And yet another use for WinFE.

This year, at the University of Washington's Digital Forensics Certificate Program, I am having each student create their own Windows Forensic Environment with as many forensic applications as we can fit on a USB drive.   This fulfills several objectives that any school or training program can incorporate at virtually no cost.

Students in forensic programs can learn to create a forensically sound bootable media and validate it through testing (how's that for a takehome assignment?).  Since WinFE can be used as a forensic platform on almost any computer (for those students without a 'forensic machine' at home), this bootable media may be more than enough to practice and do homework assignments on their home computer (...they can image...they can run forensic tools against an image or hard drive...they can do quite a bit).  Forensic software developers...consider making your applications run in a portable mode and VOILA, you just reached a second use (and market) for your application/s.  Anything that runs on WinFE is a tool I want and so far, only X-Ways Forensics fits that bill as a full fledged, portable forensic suite.

And yes, a Linux forensic environment can do many of these things as well, so why not do both?  The cost of a Linux CD...same as WinFE :)

I came across WinBuilder today (http://www.boot-land.net/), which provides downloads to a GUI based, Windows Live CD builder.  I'm willing to try anything, so I gave it a whirl and was happy I did.

With WinBuilder, many of the functions of Windows that are not in the basic WinFE builds are included.   This includes the Windows"Start" button, computer management tools, and even network access.

Running WinBuilder is not complicated and scriptable.  The one thing it does not do (at this time) is make your CD forensically safe with the 2 registry changes.  However, this is easy enough to do manually or by writing a script to be used during the build.

I'm not sure how I missed this before, but I may have now found my primary method of making a WinFE disc, using WinBuilder instead of a batch file.  Oh yeah, you don't need WAIK either.

For anyone that missed this WinFE webinar-"https://www2.gotomeeting.com/register/892321554"...I did view it today.  The WinFE discussion started about 30 minutes into the webinar, and only lasted for about 10 minutes.   Fortunately, there was a question/answer after the presentation for about 10 minutes.   However, the only information given on building your own WinFE was to contact Microsoft and an article in Hackin9 magazine (there was no reference to this WinFE site as a resource to build your own WinFE…even after submitting the web address information…).

Given some interest, I’d gladly host a webinar on WinFE, (more than 10 minutes worth, showing how to build your own, and not based on selling you some software…).

Troy Larson and Colin Ramsden are working on making some changes and adding features of interest to Windows FE. If you have any ideas as to what you'd like to see, please post them in the forum.

Some of the features of interest are Bitlocker support and VSS support. Feel free to shoot your requests here since you have the best hands on WinFE looking for ideas to implement, and a rare opportunity to 'develop' WinFE as a WinFE user.

The below video shows how simply and quickly you can create a WinFE ISO. As you'll see in the video, all you need to do is...
1) Install Windows AIK
2) Download the WinFE batch files
3) Run "createfolders.bat"
4) Copy your forensic tools into a folder
5) Run "createwinfe.bat"
6) Burn your CD with the created ISO

[youtube=http://www.youtube.com/watch?v=VUwDjYC5TUE]

It is great to see that the Windows Forensic Environment is being used as an accepted forensic platform by software manufactures, such as F-Response (blogged about running F-Response on WinFE) and WetStone.   WetStone has a version of their malware software available  on the WinFE system (although WetStone calls it the Windows Forensic Edition rather than Environment,  I believe they mean the same thing).

Colin Ramsden has been working feverishly on some modifications to WinFE that will appeal to everyone.    For some teaser screenshots, take a look here.   Bitlocker support, installing drivers while already booted to WinFE, clean shutdown that ejects the CD, and an easy to use Disk Management Console.  Believe it or not, Colin has even more to add.

Given the ability to make your own WinFE ISO with Colin's work, you surely will have one of the best forensic boot environments to date.

As you can see, the WinFE site has been migrated to WordPress.  This format allows me a little more freedom than Blogger as well as less time maintaining a website.  This site and work is free...be patient ;)

You can now find the batch files accessed through direct downloads.  I am more than happy to put up additional work or corrections/improvements to what is posted.  At this point, Colin Ramsden is working on his code in creating something I call the "SuperDuper Version" of Windows FE.  I'll let him describe the details when he is finished, but I promise, from what I've seen so far, it is really cool.

The WinFE journey…

From Troy Larson’s first vision of the Windows Forensic Environment to the improvements currently being made, WinFE is set to become one of the best forensic boot disks/USBs available.

The ease to which it can be created has been simplified greatly by Björn Ganster’s automated batch files (my initial batch files were elementary compared to Björn’s improvements).  Colin Ramsden is working some aspects of WinFE that really are impressive, such as GUI’s for WinFE, installing hasps drivers, mapping network drives, Apple HFS+ drivers, other program installations help, etc…   Jad Saliba of JadSoftware has plans to work on making IEF run in the WinFE environment.  Add these to Matt Churchhill’s version “WindowsRipper” modified from Harlan Carvey’s  “RegRipper” and you are set to add such a triage functionality to WinFE, that given 20 minutes in front of a computer, you may be able to get everything you need from the machine.  You can either determine if the computer is worth seizing at all, or in the case of a (legal!) snatch and grab op, grab only the data of importance from a host computer without the (criminal/terrorist) user ever knowing their computer was touched.

It is incredible what a group of contributors can have on a project that benefits the community. If you haven't gotten access to the shared folder, you can use this link to sign up for DropBox and I'll share the folder with you.  If you have already gotten a DropBox account, send me an email so I can share the folder with your current login.  I'd make the folder public, but would rather have at least one step to get to it rather than it open to the world so easily.  The neat thing about the shared folder, is that when someone puts in an updated batch file, you have access to it immediately.


For anyone waiting for WinFE to be available for one single and complete download...it won't happen.  There are some MS licensing issues that prevent that, so sit down for a bit, take a look at how to make one, and get started!  You won't regret it.

Jad Saliba, developer of the Internet Evidence Finder (IEF) and other neat software was interviewed recently and mentioned that he has plans to make IEF run portable on WinFE.  If you haven't purchased a copy of IEF (free to LE), take a look at it.  This would be a fantastic triage type application on WinFE as it searches for chat, email fragments (including Gmail!), Facebook snippets and fragments, Limewire, and more.

The day IEF is able to run on WinFE is the day I add it to mine ;)

Matt Churchhill (http://mattchurchill.net/2010/06/windowsripper/) has been doing some work to supercharge RegRipper.  Take a look at his video and while watching, consider how this can affect your method to triage a computer when booted to WinFE...

[youtube=http://www.youtube.com/watch?v=r4nBUXYGkBw&hl=en_US&fs=1&border=1]

This should be a neat webinar on Windows FE and Triage.

https://www2.gotomeeting.com/register/892321554

Check the "Using WinFE" page for tips on using WinFE for not only triage/preview, but other ways to use the tool.  Until I hear otherwise, I have found that X-Ways Forensics is the most complete forensic tool that can run on the Windows Forensic Environment without having to install dongles or hasps, dependent files, or other installation hassles.  Simply copying the X-Ways Forensic folder runs the program.  Take a look at the Triage/Preview link on this site for some things XWF can do in this sort of scenario.