Windows Forensic Environment

bshavers
(@bshavers)
Posts: 210
Estimable Member
Topic starter
 

I've been familiar with and have been using Windows FE since Troy Larson started speaking about it a few short years back. I personally really like it, enough to wonder why I still come across examiners that haven't tried it yet…

So, to maybe bring out the interest to try it, I have written a 'how to' make your own WinFE bootable CD (and asked Jamie to post it on FF), with a live forensics side also (like the venerable Helix CD). I also added the batch file to the paper that I use to automate nearly all the process of building the WinFE ISO, as it can be done in about 10-15 minutes, start to finish.

 
Posted : 01/04/2010 11:29 am
(@brede)
Posts: 64
Trusted Member
 

I would gladly try it.

 
Posted : 01/04/2010 1:53 pm
(@rich2005)
Posts: 536
Honorable Member
 

My guess would be there's a fair amount of doubt about what windows 'does behind your back'. With that in mind, it's probably not unreasonable to take the view that why 'risk' it, when the tools you already have at your disposal 'do the job'.
You could, I suppose, argue that the same would apply to Linux-based discs, though at least with the open-source nature it would be easier to look into the exact nature of what is going on. However, I guess the counter-argument to that would be: how many people 'really' do that, or have the knowledge to do so?
In essence, I think it'd be what people feel 'comfortable' with relying on (or perhaps lack of knowledge of its existence).
Rich

 
Posted : 01/04/2010 3:08 pm
bshavers
(@bshavers)
Posts: 210
Estimable Member
Topic starter
 

You hit right on with the point of not knowing what Windows (or Linux) does and that both need to be tested by the examiner.

 
Posted : 01/04/2010 5:46 pm
rjpear
(@rjpear)
Posts: 97
Trusted Member
 

I look forward to playing with this. Not sure what the implications are, but making a bootable WinFE disk for on-scene preview tools that users are familiar with (as opposed to Helix) would save a lot of time and energy.
I sat through an MS presentation on FE a year or so ago and saw the potential, but I fell short of actually playing with it.

And validating it shouldn't be a huge issue after you've customized it.

Thanks,

 
Posted : 01/04/2010 7:35 pm
CFEx
(@cfex)
Posts: 69
Trusted Member
 

Agree with Rich2005. Aside from not knowing what Windows does in the background, Windows is not a reliable platform as compared to Linux. We can start a whole discussion on this, but remember the days when NT4 would shut itself down. Windows has gotten better, but the common perception is that you risk more with Windows than with other operating systems.

 
Posted : 01/04/2010 8:47 pm
bshavers
(@bshavers)
Posts: 210
Estimable Member
Topic starter
 

If Windows FE can be tested on various drives (hash comparisons of before and after imaging, setting disks to read-only, read-write, etc.), and it is found that Windows does not alter the evidence drive, is there then any problem with it?

And if the majority of examiners are more familiar (comfortable) with the Windows OS than a non-Windows such as Linux, wouldn't the likelihood of user created errors be less with a forensic boot of Windows versus non-Windows?

 
Posted : 01/04/2010 9:32 pm
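The before/after hash comparison described in the post above, as an added example that is not part of the thread or of WinFE itself: it hashes a raw device or image in fixed-size chunks so that a mismatch after a boot can be localized to a byte offset rather than just reported as "the drive changed". The device paths in the comments and the `demo()` sample drive are assumptions for illustration.

```python
"""Baseline/verify the contents of a suspect drive around a forensic boot."""
import hashlib
import io
from typing import BinaryIO, Dict, List, Tuple

CHUNK_SIZE = 1024 * 1024  # 1 MiB: large enough to read fast, small enough to localize a write


def hash_stream(stream: BinaryIO, chunk_size: int = CHUNK_SIZE) -> Dict[str, object]:
    """Read a raw device or image sequentially and return the whole-disk SHA-256
    plus one SHA-256 per chunk; the per-chunk list is what lets us locate a change."""
    whole = hashlib.sha256()
    chunks: List[str] = []
    while True:
        buf = stream.read(chunk_size)
        if not buf:
            break
        whole.update(buf)
        chunks.append(hashlib.sha256(buf).hexdigest())
    return {"sha256": whole.hexdigest(), "chunk_size": chunk_size, "chunks": chunks}


def hash_device(path: str, chunk_size: int = CHUNK_SIZE) -> Dict[str, object]:
    """Open a block device read-only (assumed paths: \\\\.\\PhysicalDrive1 on Windows,
    /dev/sdb on Linux) or an image file, and hash it. Run once before and once after
    the boot; the two manifests are then compared with compare()."""
    with open(path, "rb", buffering=0) as fh:
        return hash_stream(fh, chunk_size)


def compare(before: Dict[str, object], after: Dict[str, object]) -> List[Tuple[int, int]]:
    """Return (chunk index, byte offset) for every chunk that differs between two
    manifests. An empty list means the drive hashed identically before and after."""
    if before["chunk_size"] != after["chunk_size"]:
        raise ValueError("manifests were taken with different chunk sizes")
    size = before["chunk_size"]
    b, a = before["chunks"], after["chunks"]
    common = min(len(a), len(b))
    changed = [(i, i * size) for i in range(common) if a[i] != b[i]]
    # A device that grew or shrank is also a modification: report the extra chunks.
    changed += [(i, i * size) for i in range(common, max(len(a), len(b)))]
    return changed


def demo() -> Tuple[bool, List[Tuple[int, int]]]:
    """Constructed sample: a 12 KiB 'drive' hashed twice unchanged, then again after a
    single byte in its second 4 KiB chunk is flipped (the kind of write a booted OS
    makes when it stamps a disk signature). Returns (untouched_matches, changed_chunks)."""
    disk = bytearray(3 * 4096)
    baseline = hash_stream(io.BytesIO(bytes(disk)), 4096)
    untouched = compare(baseline, hash_stream(io.BytesIO(bytes(disk)), 4096)) == []
    disk[4096 + 512] = 0x01
    return untouched, compare(baseline, hash_stream(io.BytesIO(bytes(disk)), 4096))
```

Hashing a live device through the OS is only meaningful if the OS itself honours the read-only state you set; the mismatch list tells you what was written, not which component wrote it.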
CFEx
(@cfex)
Posts: 69
Trusted Member
 

Brett, since you use it, can you mention what you like, or how it compares to other similar tools?

 
Posted : 01/04/2010 9:55 pm
bshavers
(@bshavers)
Posts: 210
Estimable Member
Topic starter
 

Not to sound like I sell it (it is free).

Compared to a non-Windows boot disk (any version of a Linux boot CD):

-Linux must use Linux applications (if you try to make Windows software work, you'll have problems)
-WinFE can run Windows applications such as Encase, XWF, FTK Imager, ProDiscover, and others

-Modifying a Linux boot CD is difficult (for me, maybe others it is easy, but I'd suspect it's easy for a small segment of examiners)
-Modifying the WinFE CD is easy (only have to copy program folders onto it for the programs to run)

-Waiting for a Linux CD to be updated in order to download the new version can be a very long wait
-Updating a WinFE CD can be done quickly with an empty CD to burn (just copy the updated program folder or one command line to inject a driver and burn a new CD)

-Understanding the Linux OS is lower on my list of knowledge compared to Windows (yes, a jpg is a jpg, but the system is different)
-Understanding Windows is just about second nature now (I can't count how many Windows systems I've examined to date, but certainly more than Linux systems. I've definitely become more comfortable with Windows than other OSes)

-Triage with a Linux CD is limited by the applications provided on the CD and your ability to add what you need to a Linux OS (again, this is a problem only if you aren't able to re-master your Linux CD or need to spend hours doing so if not proficient with it)
-Triage with the WinFE CD is limited by the tools you currently use (some of which are listed above).

-Imaging in Linux, your destination drive should be formatted to something other than NTFS (yes, there are exceptions, but also problems writing to NTFS)
-Imaging in WinFE, NTFS is no problem; it is Windows.

-When the Linux CD doesn't have a driver you need, you are back to figuring out another way to image unless you know how to re-master your Linux CD.
-When WinFE doesn't have the driver you need, if you have access to the driver, you can inject it into the image/ISO with one command line.

-Knowing which applications are on a Linux CD can be a problem if some have EULAs with which you can't comply (NirSoft tools, as an example, are free, but free only for non-commercial work). If a Linux CD has these programs on it, you have an intermingled OS with tools you can legally use commercially side by side with tools you legally cannot use commercially.
-The tools on the WinFE are added by the user, so the user knows which tools are on the CD (and if you have the dongle to Encase/XWF, then more than likely, it's your license to use)

-The live side of a Linux CD will run the programs it was created to run (you may or may not like what is automatically being run)
-The live side of a WinFE can be made not to run any program at all (so you can choose the program/s needed), or can be made to only auto run programs you want to run.

As far as what it is like to use, you can almost compare it to booting your forensic machine and examining/imaging your own hard drive, without altering your hard drive. That's about the difficulty of it all and probably the best comparison with another method.

As a side note, I have been using Linux boot CDs for quite a while, and still do. One tool doesn't do everything perfectly. I'm sure I can't be the only examiner that has a pack of CDs with every version of every forensic boot CD available and a few DOS floppies just in case… I also have one non-Linux boot CD in the CD case as well (WinFE). I'm sure a list of comparisons opposite to the above can be made. For my personal gain (and for the forensic community as well), I'd like to know everything negative about WinFE, to be aware of problems with its use or misuse, but I'm having a difficult time finding the negatives.

 
Posted : 01/04/2010 11:24 pm
CFEx
(@cfex)
Posts: 69
Trusted Member
 

I'll give Windows FE a try.

 
Posted : 01/04/2010 11:55 pm