WinFE: The (Almost) Perfect Triage Tool
Brent Muir – 2014 Version 1.0
• Benefits of WinFE
• History of WinFE
• Building WinFE
• “Live” vs. Booting
• Using WinFE:
  • Encryption Testing
  • Imaging
    ▪ RAM
    ▪ HDs
  • Triage
2
• Ability to boot on all x86 devices regardless of OS
  • Windows
  • Linux
  • OSX (requires optical drive)
• Runs Windows-compatible tools
• The price is right
  • Cost of a Windows OS licence
• Highly customisable
3
• BartPE (2003)
  • Live version of Windows based on XP/2003
  • Utilised the Windows Preinstallation Environment (PE)
http://www.nu2.nu/pebuilder/screenshots/
4
• Microsoft (SysInternals) created the first “official” WinFE guide (2008)
• Highly modified OS
  ▪ No GUI, CMD based only
  ▪ Registry keys modified to not mount devices by default
  ▪ Basic functionality, required batch scripts or plenty of DOS commands
  ▪ Based on Vista, compatible with Windows 7
5
Shavers, B. (2010)
6
• WinBuilder - Windows PE building utility
• WinFE script created by Brett Shavers that modified the same registry keys as the SysInternals instructions (2010)
  • Retained GUI interface
  • Write Protect Tool Management Console (replacement Disk Manager)
7
http://winbuilder.net/screenshots
8
• Microsoft Windows (32-bit or 64-bit) ISO
  • Provides the baseband core OS files
• Windows Automated Installation Kit (AIK)
  • Provides the Windows PE bootable image that WinFE is based upon
  • WIM (Windows Image) mounting tools
• WinBuilder with WinFE scripts
  • Provides the advanced interface features of WinFE (desktop GUI support, etc.)
9
• Two modes for third-party applications:
  • Run from RAM
    ▪ Stops end-users modifying installed programs
    ▪ Takes up more RAM when booting (an issue if working with low-specced PCs)
  • Run from Disk
    ▪ Easier to update (no more recompiling the full WIM)
10
11
• Steps to compile your own version of WinFE:
1. Install Windows AIK
2. Mount the Windows 7 ISO and remember the drive letter
3. Install WinBuilder and point it to the drive letter of the mounted ISO
4. Configure the scripts required through WinBuilder (including Tweaks → WinFE)
5. Prepare any third-party software you require on WinFE
6. Run the WinBuilder program and set the desired options. This should output a WinFE ISO as well as the files necessary to copy to a USB dongle
7. Edit the boot loader (BCD) to allow a maximum timeout and require user input to select WinFE from a boot menu
8. Test the WinFE release to ensure that it is forensically sound
12
Slipstreaming drivers into WinFE requires 2 tools (AIK):
• Imagex - used to mount the WIM
  • located in C:\Program Files\Windows AIK\Tools\x86\Servicing
• DISM - used to install drivers
  • located in C:\Program Files\Windows AIK\Tools\x86\Servicing
1. imagex /mountrw C:\WinFE\Target\Win7PE_SE\sources\boot.wim 1 C:\winFE\mount
2. dism.exe /image:C:\WinFE\Mount /add-driver /driver:"C:\WinFE\Files to inject\Hasp\Hasp" /recurse
3. imagex.exe /unmount /commit C:\winFE\mount
13
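The three commands on this slide as one batch file, added here as an example rather than code from the deck; in the same mount session it also sets the two registry values the WinFE scripts apply to the image's offline SYSTEM hive (NoAutoMount and SanPolicy, taken from the published WinFE build guides, not from this slide). The driver folder and the temporary hive key name WinFE_SYS are assumptions.

```batch
@echo off
rem Added example (not from the deck): inject drivers into the WinFE boot.wim
rem and set the registry values that stop Windows PE mounting / bringing
rem disks online. Run from an elevated command prompt on the build machine.
setlocal

set "AIK=C:\Program Files\Windows AIK\Tools\x86\Servicing"
set "WIM=C:\WinFE\Target\Win7PE_SE\sources\boot.wim"
set "MOUNT=C:\winFE\mount"
rem Assumed folder holding the driver package(s) to inject (e.g. the HASP driver)
set "DRIVERS=C:\WinFE\Files to inject\Hasp"

if not exist "%WIM%" (
    echo boot.wim not found: %WIM%
    exit /b 1
)
if not exist "%MOUNT%" mkdir "%MOUNT%"

rem Step 1 on the slide: mount image index 1 of boot.wim read/write
"%AIK%\imagex.exe" /mountrw "%WIM%" 1 "%MOUNT%" || goto :fail

rem Step 2 on the slide: add every driver .inf found below the driver folder
"%AIK%\dism.exe" /image:%MOUNT% /add-driver /driver:"%DRIVERS%" /recurse || goto :fail

rem WinFE registry tweaks (from the published WinFE build guides, not this
rem slide): load the image's offline SYSTEM hive under an assumed temporary
rem key name, set NoAutoMount=1 (MountMgr) and SanPolicy=3 (partmgr, "offline
rem all"), then unload it so the change is written back into the hive file.
reg load HKLM\WinFE_SYS "%MOUNT%\Windows\System32\config\SYSTEM" || goto :fail
reg add HKLM\WinFE_SYS\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f || goto :fail
reg add HKLM\WinFE_SYS\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 3 /f || goto :fail
reg unload HKLM\WinFE_SYS || goto :fail

rem Step 3 on the slide: commit the changes into boot.wim and unmount
"%AIK%\imagex.exe" /unmount /commit "%MOUNT%"
exit /b %errorlevel%

:fail
echo A build step failed; unmounting without committing so boot.wim is unchanged
reg unload HKLM\WinFE_SYS >nul 2>&1
"%AIK%\imagex.exe" /unmount "%MOUNT%"
exit /b 1
```

Step 8 of the build procedure still applies: boot the result against a test drive whose hash is known and confirm the hash is unchanged afterwards.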
• In order to copy the WinFE files to a USB thumb drive you must first prepare the thumb drive so that it is clean and bootable. Follow these steps:
1. Plug the USB thumb drive into the computer
2. Start CMD
3. Start Diskpart (type: diskpart)
4. Select the relevant USB thumb drive (to see available drives, type: list disk) (to select a disk, type: select disk #) - where # is the relevant disk number
5. Clean the USB thumb drive (type: clean)
6. Create a primary partition (type: create partition primary)
7. Set the USB thumb drive as bootable (type: active)
8. Format the USB thumb drive (type: format fs=NTFS quick label="WinFE")
9. Exit Diskpart (type: exit)
14
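The diskpart steps above as a script-driven batch file, added here as an example (not from the deck): it lists the disks when called without an argument and shows and confirms the chosen disk before "clean" erases it. The temporary script path and the extra "assign" step are assumptions.

```batch
@echo off
rem Added example (not from the deck): prepare a USB thumb drive for WinFE by
rem running the slide's diskpart steps from a script file. Usage, from an
rem elevated CMD:  prep_winfe_usb.cmd <disk number>
rem "clean" erases the chosen disk, so the script lists disks first, shows the
rem chosen one and asks for confirmation before doing anything.
setlocal
set "SCRIPT=%TEMP%\winfe_diskpart.txt"
set "CONFIRM="

if "%~1"=="" (
    echo Usage: %~nx0 ^<disk number^>   -- take the number from this list:
    echo list disk> "%SCRIPT%"
    diskpart /s "%SCRIPT%"
    del "%SCRIPT%"
    exit /b 1
)
set "DISK=%~1"

rem Show the disk that is about to be wiped (size, volumes) and confirm
> "%SCRIPT%" (
    echo select disk %DISK%
    echo detail disk
)
diskpart /s "%SCRIPT%" || goto :fail
set /p CONFIRM=Wipe disk %DISK% and build the WinFE USB on it? [y/N] 
if /i not "%CONFIRM%"=="y" (
    echo Aborted, nothing changed
    del "%SCRIPT%"
    exit /b 1
)

rem Steps 5-9 of the slide: clean, primary partition, active, quick NTFS format.
rem "assign" (not on the slide) gives the new volume a drive letter so the
rem WinBuilder output can be copied onto it straight away.
> "%SCRIPT%" (
    echo select disk %DISK%
    echo clean
    echo create partition primary
    echo active
    echo format fs=NTFS quick label="WinFE"
    echo assign
    echo exit
)
diskpart /s "%SCRIPT%" || goto :fail
del "%SCRIPT%"
echo Disk %DISK% is ready: copy the WinFE files onto the new volume.
exit /b 0

:fail
echo diskpart reported an error, check "list disk" and try again
del "%SCRIPT%" 2>nul
exit /b 1
```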
Live:
• The software on WinFE can also be run on a live system, without booting into the WinFE OS (assuming portable apps).
  • Conducting an encryption test
  • Ability to image RAM, disks, mounted encrypted partitions
  • Tools can all be updated on the fly
Booting:
• Booting into the WinFE environment conforms to industry best practice in that it maintains the forensic state of the hard drives within the suspect’s computer.
15
• EnCase - v6 & v7 (requires licence dongle and slipstreaming HASP drivers)
• X-Ways / WinHex – all versions (requires licence dongle)
• TrueCrypt
• FTK Imager
• VirtualBox
• Wireshark
• RegistryBrowser
• Volatility – standalone version
• All Nirsoft tools
• Many more
16
1. Power down the computer
2. Insert the WinFE USB device into the suspect's computer
3. Power on the computer and enter the BIOS or UEFI
  • While in the BIOS it is recommended to take note of the system’s date and time.
4. Once in the BIOS change the boot order to the WinFE USB device – this should show up in the BIOS as a USB device (or choose the optical drive if booting from CD)
5. Save the changes to the BIOS and let the computer reboot
6. The computer should now boot into the WinFE boot menu.
17
Write Protect Tool Management Console
• Mount / unmount physical drives attached to the computer as read-only or read-write.
• Add custom drivers (e.g. software RAID drivers)
18
19
• Encryption Test
• HD / RAM Imaging
• Triage
20
• Windows
• Linux
• OSX
21
WINDOWS OS – CryptHunter (LE only)
1. Plug the WinFE USB thumb drive into the suspect's computer
2. The WinFE USB drive should now be visible in Explorer (My Computer). Browse to the directory titled "CryptHunter" and double-click on the file called "crypthunter". This will begin the encryption test.
3. If anything of note is discovered a pop-up box will appear warning that encryption may be present.
22
23
LINUX OSes – quick and dirty
• Method 1 – Terminal
1. Open the terminal (console / konsole), type mount and hit enter (return)
2. This command will list all currently mounted drives on the computer; look for the word "crypt"
24
• Method 2 – System Monitor
25
MAC OSX – quick and dirty
• Method 1 – Identify FileVault
1. Browse to "Computer" → "Users". If the user account has the following icon then "FileVault" is enabled. FileVault encrypts all of the user's files.
26
• Method 2 – Activity Monitor
1. Other third-party encryption tools are available for Mac OSX. To check whether these encryption programs are running, browse to "Applications" → "Utilities" → "Activity Monitor"
2. Once the Activity Monitor is displayed use the drop-down menu to select "All Processes"
3. Look for any process that includes the word "crypt". If any of the processes mention the word "crypt" then it is likely that the computer features encryption.
27
• Method 2 – Activity Monitor
28
RAM:
• DumpIt
  • Simple executable, puts output in the same directory as the EXE
  • Has some issues with RAM larger than 8GB
• WinPMEM
  • CMD based
  • Supports RAM larger than 8GB
  • Supports RAW & Crashdump formats
• FTK Imager
  • GUI version only
  • Supports RAW acquisition as well as Pagefile.sys & Hiberfil.sys
  • Larger footprint than DumpIt & WinPMEM
HD:
• FTK Imager
29
RAM:
• FMEM
  • Creates a kernel mirror driver
  • Then use dd commands to capture
HD:
• DD
  • Built-in
• FTK Imager CLI
  • Debian
  • Ubuntu (x32 & x64)
  • Fedora (x32 & x64)
30
RAM:
• OSXPMEM
  • Supports up to and including 10.9.x
  • Creates a kernel mirror driver (must be extracted onto the local machine to run, or run from an HFS+/exFAT partition)
  • Supports Raw, Mach-O, and ELF formats
1. copy OSXPMem.tar.gz to a local directory
2. tar xvf OSXPMem.tar.gz
3. ./osxpmem -h to give help
4. ./osxpmem memory.dump
31
HD:
• FTK Imager for Mac
  • CLI only, no GUI
  • Needs to be copied to the local machine to run (or run from an HFS+/exFAT partition)
• Mac OSX Forensic Imager
  • Needs to be copied to the local machine to run (or run from an HFS+/exFAT partition)
32
1. Connect an external hard drive (via USB) to the suspect's computer
2. Open "WinFE\Write Protect Tool Management Console" and mount this new drive as read/write
  • NOTE – if this is the first drive you are mounting in WinFE it will be given the drive letter “C”
  • This drive will now be visible in Windows Explorer
3. Open FTK Imager and image normally
33
• Even without X-Ways or EnCase dongles there are a number of tools to facilitate triage of devices
• The Apple Bootcamp script allows HFS+ partitions to be seen through WinFE without third-party tools
34
• XnView:
  • Graphic files
  • Recursively look at directories
  • Tag files → create reports
35
• XnView
36
• Nirsoft SearchMyFiles
  • Keyword searching
  • Advanced filtering:
    ▪ Date range
    ▪ File type
    ▪ File size
  • Context search (binary or text)
  • Identify encrypted files
  • Identify duplicates
  • Create reports (CSV, HTML)
37
• Nirsoft SearchMyFiles
38
• Email viewing programs:
  • MiTec MailView
    ▪ DBX, MBX, EML, Thunderbird DB
  • Kernel Exchange EDB Viewer
    ▪ EDB, STM
  • Kernel OST Viewer
    ▪ OST
  • Kernel Outlook PST Viewer
    ▪ PST
  • Windows MBOX Viewer
    ▪ MBOX
39
• SQLite
  • SQLite DB Browser
  • SQLiteQ
• Microsoft ESE/EDB/JET Blue DB files
  • Nirsoft ESEDatabaseView
40
• Web browser history
  • Nirsoft BrowsingHistoryView
    ▪ IE (including 10/11), Firefox, Chrome, Safari
• Windows Registry
  • Lock And Code RegistryBrowser
    ▪ Mount the suspect's drive as read-only using Write Protect Tool first
41
42
• Larson, T. (2008) “How To Build Windows FE With The Windows Preinstallation Environment 2.1”, SysInternals, Microsoft Law Enforcement Portal
• Shavers, B. (2010) “The (Nearly) Perfect Forensic Boot CD”, URL: http://www.forensicfocus.com/downloads/WinFE.pdf
43
• CryptHunter (LE only) - http://www.cert.org/digital-intelligence/tools/crypthunter.cfm?
• Kernel Data Recovery Tools - http://www.nucleustechnologies.com/
• MiTeC (MailView, SQLiteQ) - http://www.mitec.cz
• Nirsoft Suite - http://nirsoft.net/
• RegistryBrowser - https://lockandcode.com/software/registry_browser
• SQLite Database Browser - http://sourceforge.net/projects/sqlitebrowser/
• WinBuilder - http://reboot.pro/files/file/4-winbuilder/
• Windows Assessment and Deployment Kit (Windows ADK) - http://www.microsoft.com/en-us/download/details.aspx?id=39982&751be11f-ede8-5a0c-058c-2ee190a24fa6=True
• Windows Automated Installation Kit (Windows AIK) - http://www.microsoft.com/en-au/download/details.aspx?id=5753
• Windows MBOX Viewer - http://sourceforge.net/projects/mbox-viewer/
• WinFE Blog (Brett Shavers) - http://winfe.wordpress.com/
• XnView - http://www.xnview.com/en/
44

Más contenido relacionado

La actualidad más candente

Mac Forensics
Mac ForensicsMac Forensics
Mac Forensics
CTIN
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - Notes
Kranthi
 

La actualidad más candente (20)

Mac Forensics
Mac ForensicsMac Forensics
Mac Forensics
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - Notes
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry Forensics
 
Know the UNIX Commands
Know the UNIX CommandsKnow the UNIX Commands
Know the UNIX Commands
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
Unix OS & Commands
Unix OS & CommandsUnix OS & Commands
Unix OS & Commands
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
LINUX DISTRIBUTIONS.pptx
LINUX DISTRIBUTIONS.pptxLINUX DISTRIBUTIONS.pptx
LINUX DISTRIBUTIONS.pptx
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
Presentation on linux
Presentation on linuxPresentation on linux
Presentation on linux
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
 
An Introduction to Linux
An Introduction to LinuxAn Introduction to Linux
An Introduction to Linux
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Initial Response and Forensic Duplication
Initial Response and Forensic Duplication
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
File system
File systemFile system
File system
 
Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts
 
Data recovery power point
Data recovery power pointData recovery power point
Data recovery power point
 
Email investigation
Email investigationEmail investigation
Email investigation
 

Destacado

Translating Geek To Attorneys It Security
Translating Geek To Attorneys It SecurityTranslating Geek To Attorneys It Security
Translating Geek To Attorneys It Security
CTIN
 
Edrm
EdrmEdrm
Edrm
CTIN
 
Mounting virtual hard drives
Mounting virtual hard drivesMounting virtual hard drives
Mounting virtual hard drives
CTIN
 
Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
CTIN
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
CTIN
 
Raidprep
RaidprepRaidprep
Raidprep
CTIN
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
CTIN
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector Concerns
CTIN
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
somutripathi
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-public
CTIN
 

Destacado (20)

Translating Geek To Attorneys It Security
Translating Geek To Attorneys It SecurityTranslating Geek To Attorneys It Security
Translating Geek To Attorneys It Security
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0
 
Edrm
EdrmEdrm
Edrm
 
Mounting virtual hard drives
Mounting virtual hard drivesMounting virtual hard drives
Mounting virtual hard drives
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
 
Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
Introduction to memory forensics
Introduction to memory forensicsIntroduction to memory forensics
Introduction to memory forensics
 
Become an Internet Sleuth!
Become an Internet Sleuth!Become an Internet Sleuth!
Become an Internet Sleuth!
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
 
File carving tools
File carving toolsFile carving tools
File carving tools
 
Raidprep
RaidprepRaidprep
Raidprep
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
 
Forensic Anaysis on Twitter
Forensic Anaysis on TwitterForensic Anaysis on Twitter
Forensic Anaysis on Twitter
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector Concerns
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for Investigators
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XP
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-public
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
 

Similar a WinFE: The (Almost) Perfect Triage Tool

Aix5[1].3+hacmp+oracle9 i+weblogic8.1安装实施报告
Aix5[1].3+hacmp+oracle9 i+weblogic8.1安装实施报告Aix5[1].3+hacmp+oracle9 i+weblogic8.1安装实施报告
Aix5[1].3+hacmp+oracle9 i+weblogic8.1安装实施报告
fm2008
 

Similar a WinFE: The (Almost) Perfect Triage Tool (20)

Windows Embedded in the Real World
Windows Embedded in the Real WorldWindows Embedded in the Real World
Windows Embedded in the Real World
 
windows.pptx
windows.pptxwindows.pptx
windows.pptx
 
2.Accessing the Pi
2.Accessing the Pi2.Accessing the Pi
2.Accessing the Pi
 
Building
BuildingBuilding
Building
 
Lec9chap8f04
Lec9chap8f04Lec9chap8f04
Lec9chap8f04
 
Linux kernel booting
Linux kernel bootingLinux kernel booting
Linux kernel booting
 
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
 
Embedded project
Embedded projectEmbedded project
Embedded project
 
U Boot or Universal Bootloader
U Boot or Universal BootloaderU Boot or Universal Bootloader
U Boot or Universal Bootloader
 
Embedding Linux On The Encore Simputer
Embedding Linux On The Encore SimputerEmbedding Linux On The Encore Simputer
Embedding Linux On The Encore Simputer
 
Linux
LinuxLinux
Linux
 
Windows 8 Client Part 1 "The OS internals for IT-Pro's"
Windows 8 Client Part 1 "The OS internals for IT-Pro's"Windows 8 Client Part 1 "The OS internals for IT-Pro's"
Windows 8 Client Part 1 "The OS internals for IT-Pro's"
 
Aix5[1].3+hacmp+oracle9 i+weblogic8.1安装实施报告
Aix5[1].3+hacmp+oracle9 i+weblogic8.1安装实施报告Aix5[1].3+hacmp+oracle9 i+weblogic8.1安装实施报告
Aix5[1].3+hacmp+oracle9 i+weblogic8.1安装实施报告
 
101 1.1 hardware settings v2
101 1.1 hardware settings v2101 1.1 hardware settings v2
101 1.1 hardware settings v2
 
BITS: Introduction to linux, distributions and installation
BITS: Introduction to linux, distributions and installationBITS: Introduction to linux, distributions and installation
BITS: Introduction to linux, distributions and installation
 
os.ppt
os.pptos.ppt
os.ppt
 
groupProject-1-Win8
groupProject-1-Win8groupProject-1-Win8
groupProject-1-Win8
 
Unix fundamentals
Unix fundamentalsUnix fundamentals
Unix fundamentals
 
1.1 hardware settings v2
1.1 hardware settings v21.1 hardware settings v2
1.1 hardware settings v2
 
Let’s talk virtualization
Let’s talk virtualizationLet’s talk virtualization
Let’s talk virtualization
 

Más de Brent Muir

Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud   forensic challenges with cloud computingTrying to bottle the cloud   forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computing
Brent Muir
 

Más de Brent Muir (15)

Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary Artefacts
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
 
RFID Privacy & Security Issues
RFID Privacy & Security IssuesRFID Privacy & Security Issues
RFID Privacy & Security Issues
 
TOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersTOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying Markers
 
Malware SPAM - March 2013
Malware SPAM - March 2013Malware SPAM - March 2013
Malware SPAM - March 2013
 
Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0
 
Malware Spam February 2013
Malware Spam February 2013Malware Spam February 2013
Malware Spam February 2013
 
Booting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBooting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual box
 
Malware SPAM - January 2013
Malware SPAM - January 2013Malware SPAM - January 2013
Malware SPAM - January 2013
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud   forensic challenges with cloud computingTrying to bottle the cloud   forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computing
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Último (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

WinFE: The (Almost) Perfect Triage Tool

  • 1. The (Almost) PerfectTriageTool Brent Muir – 2014 Version 1.0
  • 2.  Benefits ofWinFE  History ofWinFE  BuildingWinFE  “Live”Vs. Booting  UsingWinFE:  EncryptionTesting  Imaging ▪ RAM ▪ HDs  Triage 2
  • 3.  Ability to boot on all x86 devices regardless of OS  Windows  Linux  OSX (requires optical drive)  RunsWindows compatible tools  The price is right  Cost ofWindows OS licence  Highly customisable 3
  • 4.  BartPE (2003)  Live version ofWindows based on XP/2003  UtilisedWindows Presinstallation Environment (PE) http://www.nu2.nu/pebuilder/screenshots/ 4
  • 5.  Microsoft (SysInternals) created first “official” WinFE guide (2008)  Highly modified OS ▪ No GUI interface, CMD based only ▪ Registry keys modified to not mount devices by default ▪ Basic functionality, required batch scripts or plenty of DOS commands ▪ Based onVista, compatible with Windows 7 5
  • 7.  WinBuilder -Windows PE building utility  WinFE script created by Brett Shavers that modified the same registry keys as SysInternals instructions (2010)  Retained GUI interface  Write ProtectTool Management Console (replacement Disk Manager) 7
  • 9.  Microsoft Windows (32bit or 64bit) ISO  Provides the baseband core OS files  Windows Automated Installation Kit (AIK)  Provides Windows PE bootable image thatWinFE is based upon  WIM (Windows Image) mounting tools  WinBuilder withWinFE scripts  Provides advanced interface features ofWinFE (desktop GUI support, etc) 9
  • 10.  Two modes for third-party applications:  Run from RAM ▪ Stops end-users modifying installed programs ▪ Takes up more RAM when booting (if working with low- specced PCs)  Run from Disk ▪ Easier to update (no more recompiling the fullWIM) 10
  • 11. 11
  • 12.  Steps to compile your own version ofWinFE: 1. InstallWindows AIK 2. Mount Windows 7 ISO and remember the drive letter 3. InstallWinBuilder and point it to the drive letter of the mounted ISO 4. Configure the scripts required throughWinBuilder (includingTweaks  WinFE) 5. Prepare any third-party software you require on WinFE 6. Run the WinBuilder program and set desired options This should output a WinFE ISO as well as the files necessary to copy to a USB dongle 7. Edit the Boot loader (BCD) to allow a maximum timeout and require user input into selectingWinFE from a boot menu 8. Test the WinFE release to ensure that it is forensically sound 12
  • 13. Slip streaming drivers intoWinFE requires 2 tools (AIK):  Imagex - used to mount WIM  located in C:Program FilesWindows AIKToolsx86Servicing  DISM - used to install drivers  located in C:Program FilesWindows AIKToolsx86Servicing 1. imagex /mountrw C:WinFETargetWin7PE_SEsourcesboot.wim 1 C:winFEmount 2. dism.exe /image:C:WinFEMount /add-driver /driver:"C:WinFEFiles to injectHaspHasp" /recurse 3. imagex.exe /unmount /commit C:winFEmount 13
  • 14.  In order to copy the WinFE files to a USBThumb Drive you must first prepare the thumb drive so that it is clean and bootable. Follow these steps: 1. Plug-in USB thumb drive into computer 2. Start CMD 3. Start Diskpart (type: diskpart) 4. Select the relevant USB thumb drive (to see available drives, type: list disk) (to select disk type: select disk #) - where # is the relevant disk number 5. Clean the USB thumb drive (type: clean) 6. Create a primary partition (type: create partition primary) 7. Set the USB thumb drive as bootable (type: active) 8. Format the USB thumb drive (type: format fs=NTFS quick label="WinFE") 9. Exit Diskpart (type: exit) 14
  • 15. Live:  The software onWinFE can also be run on a live system, w/o booting into theWinFEOS (assuming portable apps).  Conducting an encryption test  Ability to image RAM, Disks, mounted encrypted partitions  Tools can all be updated on the fly Booting:  Booting into theWinFE environment conforms to industry best practice in that it maintains the forensic state of the hard drives within the suspect’s computer. 15
  • 16.  EnCase - v6 & v7 (requires licence dongle and slip-streaming HASP drivers)  X-Ways /WinHex – all versions (requires licence dongle)  TrueCrypt  FTK Imager  VirtualBox  Wireshark  RegistryBrowser  Volatility – standalone version  All Nirsoft tools  Many more 16
  • 17. 1. Power down computer 2. InsertWinFE USB device into suspects computer 3. Power on computer and enter the BIOS or UEFI  While in the BIOS it is recommended to take note of the system’s date and time. 4. Once in the BIOS change the boot order to the WinFE USB device – this should show up in the BIOS as a USB device (or choose the optical drive if booting from CD) 5. Save the changes to the BIOS and let the computer reboot 6. The computer should now boot intoWinFE boot menu. 17
  • 18. Write Protect Tool Management Console
    - Mount / unmount physical drives attached to the computer as read-only or read-write.
    - Add custom drivers (e.g. software RAID drivers)
  • 19.
  • 20.
    - Encryption Test
    - HD / RAM Imaging
    - Triage
  • 22. WINDOWS OS – CryptHunter (LE only)
    1. Plug the WinFE USB thumb drive into the suspect's computer
    2. The WinFE USB drive should now be visible in Explorer (My Computer). Browse to the directory titled "CryptHunter" and double-click on the file called "crypthunter". This will begin the encryption test.
    3. If anything of note is discovered a pop-up box will appear warning that encryption may be present.
  • 23.
  • 24. LINUX OSes – quick and dirty
    - Method 1 – Terminal
      1. Open the terminal (console / konsole), type mount and hit enter (return)
      2. This command will list all currently mounted drives on the computer; look for the word "crypt"
  • 25.
    - Method 2 – System Monitor
  • 26. MAC OSX – quick and dirty
    - Method 1 – Identify FileVault
      1. Browse to "Computer" > "Users". If the user account has the following icon then "FileVault" is enabled. FileVault encrypts all of the user's files.
  • 27.
    - Method 2 – Activity Monitor
      1. Other 3rd party encryption tools are available for Mac OSX. In order to check whether these encryption programs are running, browse to "Applications" > "Utilities" > "Activity Monitor"
      2. Once the Activity Monitor is displayed use the drop-down menu to select "All Processes"
      3. Look for any process that includes the word "crypt". If any of the processes mention the word "crypt" then it is likely that the computer features encryption.
  • 28.
    - Method 2 – Activity Monitor
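The Linux and OS X checks on slides 24 to 28 both come down to searching text for the substring "crypt": once in the output of mount, once in the list of running processes. The script below is an added example written for this page; it is not code from the presentation or from CryptHunter. It runs those two searches over captured text, and extends the keyword list with luks and encfs (my addition), because a LUKS volume opened by cryptsetup is normally mapped as /dev/mapper/luks-<uuid> and contains no "crypt" at all. The process keywords beyond "crypt" are derived from the product list in the speaker notes. The sample mount lines and process names are constructed.

```python
"""Encryption indicator scan: the mount / process "crypt" checks, automated.

Added example, not code from the presentation or from CryptHunter.
Keywords other than "crypt" are my additions (see comments).
"""
import platform
import subprocess

# "crypt" alone covers TrueCrypt, BestCrypt, dm-crypt, ecryptfs, gocryptfs.
# "luks" is needed because cryptsetup maps opened volumes as
# /dev/mapper/luks-<uuid>; "encfs" covers EncFS mounts (type fuse.encfs).
MOUNT_KEYWORDS = ("crypt", "luks", "encfs")
# "crypt" plus names derived from the products the speaker notes list.
PROCESS_KEYWORDS = ("crypt", "pgp", "safeguard", "bitlocker")


def _first_match(text, keywords):
    """Return the first keyword found in text (case-insensitive) or None."""
    lowered = text.lower()
    for kw in keywords:
        if kw in lowered:
            return kw
    return None


def scan_mounts(mount_lines):
    """Return (line, keyword) for every mount entry containing a keyword.

    Works on both the `mount` format ("/dev/x on /home type ext4 (rw)")
    and the /proc/mounts format ("/dev/x /home ext4 rw 0 0").
    """
    hits = []
    for line in mount_lines:
        kw = _first_match(line, MOUNT_KEYWORDS)
        if kw:
            hits.append((line.strip(), kw))
    return hits


def scan_processes(process_names):
    """Return (name, keyword) for every process name containing a keyword."""
    hits = []
    for name in process_names:
        kw = _first_match(name, PROCESS_KEYWORDS)
        if kw:
            hits.append((name.strip(), kw))
    return hits


def encryption_indicators(mount_lines, process_names):
    """Run both checks and return them as one report."""
    return {"mounts": scan_mounts(mount_lines),
            "processes": scan_processes(process_names)}


def collect_live():
    """Read mounts and process names from this machine (Linux / OS X only).

    `mount` and `ps -axo comm=` exist on both; on Windows the slides point
    to CryptHunter or Task Manager instead, so empty lists are returned.
    """
    if platform.system() == "Windows":
        return [], []
    mounts = subprocess.run(["mount"], capture_output=True, text=True).stdout.splitlines()
    procs = subprocess.run(["ps", "-axo", "comm="], capture_output=True, text=True).stdout.splitlines()
    return mounts, procs


# Constructed sample output standing in for a suspect machine.
SAMPLE_MOUNTS = [
    "/dev/sda1 on / type ext4 (rw,relatime)",
    "/dev/mapper/luks-3f2b on /home type ext4 (rw,relatime)",
    "tmpfs on /run type tmpfs (rw,nosuid)",
    "/home/.ecryptfs/user/.Private on /home/user type ecryptfs (rw)",
]
SAMPLE_PROCESSES = ["launchd", "Finder", "TrueCrypt", "PGP Engine", "bash"]

if __name__ == "__main__":
    report = encryption_indicators(SAMPLE_MOUNTS, SAMPLE_PROCESSES)
    for line, kw in report["mounts"]:
        print("MOUNT   [%-5s] %s" % (kw, line))
    for name, kw in report["processes"]:
        print("PROCESS [%-5s] %s" % (kw, name))
```

Run it as-is to see the constructed sample flagged, or call encryption_indicators(*collect_live()) on a Linux or OS X box to repeat the slide's manual check in one step. A hit is a lead, not proof: LVM also uses /dev/mapper, which is why only the keyword matches are reported.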
  • 29. RAM:
    - DumpIt
      ▪ Simple executable, puts output in the same directory as the EXE
      ▪ Has some issues with RAM larger than 8GB
    - WinPMEM
      ▪ CMD based
      ▪ Supports RAM larger than 8GB
      ▪ Supports RAW & Crashdump formats
    - FTK Imager
      ▪ GUI version only
      ▪ Supports RAW acquisition as well as Pagefile.sys & Hiberfil.sys
      ▪ Larger footprint than DumpIt & WinPMEM
    HD:
    - FTK Imager
  • 30. RAM:
    - FMEM
      ▪ Creates kernel mirror driver
      ▪ Then use dd commands to capture
    HD:
    - DD
      ▪ Built-in
    - FTK Imager CLI
      ▪ Debian
      ▪ Ubuntu (x32 & x64)
      ▪ Fedora (x32 & x64)
  • 31. RAM:
    - OSXPMEM
      ▪ Supports up to and including 10.9.x
      ▪ Creates kernel mirror driver (must be extracted onto the local machine to run, or onto an HFS+/exFAT partition)
      ▪ Supports Raw, Mach-O, and ELF formats
      1. copy OSXPMem.tar.gz to a local directory
      2. tar xvf OSXPMem.tar.gz
      3. ./osxpmem -h to give help
      4. ./osxpmem memory.dump
  • 32. HD:
    - FTK Imager for Mac
      ▪ CLI only, no GUI
      ▪ Needs to be copied to the local machine to run (or onto an HFS+/exFAT partition)
    - Mac OSX Forensic Imager
      ▪ Needs to be copied to the local machine to run (or onto an HFS+/exFAT partition)
  • 33.
    1. Connect an external hard drive (via USB) to the suspect's computer
    2. Open "WinFE Write Protect Tool Management Console" and mount this new drive as read/write
      - NOTE – if this is the first drive you are mounting in WinFE it will be given the drive letter "C"
      - This drive will now be visible in Windows Explorer
    3. Open FTK Imager and image normally
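Slides 29 to 33 list the imagers (FTK Imager, dd) without showing what an acquisition actually does, so here is an added example written for this page; it is not code from the presentation, FTK Imager or dd. It implements the loop those tools share: copy the source in fixed-size blocks, compute MD5 and SHA-1 while copying (the two hashes FTK Imager reports), zero-fill any block that cannot be read while recording its offset (the behaviour of dd conv=noerror,sync), and re-hash the written image to verify it. The in-memory "disk" with one unreadable block is constructed; the block size is an assumption for the example.

```python
"""Block-wise disk acquisition with hashing on the fly and verification.

Added example, not code from the presentation or from FTK Imager / dd.
"""
import hashlib
import io
import os
import tempfile

BLOCK_SIZE = 4096  # assumed block size for this example


def acquire(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst (binary file objects) and return an acquisition log."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    bad_blocks, offset = [], 0
    while True:
        try:
            chunk = src.read(block_size)
        except IOError:
            # Unreadable block: write zeros so later offsets stay correct,
            # record where it was, and move the source past it.
            bad_blocks.append(offset)
            chunk = b"\x00" * block_size
            src.seek(offset + block_size)
        if not chunk:
            break
        dst.write(chunk)
        md5.update(chunk)
        sha1.update(chunk)
        offset += len(chunk)
    dst.flush()
    return {"bytes": offset, "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "bad_blocks": bad_blocks}


def verify(path, expected_md5, block_size=BLOCK_SIZE):
    """Re-read the written image and compare its MD5 with the acquisition hash."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest() == expected_md5


def image_bytes(data):
    """Acquire an in-memory byte string; useful for computing reference hashes."""
    return acquire(io.BytesIO(data), io.BytesIO())


class FlakySource(io.BytesIO):
    """Constructed in-memory 'disk' that raises IOError for one block.

    A real source would be the physical device opened read-only
    (a PhysicalDrive handle on Windows, /dev/sdb on Linux).
    """
    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        if self.tell() == self.bad_offset:
            raise IOError("simulated unreadable sector at offset %d" % self.bad_offset)
        return super().read(n)


SAMPLE_DISK = bytes(range(256)) * 80   # constructed: 20480 bytes = 5 blocks of 4096
BAD_OFFSET = 2 * BLOCK_SIZE             # the third block cannot be read


def demo():
    """Image the constructed disk to a temp file, verify it, return the log."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        with open(path, "wb") as dst:
            log = acquire(FlakySource(SAMPLE_DISK, BAD_OFFSET), dst)
        log["verified"] = verify(path, log["md5"])
        return log
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The log records the bad-block offset next to the hashes, which matters for the write-up: the image hash is the hash of what was written (zeros included), not of the original medium, and the offsets are what lets a reviewer explain the difference.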
  • 34.
    - Even without X-Ways or EnCase dongles there are a number of tools to facilitate triage of devices
    - The Apple Bootcamp script allows HFS+ partitions to be seen through WinFE without third-party tools
  • 35.
    - XnView:
      ▪ Graphic files
      ▪ Recursively look at directories
      ▪ Tag files
      ▪ Create reports
  • 37.
    - Nirsoft SearchMyFiles
      ▪ Keyword searching
      ▪ Advanced filtering:
        ▪ Date range
        ▪ File type
        ▪ File size
      ▪ Context search (binary or text)
      ▪ Identify encrypted files
      ▪ Identify duplicates
      ▪ Create reports (CSV, HTML)
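As an added example of the triage checks slide 37 attributes to SearchMyFiles (filter by type, size and date; identify encrypted files; identify duplicates; CSV report), the script below reproduces them in plain Python. It was written for this page; it is not code from the presentation and it is not how Nirsoft's tool is implemented. The "likely encrypted" flag is my own heuristic, Shannon entropy of the first 64 KiB above 7.9 bits per byte; the threshold is an assumption, and compressed data (ZIP, JPEG) scores nearly as high, so a hit is a lead to open in a viewer, not a verdict. The sample file tree is constructed in a temporary directory.

```python
"""Triage pass over a directory: filter, flag likely-encrypted files, find duplicates, CSV report.

Added example; not code from the presentation or from Nirsoft SearchMyFiles.
"""
import csv
import hashlib
import math
import os
import tempfile
import time
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.9   # assumed cut-off; random/encrypted bytes approach 8.0
SAMPLE_BYTES = 64 * 1024  # how much of each file the entropy check reads


def shannon_entropy(data):
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path):
    """SHA-256 of a file, read in 1 MiB chunks so large files do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, extensions=None, min_size=0, max_size=None, after=None, before=None):
    """Walk `root` and return one record dict per file that passes the filters.

    extensions: lower-case set such as {".doc", ".jpg"} (None = any type)
    min_size / max_size: bytes; after / before: Unix timestamps on mtime
    """
    records, by_hash = [], defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if extensions and os.path.splitext(name)[1].lower() not in extensions:
                continue
            if st.st_size < min_size or (max_size is not None and st.st_size > max_size):
                continue
            if (after is not None and st.st_mtime < after) or \
               (before is not None and st.st_mtime > before):
                continue
            with open(path, "rb") as f:
                entropy = shannon_entropy(f.read(SAMPLE_BYTES))
            digest = sha256_file(path)
            by_hash[digest].append(path)
            records.append({
                "path": path, "size": st.st_size,
                "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
                "sha256": digest, "entropy": round(entropy, 3),
                "likely_encrypted": entropy >= ENTROPY_THRESHOLD,
            })
    # Second pass: every file learns which other files share its hash.
    for rec in records:
        rec["duplicate_of"] = ";".join(p for p in by_hash[rec["sha256"]] if p != rec["path"])
    return records


def write_report(records, out_path):
    """Write the records as CSV (one of the report formats the slide lists)."""
    fields = ["path", "size", "modified", "sha256", "entropy", "likely_encrypted", "duplicate_of"]
    with open(out_path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=fields)
        w.writeheader()
        w.writerows(records)
    return out_path


def demo():
    """Build a constructed sample tree in a temp dir, triage it, return (root, records)."""
    root = tempfile.mkdtemp(prefix="triage_")
    text = b"Quarterly figures, see attached.\n" * 200
    sample = {
        "a.txt": text,
        "copy_of_a.txt": text,                   # exact duplicate of a.txt
        "vault.bin": os.urandom(SAMPLE_BYTES),   # stands in for an encrypted container
        "notes.doc": b"meeting notes " * 100,
    }
    for name, data in sample.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    records = triage(root)
    write_report(records, os.path.join(root, "triage.csv"))
    return root, records


if __name__ == "__main__":
    root, records = demo()
    for r in records:
        print(r["path"], r["entropy"], "ENCRYPTED?" if r["likely_encrypted"] else "",
              "DUP" if r["duplicate_of"] else "")
    print("report:", os.path.join(root, "triage.csv"))
```

Point triage() at a drive letter that the Write Protect Tool has mounted read-only and the walk never writes to the evidence; the CSV goes to the collection drive. Hashing every file twice (sample for entropy, full for SHA-256) is the cost of finding duplicates; for a first pass on a large volume, restrict with extensions or a date range first.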
  • 39.
    - Email viewing programs:
      ▪ MiTec MailView
        ▪ DBX, MBX, EML, Thunderbird DB
      ▪ Kernel Exchange EDB Viewer
        ▪ EDB, STM
      ▪ Kernel OST Viewer
        ▪ OST
      ▪ Kernel Outlook PST Viewer
        ▪ PST
      ▪ Windows MBOX Viewer
        ▪ MBOX
  • 40.
    - SQLite
      ▪ SQLite DB Browser
      ▪ SQLiteQ
    - Microsoft ESE/EDB/JET Blue DB files
      ▪ Nirsoft ESEDatabaseView
  • 41.
    - Web browser history
      ▪ Nirsoft BrowsingHistoryView
        ▪ IE (including 10/11), Firefox, Chrome, Safari
    - Windows Registry
      ▪ Lock And Code RegistryBrowser
        ▪ Mount the suspect's drive as read-only using the Write Protect Tool first
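Slides 40 and 41 cover SQLite viewers and browser-history tools. The part a viewer hides, and that matters when you read Chrome or Firefox history by hand in SQLite DB Browser, is the timestamp encoding: Chrome stores urls.last_visit_time as microseconds since 1601-01-01 UTC (the WebKit/FILETIME epoch), while Firefox stores moz_historyvisits.visit_date as microseconds since 1970-01-01 UTC. The following is an added example written for this page, not code from the presentation, BrowsingHistoryView or SQLite DB Browser; it converts both encodings and merges the two histories into one timeline. The two databases it builds are constructed in memory with only the columns the queries need.

```python
"""Reading browser history SQLite databases with timestamp conversion.

Added example, not code from the presentation or from any of its tools.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Chrome/WebKit timestamp (microseconds since 1601-01-01) -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def prtime_to_datetime(us):
    """Firefox PRTime (microseconds since 1970-01-01) -> aware UTC datetime."""
    return UNIX_EPOCH + timedelta(microseconds=us)


def chrome_history(conn):
    """List (utc datetime, url, title, visit_count) from a Chrome History DB."""
    rows = conn.execute(
        "SELECT last_visit_time, url, title, visit_count FROM urls ORDER BY last_visit_time")
    return [(webkit_to_datetime(t), u, ti, v) for t, u, ti, v in rows]


def firefox_history(conn):
    """List (utc datetime, url, title) for each visit in a Firefox places DB."""
    rows = conn.execute(
        "SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date")
    return [(prtime_to_datetime(t), u, ti) for t, u, ti in rows]


def open_readonly(path):
    """Open an on-disk DB without writing to it; still work from a copy of the evidence file."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def timeline(chrome_conn, firefox_conn):
    """Merge both histories into one list sorted by time: (iso_utc, browser, url)."""
    events = [(dt, "chrome", url) for dt, url, _, _ in chrome_history(chrome_conn)]
    events += [(dt, "firefox", url) for dt, url, _ in firefox_history(firefox_conn)]
    return [(dt.isoformat(), b, u) for dt, b, u in sorted(events)]


def build_sample_dbs():
    """Constructed in-memory databases mimicking the two schemas."""
    day = 86400 * 10**6                       # one day in microseconds
    webkit_unix_offset = 11644473600 * 10**6  # 1601-01-01 -> 1970-01-01
    chrome = sqlite3.connect(":memory:")
    chrome.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                   "visit_count INTEGER, last_visit_time INTEGER)")
    chrome.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "http://example.com/", "Example", 3, webkit_unix_offset + 1 * day),
        (2, "http://example.org/docs", "Docs", 1, webkit_unix_offset + 2 * day),
    ])
    firefox = sqlite3.connect(":memory:")
    firefox.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    firefox.execute("CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, "
                    "place_id INTEGER, visit_date INTEGER)")
    firefox.execute("INSERT INTO moz_places VALUES (1, 'http://example.net/', 'Net')")
    firefox.execute("INSERT INTO moz_historyvisits VALUES (1, 1, ?)",
                    (1 * day + 3600 * 10**6,))
    return chrome, firefox


if __name__ == "__main__":
    c, f = build_sample_dbs()
    for when, browser, url in timeline(c, f):
        print(when, browser, url)
```

Mixing the two epochs is the classic mistake here: a Chrome value fed through the Firefox conversion lands in the 24th century, so sanity-check the year of the first and last rows before reporting a timeline.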
  • 42.
  • 43.
    - Larson, T. (2008) "How To Build Windows FE With The Windows Preinstallation Environment 2.1", SysInternals, Microsoft Law Enforcement Portal
    - Shavers, B. (2010) "The (Nearly) Perfect Forensic Boot CD", URL: http://www.forensicfocus.com/downloads/WinFE.pdf
  • 44.
    - CryptHunter (LE only) - http://www.cert.org/digital-intelligence/tools/crypthunter.cfm?
    - Kernel Data Recovery Tools - http://www.nucleustechnologies.com/
    - MiTeC (MailView, SQLiteQ) - http://www.mitec.cz
    - Nirsoft Suite - http://nirsoft.net/
    - RegistryBrowser - https://lockandcode.com/software/registry_browser
    - SQLite Database Browser - http://sourceforge.net/projects/sqlitebrowser/
    - WinBuilder - http://reboot.pro/files/file/4-winbuilder/
    - Windows Assessment and Deployment Kit (Windows ADK) - http://www.microsoft.com/en-us/download/details.aspx?id=39982&751be11f-ede8-5a0c-058c-2ee190a24fa6=True
    - Windows Automated Installation Kit (Windows AIK) - http://www.microsoft.com/en-au/download/details.aspx?id=5753
    - Windows MBOX Viewer - http://sourceforge.net/projects/mbox-viewer/
    - WinFE Blog (Brett Shavers) - http://winfe.wordpress.com/
    - XnView - http://www.xnview.com/en/

Editor's notes

  1. Very basic: no write-protection of devices; no Windows Explorer - all tools were 3rd party
  2. No GUI but could run GUI software (for example FTK Imager or XWF)
  3. Windows 8/8.1 WinFE require Windows Assessment and Deployment Kit (Windows ADK) http://www.microsoft.com/en-us/download/details.aspx?id=39982&751be11f-ede8-5a0c-058c-2ee190a24fa6=True
  4. Example of slip-streaming the HASP dongle drivers (for EnCase)
  5. Dependent on host PC resources, there is the ability to boot the suspect's PC as a forensically sound VM with VirtualBox (requires 64-bit WinFE, lots of RAM, and MIP to mount the physical disk with its mount-image write-cached function)
  6. If this menu is not displayed then the computer is trying to boot into another OS: pull the power cord!
  7. If you are LE I recommend that you get access to the US CERT program CryptHunter (free): small footprint, able to detect many encryption programs as well as boot sector abnormalities. Supports: BestCrypt, DriveCrypt, Sophos SafeGuard, Paragon Encrypted Disk, PGPDisk, TrueCrypt, BitLocker
  8. If non-LE (or CryptHunter is not available) it is useful to check Task Manager for running processes
  9. Can also look at running processes to determine if any encryption programs are running
  10. Latest version of FileVault allows for full disk encryption and therefore the symbol may not be present on the user directory
  11. For imaging HDs live on Windows there is FTK Imager (including the CLI), Cygwin dd, and also the EnCase acquisition/imager, or XWF if a dongle is present
  12. As well as Nirsoft Opera History View, cache view, etc.
  13. Additional tools: Cygwin (dd, NetCat); Nirsoft live password recovery tools; Wireshark