I don't believe there is any means of determining how many users of WinFE exist, but the stats of just this blog may be an indication.
So why would this be important? For one, using any forensic utility that has not been tried, proven, or commonly used by the forensic community is a big risk for the examiner. I would imagine that having some statistical information on the number of visitors to this blog, plus the number of blogs that talk about WinFE, and training given on WinFE at various conferences and courses lend credibility in its use. This doesn't mean that every visitor uses or used or tested WinFE, but I would assume that within this number, there is a large percentage of users.
So the stats for this blog and the unique visitor's locations (as of today):
Welcome to my blog and first post! My aim is to provide tutorials that describe some of the things about which my colleagues have questions. I’m neither a seasoned blogger nor videographer, so please bear with me as I progress. I don’t plan to produce a regularly updated journal on digital forensics, as many of the good folks in my blog list now publish. Instead, I’ll try to provide some guidance on practices that may help others who haven’t had a chance to explore an area of computer forensics that I may have delved into repeatedly. As you’ll see, I have a plan for a few topics and will consider suggestions thereafter. I do, however, have a full time job that already extends beyond a “reasonable” workday, so pardon my delays in posting. The videos herein should be viewed in high-def, and you’re welcome to download them.
This will be a multi-part presentation that goes into creating VMware virtual machines and using them to examine shadow volumes. First, we’ll create a virtual machine from a single dd image file. In the next presentation, we’ll examine the target system’s shadow volumes using VMware and X-Ways Forensics (XWF) http://www.x-ways.net/forensics/index-m.html. We can create a target-system VM from a segmented image, but it takes more work to create our configuration file. We also can build a VM from other image formats, like E01, as long as we can mount the image as a physical disk. First, I always take care to see that my image file is read only. Our image file is MyImage.001. There are a variety of ways to approach an exam of shadow volumes, and this is mine at the moment. I’m using VMware 8.x, but the steps are the same in 7.x.
I’m going to assume that readers have a modest grasp of VMware and Windows shadow volumes. The next presentation features XWF more prominently, and I encourage readers to pick up a copy, as its benefits go far beyond the points that I’ll present.
Step One is to create a disk descriptor (vmdk) file, which is a text file that contains the disk geometry and image name. Below is a screen shot of the contents of a Vista/Win7 vmdk file. The yellow-highlighted fields are the ones that you will edit. The first is the number of sectors on the physical disk. Next is the name of your image file. Then, skip the next field (cylinders) and be sure that heads=255 and sectors=63. Then enter the number of cylinders, calculated as total sectors/255/63. It’s 19458 in our example; always round up to the next whole number and do not use commas. I usually place this file in the same folder as my image, and we’ll name this file MyImage.vmdk.
Here’s an editable copy of our vmdk file: MyImage.txt. Save the file as a text file and then change the extension to vmdk for actual use. It’s configured for VMware 8.x. If you’re wondering where to get the number of sectors, an easy approach is to highlight the image in XWF and select the Technical Details Report from the Specialist menu:
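The descriptor above is short enough to edit by hand, but the geometry arithmetic (divide the sector count by 255 and 63, round up, no commas) and the image name are exactly where the hand-edited file goes wrong. The following script is an added example, not the post's own template: it builds a monolithicFlat descriptor for a single raw dd image from the image's size and checks an existing descriptor for the same mistakes. The image name MyImage.001, the 512-byte sector size, the hardware version 8 and the sample sector count of 312,581,808 (a common 160 GB disk, which yields the 19458 cylinders quoted in the post) are all assumptions.

```python
"""Added example (not from the original post): build and sanity-check the
VMware disk descriptor (vmdk) for a single raw dd image, using the geometry
rule from the post: heads=255, sectors=63, cylinders = ceil(total sectors
/ 255 / 63). File names, sector size and sample values are assumptions."""
import math
import os
import re

HEADS = 255
SECTORS_PER_TRACK = 63
SECTOR_SIZE = 512  # assumption: 512-byte sectors, as for a typical dd image


def cylinders_for(total_sectors: int) -> int:
    """Cylinder count as the post computes it: divide by 255 and by 63,
    always rounding up to the next whole number."""
    if total_sectors <= 0:
        raise ValueError("sector count must be positive")
    return math.ceil(total_sectors / HEADS / SECTORS_PER_TRACK)


def build_descriptor(image_name: str, total_sectors: int, hw_version: int = 8) -> str:
    """Return the text of a monolithicFlat descriptor pointing at image_name.
    Numbers are written without thousands separators (commas break parsing)."""
    cyl = cylinders_for(total_sectors)
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        'encoding="windows-1252"',
        "CID=fffffffe",
        "parentCID=ffffffff",
        'isNativeSnapshot="no"',
        'createType="monolithicFlat"',
        "",
        "# Extent description: whole image as one read-write flat extent",
        f'RW {total_sectors} FLAT "{image_name}" 0',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        'ddb.adapterType = "lsilogic"',  # the post attaches the disk to an LSI Logic SCSI adapter
        f'ddb.geometry.cylinders = "{cyl}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        f'ddb.virtualHWVersion = "{hw_version}"',
    ]) + "\n"


def check_descriptor(descriptor: str, image_size_bytes: int) -> list:
    """Return a list of problems (empty means the descriptor agrees with the
    image): the checks the post has you make by hand, i.e. no commas in
    numbers, extent sector count equal to the image size, heads/sectors
    fixed at 255/63, and cylinders rounded up correctly."""
    problems = []
    if "," in descriptor:
        problems.append("a number contains a comma")
    m = re.search(r'^RW\s+(\d+)\s+FLAT\s+"([^"]+)"\s+(\d+)', descriptor, re.M)
    if not m:
        problems.append("no RW ... FLAT extent line")
        return problems
    rw_sectors = int(m.group(1))
    expected = image_size_bytes // SECTOR_SIZE
    if rw_sectors != expected:
        problems.append(f"extent says {rw_sectors} sectors, image has {expected}")

    def ddb(key):
        mm = re.search(rf'^ddb\.geometry\.{key}\s*=\s*"(\d+)"', descriptor, re.M)
        return int(mm.group(1)) if mm else None

    if ddb("heads") != HEADS or ddb("sectors") != SECTORS_PER_TRACK:
        problems.append("heads/sectors must be 255/63")
    if ddb("cylinders") != cylinders_for(rw_sectors):
        problems.append(f"cylinders should be {cylinders_for(rw_sectors)}")
    return problems


def write_descriptor_for(image_path: str, hw_version: int = 8) -> str:
    """Create <image>.vmdk next to the image (VMware resolves the extent name
    relative to the descriptor) and return its path. Refuses to proceed if the
    image is writable, matching the post's habit of keeping the image read-only."""
    if os.access(image_path, os.W_OK):
        raise PermissionError(f"{image_path} is writable; mark it read-only first")
    size = os.path.getsize(image_path)
    if size % SECTOR_SIZE:
        raise ValueError("image size is not a whole number of sectors")
    text = build_descriptor(os.path.basename(image_path), size // SECTOR_SIZE, hw_version)
    vmdk_path = os.path.splitext(image_path)[0] + ".vmdk"
    with open(vmdk_path, "w", newline="\n") as fh:
        fh.write(text)
    return vmdk_path


if __name__ == "__main__":
    # Constructed sample: 312,581,808 sectors (a common 160 GB disk) gives
    # the 19458 cylinders quoted in the post.
    sample = build_descriptor("MyImage.001", 312581808)
    print(sample)
    print("problems:", check_descriptor(sample, 312581808 * SECTOR_SIZE))
```

Run write_descriptor_for("MyImage.001") from the folder that holds the image to produce MyImage.vmdk; the check_descriptor function is the one to reach for when VMware reports that the file is not a virtual disk, since it reports which of the hand-checked items disagrees with the image instead of a generic error.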
Next, we’ll create a VM, so open VMware and elect to create a new virtual machine. At this point, the following video will save some explaining:
Create VM
This is what we do: Run VMware and create a new VM. Select the Custom option in the first window. Choose to install the OS later. Next, choose the OS (32 vs. 64 is not critical). Then, pick a name for the VM and a path for the VM files. It’s best to place them in their own folder. In the next couple of screens, choose one processor and a little more memory (2-4GB) than the default. In the network box, select “do not use…” You can add a network adapter later. For the I/O adapters box, select LSI Logic (SCSI). In the Select a Disk box, choose “Use an existing virtual disk.” Next, navigate to your vmdk file (MyImage.vmdk). Then click Finish, and you will have built a basic VM. Now, take a Snapshot in VMware: VM\Snapshot\Take Snapshot.
In the next step, we’re going to edit the registry of our VM (we don’t do this in XP) and remove the password (keep EFS in mind). We mount the VM as a logical disk in read-write mode (remember, we’re working with a snapshot and the image file is RO). So, mount the system partition in VMware as writable. Watch the video:
Prep for boot
As you saw, I loaded the VM’s System hive in my host’s registry. I navigated to the current control set and then to HKLM\NEWSYSTEM\ControlSet001\Services\LSI_SCSI. I edited the Start value (DWORD) so that it’s 0x00. The 0 has the effect of starting the service at “boot” automatically by the system loader. You can edit the other Control Sets, but it’s unnecessary. Then I unload the System hive and shut down Regedit.
Next, we’ll deal with the user’s password. I use a free tool named ntpwedit.exe, http://cdslow.webhost.ru/ntpwedit/. (It’s in Russian, but you’ll figure it out.) We’ll run ntpwedit, point it to the SAM hive in the mounted virtual disk, and remove any password that you wish. Note that you usually can boot a VM with Nordahl’s CD and do so, but it doesn’t always work. Watch:
Remove Password
Now, the VM is ready to boot. You may wish to fire it up to be sure that it runs, but create another snapshot first. We want to be careful about doing anything that could create a restore point, which could delete one or more existing restore points. For example, installing VMware Tools will create a restore point. Snapshots allow us to go back and recover a pristine system. It’s a good idea to check the shadow volumes in your image and be sure that they all show up later with their proper dates when we examine them. In our example, there are 19:
Red Forman
September 4, 2016 at 7:20 am
Hey Jimmy,
Just tried this with a Windows 10 x64 image and turns out there is no registry entry for LSI_SCSI. I managed to get the VM created successfully starting with the VMDK modified to my VMWare version (12), and the following steps:
New VM
Custom
Hardware Version VMWare 12 (my version)
Install OS Later
Choose OS (Win 10 x64)
Name and location
Firmware type EFI
1 Processor 1 Core
4GB RAM
No Network Connection
I/O Controller Types – LSI Logic SAS
Virtual Disk Type – SCSI
The rest was the same, except I didn’t need to mount or map the VM HD to change the registry, because Windows 10 has all of the LSI configured as Start=0 by default.
I did have an issue when I started to try your original method though with permissions on the ‘config’ folder, and I wasn’t able to gain access to it using the ‘Map’ method. So I used FTK Imager and mounted the image Writable – Logical and went from there.
Hope this helps out some of the others having issues with Windows 10.
jimmyweg
September 4, 2016 at 11:57 am
Thanks, Red. Yes, the SAS controller is an alternative. Usually, there are two SAS controllers, and picking either should work. I’m not sure why you couldn’t access System32\Config, but perhaps Win 10 tightened up access somewhat. Yet, I can access the folder directly on my native system.
Richard
August 10, 2016 at 10:52 am
Anyone willing to share their copy of ntpwedit? The site to download it from is down. I’ve gotten to the point of booting and a login, don’t want to take the time to crack the SAM if I don’t have to. Thanks!
jimmyweg
August 15, 2016 at 8:09 pm
Solved.
Jason
July 25, 2016 at 10:19 am
Using Workstation 11 on Windows 10, I can map the VM drive; however, the drive is not displayed in RegEdit, and Explorer gives me the error “not accessible. Incorrect function.” when I try to view the contents of the drive. Is this a limitation of Windows 10/Workstation 11? Any workarounds?
Hi, Jason. I can tell you that my VMware 12 works fine on/with Win 10. I don’t think you’ve encountered a limitation. You didn’t give me much info. Are you working with an image? What type? What is the guest’s OS? Have you tried the approach using Arsenal Image Mounter?
Make sure you take a snapshot before trying to mount it as read/write.
I had the same issue, I kept getting “Not accessible. Incorrect function.” after attempting to mount the drive as read/write in VMWare and browse in explorer. It would mount fine as read only, no errors browsing. Once I did a snapshot it worked fine.
Good article, however I’m having trouble with the regedit. I can do the load hive, but the mapped drive doesn’t show up, the hard drive, a recovery partition, and my local drives do, just not the drive I mapped in VMware… I can’t boot that system as I believe it needs the SCSI to start up when the system boots.
I’ve tried this numerous times, and still a no-go.
Thanks for writing, Greg. What is the guest OS? Is it GPT (I think it is)? How are you loading and editing the System/SAM hives if you can’t map the system partition? Try mapping the partition before and after the desired system partition. VMware seems to have an issue with mapping the selected partition on GPT.
Imagine it’s GPT (Windows 7 box, I’m fairly sure); my host is Windows 7. I can see the drive mapped to Windows (a 455GB drive using about 120GB). Under advanced, it shows SCSI.
Now on my host I try regedit, file local hive( as in video). On left hand side, I still see my C drive, my USB drive, and now instead of Q (which is the image file that I wish to use), I see an 11GB recovery drive (different letter).
OSX is an entirely new ballgame. I will tell you that I can create a VMware VM in Windows from an OSX dd image. However, there is at least a debate over whether doing so conforms with Apple’s licensing conditions. So, I haven’t posted instructions because I don’t want to take a chance on violating the license. I will say that it also requires a tweak to certain VMware system files, and I don’t know whether those edits will work in all versions. You can, however, build a VM in Fusion on a Mac.
Let’s check the easiest thing first: make sure that your image name in the vmdk is precise. Next, double check the geometry, e.g., number of sectors. I take it that your target is a single image file and not a mounted image. Let me know what you find.
Little further along….
Able to install the VM and open it in VMWare – however it says it cannot start normally. I tried to stop the VM and restart it – same issue — should I attempt to repair it?
Then it has to boot in VMware if you correctly created the vmdk, edited the registry, and took a snapshot. Try going back to the first snapshot and boot. Don’t do a repair at that point.
If it’s the same issue that Patrick last reported, it seems to be a Windows issue. Try the repair. Does it boot to safe mode? I get that screen all the time and simply elect to start Windows normally. Go back to square one and make sure that you get the registry edited before your first attempt, in case something was corrupted when you first built the VM.
Hi Jimmy
I keep getting Stop code 0x0000007B on boot
My OS is Win XP.
I suspect it cannot boot because I have not changed the appropriate setting in the registry. I looked and cannot find the LSI_SCSI key (probably because this is XP).
Is there an XP version of this key I can change?
Great article but I am having problems mapping the drive. I am using Workstation 10. It seems to map the drive but when I click on it, it says to format the drive. When I try to start the VM, I get a disk error. I can mount the dd and browse the folders using FTK Imager. Any ideas? Thx!
Perhaps your geometry is wrong. Check your vmdk file and be sure that the C-H-S settings are correct. H=255, S=63, C=Total Sectors/255/63. Your total (physical) sectors should be included in the file, too, of course.
First, remove the commas in your sector count number, and RW should be 976773168. The ddb.geometry.cylinders should be 60801. Create a vmdk file that contains the following:
# Disk DescriptorFile
version=1
encoding="windows-1252"
CID=fffffffe
parentCID=ffffffff
isNativeSnapshot="no"
createType="monolithicFlat"
# Extent description (replace MyImage.001 with the name of your image file)
RW 976773168 FLAT "MyImage.001" 0
ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "60801"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.virtualHWVersion = "8"
Thanks for your excellent work and for sharing it!
Just a quick question as you might have come across.
I’m trying to write the System registry key as you said, but on VMware Workstation 8, when I try to map the partition as writable, I get a Windows message saying it can’t open that drive letter.
I’ve tried it in VMware Workstation 10, and I can map to a drive letter, but then I can’t open the folder Config under Windows\System32, as it says that I don’t have permissions. I tried of course to edit the permissions, but I always get an error that it can’t write.
If you can map the volume as writable with VMware, it seems to be a permissions issue, as you noted. Win 8 can be a little fussier than 7. Have you disabled UAC? First try the normal way through Control Panel. If that doesn’t work, try HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and set EnableLUA to 0x00. Note that you will be unable to use Metro Apps (so what).
Hi Jimmy, I tried your method to boot from a single dd image:
1. I created a dd image from a system drive (logical drive) using FTK Imager.
2. I created the vmdk and VM according to the steps in your posts.
3. I loaded the VM’s System hive in my host’s registry, edited it with your method, and removed the password using ntpwedit.
4. Then I powered on the VM, but the VM stopped at a black screen while starting. What’s the problem?
I don’t know about a black screen, and what do you mean by “VM suspended”? If you’re not even getting to Windows, there may be a problem with your target’s boot loader. Make sure you give it enough time, as it can be slow sometimes. What is the OS?
But I have a question: can you tell me how to load the VM’s System hive in my host’s registry and then how to navigate to the current control set and then to HKLM\NEWSYSTEM\ControlSet001\Services\LSI_SCSI?
It’s in my posts, but mount your virtual disk after taking a snapshot. Mount it as writable. Then open regedit, and select load hive from the File menu, when your focus is on HKLM on your own registry. Navigate to the mounted virtual disk’s SYSTEM hive, select it, and give it a name. You should find the LSI_SCSI key in your mounted hive.
Thank you for taking the time to put together such helpful information! I am using VMWare Workstation 8 on a Windows 7 x64 host, and I created a VM from an E01 image of a Windows 7 machine.
I was unable to map the virtual drive, and the vmware.log exposed the problem: “failed to open \\.\PhysicalDrive11 the physical disk is already in use”
To solve this problem, I closed VMWare Workstation 8 and started it again running it “As Administrator”. It was a permissions issue accessing the physical disk, and running as Administrator fixed it.
Hi! I’m stuck again. After mapping the “hard drive” with VMware as explained, it shows in Windows Explorer, but it does not show in Disk Management and it does not show through regedit, so I cannot choose the System file in it. I guess that some of my computer settings are not right. I would be very happy if you could help me out again. Thanks for great information!
I have the same problem as Diego. My image is a raw, dd image that opens fine in WinHex Specialist. I made changes to the number of sectors and to the image file name in your template. I saved the file as a vmdk. I do not think I made a mistake.
Hi, Alan. The “The file specified is not a virtual disk” error typically indicates a problem with your vmdk or an issue with your image. If you want to send the vmdk to me, email it to jweg mt. gov. In WinHex, click on the physical image and send the Technical Details Report, too, if available. Make sure that your vmdk file is in the folder with your image. Check that no commas are in any numbers, e.g., sectors. Double check that you named the image correctly in your vmdk. Check your math for number of cylinders.
Thanks for the offer to troubleshoot it. I’ll send it to you. I double checked all that you suggested so I am hoping you can shed some light. BTW, I hate captchas.
Sent you an email. I also hate Captchas, but you can’t believe how many spam comments I was getting. I wish that there was an alternative, and I do use other blockers.
Hello, Hans. As you’re using an E01, you must mount the image as a physical disk and then build your VM from the disk. Please follow the instructions at http://justaskweg.com/?p=653.
I followed all steps with VMware 8.x, but when I navigate to the vmdk file and click next I get the error: “The file specified is not a virtual disk”. I tried creating another VM and checked the contents of the generated vmdk file; it contains some weird characters at the beginning and the end, but the file I made manually doesn’t. What could be the problem?
That usually means that your vmdk file contains an error or the wrong type of virtual disk. Are you trying to create a VM from a dd image? If you’re trying to create a VM from an E01 or mounted disk, you want to open the vmx file after you follow the steps in my post on E01s.
First, Vista/7/8 VMs prefer SCSI disks. If you simply create one from scratch, SCSI is the default. As many have found, leaving an IDE drive in place usually results in a BSOD. IIRC, it’s a Stop 0x0000007B error, which should be a driver issue. It took a bit of testing and trial and error. The issue/conflicts doesn’t arise with a SCSI disk/drivers. But, the target system probably doesn’t use a SCSI disk, so it won’t load the driver at boot. Vista/7/8 include the LSI SCSI drivers, but we have to make them load at boot. All that takes is editing the driver’s Start value data to 0x00. Thereafter, the SCSI drivers will load at boot and the system will recognize your SCSI disk. Per MS, these are the available value data for Start values (summarized):
0x0 (Boot): part of the boot driver stack, loaded by the boot loader.
0x1 (System): driver loaded by the I/O subsystem at kernel initialization.
0x2 (Auto load): loaded or started automatically for all startups.
0x3 (Load on demand): loaded, but not started until demanded, for example by using the Devices icon in Control Panel.
0x4 (Disabled): not to be started under any conditions.
Thanks, Stephane, I’m glad you found my post useful. Typically, Win7/Vista in VMware like SCSI drives, and XP uses IDE. However, if your VM boots, it doesn’t matter. If you have to strip a password and you use my approach for that, you have to mount the disk and edit the registry anyway. Even if you boot with a password-stripper disc, it edits the SAM, too.
Great Job here! Thanks so much for the step by step guide. Very informative.
Few questions.
Following the guide from ‘Creating a VM from E01 Images’ I was able to get a Win 7 64-bit image to boot, but only once. After I shut it down and restarted it I keep getting the BSOD. I tried deleting everything and starting over but still had the BSOD. Is anything changing outside of the files created in the target directory, like in the VMware Workstation folder/files? Any other thoughts on this?
Also in this post in the section about editing the registry of the mapped image it says ‘In the next step, we’re going to edit the registry of our VM (we don’t do this in XP)’ What do you mean ‘we don’t do this in XP’. Do I not edit the registry in host system if its XP or do I not edit the registry of a XP image?
>After I shut it down and restarted it I keep getting the BSOD.
If it boots once, it should boot indefinitely, absent something that went wrong in the VM guest. If it BSODs again, don’t do anything until you mount the virtual disk and recheck the registry to be sure that the LSI SCSI Start=0x00. If it reverted back to its original state, perhaps try taking another snapshot after you re-edit the registry. Maybe you somehow set the disk to non-persistent, although I don’t think that you can do that.
>Do I not edit the registry in host system if its XP or do I not edit the registry of a XP image?
Correct, you don’t. XPs usually don’t come with the native LSI drivers, anyway. You build an XP VM with the standard IDE disk. Then, to get it to boot, you’ll have to do a Windows repair in most cases. I can do a post on that if you think it would help a number of folks.
Thanks for the amazing info. I find these posts have a lot of material. I can’t wait to get a chance to implement all these great posts. Thank you very much.
Colin Ramsden has developed WinFE Lite, a build of WinFE that will run with a minimal amount of RAM (256MB). WinFE Lite is a very solid build and is detailed on Colin's website (http://www.ramsdens.org.uk/).
On his site, you will find everything needed to build WinFE Lite in great detail.
As he mentions on his site, WinFE Lite runs with less RAM than a full WinBuilder version needs. Depending upon your evidence machine and the RAM available, having a Lite version of WinFE may be just right for those machines.
Check it out, lots of work for a great forensic utility, at a price of only your time to build it. I sincerely appreciate Colin's contributions and effort (as I appreciate anyone that contributes to the overall good of the forensic community).
Perhaps the best and easiest tutorial I've seen on using Winbuilder. Just add the forensic write protect script and that's it. You can customize as you see fit.
Colin Ramsden is working on some really neat changes to his WinFE version, which is being tested now. So far, looking good!
If you still haven't decided to download it and try it, here is a QuickStart Guide to show only what you need to get going.
Colin's Write Protect Script (wp.script) is available, but still considered Beta (and as with any forensic utility, test - test - test). You can download today's version here. wp.script. To make sure you get the most recent version after today, download from the Boxnet from this website. Troy Larson's registry modifications are included in Colin Ramsden's WinBuilder Script. That's all you need.
If anyone would like to formally have their test results posted on this site, feel free to send the results to me.
I would reckon that for anyone that has not taken the time yet to build their own WinFE, there isn't any excuses left now. And like everyone else that waited, you'll wonder why you waited so long.
Here it is, Colin Ramsden's WinFE write protect application!
Although long in waiting, it is finally here. Colin worked diligently on making this work without making Microsoft unhappy. Documentation is forthcoming on the use of his application, but as you can see, it is really easy to figure out how to manage your disks.
Other little features may be coming in the future, but for now, say so long to DiskPart.
You can download the WinBuilder script from the BoxNet on this site (to your right of the page) and it will also be made available on the www.reboot.pro website. The file, "wp.script" needs to be placed in the "tweaks" folder in the WinBuilder folder structure.
For support on creating a WinFE ISO using WinBuilder, consult the forums at www.reboot.pro.
For those that have been using WinFE and wanting to know about recent updates, I have only a little news to mention. WinFE is still just as good today as when Troy Larson first created it, so not much in the update area there. WinFE still boots the same computer systems and you can do the same forensic work as before, not much has changed since then. DiskPart is still the primary (only) method to toggle drives on/offline, which isn't difficult to do. Still command line, but easy commands to use.
WinFE Batch File Building Method
And building WinFE is the same as before, no changes there either. If you use the batch file method, you can write your own or you can download pre-made batch files using the Box.net widget on this site to the right. Several to choose and modify to suit your preferences.
The location of the batch files on this blog looks like the below screenshot, so if you don't see it, you may need to have Java enabled in your browser.
All the batch files are in this zip file.
WinFE WinBuilder Building Method
If you are using WinBuilder (www.reboot.pro), there have been continual updates of the WinFE scripts by RoyM. The reboot.pro site is also the best place for forum support directly with the script writers if you have problems building your WinFE. RoyM (and others) has taken a great lead in the WinFE WinBuilder development. My hat is off to all the contributors.
Other Forensic Boot Systems
The "other" forensic boot systems have had a few updates, some major. I would highly recommend checking out Raptor, CAINE, and DEFT! A major difference between WinFE and several of the Linux forensic boot systems is that many of the Linux systems are pre-made forensic OS's, with freeware/open source tools already installed. WinFE requires you to add the apps you want to use, which may be freeware, open source, or commercial. A more complete forensic Go-Bag Kit has all of them....just in case....
It's been awhile, a long while, since there has been anything added to the WinFE project, and the bad news is that nothing is new other than Microsoft not quite accepting of Colin Ramsden's write protect tool. As that is not good news, both Troy and Colin are working toward an effort that may meet Microsoft's needs for an acceptable (to Microsoft...) write protect application other than DiskPart.
Sorry for the news on no news, but WinFE still works as it is, you just need to use the command line to toggle drives on/offline.
There have been numerous presentations showing how to build and use a WinFE boot disc around the world. Most recently I see that IACIS has given a demo this year along with several HTCIA Chapters and a DOD conference as well. A write up of Imaging a MacBook by Sean Morrissey shows just how easy WinFE is to use on a MacBook based on one demo at IACIS.
As simple as it is to use, it has become even easier to build using WinBuilder. Probably the most significant difference when using WinBuilder rather than building via WAIK and the command line is the numerous options that can be automatically added, particularly in that of supporting more software able to run on WinFE.
Many examiners have already tried to build and use WinFE, but I know there are a few of you out there that just haven't sat down to give it a whirl. If you can speak to anyone that uses WinFE, they will each tell you that it is well worth it!
The next coolest thing to be added to WinFE is Colin Ramsden's GUI currently being finalized. Say goodbye to the DiskPart command line!
Always test your tools (this includes WinFE). Considering that NIST recently discovered that some Ubuntu based forensic boot discs could make modifications to a booted suspect drive (modifies the $logfile upon booting....), these sort of news breaks are a friendly reminder to test your tools. Additionally, when 'bugs' are found in forensic tools, it may help to review any cases that may be affected by a past use of a tool. Even Guidance Software just released a firmware update to a hardware physical write blocker in which writes to the evidence drive were not protected. How's that for reassurance with hardware write blockers being known as the absolute write protection tool?
You can't rely upon someone else's work, you can't even rely upon the label of a box of something you buy. You just have to spend the time to test it personally.
If you've not tested a tool that you used and later find that there was a problem with it, how long will you worry about one of those times you relied upon it to come back to haunt you in a past case?
Better that you tested it ("I know it works because I tested it") rather than rely on someone else to test it ("But the company/website/brochure said it worked...").
An easy quickstart guide to build your WinFE ISO...
1) Extract WinBuilder to the root of your C:/ drive
2) Run WinBuilder
3) Click 3 buttons and you are done.
If you want more features, such as additional programs, network support, audio, more drivers, customized wallpaper, create a bootable WinFE flashdrive, etc..., then you just need to push a few more buttons. Download and read the write up (Users Guide to WinFE) for details on adding features. It's just as easy as pushing the 3 buttons.
These screenshots show all that is needed. Now, after looking at what is needed to create your WinFE, what is the reason you haven't started yet?.....
One of the biggest benefits (besides imaging storage media) of WinFE is the ability to create a customized triage system at virtually no cost. Purchasing a pre-made system may not be an issue when only one or a few systems are needed, but when outfitting an entire unit or perhaps an entire police department, bulk purchases of software to be issued individually most likely will not happen. Completely disregarding the ability to triage due to cost does not benefit the community or country. Finding solutions does.
With a WinFE "triage system", the cost can be minimal due to the multitude of freely available software available. Not to be confused with shareware, pirated software, or other questionable software, there are plenty available at no cost that are effective and easy to use (and did I mention the keyword "free"?).
So, when contemplating purchasing a pre-built system, consider that a customized system can be simply created that fits the needs and budget of your organization or your case.
There are several tools of worthy mention, but plenty more that are just as viable for triage and forensic quality software.
For law enforcement and military, there is the excellent (and free!) search tool "Field Search". Field Search is a tool initially developed to run on a live machine to scan for images, internet history, and other items of evidential value.
Field Search can also run under a WinFE booted system, giving it the capability of being "forensic" in that instead of running on the suspect machine and altering the system, it can now be run without altering the system. Field Search is an extremely quick and easy program to use for First Responders and those in combat zones. The use of this program in a forensic environment just doubled its potential.
The only limits to the software that will run on WinFE are those that depend upon the dependent files. As an example, the Microsoft .NET framework is needed to run ChromeAnalysis and FoxAnalysis. .NET is installed in the WinFE with the check of a box when using WinBuilder to build a WinFE ISO. With that, both FoxAnalysis and ChromeAnalysis from www.forensic-software.co.uk run in the WinFE booted system giving more options in triage. Both of these tools provide an intensive internet history capability in any forensic examination, and can be easily used in a triage/preview situation.
Other types of forensic software can also be used to target specifically desired information. RegRipper can be used to run against an entire drive and output specific results to a text file. RegRipper (freely available!) can be modified in a multitude to ways to target what may be needed in a given scenario, either by using pre-made plugins or writing a unique plugin based on what is needed.
WinFE allows you to customize a triage booting system based on several factors other than just a budget. As an example, a police department can have a WinFE customized for First Responders with a bare minimal selection of triage tools, Field Search being a prime example. Investigators could have additional tools (with some additional training) that can go beyond the First Responders' needs. With this type of system, by the time a forensic examiner is given evidence to examine, the evidence has been prioritized by the First Responder and case investigator to best determine how resources should be spent. Compared to literally dumping multiple computers onto an examiner's desk and asking for "everything", triage can be conducted for more effective results and quicker turnaround. This can be applied to non-LE work as well.
Since WinFE can boot virtually any Intel-based computer (this also includes Macs and *nix machines), the majority of situations can be handled with it. Forensic Linux boot discs can be used in the same fashion as WinFE, using Linux software; however, I would hazard a guess that most computer users are using the Windows operating system. Giving an unfamiliar operating system to a First Responder may create a problem, with mistakes being made by not knowing 'which buttons to push' to find the evidence...Those with more experience with Linux should not have that problem. Given the option to outfit a battalion of combat troops with this capability...I'd probably lean heavily toward a Windows based system...
Fairly soon, if not already in some jurisdictions, the days of giving the forensic examiner dozens of hard drives that have not been previewed or triaged in some fashion by someone, will be over. A WinFE triage system can be configured to find basic information (user accounts, internet history, graphics, etc...) which can be used to prioritize, or even eliminate, media to be examined. Some information that can be gleaned onsite during triage could substantially affect the outcome of the situation (combat arena? searching for victims related to an electronic crime scene? or other scenarios where an extensive examination will yield results that may be useless months later?).
Using a triage system can save more hours than you may initially realize. If just one computer hard drive is triaged, and determined not to be of importance (as compared to the other 10 in the investigation...), then it need not be imaged (saving hours) and need not be examined (saving days). It's very easy to determine the ROI or man-hours saved with one hard drive; extrapolate that to dozens or more hard drives. How's that for cutting down the workload?
Giving more usability to WinFE, OSForensics has several features that I can see being beneficial in the triage of a system. OSForensics can be run on a live system (not the optimal decision in most cases), a mounted image, or in a forensically booted WinFE system.
The program's interface is simple and encompasses quite a bit of the basic forensic processes (searching, indexing, hashing, etc...). Of particular interest is that some of these standard forensic processes can easily be used in a WinFE booted system for basic triage.
As an example, a scan of images of the suspect computer can be conducted with OSForensics. This type of triage may certainly help determine which computer systems contain illicit images and need forensic analysis.
Another feature that can benefit cases is that of indexing. OSForensics allows for indexing of files, including email (pst, mbox, msg, eml, and dbx), for keyword searches. Searches can also be restricted by date ranges.
Although OSForensics doesn't appear to be as powerful as a tool such as X-Ways Forensics, I definitely foresee a place where it can be used, particularly in a First Responder role.
I'll be giving a demo of WinFE to www.ctin.org on March 10 (online). I'll be showing some neat developments in the work as well as discuss solving build problems.
There are a few spots left and you have to be a CTIN member to view the presentation. But maybe it is something worthwhile to join anyway as most all the training is free to members.