WinFE: The (Almost) Perfect Triage Tool
Windows Forensic Environment (WinFE)
The (Almost) Perfect Triage Tool
Brent Muir – 2014 Version 1.0
Topics
Benefits of WinFE
History of WinFE
Building WinFE
“Live” Vs. Booting
Using WinFE:
▪ Encryption Testing
▪ Imaging (RAM, HDs)
▪ Triage
Benefits of WinFE
Ability to boot on all x86 devices regardless of OS
▪ Windows
▪ Linux
▪ OSX (requires optical drive)
Runs Windows compatible tools
The price is right
▪ Cost of Windows OS licence
Highly customisable
History of WinFE
BartPE (2003)
▪ Live version of Windows based on XP/2003
▪ Utilised Windows Preinstallation Environment (PE)
http://www.nu2.nu/pebuilder/screenshots/
History of WinFE
Microsoft (SysInternals) created first “official” WinFE guide (2008)
▪ Highly modified OS
▪ No GUI interface, CMD based only
▪ Registry keys modified to not mount devices by default
▪ Basic functionality, required batch scripts or plenty of DOS commands
▪ Based on Vista, compatible with Windows 7
History of WinFE
Shavers, B. (2010)
History of WinFE
WinBuilder - Windows PE building utility
WinFE script created by Brett Shavers that modified the same registry keys as SysInternals instructions (2010)
▪ Retained GUI interface
▪ Write Protect Tool Management Console (replacement Disk Manager)
History of WinFE
http://winbuilder.net/screenshots
Building WinFE
Microsoft Windows (32bit or 64bit) ISO
▪ Provides the baseband core OS files
Windows Automated Installation Kit (AIK)
▪ Provides Windows PE bootable image that WinFE is based upon
▪ WIM (Windows Image) mounting tools
WinBuilder with WinFE scripts
▪ Provides advanced interface features of WinFE (desktop GUI support, etc)
Building WinFE
Two modes for third-party applications:
Run from RAM
▪ Stops end-users modifying installed programs
▪ Takes up more RAM when booting (if working with low-specced PCs)
Run from Disk
▪ Easier to update (no more recompiling the full WIM)
Building WinFE
Steps to compile your own version of WinFE:
1. Install Windows AIK
2. Mount Windows 7 ISO and remember the drive letter
3. Install WinBuilder and point it to the drive letter of the mounted ISO
4. Configure the scripts required through WinBuilder (including Tweaks WinFE)
5. Prepare any third-party software you require on WinFE
6. Run the WinBuilder program and set desired options. This should output a WinFE ISO as well as the files necessary to copy to a USB dongle
7. Edit the Boot loader (BCD) to allow a maximum timeout and require user input into selecting WinFE from a boot menu
8. Test the WinFE release to ensure that it is forensically sound
![Page 13: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/13.jpg)
13
Building WinFE
Slipstreaming drivers into WinFE requires 2 tools (AIK):
Imagex - used to mount the WIM (located in C:\Program Files\Windows AIK\Tools\x86\Servicing)
DISM - used to install drivers (located in C:\Program Files\Windows AIK\Tools\x86\Servicing\)
1. imagex /mountrw C:\WinFE\Target\Win7PE_SE\sources\boot.wim 1 C:\winFE\mount
2. dism.exe /image:C:\WinFE\Mount\ /add-driver /driver:"C:\WinFE\Files to inject\Hasp\Hasp" /recurse
3. imagex.exe /unmount /commit C:\winFE\mount
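The three commands above are the whole procedure, but run by hand there is nothing stopping a failed DISM step from being committed into boot.wim. The batch file below is an added example (not from the slides or from WinBuilder) that wraps the same three steps and only commits when DISM reports success; on failure it unmounts without /commit so the WIM is left as it was. The WIM, mount and driver paths are the ones on the slide; the script is assumed to be run from the AIK "Deployment Tools Command Prompt" so that imagex and dism.exe are on the PATH, and the final read-only verification mount is an addition.

```batch
@echo off
REM Added example: slipstream a driver folder into boot.wim, committing only on success.
REM Run from an elevated AIK "Deployment Tools Command Prompt" (puts imagex/dism on PATH).
setlocal
set "WIM=C:\WinFE\Target\Win7PE_SE\sources\boot.wim"
set "MOUNT=C:\WinFE\mount"
set "DRIVERS=C:\WinFE\Files to inject\Hasp\Hasp"

if not exist "%WIM%" ( echo boot.wim not found: %WIM% & exit /b 1 )
if not exist "%DRIVERS%" ( echo driver folder not found: %DRIVERS% & exit /b 1 )
if not exist "%MOUNT%" mkdir "%MOUNT%"

REM 1. Mount image index 1 of boot.wim read/write.
imagex /mountrw "%WIM%" 1 "%MOUNT%"
if errorlevel 1 ( echo mount failed & exit /b 1 )

REM 2. Inject every .inf found under the driver folder into the mounted image.
dism.exe /image:"%MOUNT%" /add-driver /driver:"%DRIVERS%" /recurse
if errorlevel 1 (
    REM 3a. DISM failed: unmount WITHOUT /commit so boot.wim is left untouched.
    echo dism failed; discarding changes
    imagex /unmount "%MOUNT%"
    exit /b 1
)

REM 3b. Success: write the changes back into boot.wim.
imagex /unmount /commit "%MOUNT%"
if errorlevel 1 ( echo commit failed & exit /b 1 )

REM Verification (added step): mount read-only and list the drivers now in the image.
imagex /mount "%WIM%" 1 "%MOUNT%"
dism.exe /image:"%MOUNT%" /get-drivers
imagex /unmount "%MOUNT%"
endlocal
```

If the verification listing does not show the HASP driver, the dongle-backed tools (EnCase, X-Ways) will not see their licence key when WinFE boots, so check it before burning the ISO or copying to USB.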
![Page 14: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/14.jpg)
14
Building WinFE
In order to copy the WinFE files to a USB thumb drive you must first prepare the thumb drive so that it is clean and bootable. Follow these steps:
1. Plug the USB thumb drive into the computer
2. Start CMD
3. Start Diskpart (type: diskpart)
4. Select the relevant USB thumb drive (to see available drives, type: list disk) (to select a disk, type: select disk #) - where # is the relevant disk number
5. Clean the USB thumb drive (type: clean)
6. Create a primary partition (type: create partition primary)
7. Set the USB thumb drive as bootable (type: active)
8. Format the USB thumb drive (type: format fs=NTFS quick label="WinFE")
9. Exit Diskpart (type: exit)
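The Diskpart steps above and step 7 of the build procedure (a long BCD timeout and a boot menu that waits for the operator) are the two places where a typo does damage: "clean" against the wrong disk number wipes an examiner's own drive, and a short timeout lets the suspect's OS start unattended. The batch file below is an added example, not from the slides, that scripts both: it writes the Diskpart commands from the slide to a script file (plus an "assign letter" line, which the slide does not have), pauses for a last check of the disk number, copies the WinBuilder output to the stick and then sets the timeout and boot menu on the stick's own BCD store. The disk number and drive letter are passed as arguments; the source folder C:\WinFE\ISO and the store path \boot\bcd on the stick are assumptions.

```batch
@echo off
REM Added example: prepare the WinFE USB stick (Diskpart) and set a long boot-menu
REM timeout (BCD). Run from an elevated CMD; diskpart and bcdedit need admin.
REM Usage: winfe_usb.cmd <disk-number> <usb-drive-letter>
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 ^<disk-number^> ^<usb-drive-letter^>
    echo Run diskpart, then "list disk", and confirm the number is the USB stick.
    exit /b 1
)
set "DISKNUM=%~1"
set "USB=%~2"
set "SRC=C:\WinFE\ISO"

REM Diskpart script (same commands as the slide, plus assign letter). "clean"
REM wipes the partition table of whatever disk number is given.
set "DP=%TEMP%\winfe_usb.txt"
> "%DP%" echo select disk %DISKNUM%
>>"%DP%" echo clean
>>"%DP%" echo create partition primary
>>"%DP%" echo active
>>"%DP%" echo format fs=NTFS quick label="WinFE"
>>"%DP%" echo assign letter=%USB%
>>"%DP%" echo exit

echo About to CLEAN disk %DISKNUM% and assign it letter %USB%: - press Ctrl+C to abort.
pause
diskpart /s "%DP%"
if errorlevel 1 ( echo Diskpart failed; drive not prepared. & exit /b 1 )

REM Copy the WinBuilder output onto the stick, keeping the folder layout.
xcopy "%SRC%\*" %USB%:\ /e /h /y >nul
if errorlevel 1 ( echo Copy failed. & exit /b 1 )

REM Build step 7: long timeout (999 s) and a visible boot menu, so WinFE never
REM boots unattended. /store edits the BCD on the stick, not this machine's.
set "BCD=%USB%:\boot\bcd"
bcdedit /store "%BCD%" /timeout 999
bcdedit /store "%BCD%" /set {bootmgr} displaybootmenu yes

echo Done. Boot a test machine from the stick and confirm the menu waits for input.
endlocal
```

The pause before diskpart is deliberate: Diskpart scripts do not ask for confirmation, and "list disk" numbering changes as drives are plugged in, so the operator re-reads the disk number once more before anything is written.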
![Page 15: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/15.jpg)
15
Two Modes: “Live” Vs Booting
Live:
The software on WinFE can also be run on a live system, w/o booting into the WinFE OS (assuming portable apps).
▪ Conducting an encryption test
▪ Ability to image RAM, Disks, mounted encrypted partitions
▪ Tools can all be updated on the fly
Booting:
Booting into the WinFE environment conforms to industry best practice in that it maintains the forensic state of the hard drives within the suspect’s computer.
![Page 16: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/16.jpg)
16
List of Known Working Tools
EnCase - v6 & v7 (requires licence dongle and slip-streaming HASP drivers)
X-Ways / WinHex – all versions (requires licence dongle)
TrueCrypt
FTK Imager
VirtualBox
Wireshark
RegistryBrowser
Volatility – standalone version
All Nirsoft tools
Many more
![Page 17: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/17.jpg)
17
WinFE – Booting
1. Power down computer
2. Insert WinFE USB device into the suspect's computer
3. Power on computer and enter the BIOS or UEFI. While in the BIOS it is recommended to take note of the system’s date and time.
4. Once in the BIOS change the boot order to the WinFE USB device – this should show up in the BIOS as a USB device (or choose the optical drive if booting from CD)
5. Save the changes to the BIOS and let the computer reboot
6. The computer should now boot into WinFE boot menu.
![Page 18: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/18.jpg)
18
WinFE – Booting
Write Protect Tool Management Console
▪ Mount / unmount physical drives attached to the computer as read-only or read-write.
▪ Add custom drivers (e.g. software RAID drivers)
![Page 19: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/19.jpg)
19
WinFE – Desktop
![Page 20: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/20.jpg)
20
Use Cases
▪ Encryption Test
▪ HD / RAM Imaging
▪ Triage
![Page 21: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/21.jpg)
21
Use Cases – Live Encryption Test
▪ Windows
▪ Linux
▪ OSX
![Page 22: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/22.jpg)
22
WinFE (live) – Encryption Windows
WINDOWS OS – CryptHunter (LE only)
1. Plug in the WinFE USB thumb drive into the suspect's computer
2. The WinFE USB drive should now be visible in Explorer (My Computer). Browse to the directory titled "CryptHunter" and double-click on the file called "crypthunter". This will begin the encryption test.
3. If anything of note is discovered a pop-up box will appear warning that encryption may be present.
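CryptHunter is LE-only, so an examiner without access to it has no Windows counterpart to the "look for the word crypt" checks the later Linux and OSX slides describe. The batch file below is an added example, not from the slides or from CERT, that does the same quick-and-dirty test on a live Windows system from the WinFE stick: BitLocker volume status, running processes whose name contains "crypt" (TrueCrypt and the like) and the volumes mounted right now, written to a report next to the script. The report file name is hypothetical; everything else uses commands that ship with Windows Vista and later.

```batch
@echo off
REM Added example: quick live check for encryption on a Windows system, run from the
REM WinFE USB stick. Only reads status; the report lands beside this script.
setlocal
set "REPORT=%~dp0crypt_check_%COMPUTERNAME%.txt"
echo Encryption check on %COMPUTERNAME% at %DATE% %TIME% > "%REPORT%"

REM 1. BitLocker. manage-bde only exists on editions that ship BitLocker, so
REM    test for it first instead of failing on Home editions.
where manage-bde >nul 2>&1
if errorlevel 1 (
    echo [BitLocker] manage-bde not present on this edition >> "%REPORT%"
) else (
    echo [BitLocker] volume status: >> "%REPORT%"
    manage-bde -status >> "%REPORT%" 2>&1
)

REM 2. Running processes with "crypt" in the image name, the same heuristic the
REM    Linux (mount) and OSX (Activity Monitor) slides use.
echo [Processes] image names containing "crypt": >> "%REPORT%"
tasklist /fo csv /nh | findstr /i "crypt" >> "%REPORT%"
if errorlevel 1 echo   none found >> "%REPORT%"

REM 3. Volumes mounted right now. An opened container or unlocked volume only
REM    exists while the machine stays on, so record it before deciding whether
REM    to power down and boot WinFE. "| more" turns wmic's UTF-16 output into
REM    plain text so it appends cleanly to the report.
echo [Volumes] currently mounted drives: >> "%REPORT%"
wmic logicaldisk get deviceid,filesystem,volumename | more >> "%REPORT%"

type "%REPORT%"
endlocal
```

A hit in any section is the same signal as the CryptHunter pop-up: the live-imaging tools on the later slides should be used while the volumes are still unlocked, rather than powering off and losing them.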
![Page 23: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/23.jpg)
23
CryptHunter (screenshot)
![Page 24: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/24.jpg)
24
WinFE (live) – Encryption Linux
LINUX OSes – quick and dirty
Method 1 – Terminal
1. Open the terminal (console / konsole) and type mount and hit enter (return)
2. This command lists all currently mounted drives on the computer; look for the word "crypt"
![Page 25: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/25.jpg)
25
WinFE (live) – Encryption Linux
Method 2 – System Monitor
![Page 26: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/26.jpg)
26
WinFE (live) – Encryption OSX
MAC OSX – quick and dirty
Method 1 – Identify FileVault
1. Browse to "Computer" > "Users". If the user account has the following icon then "FileVault" is enabled. FileVault encrypts all of the user's files.
![Page 27: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/27.jpg)
27
WinFE (live) – Encryption OSX
Method 2 – Activity Monitor
1. Other third-party encryption tools are available for Mac OSX. To check whether these encryption programs are running, browse to "Applications" > "Utilities" > "Activity Monitor"
2. Once the Activity Monitor is displayed use the drop-down menu to select "All Processes"
3. Look for any process that includes the word "crypt". If any of the processes mention the word "crypt" then it is likely that the computer features encryption.
![Page 28: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/28.jpg)
28
WinFE (live) – Encryption OSX Method 2 – Activity Monitor
![Page 29: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/29.jpg)
29
WinFE – Imaging Windows (live)
RAM:
DumpIt
▪ Simple executable, puts output in same directory as EXE
▪ Has some issues with RAM larger than 8GB
WinPMEM
▪ CMD based
▪ Supports RAM larger than 8GB
▪ Supports RAW & Crashdump formats
FTK Imager
▪ GUI version only
▪ Supports RAW acquisition as well as Pagefile.sys & Hiberfil.sys
▪ Larger footprint than DumpIt & WinPMEM
HD:
FTK Imager
![Page 30: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/30.jpg)
30
WinFE – Imaging Linux (live)
RAM:
FMEM
▪ Creates kernel mirror driver
▪ Then use dd commands to capture
HD:
DD
▪ Built-in
FTK Imager CLI
▪ Debian
▪ Ubuntu (x32 & x64)
▪ Fedora (x32 & x64)
![Page 31: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/31.jpg)
31
WinFE – Imaging OSX (live)
RAM:
OSXPMEM
▪ Supports up to and including 10.9.x
▪ Creates kernel mirror driver (must be extracted onto local machine to run or from HFS+/exFAT partition)
▪ Supports Raw, Mach-O, and ELF formats
1. copy OSXPMem.tar.gz to local directory
2. tar xvf OSXPMem.tar.gz
3. ./osxpmem -h to give help
4. ./osxpmem memory.dump
![Page 32: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/32.jpg)
32
WinFE – Imaging OSX (live)
HD:
FTK Imager for Mac
▪ CLI only, no GUI
▪ Needs to be copied to local machine to run (or on HFS+/exFAT partition)
Mac OSX Forensic Imager
▪ Needs to be copied to local machine to run (or on HFS+/exFAT partition)
![Page 33: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/33.jpg)
33
WinFE - Imaging HDs (booted)
1. Connect an external hard drive (via USB) to the suspect's computer
2. Open "WinFE Write Protect Tool Management Console" and mount this new drive as read/write
NOTE – if this is the first drive you are mounting in WinFE it will be given the drive letter “C”
This drive will now be visible in Windows Explorer
3. Open FTK Imager and image normally
![Page 34: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/34.jpg)
34
Use Cases – Triage
Even w/o X-Ways or EnCase dongles there are a number of tools to facilitate triage of devices
Apple Bootcamp script allows HFS+ partitions to be seen through WinFE w/o third party tools
![Page 35: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/35.jpg)
35
Use Cases – Triage
XnView:
▪ Graphic files
▪ Recursively look at directories
▪ Tag files
▪ Create reports
![Page 36: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/36.jpg)
36
Use Cases – Triage XnView
![Page 37: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/37.jpg)
37
Use Cases – Triage
Nirsoft SearchMyFiles
▪ Keyword searching
▪ Advanced Filtering: Date range, File type, File size
▪ Context search (binary or text)
▪ Identify encrypted files
▪ Identify duplicates
▪ Create reports (CSV, HTML)
![Page 38: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/38.jpg)
38
Use Cases – Triage Nirsoft SearchMyFiles
![Page 39: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/39.jpg)
39
Use Cases – Triage
Email viewing programs:
MiTec MailView
▪ DBX, MBX, EML, Thunderbird DB
Kernel Exchange EDB Viewer
▪ EDB, STM
Kernel OST Viewer
▪ OST
Kernel Outlook PST Viewer
▪ PST
Windows MBOX Viewer
▪ MBOX
![Page 40: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/40.jpg)
40
Use Cases – Triage
SQLite
▪ SQLite DB Browser
▪ SQLiteQ
Microsoft ESE/EDB/JET Blue DB files
▪ Nirsoft ESEDatabaseView
![Page 41: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/41.jpg)
41
Use Cases – Triage
Web browser history
▪ Nirsoft BrowsingHistoryView: IE (including 10/11), Firefox, Chrome, Safari
Windows Registry
▪ Lock And Code RegistryBrowser: mount the suspect's drive as read-only using Write Protect Tool first
![Page 42: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/42.jpg)
42
Questions
![Page 43: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/43.jpg)
43
References
Larson, T. (2008) “How To Build Windows FE With The Windows Preinstallation Environment 2.1”, SysInternals, Microsoft Law Enforcement Portal
Shavers, B. (2010) “The (Nearly) Perfect Forensic Boot CD”, URL: http://www.forensicfocus.com/downloads/WinFE.pdf
![Page 44: WinFE: The (Almost) Perfect Triage Tool](https://reader035.fdocuments.in/reader035/viewer/2022062405/555f37aed8b42a65118b5050/html5/thumbnails/44.jpg)
44
Resources
CryptHunter (LE only) - http://www.cert.org/digital-intelligence/tools/crypthunter.cfm?
Kernel Data Recovery Tools - http://www.nucleustechnologies.com/
MiTeC (MailView, SQLiteQ) - http://www.mitec.cz
Nirsoft Suite - http://nirsoft.net/
RegistryBrowser - https://lockandcode.com/software/registry_browser
SQLite Database Browser - http://sourceforge.net/projects/sqlitebrowser/
WinBuilder - http://reboot.pro/files/file/4-winbuilder/
Windows Assessment and Deployment Kit (Windows ADK) - http://www.microsoft.com/en-us/download/details.aspx?id=39982&751be11f-ede8-5a0c-058c-2ee190a24fa6=True
Windows Automated Installation Kit (Windows AIK) - http://www.microsoft.com/en-au/download/details.aspx?id=5753
Windows MBOX Viewer - http://sourceforge.net/projects/mbox-viewer/
WinFE Blog (Brett Shavers) - http://winfe.wordpress.com/
XnView - http://www.xnview.com/en/