±Forensic Focus Partners
|New Today: 0||Overall: 36209|
|New Yesterday: 3||Visitors: 153|
Windows Forensic EnvironmentBack to top Back to main Skip to menu
The (Nearly) Perfect Forensic Boot CD - Windows Forensic Environment
a. Instead of an ISO image, you will first be working with a .wim image. In order to modify this image and make it forensically sound, you need to mount it.
b. There are two .wim images in the folder structure above.
c. The boot.wim will be used to create your final ISO. You can mount the winpe.wim or the boot.wim to install your tools. If you use the winpe.wim, simply delete the current boot.wim and move/rename winpe.wim to WinFE\ISO\sources (in order to replace the non-modified boot.wim).
d. Mount the .wim image through the AIK command line (this will mount the image under the “mount” folder in order to make modifications and add your forensic applications).
imagex /mountrw C:\winFE\ISO\sources\boot.wim 1 C:\winFE\mount
4) Modify the registry of the winpe mounted image
a. Using Regedit, there are two registry modifications to be made for a forensically sound boot process.
b. Load SYSTEM HIVE
c. In Regedit, Choose File – Load Hive
d. Select the System file located at: C:\WinFE\mount\Windows\System32\config
e. Name it WinFE
1. Create a DWORD named NoAutoMount if it doesn’t exist already by “right clicking” in Regedit and change the DWORD value to 1
1. Sans Policy -change the DWORD value to 3
iii. Unload the WinFE SYSTEM HIVE
1. Select the WinFE hive.
2. With Regedit, choose File – Unload Hive – “yes”
5) Options: Add your tools
Create a WinFE folder in the mounted winpe image at the root of the mounted image. Copy your tools into this folder. Generally, only those programs that can run without installation can be successfully used with WinFE, such as most portable applications. Detailed instructions for specific software are outlined further in this paper.
6) Options: Drivers
Common or specific video drivers can be injected (aka..installed) into the mounted image through the AIK command line (AIK command line (where “drivers\*.inf is the location of your drivers to be injected). As needed, drivers can be added just as easily, to include RAID drivers and other hardware specific drivers. WinRAR can be used to extract drivers (.inf) files from driver installation executables.
peimg.exe /inf=C:\drivers\*.inf C:\winFE\mount\Windows
7) Unmount your winpe.wim image (commit changes or you will have lost your work)
imagex.exe /unmount /commit C:\winFE\mount
8) Delete bootfix.bin located in C:\WinFE\ISO\boot (deleting this file will prevent the warning of ‘press any key to boot from cd’)
9) Create ISO from the AIK command line (this command uses the boot.wim image):
oscdimg -n -m -o -bC:\WinFE\etfsboot.com C:\WinFE\ISO C:\WinFE\WinFE.iso
10) And finally, burn the ISO to a CD and test it.
How to Use WinFE
You now have created a basic WinFE Boot CD. More advanced features are described further, but first and more importantly, how to use it.
The first step after booting to the CD is prepping the hard drives attached to the system. For sake of clarity, the “evidence” drive will be the hard drive contained in your suspect/custodian machine. The “destination” drive will be the external drive to which your image of the evidence drive will be stored.
X:\windows\system32\DISKPART is the first command to use to prep the drives. As can be seen, you are only given a command prompt, not a GUI, but your GUI tools will run normally.