  My first post presented a screen shot from the image file (MyImage) and depicted the shadow volumes.  We can compare the shadow volumes from the image file with those in our VM....
"Remote" Collections with WinFE, a neat trick
Brett Shavers
Digital Forensics
In civil litigation, the procedures for data collection are a little more relaxed as compared to criminal investigations, but cost is a huge factor.  Typically, criminal suspects lose custody of their seized systems and won't necessarily cooperate with the seizure of electronic evidence.  Civil litigants, on the other hand, will usually maintain cus...
Adding Our Target System to Our SEAT Workstation
Brett Shavers
Digital Forensics
In this step we’ll add our target system virtual disk to our SEAT VM.  We already have the target (MyImage) virtual disk that we created, and we’ll add it to our system as in the next video: Add Virtual Disk.  As you saw, we chose to add the disk as an independent disk in non-persistent mode.  Any changes to the disk are discarded when we p...
Getting Ready for a Shadow Volume Exam
Brett Shavers
Digital Forensics
We now have built a virtual machine from an image of the target system.  Next, we’ll build a Windows 7 VM and configure it as our examination platform: the Shadow Examination and Analysis Technique (SEAT) workstation.  Building the VM is basically the same as installing an operating system from scratch, and I’ll go over the basic st...
How many users of WinFE?
Brett Shavers
Digital Forensics
I don't believe there is any means of determining how many users of WinFE exist, but the stats of just this blog may be an indication.  So why would this be important?  For one, using any forensic utility that has not been tried, proven, or commonly used by the forensic community is a big risk for the examiner.  I would imagine that having some stati...
Creating a VMware Virtual Machine from a Raw Image File
Brett Shavers
Digital Forensics
Welcome to my blog and first post!  My aim is to provide tutorials that describe some of the things about which my colleagues have questions.  I’m neither a seasoned blogger nor videographer, so please bear with me as I progress.  I don’t plan to produce a regularly updated journal on digital forensics, as many of the good ...
WinFE "Lite"
Brett Shavers
Digital Forensics
Colin Ramsden has developed WinFE Lite, a build of WinFE that will run with a minimal amount of RAM (256MB).  WinFE Lite is a very solid build and is detailed on Colin's website (http://www.ramsdens.org.uk/).  On his site, you will find everything needed to build WinFE Lite in great detail.  As he mentions on his site, WinFE Lite runs with less RAM tha...
Winbuilder Tutorial
Brett Shavers
Digital Forensics
Check it out: http://reboot.pro/4111/  Perhaps the best and easiest tutorial I've seen on using Winbuilder.  Just add the forensic write protect script and that's it. You can customize as you see fit.  Colin Ramsden is working on some really neat changes to his WinFE version, which is being tested now.  So far, looking good!
For those that still haven't tried WinFE....
Brett Shavers
Digital Forensics
If you still haven't decided to download it and try it, here is a QuickStart Guide to show only what you need to get going.
WinFE Script Updated
Brett Shavers
Digital Forensics
Colin's Write Protect Script (wp.script) is available, but it is still considered Beta (and as with any forensic utility, test - test - test).  You can download today's version here: wp.script.  To make sure you get the most recent version after today, download from the Boxnet on this website.  Troy Larson's registry modifications are included in Co...
Colin's Write Protect Application
Brett Shavers
Digital Forensics
Here it is, Colin Ramsden's WinFE write protect application!  Although long in waiting, it is finally here.  Colin worked diligently on making this work without making Microsoft unhappy.  Documentation is forthcoming on the use of his application, but as you can see, it is really easy to figure out how to manage your disks.  Other little features may...
Building your WinFE Update
Brett Shavers
Digital Forensics
For those that have been using WinFE and wanting to know about recent updates, I have only a little news to mention.  WinFE is still just as good today as when Troy Larson first created it, so there is not much in the update area there.  WinFE still boots the same computer systems and you can do the same forensic work as before; not much has changed since...
An update to a long awaited project
Brett Shavers
Digital Forensics
It's been a while, a long while, since there has been anything added to the WinFE project, and the bad news is that nothing is new other than Microsoft not quite accepting Colin Ramsden's write protect tool.  As that is not good news, both Troy and Colin are working toward an effort that may meet Microsoft's needs for an acceptable (to Microsoft...
Sharing the love with WinFE
Brett Shavers
Digital Forensics
There have been numerous presentations showing how to build and use a WinFE boot disc around the world.  Most recently I see that IACIS has given a demo this year along with several HTCIA Chapters and a DOD conference as well.  A write up of Imaging a MacBook by Sean Morrissey shows just how easy WinFE is to use on a MacBook based on one demo at IA...