The (Nearly) Perfect Forensic Boot CD - Windows Forensic Environment
Figure 1: WWW.FORENSICS-INTL.COM
In the beginning there was the forensic DOS floppy boot disk. Placed in the suspect computer's floppy drive, it let you access and image the hard drive at the speed of…DOS, with an entire 1.44 MB of storage for all the forensic applications you could squeeze onto it. The life of imaging was wonderful. At least that's what I remember, anyway.
With floppy drives disappearing from newer computers, and with imaging in Windows behind a hardware write blocker being so much faster, it was only a matter of time before DOS boot disks went the way of the dinosaur. Now that hardware imaging devices advertise speeds of up to 7 GB per minute, imaging through Windows may also have started down the road to obsolescence. Why would anyone image through Windows at 1 or 2 GB/min when a hardware device can image directly at up to 7 GB/min? You have to look a little closer at WinFE to get the answer.
Understanding the Neatness Factor of Windows Forensic Environment
So here comes WinFE, comparable to many of the forensic Linux boot CDs, with one important difference: it is not a Linux operating system…it's Windows! This is not a small point, because many of your everyday Windows forensic applications can be run from the WinFE disk, whereas with a Linux CD you are limited to the applications that run on Linux. Given that far more examiners are proficient with Windows than with Linux, the ease with which a WinFE CD can be modified with drivers and software compared with a Linux CD cannot be overstated.
What held me back from even starting to build a WinFE CD was the fear of how much time, effort and testing it would take to get right, particularly when so many Linux boot CDs can be downloaded for free. However, after several failures with my favorite Linux boot CD (which was not free…), I committed myself to trying WinFE. My only regret is not having done it sooner. If you are looking for a forensic boot CD that can do much more than just image, the time you spend making your own will be worth it, and you will wonder why you hesitated so long.
I followed Troy Larson's (of Microsoft fame) instructions for creating a bootable Windows Forensic Environment CD a few years ago. Granted, at the time I was quite content with the then-current system of hardware write blockers, the occasional hardware imaging tool, and, even less often, a variety of forensic Linux boot CDs. As neat as WinFE sounded and looked, I didn't put much effort into it because I didn't see the value of building the disk compared with what I was already using. But as usual, Troy was ahead of his time with his ideas and work, and the rest of us are playing catch-up.
As the number of computers being imaged onsite increased, and with the problems of Linux boot CDs that seem to be sporadically (if ever) updated or configured for what I needed onsite, WinFE has risen to the top of my choices for imaging. With WinFE I can add the specific drivers needed for most imaging work in minutes. Most impressive, however, is the ability to use the forensic tools I use every day in a forensically sound environment on a bootable Windows OS. As you read through the instructions and see the dreaded command line, have no fear: all of this is easily put into a batch file and automated.
For those who have not yet grasped why a WinFE CD can be the better (faster) option compared with hardware imaging, consider the imaging speeds. A hardware imager may reach an advertised 7.0 GB/min, while WinFE may only manage 2.5 to 3.0 GB/min. The real difference appears when you have more hard drives to image than you have hardware imaging devices. At up to 3.0 GB/min per machine, and able to image as many hard drives in parallel as you have WinFE CDs, your aggregate throughput quickly overtakes that of a few hardware imagers.
As an example, with two hardware imaging devices, two hard drives can be imaged very quickly at 7 GB/min. With five or more hard drives to image you will need more than double that time, because you can only image two drives at once, unless you bear the expense of buying more hardware imagers. With a WinFE boot CD you can image them all at practically the same time, limited only by the number of WinFE disks and destination drives you have. Given an entire office of computers to image, you can see where the time savings add up quickly and at the least expense.
And yes, you can still output to multiple drives, in multiple formats, using multiple Windows-based tools. On top of that, you can triage the computer with the tools you know best to determine whether it needs to be imaged in the first place. That is a time saving that beats any hardware imaging device.
Booting WinFE on a machine whose evidence disk is not a Windows disk may cause a write to that disk. The change is well documented and limited to disk metadata: WinFE does not create or alter user files, but it may write a disk signature. So if you know in advance that the evidence hard drive is non-Windows, either choose another method to capture the image or document the change you are knowingly making. This paper provides no testing data; it is merely a write-up on creating the WinFE boot CD.
Any method of booting an evidence machine runs the risk of inadvertently booting its own operating system. As with any bootable media, take the usual precaution of changing the BIOS boot order so the system boots from the CD rather than from the evidence hard drive. Once booted into WinFE you are presented with a command shell. The DISKPART program is used to bring your evidence drive and destination drives online, and only a few of its commands are needed.
A recommendation on the use and development of your WinFE CD: it is always a good idea to understand the licensing agreements for any software you choose to include. Although a great deal of freeware and shareware is available, much of it restricts commercial use unless that use is explicitly permitted or you hold a license. Beyond that warning, what you can do with WinFE is limited only by your imagination.
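The DISKPART sequence described above, written out as a batch file that can be run from the WinFE command shell. This is an added example, not the article's own script or Troy Larson's instructions. The disk and volume numbers (evidence on disk 0, destination on disk 1, destination partition as volume 2, drive letter E:) are assumptions for illustration and must be read off DISKPART's own `list disk` and `list volume` output on the machine in front of you. It also assumes the WinFE image was built with the registry changes the article refers to, so that no disk is mounted automatically at boot.

```batch
@echo off
REM Added example, not from the original article: drive DISKPART from the WinFE shell so the
REM evidence disk is attached read-only and the destination disk is attached writable.
REM ASSUMPTIONS (illustration only): disk 0 = evidence, disk 1 = destination,
REM volume 2 = destination partition, E: = drive letter for the image files.
REM Confirm every number against "list disk" / "list volume" before running steps 2 and 3.
setlocal
set DP=%TEMP%

REM 1) Enumerate disks. Nothing should be online or mounted yet.
(
  echo list disk
) > "%DP%\dp_list.txt"
diskpart /s "%DP%\dp_list.txt"

REM 2) Evidence disk: set the read-only attribute BEFORE bringing it online, so the mount
REM    manager never sees a writable disk. The order of these two commands matters.
(
  echo select disk 0
  echo attributes disk set readonly
  echo online disk
  echo detail disk
) > "%DP%\dp_evidence.txt"
diskpart /s "%DP%\dp_evidence.txt"

REM 3) Destination disk: clear read-only, bring it online and give its partition a letter.
(
  echo select disk 1
  echo attributes disk clear readonly
  echo online disk
  echo list volume
  echo select volume 2
  echo assign letter=E
) > "%DP%\dp_dest.txt"
diskpart /s "%DP%\dp_dest.txt"

REM 4) Check before imaging: "detail disk" must report the evidence disk as Read-only : Yes,
REM    and the destination letter must exist. If either check fails, stop and re-check the numbers.
(
  echo select disk 0
  echo detail disk
) > "%DP%\dp_check.txt"
diskpart /s "%DP%\dp_check.txt"
if exist E:\nul (
  echo Destination E: is available for image files.
) else (
  echo Destination E: was not assigned - check the volume number in step 3.
  exit /b 1
)
endlocal
```

Run the first step alone, read the disk table, and only then edit the numbers in steps 2 and 3. The read-only attribute is what stops WinFE from mounting the evidence disk read/write; it does not change the disk-signature behavior described above for non-Windows disks, so for those disks either use another method or document the change. When the imaging tool finishes, verify the image hash against the source as you would with any other acquisition.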
Building Your Very Own WinFE
You can have your very own WinFE today after a few minutes of effort: one download, two registry changes, some copying of files, and burning your WinFE CD. In many of the steps described below you can choose your own folder structure and folder names for storing your WinFE files, but for simplicity of explanation you may want to use the structure set out in this guide at first. Create a folder at the root of C:\ as below:
As you can see, you will have a set of batch files, drivers, software, and an ISO which is not only bootable to WinFE but also has a 'live' side for running machines. This is not a daunting task, so hang in there; it is a lot easier than it sounds. Keep in mind that the folder you create here is separate from the folder structure that is created automatically when you run the first command line (step 2 below).
1) Download and install the Windows Automated Installation Kit (AIK) from www.microsoft.com
2) From the AIK command line (run as Administrator), copy the WinPE files to your computer with the command:
a. copype.cmd x86 C:\WinFE
b. You may replace "x86" with "amd64" or "ia64" to match the architecture you want to boot
c. When it completes, the directory structure on your C:\ drive will look like: