Brett Shavers | Ramblings

FEB 15

But does it do Mac?

Posted by Brett Shavers in Digital Forensics


Just to clear up any questions on whether WinFE can 'do a Mac', well...it can. And Linux too. And of course it can do Windows as well. As long as the machine can be booted to a WinFE CD or USB, you can image the hard drive. Actually, you can do a whole lot more than just image it...you can triage it, preview it, search it, or just copy files and folders from it. If the drive is encrypted and you have the key, you can access the drive. And what about VSS (Volume Shadow Copy Service) snapshots....you can access those too, all through WinFE.

I can promise that as soon as you build a WinFE CD or bootable USB, you will regret not having done it months or years earlier (it's been around since 2008....). And if building a forensic boot OS makes you hesitate at all, there is no need, because with WinBuilder it is as simple as pointing and clicking to fully customize your Windows FE CD or bootable USB.
Recent Comments
Guest — Andreas D
I think as long as the suspicious machine has an Intel architecture, Windows FE will boot. And from there, the tools will work...... Read More
Tuesday, 15 February 2011 14:18
Guest — Brett Shavers
You are completely correct on why WinFE can boot to a Mac (Intel Macs anyway). And that is one of the reasons WinFE is such a pow... Read More
Friday, 18 February 2011 14:40
JAN 15

It's time to build your WinFE!

Posted by Brett Shavers in Digital Forensics

You can now download the WinFE WinBuilder. Thanks to everyone who helped support this effort; it was well worth it.

As for a guide on how to use WinFE, it probably isn't really needed, since WinFE is simply a forensic boot disc. So you might not need any help putting WinFE to good use. However...there may be a few things you didn't know you could do with WinFE that could be of interest. Since that might be the case, here is a quick guide with tips on using WinFE as well as tips for building with WinBuilder.

Users Guide to WinFE

For support on how to use WinBuilder (troubleshooting, advanced features), check out the WinBuilder website at http://reboot.pro.

To reiterate some points about WinFE (and to hopefully prevent 'hate mail' coming to me from commercial product vendors...), WinFE is an addition to your forensic toolkit. It doesn't replace any tools; it only supplements what you are using anyway. Commercial products that do the same thing WinFE does work too; keep buying those if you want, you don't have to use WinFE. And for the Linux lovers out there (hey, I'm one of you guys too!), there is a time and place for everything: sometimes WinFE is best, another time CAINE or DEFT or some other *nix distro may be best.

As far as anyone making a profit out of WinFE, no need to ask, because no one is; it is a community project of customizing a Windows PE to fit your needs.

And yes, there are even some more neat things to be added to WinFE in the future...but as of now, you have access to a solid forensic environment.

For additional credits to this project:

This project uses Win7PE_SE as its base build; thanks to ChrisR for his great work (Win7PE_SE: http://reboot.pro/12427/). Also, thanks to theYahoouk, JFX, Altorian, Lancelot, and RuiPaz for the Win7PE project on which this WinFE WinBuilder is based.
Recent Comments
Guest — Lancelot
Taking any tool or codes and using it for some other purposes is okay to the contributors of the open-source free world. Even no cred... Read More
Sunday, 16 January 2011 01:44
Guest — Brett Shavers
Credit to all who I know that contributed to both WinFE and the WinBuilder WinFE project (if I've missed anyone, I'm happy to add ... Read More
Sunday, 16 January 2011 10:14
Guest — ChrisR
I agree with Lancelot. Thank you for the credit and for clarifying things. I think it's good to add Lancelot. He really provi... Read More
Sunday, 16 January 2011 20:11
JAN 15

Portable Internet Evidence Finder and WinFE

Posted by Brett Shavers in Digital Forensics

Jad Saliba (of JadSoftware.com) has released an update to his Internet Evidence Finder (IEF) in a portable version. Now, it sounds really good to have the ability to plug a USB drive into a running machine and gather the information that IEF does. But, to take it a step further, I tried IEF within a booted WinFE system. And the result....it works perfectly!

To fully grasp how neat this is: you can boot to WinFE and run IEF across the physical drive, without making any changes to the evidence. This could be of real importance in an investigation such as a missing person case, where internet/chat/webmail may be of immediate intelligence value. Rather than imaging the hard drive and searching for this data in the image, or booting the machine to its own operating system and potentially overwriting pertinent data, you can boot to WinFE and run IEF on the write-protected drive. Of course, in a missing person case where chat is involved, it may also be most important to capture the volatile data FIRST before turning off the computer.

In civil case matters, this can be a fairly quick method of obtaining data relevant to the case matter onsite if imaging the hard drive is not allowed.

Although IEF doesn't run on Mac or Linux....if you boot a Mac or Linux machine with WinFE, IEF will run against that Mac or Linux hard drive ;)

Recent Comments
Guest — Nily
I am currently using a Mac right now and was just wondering if I could get some info on how to boot a Mac with WinFE. I am curren... Read More
Sunday, 27 March 2011 16:39
Guest — Brett Shavers
Just boot the Mac to a WinFE CD. As long as it's an Intel Mac, it'll boot to WinFE.
Monday, 28 March 2011 01:47
DEC 19

Updated video and other things

Posted by Brett Shavers in Digital Forensics

If you haven't seen Marc Remmert's video on creating a WinFE ISO, here it is. Although the WinBuilder method greatly simplifies what Marc shows in his video, it is certainly recommended to see what is actually happening to a Win"P"E to make it into a Win"F"E. No matter the process used, at least understand the changes being made, the reason for the changes, and the validation of the changes. And for those who insist that WinFE is not WinFE but WinPE...well, you are sorta correct. WinFE is the 'forensic' modification of a WinPE, so it really is something different.

Video: http://www.youtube.com/watch?v=J3T5wnPiObI

On the WinBuilder topic, a great group of beta testers have started to put WinBuilder through its paces. Again, although the end result is that you will be able to create a WinFE ISO with a few clicks, it is best to know what is happening behind the scenes, and Marc's video gives you that insight.

Recent Comments
Guest — Isaac
When do you expect the WinBuilder available version of WinFE to be available for download to non-beta testers? When will you relea... Read More
Monday, 10 January 2011 07:03
Guest — Brett Shavers
Working on a short 'How To' written guide and video to accompany it. But to answer your question...I'm working to finish it in 2 ... Read More
Monday, 10 January 2011 07:16
DEC 16

Do you wanna be a beta tester for WinFE?

Posted by Brett Shavers in Digital Forensics

Just before the latest WinBuilder WinFE gets released, would you like to take it on a test run before the rest of the world gets it? There are some neat features (BitLocker support, a DiskPart batch file, plus others), but the main concern is testing to see if anything needs to be fixed, corrected, added, or taken away from the build.

If you have the time to make a build or two and run it against your computer, send me an email and I'll send you the build (not the ISO, you have to build that, but you get the WinBuilder app to build it). I'd appreciate any comments, good, bad, or indifferent. I'll cut off the number of beta testers as soon as a decent number reply to this request by email to [email address obscured by the site's spam protection]. So give me your email to get your beta!

Recent Comments
Guest — Angelo Siciliano
Does it support video and audio or not? And I guess that you don't post a link to a CD image cause you don't want too many people ... Read More
Thursday, 16 December 2010 11:25
Guest — Brett Shavers
It can support video and audio, although the intended purpose is for forensic acquisition/analysis. Due to the Microsoft EULA, di... Read More
Monday, 20 December 2010 10:00
Guest — Emexus
I'd like to participate.
Thursday, 16 December 2010 18:24
DEC 14

WinBuilder Revisited

Posted by Brett Shavers in Digital Forensics


A big thanks to Royal Meier for providing a script to modify the registry within a WinBuilder Win7PE build. What I thought would be a difficult task of using WinBuilder to build a WinFE ISO is turning out to be quite simple, at least for Royal Meier (he makes it look simple anyway).

I am planning that "the" WinFE WinBuilder will be available before Christmas, for Christmas. So far, it works wonderfully, but there are a few tweaks to be added to make it really able to create the Super WinFE ISO without having to spend any time running batch files or typing commands in a DOS shell.

There are a few other things to be added after the New Year, like Colin Ramsden's work, but that is coming up as well. So, if you have procrastinated all this time to build a WinFE CD/USB, the wait is nearly over.

How cool is it to build your own custom, forensically sound boot CD (in a Windows OS...) with a few clicks? It is just plain cool. This is quick and easy, quite super actually.
DEC 14

MobaLiveCD

Posted by Brett Shavers in Digital Forensics

Here is a neat and FREE app to test your Live CDs. Not sure how I missed this one, but instead of creating an entire virtual machine to boot an ISO for testing, you can just run the ISO with MobaLiveCD (http://mobalivecd.mobatek.net/en/). QEMU opens a virtual machine window on your screen that much faster.

This may just cut down the number of cup mats I usually make when burning CDs...

Recent comment in this post
Guest — dubiaku
True. Looks useful. But I already have a VM in VMware called "ISO Boot" that is specifically for this. No need to make a new VM ea... Read More
Tuesday, 14 December 2010 15:13
NOV 30

WinFE and Triage

Posted by Brett Shavers in Digital Forensics

On the subject of triage, I have some thoughts which some companies may not like to hear (at least companies selling triage software or 'triage computer systems'...).

Here are some problems I see with several triage systems available:

- Any triage tool marketed on the claim that anyone can plug it in and capture all responsive data, or even create a forensic image, without having any knowledge of computers, is a tool I would keep at a safe distance from custodians of data...Plug n' Play to capture evidence or triage a system? How many problems? Let me count the ways...

- Any triage tool that is restricted to run on a specific computer has just limited itself out of the market. Since when do you want a tool that can only run on a specific computer you must buy? Sorta useless if something happens to that computer.

- Any triage tool that professes to magically find all relevant data, even in the hands of untrained persons...wow. Are you sure it's finding what you need?

Why not triage a computer like everyone did in the old days? Boot to a forensic OS (pick your flavor of OS) and use a tool you always use to find what you need to find. Every case is different, so every triage is bound to be different. On one computer you may need to see the registry, whereas on another you need to see the images.

And untrained persons triaging machines? Good luck. Emergency rooms don't use non-medical staff to triage patients, so why would anyone use non-computer-trained persons to triage computers?

As for a pretty good system for triage, build a WinFE disc (it's free, you don't need to buy anything other than a CD) and put your favorite forensic tools on it, the ones you use all the time. Now you have a triage system. No, more than that, you have a complete Windows Forensic Environment to look for exactly the things you need to look for. Done right the first time.

So the next time you see a "Triage System" that is plug n' play simple, that decides what data needs to be collected, and that lets you just sit back while it works, think about it a little more. As for me, I want to push the buttons and triage based on what I need and what I see when I am looking at the data.

Recent Comments
Guest — Andrew Sheldon
Hi Brett, Your comments are interesting but your conclusions are, IMHO, missing the mark by some way (and yes, we produce SPEKTOR... Read More
Monday, 29 November 2010 23:58
Guest — Brett Shavers
Thanks for your comment. There is certainly a situation for everything. I don't believe there is a single answer to the triage ... Read More
Tuesday, 30 November 2010 00:42
OCT 29

What makes WinFE better/different than other forensic boot discs?

Posted by Brett Shavers in Digital Forensics

I've been asked on occasion, "What makes WinFE better or different than any other boot disc?".

WinFE is Windows based, not Linux.  For someone not experienced in Linux, the Windows environment may be easier to use due to familiarity with Windows.

Additionally, WinFE allows you to use your Windows-based forensic applications in a forensically booted environment. Rather than using a Linux CD and imaging with LinEn, you can use a Windows CD and image with the full version of EnCase, FTK Imager, X-Ways Forensics, or another Windows-based tool.

If your lab is Linux based, then WinFE may not be as comfortable as using a Linux-based tool, but it still may be an option to keep on hand (the opposite remains true as well: if you focus on using Windows-based tools, have some Linux options on hand too).

Lastly, WinFE is updated by YOU, when YOU need it updated. There is no need to wait for a distro to be upgraded every 6 months or longer before you can download it. Current Linux ISOs available online may still have older versions of software that are outdated. With WinFE, if any tool is updated/upgraded, you can do it immediately and always have the latest apps.

Other than that, it's just user preference.
Recent Comments
Guest — Cainer
Why do you affirm this: "Current Linux ISO’s available online still may have older versions of software that are outdated" Did you... Read More
Sunday, 31 October 2010 16:22
Guest — WinFE
I like CAINE as it is one of the most current updated Linux forensics distros. In a presentation I just gave, I complimented CAIN... Read More
Monday, 01 November 2010 00:58
Guest — Cainer
Ok CAINE or better WinTaylor 2.1 has FTK Imager 2.9.0.5 and Nirsoft Mega Report, but these are the Windows Live analysis tools. In... Read More
Monday, 01 November 2010 01:05
OCT 19

FTK Imager 3.0 in the Windows Forensic Environment

Posted by Brett Shavers in Digital Forensics

By now, most everyone involved with forensics knows about the latest release of FTK Imager 3.0. In my opinion, this is perhaps the best release ever of FTK Imager and probably one of the top software releases this year because of one of its newest features and the price (FREE and it MOUNTS IMAGES!). Given other expensive software, or free software that doesn't work as expected, or difficult-to-manage manual procedures to mount images, having FTK Imager 3.0 quickly and neatly mount an image is a nice addition to my Start Menu.

So the bigger deal with FTK Imager 3.0....it runs in WinFE. With FTK Imager 3.0, you can mount images in WinFE and conduct analysis in the Windows Forensic Environment with any other tool that runs in WinFE, such as X-Ways Forensics, ProDiscover, or EnCase.

Now I know what you are probably thinking. FTK Imager "Lite" 2.9 will run in WinFE, but that version doesn't support image mounting, and FTK Imager 3.0 needs to be installed, which is problematic in WinFE. Well, right and wrong. FTK Imager 3.0 only needs to be installed on some other system; then copy its program folder onto WinFE and it runs as if it were installed. Voila! No need for the Lite version when you can have the full meal deal.

Now how's that for having a completely self-contained Windows Forensic Environment, running minimal processes on just about any system...technically, this is called "Niiiccceee...."

SEP 30

WinFE as a Student Training Aid

Posted by Brett Shavers in Digital Forensics

And yet another use for WinFE.

This year, at the University of Washington's Digital Forensics Certificate Program, I am having each student create their own Windows Forensic Environment with as many forensic applications as we can fit on a USB drive. This fulfills several objectives that any school or training program can incorporate at virtually no cost.

Students in forensic programs can learn to create forensically sound bootable media and validate it through testing (how's that for a take-home assignment?). Since WinFE can be used as a forensic platform on almost any computer (for those students without a 'forensic machine' at home), this bootable media may be more than enough to practice and do homework assignments on their home computer (...they can image...they can run forensic tools against an image or hard drive...they can do quite a bit). Forensic software developers...consider making your applications run in a portable mode and VOILA, you just reached a second use (and market) for your application(s). Anything that runs on WinFE is a tool I want, and so far only X-Ways Forensics fits that bill as a full-fledged, portable forensic suite.

And yes, a Linux forensic environment can do many of these things as well, so why not do both?  The cost of a Linux CD...same as WinFE :)

SEP 14

WinBuilder - What a neat way to make a WinFE CD

Posted by Brett Shavers in Digital Forensics

I came across WinBuilder today (http://www.boot-land.net/), which provides downloads for a GUI-based Windows Live CD builder. I'm willing to try anything, so I gave it a whirl and was happy I did.

With WinBuilder, many of the functions of Windows that are not in the basic WinFE builds are included. This includes the Windows "Start" button, computer management tools, and even network access.

Running WinBuilder is not complicated, and it is scriptable. The one thing it does not do (at this time) is make your CD forensically safe with the two registry changes. However, this is easy enough to do manually or by writing a script to be used during the build.
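As an added example (not the page's batch files or any WinBuilder script), here is a build-time batch script that makes the two registry changes WinFE relies on, MountMgr NoAutoMount=1 and partmgr SanPolicy=3, in the SYSTEM hive of a mounted WinPE image and verifies them before committing. The WIM and mount folder paths are assumptions; adjust them to your build.

```batch
@echo off
REM Added example, not the page's createwinfe.bat or a WinBuilder script.
REM Applies the two WinFE registry changes to the SYSTEM hive of a mounted
REM WinPE image so the booted disc neither auto-mounts nor writes to disks.
REM Assumed paths (adjust to your build folder):
setlocal
set "WIM=C:\winpe_x86\winpe.wim"
set "MOUNT=C:\winpe_x86\mount"
set "HIVE=%MOUNT%\Windows\System32\config\SYSTEM"
set "KEY=HKLM\WinFE"

REM 1. Mount the boot image read/write (DISM ships with the Windows AIK).
dism /Mount-Wim /WimFile:"%WIM%" /index:1 /MountDir:"%MOUNT%" || goto :fail

REM 2. Load the offline SYSTEM hive under a temporary key name.
reg load %KEY% "%HIVE%" || goto :fail

REM 3. NoAutoMount=1: the Mount Manager assigns no drive letters at boot,
REM    so no volume is mounted until the examiner chooses to mount it.
reg add %KEY%\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f || goto :unload_fail

REM 4. SanPolicy=3 (Offline All): newly discovered disks stay offline and
REM    read-only until explicitly brought online with diskpart.
reg add %KEY%\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 3 /f || goto :unload_fail

REM 5. Verify both values before committing the image.
reg query %KEY%\ControlSet001\Services\MountMgr /v NoAutoMount | find /i "0x1" >nul || goto :unload_fail
reg query %KEY%\ControlSet001\Services\partmgr\Parameters /v SanPolicy | find /i "0x3" >nul || goto :unload_fail

REM 6. Unload the hive and commit the changes into the WIM.
reg unload %KEY% || goto :fail
dism /Unmount-Wim /MountDir:"%MOUNT%" /Commit || goto :fail
echo WinFE registry changes applied and verified.
exit /b 0

:unload_fail
reg unload %KEY%
:fail
echo Build step failed; check the output above (the image may still be mounted).
exit /b 1
```

After booting the resulting ISO, diskpart's list disk should show every disk other than the boot media as Offline and list volume should show no drive letters on evidence volumes; that check is worth repeating on every new build.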

I'm not sure how I missed this before, but I may have now found my primary method of making a WinFE disc: using WinBuilder instead of a batch file. Oh yeah, you don't need WAIK either.

Recent Comments
Guest — DT
I have used WinBuilder and other WinPE builds from boot-land and really appreciate all the hard work that went into them. They are... Read More
Monday, 04 October 2010 05:05
Guest — WinFE
Absolutely agree.
Monday, 04 October 2010 05:28
Guest — Nuno Brito
Your point of view is interesting and makes sense. Following the case of certification, which steps would you recommend WinBuilde... Read More
Friday, 29 October 2010 09:00
JUL 29

Follow up: Windows FE and Live Forensic Triage

Posted by Brett Shavers in Digital Forensics

For anyone who missed this WinFE webinar (https://www2.gotomeeting.com/register/892321554)...I did view it today. The WinFE discussion started about 30 minutes into the webinar and only lasted for about 10 minutes. Fortunately, there was a question/answer session after the presentation for about 10 minutes. However, the only information given on building your own WinFE was to contact Microsoft and an article in Hakin9 magazine (there was no reference to this WinFE site as a resource to build your own WinFE…even after submitting the web address information…).

Given some interest, I'd gladly host a webinar on WinFE (more than 10 minutes' worth, showing how to build your own, and not based on selling you some software…).
JUL 05

WinFE Wish List

Posted by Brett Shavers in Digital Forensics

Troy Larson and Colin Ramsden are working on making some changes and adding features of interest to Windows FE. If you have any ideas as to what you'd like to see, please post them in the forum.

Some of the features of interest are BitLocker support and VSS support. Feel free to send your requests here, since the best hands on WinFE are looking for ideas to implement, and it is a rare opportunity to 'develop' WinFE as a WinFE user.

JUN 30

Create your own WinFE ISO, for free, in just a few minutes

Posted by Brett Shavers in Digital Forensics

The video below shows how simply and quickly you can create a WinFE ISO. As you'll see in the video, all you need to do is...
1) Install Windows AIK
2) Download the WinFE batch files
3) Run "createfolders.bat"
4) Copy your forensic tools into a folder
5) Run "createwinfe.bat"
6) Burn your CD with the created ISO

Video: http://www.youtube.com/watch?v=VUwDjYC5TUE

Recent Comments
Guest — Alex Alborzfard
I created the .ISO following the instructions in the video (the second detailed one), and burned it to a CD. Booted the system off... Read More
Friday, 09 July 2010 03:45
Guest — WinFE
When the command prompt opens, it may take some time before you get a cursor to work with. I can't think of a reason where it woul... Read More
Friday, 09 July 2010 04:11
Guest — Anonymous
I created the .ISO also following the instructions. Everything went fine, so I loaded it up and ran diskpart in the command promp... Read More
Friday, 06 August 2010 06:59
© 2023 Brett Shavers