Menu
  • Home
  • Brett's Blog
  • My Books
  • Courses
  • About Me
  • Contact
  • Home
  • Brett's Blog
  • My Books
  • Courses
  • About Me
  • Contact

Brett Shavers | Ramblings

Brett's Ramblings

Subscribe to blog
Unsubscribe from blog
Settings
Sign In
If you are new here, Register
  • Forget Username
  • Reset Password

By accepting you will be accessing a service provided by a third-party external to https://brettshavers.com/

direct link
SEP
30
0

WinFE as a Student Training Aid

Posted by Brett Shavers
in  Digital Forensics

And yet another use for WinFE.

This year, at the University of Washington's Digital Forensics Certificate Program, I am having each student create their own Windows Forensic Environment with as many forensic applications as we can fit on a USB drive.   This fulfills several objectives that any school or training program can incorporate at virtually no cost.

Students in forensic programs can learn to create a forensically sound bootable media and validate it through testing (how's that for a takehome assignment?).  Since WinFE can be used as a forensic platform on almost any computer (for those students without a 'forensic machine' at home), this bootable media may be more than enough to practice and do homework assignments on their home computer (...they can image...they can run forensic tools against an image or hard drive...they can do quite a bit).  Forensic software developers...consider making your applications run in a portable mode and VOILA, you just reached a second use (and market) for your application/s.  Anything that runs on WinFE is a tool I want and so far, only X-Ways Forensics fits that bill as a full fledged, portable forensic suite.

And yes, a Linux forensic environment can do many of these things as well, so why not do both?  The cost of a Linux CD...same as WinFE :)

  2088 Hits
Tags:
winfe
Tweet
Share on Pinterest
2088 Hits
SEP
14
4

WinBuilder-What a neat way to make a WinFE CD

Posted by Brett Shavers
in  Digital Forensics
I came across WinBuilder today (http://www.boot-land.net/), which provides downloads to a GUI based, Windows Live CD builder.  I'm willing to try anything, so I gave it a whirl and was happy I did.

With WinBuilder, many of the functions of Windows that are not in the basic WinFE builds are included.   This includes the Windows"Start" button, computer management tools, and even network access.

Running WinBuilder is not complicated and scriptable.  The one thing it does not do (at this time) is make your CD forensically safe with the 2 registry changes.  However, this is easy enough to do manually or by writing a script to be used during the build.

I'm not sure how I missed this before, but I may have now found my primary method of making a WinFE disc, using WinBuilder instead of a batch file.  Oh yeah, you don't need WAIK either.

  2899 Hits
Tags:
winfe
Tweet
Share on Pinterest
Recent Comments
Guest — DT
I have used WinBuilder and other WinPE builds from boot-land and really appreciate all the hard work that went into them. They are... Read More
Monday, 04 October 2010 05:05
Guest — WinFE
Absolutely agree.
Monday, 04 October 2010 05:28
Guest — Nuno Brito
Your point of view is interesting and makes sense. Following the case of certification, which steps would you recommend WinBuilde... Read More
Friday, 29 October 2010 09:00
2899 Hits
JUL
29
0

Follow up: Windows FE and Live Forensic Triage

Posted by Brett Shavers
in  Digital Forensics
For anyone that missed this WinFE webinar-"https://www2.gotomeeting.com/register/892321554"...I did view it today.  The WinFE discussion started about 30 minutes into the webinar, and only lasted for about 10 minutes.   Fortunately, there was a question/answer after the presentation for about 10 minutes.   However, the only information given on building your own WinFE was to contact Microsoft and an article in Hackin9 magazine (there was no reference to this WinFE site as a resource to build your own WinFE…even after submitting the web address information…).

Given some interest, I’d gladly host a webinar on WinFE, (more than 10 minutes worth, showing how to build your own, and not based on selling you some software…).
  2360 Hits
Tags:
winfe
Tweet
2360 Hits
JUL
05

WinFE Wish List

Posted by Brett Shavers
in  Digital Forensics

Troy Larson and Colin Ramsden are working on making some changes and adding features of interest to Windows FE. If you have any ideas as to what you'd like to see, please post them in the forum.

Some of the features of interest are Bitlocker support and VSS support. Feel free to shoot your requests here since you have the best hands on WinFE looking for ideas to implement, and a rare opportunity to 'develop' WinFE as a WinFE user.

  2330 Hits
Tags:
winfe
Tweet
Share on Pinterest
2330 Hits
JUN
30
4

Create your own WinFE ISO, for free, in just a few minutes

Posted by Brett Shavers
in  Digital Forensics

The below video shows how simply and quickly you can create a WinFE ISO. As you'll see in the video, all you need to do is...
1) Install Windows AIK
2) Download the WinFE batch files
3) Run "createfolders.bat"
4) Copy your forensic tools into a folder
5) Run "createwinfe.bat"
6) Burn your CD with the created ISO

[youtube=http://www.youtube.com/watch?v=VUwDjYC5TUE]

  8031 Hits
Tags:
winfe
Tweet
Recent Comments
Guest — Alex Alborzfard
I created the .ISO following the instructions in the video (the second detailed one), and burned it to a CD. Booted the system off... Read More
Friday, 09 July 2010 03:45
Guest — WinFE
When the command prompt opens, it may take some time before you get a cursor to work with. I can't think of a reason where it woul... Read More
Friday, 09 July 2010 04:11
Guest — Anonymous
I created the .ISO also following the instructions. Everything went fine, so I loaded it up and ran diskpart in the command promp... Read More
Friday, 06 August 2010 06:59
8031 Hits
JUN
29
0

Gargoyle and Windows Forensic Environment

Posted by Brett Shavers
in  Digital Forensics

It is great to see that the Windows Forensic Environment is being used as an accepted forensic platform by software manufactures, such as F-Response (blogged about running F-Response on WinFE) and WetStone.   WetStone has a version of their malware software available  on the WinFE system (although WetStone calls it the Windows Forensic Edition rather than Environment,  I believe they mean the same thing).

  2339 Hits
Tags:
winfe
Tweet
2339 Hits
JUN
28
2

WinFE Teaser Screenshots

Posted by Brett Shavers
in  Digital Forensics

Colin Ramsden has been working feverishly on some modifications to WinFE that will appeal to everyone.    For some teaser screenshots, take a look here.   Bitlocker support, installing drivers while already booted to WinFE, clean shutdown that ejects the CD, and an easy to use Disk Management Console.  Believe it or not, Colin has even more to add.

Given the ability to make your own WinFE ISO with Colin's work, you surely will have one of the best forensic boot environments to date.

  2311 Hits
Tags:
winfe
Tweet
Recent Comments
Guest — Siv
Looks like it's going to be a useful tool. Well done Colin, keep up the good work.
Monday, 28 June 2010 19:45
Guest — Claus Valca
Oooohhh. Such a nice shiny GUI interface. I've got the original stock WinFE build I did and can use when the Linux-based LiveCD ... Read More
Saturday, 17 July 2010 07:29
2311 Hits
JUN
22
0

New Site and Updates

Posted by Brett Shavers
in  Digital Forensics

As you can see, the WinFE site has been migrated to WordPress.  This format allows me a little more freedom than Blogger as well as less time maintaining a website.  This site and work is free...be patient ;)

You can now find the batch files accessed through direct downloads.  I am more than happy to put up additional work or corrections/improvements to what is posted.  At this point, Colin Ramsden is working on his code in creating something I call the "SuperDuper Version" of Windows FE.  I'll let him describe the details when he is finished, but I promise, from what I've seen so far, it is really cool.

  2250 Hits
Tags:
winfe
Tweet
2250 Hits
JUN
11
2

Current and Future Development of Windows FE

Posted by Brett Shavers
in  Digital Forensics
The WinFE journey…

From Troy Larson’s first vision of the Windows Forensic Environment to the improvements currently being made, WinFE is set to become one of the best forensic boot disks/USBs available.

The ease to which it can be created has been simplified greatly by Björn Ganster’s automated batch files (my initial batch files were elementary compared to Björn’s improvements).  Colin Ramsden is working some aspects of WinFE that really are impressive, such as GUI’s for WinFE, installing hasps drivers, mapping network drives, Apple HFS+ drivers, other program installations help, etc…   Jad Saliba of JadSoftware has plans to work on making IEF run in the WinFE environment.  Add these to Matt Churchhill’s version “WindowsRipper” modified from Harlan Carvey’s  “RegRipper” and you are set to add such a triage functionality to WinFE, that given 20 minutes in front of a computer, you may be able to get everything you need from the machine.  You can either determine if the computer is worth seizing at all, or in the case of a (legal!) snatch and grab op, grab only the data of importance from a host computer without the (criminal/terrorist) user ever knowing their computer was touched.

It is incredible what a group of contributors can have on a project that benefits the community. If you haven't gotten access to the shared folder, you can use this link to sign up for DropBox and I'll share the folder with you.  If you have already gotten a DropBox account, send me an email so I can share the folder with your current login.  I'd make the folder public, but would rather have at least one step to get to it rather than it open to the world so easily.  The neat thing about the shared folder, is that when someone puts in an updated batch file, you have access to it immediately.


For anyone waiting for WinFE to be available for one single and complete download...it won't happen.  There are some MS licensing issues that prevent that, so sit down for a bit, take a look at how to make one, and get started!  You won't regret it.
  2765 Hits
Tweet
Recent Comments
Guest — Rob
Great info..and good to see there is Interest in this project from Developers/coders..
Monday, 14 June 2010 00:18
Guest — ihuntcrows
hi my dropbox email thing is ihuntcrows@aol.com or ihuntcrows. im interested in this shared folder. thanks
Thursday, 16 December 2010 18:47
2765 Hits
JUN
09
2

Internet Evidence Finder (IEF): interview with Jad Saliba of JADSoftware.com

Posted by Brett Shavers
in  Digital Forensics
Jad Saliba, developer of the Internet Evidence Finder (IEF) and other neat software was interviewed recently and mentioned that he has plans to make IEF run portable on WinFE.  If you haven't purchased a copy of IEF (free to LE), take a look at it.  This would be a fantastic triage type application on WinFE as it searches for chat, email fragments (including Gmail!), Facebook snippets and fragments, Limewire, and more.

The day IEF is able to run on WinFE is the day I add it to mine ;)
  1959 Hits
Tweet
Recent Comments
Guest — KP
I donated to the IEF project back before Jad started charging for it and he was kind enough to give me two licenses for it. I've ... Read More
Wednesday, 09 June 2010 13:51
Guest — Rob
Agree..Thanks for the Effort on making this work with FE.. Good stuff!
Thursday, 10 June 2010 04:32
1959 Hits
JUN
02
8

More Windows FE and triage notes (WindowsRipper?)

Posted by Brett Shavers
in  Digital Forensics

Matt Churchhill (http://mattchurchill.net/2010/06/windowsripper/) has been doing some work to supercharge RegRipper.  Take a look at his video and while watching, consider how this can affect your method to triage a computer when booted to WinFE...

[youtube=http://www.youtube.com/watch?v=r4nBUXYGkBw&hl=en_US&fs=1&border=1]

  2457 Hits
Tags:
winfe
Tweet
Recent Comments
Guest — Rob
Am I correct that once you assign a drive letter to the Volume you are going to be touching the Drive in WinFE?
Wednesday, 02 June 2010 10:30
Guest — Anonymous
If you set a volume to read only, the disk is written to (offset 0x417). If a disk is set to read only, it is not written to. So... Read More
Wednesday, 02 June 2010 11:09
Guest — Matt C
Thanks for the link, Brett. I hadn't thought of putting this on WinFE before, but it's a great idea.
Wednesday, 02 June 2010 11:32
2457 Hits
MAY
28
1

Windows FE and Triage webinar

Posted by Brett Shavers
in  Digital Forensics

This should be a neat webinar on Windows FE and Triage.

https://www2.gotomeeting.com/register/892321554

Check the "Using WinFE" page for tips on using WinFE for not only triage/preview, but other ways to use the tool.  Until I hear otherwise, I have found that X-Ways Forensics is the most complete forensic tool that can run on the Windows Forensic Environment without having to install dongles or hasps, dependent files, or other installation hassles.  Simply copying the X-Ways Forensic folder runs the program.  Take a look at the Triage/Preview link on this site for some things XWF can do in this sort of scenario.

  2475 Hits
Tags:
winfe
Tweet
Recent comment in this post
Guest — Anonymous
Great Catch..Signed up.. Now only if it was tomorrow we could save you alot of Email! ;-)
Friday, 28 May 2010 22:43
2475 Hits
    Previous     Next
14 15 16 17 18 19 20 21 22 23

DFIR Training

Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.


Brett's blog

© 2022 Brett Shavers