Here is a neat and FREE app to test your Live CDs.  Not sure how I missed this one, but instead of creating an entire virtual machine to boot a ISO for testing, you can just run the ISO with MobaLiveCD (http://mobalivecd.mobatek.net/en/).  QEMU opens a virtual machine window that much faster on your screen.



This may just cut down the number of cup mats I usually make when burning CDs...

On the subject of triage, I have some thoughts which some companies may not like to hear (at least companies selling triage software or 'triage computer systems'...).

Here are some problems I see with several triage systems available;

-Any triage tool that is marketed that anyone can plug it in and capture all responsive data and even create a forensic image, without having any knowledge of computers is a tool I would keep at a safe distance from custodians of data...Plug n' Play to capture evidence or triage a system?  How many problems? Let me count the ways...

-Any triage tool that is restricted to run on a specific computer is one that has just limited itself out of the market.  Since when do you want a tool that can only run on a specific computer you must buy?  Sorta useless if something happens to that computer.

-Any triage tool that professes to magically find all relevant data, even in the hands of untrained persons...wow.    Are you sure its finding what you need?

Why not triage a computer like everyone did in the old days.  Boot to a forensic OS (pick your flavor of OS) and use a tool you always use to find what you need to find.  Every case is different, so every triage is bound to be different.   On one computer, you may need to see the registry, whereas on another, you need to see the images.



And untrained persons triaging machines?  Good luck.  Emergency rooms don't use non-medical staff to triage patients, why would anyone use non-computer trained persons to triage computers?

As for a pretty good system for triage, build a WinFE disc (it's free, you don't need to buy anything other than a CD) and put your favorite forensic tools on it, the ones you use all the time.  Now you have a triage system.   No, more than that, you have a complete Windows Forensic Environment to look for exactly the things you need to look for.   Done right the first time.

So the next time you see a "Triage System" that is plug n'play simple, that decides what data you need to be collected, and that you just sit back and let it work, think about it a little more.  As for me, I want to push the buttons and triage based on what I need and what I see when I am looking at the data.

I've been asked on occasion, "What makes WinFE better or different than any other boot disc?".

WinFE is Windows based, not Linux.  For someone not experienced in Linux, the Windows environment may be easier to use due to familiarity with Windows.

Additionally, WinFE allows you to use your Windows based forensic applications in a forensically booted environment.  Rather than using a Linux CD and image with Linen, you can use a Windows CD and image with the full version of Encase or FTK Imager or X-Ways Forensics or other Windows based tool.

If your lab is Linux based, then WinFE may not be as comfortable as using a Linux based tool, but still may be an option to keep on hand (the opposite still remains true, if you focus on using Windows based tools, have some Linux options on hand as well).

Lastly, WinFE is updated by YOU, when YOU need it updated.  There is no need to wait for a distro to be upgraded every 6 months or longer before you can download it.  Current Linux ISO's available online still may have older versions of software that are outdated.  With WinFE, if any tool is updated/upgraded, you can do it immediately and always have the latest apps.

Other than that, its just user preference.

By now, most everyone involved with forensics knows about the latest release of FTK Imager 3.0.   In my opinion, this is perhaps the best release ever of FTK Imager and probably one of the top releases of software this  year because of one of the newest features and the price (FREE and MOUNTS IMAGES!).  Given other expensive software, or free software  that doesn't work as expected, or difficult to manage manual procedures to mount images, to now have FTK Imager 3.0 quickly and neatly mount an image is a nice addition to my Start Menu.



So the bigger deal with FTK Imager 3.0....it runs in WinFE.  With FTK Imager 3.0, you can mount images in WinFE and conduct analysis in the Windows Forensic Environment with any other tool that runs in WinFE, such as X-Ways Forensics, ProDiscover, or Encase.



Now I know what you are probably thinking.  FTK Imager "Lite" 2.9 will run in WinFE and that version doesn't support image mounting.  FTK Imager 3.0 needs to be installed, which is problematic in WinFE.  Well, right and wrong. FTK Imager 3.0 only needs to be installed on any system, then copy the program folder onto WinFE  to run as if it were installed.  Voila!  No need for the Lite version when you can have the full meal deal.

Now how's that for having a completely self-contained Windows Forensic Environment, running minimal processes on just about any system...technically, this is called, "Niiiccceee...."

And yet another use for WinFE.

This year, at the University of Washington's Digital Forensics Certificate Program, I am having each student create their own Windows Forensic Environment with as many forensic applications as we can fit on a USB drive.   This fulfills several objectives that any school or training program can incorporate at virtually no cost.

Students in forensic programs can learn to create a forensically sound bootable media and validate it through testing (how's that for a takehome assignment?).  Since WinFE can be used as a forensic platform on almost any computer (for those students without a 'forensic machine' at home), this bootable media may be more than enough to practice and do homework assignments on their home computer (...they can image...they can run forensic tools against an image or hard drive...they can do quite a bit).  Forensic software developers...consider making your applications run in a portable mode and VOILA, you just reached a second use (and market) for your application/s.  Anything that runs on WinFE is a tool I want and so far, only X-Ways Forensics fits that bill as a full fledged, portable forensic suite.

And yes, a Linux forensic environment can do many of these things as well, so why not do both?  The cost of a Linux CD...same as WinFE :)

I came across WinBuilder today (http://www.boot-land.net/), which provides downloads to a GUI based, Windows Live CD builder.  I'm willing to try anything, so I gave it a whirl and was happy I did.

With WinBuilder, many of the functions of Windows that are not in the basic WinFE builds are included.   This includes the Windows"Start" button, computer management tools, and even network access.

Running WinBuilder is not complicated and scriptable.  The one thing it does not do (at this time) is make your CD forensically safe with the 2 registry changes.  However, this is easy enough to do manually or by writing a script to be used during the build.

I'm not sure how I missed this before, but I may have now found my primary method of making a WinFE disc, using WinBuilder instead of a batch file.  Oh yeah, you don't need WAIK either.

For anyone that missed this WinFE webinar-"https://www2.gotomeeting.com/register/892321554"...I did view it today.  The WinFE discussion started about 30 minutes into the webinar, and only lasted for about 10 minutes.   Fortunately, there was a question/answer after the presentation for about 10 minutes.   However, the only information given on building your own WinFE was to contact Microsoft and an article in Hackin9 magazine (there was no reference to this WinFE site as a resource to build your own WinFE…even after submitting the web address information…).

Given some interest, I’d gladly host a webinar on WinFE, (more than 10 minutes worth, showing how to build your own, and not based on selling you some software…).

Troy Larson and Colin Ramsden are working on making some changes and adding features of interest to Windows FE. If you have any ideas as to what you'd like to see, please post them in the forum.

Some of the features of interest are Bitlocker support and VSS support. Feel free to shoot your requests here since you have the best hands on WinFE looking for ideas to implement, and a rare opportunity to 'develop' WinFE as a WinFE user.

The below video shows how simply and quickly you can create a WinFE ISO. As you'll see in the video, all you need to do is...
1) Install Windows AIK
2) Download the WinFE batch files
3) Run "createfolders.bat"
4) Copy your forensic tools into a folder
5) Run "createwinfe.bat"
6) Burn your CD with the created ISO

[youtube=http://www.youtube.com/watch?v=VUwDjYC5TUE]

It is great to see that the Windows Forensic Environment is being used as an accepted forensic platform by software manufactures, such as F-Response (blogged about running F-Response on WinFE) and WetStone.   WetStone has a version of their malware software available  on the WinFE system (although WetStone calls it the Windows Forensic Edition rather than Environment,  I believe they mean the same thing).

Colin Ramsden has been working feverishly on some modifications to WinFE that will appeal to everyone.    For some teaser screenshots, take a look here.   Bitlocker support, installing drivers while already booted to WinFE, clean shutdown that ejects the CD, and an easy to use Disk Management Console.  Believe it or not, Colin has even more to add.

Given the ability to make your own WinFE ISO with Colin's work, you surely will have one of the best forensic boot environments to date.

As you can see, the WinFE site has been migrated to WordPress.  This format allows me a little more freedom than Blogger as well as less time maintaining a website.  This site and work is free...be patient ;)

You can now find the batch files accessed through direct downloads.  I am more than happy to put up additional work or corrections/improvements to what is posted.  At this point, Colin Ramsden is working on his code in creating something I call the "SuperDuper Version" of Windows FE.  I'll let him describe the details when he is finished, but I promise, from what I've seen so far, it is really cool.

The WinFE journey…

From Troy Larson’s first vision of the Windows Forensic Environment to the improvements currently being made, WinFE is set to become one of the best forensic boot disks/USBs available.

The ease to which it can be created has been simplified greatly by Björn Ganster’s automated batch files (my initial batch files were elementary compared to Björn’s improvements).  Colin Ramsden is working some aspects of WinFE that really are impressive, such as GUI’s for WinFE, installing hasps drivers, mapping network drives, Apple HFS+ drivers, other program installations help, etc…   Jad Saliba of JadSoftware has plans to work on making IEF run in the WinFE environment.  Add these to Matt Churchhill’s version “WindowsRipper” modified from Harlan Carvey’s  “RegRipper” and you are set to add such a triage functionality to WinFE, that given 20 minutes in front of a computer, you may be able to get everything you need from the machine.  You can either determine if the computer is worth seizing at all, or in the case of a (legal!) snatch and grab op, grab only the data of importance from a host computer without the (criminal/terrorist) user ever knowing their computer was touched.

It is incredible what a group of contributors can have on a project that benefits the community. If you haven't gotten access to the shared folder, you can use this link to sign up for DropBox and I'll share the folder with you.  If you have already gotten a DropBox account, send me an email so I can share the folder with your current login.  I'd make the folder public, but would rather have at least one step to get to it rather than it open to the world so easily.  The neat thing about the shared folder, is that when someone puts in an updated batch file, you have access to it immediately.


For anyone waiting for WinFE to be available for one single and complete download...it won't happen.  There are some MS licensing issues that prevent that, so sit down for a bit, take a look at how to make one, and get started!  You won't regret it.

Jad Saliba, developer of the Internet Evidence Finder (IEF) and other neat software was interviewed recently and mentioned that he has plans to make IEF run portable on WinFE.  If you haven't purchased a copy of IEF (free to LE), take a look at it.  This would be a fantastic triage type application on WinFE as it searches for chat, email fragments (including Gmail!), Facebook snippets and fragments, Limewire, and more.

The day IEF is able to run on WinFE is the day I add it to mine ;)

Matt Churchhill (http://mattchurchill.net/2010/06/windowsripper/) has been doing some work to supercharge RegRipper.  Take a look at his video and while watching, consider how this can affect your method to triage a computer when booted to WinFE...

[youtube=http://www.youtube.com/watch?v=r4nBUXYGkBw&hl=en_US&fs=1&border=1]