The (Nearly) Perfect Forensic Boot CD - Windows Forensic Environment

Page: 2/7

3) The boot.wim image (Windows Imaging File Format)

a. Instead of an ISO image, you will first be working with a .wim image. In order to modify this image and make it forensically sound, you need to mount it.
b. There are two .wim images in the folder structure above.
i. WinFE\ISO\sources\boot.wim
ii. WinFE\winpe.wim
c. The boot.wim will be used to create your final ISO. You can mount the winpe.wim or the boot.wim to install your tools. If you use the winpe.wim, simply delete the current boot.wim and move/rename winpe.wim to WinFE\ISO\sources (in order to replace the non-modified boot.wim).
d. Mount the .wim image through the AIK command line (this will mount the image under the “mount” folder in order to make modifications and add your forensic applications).

imagex /mountrw C:\winFE\ISO\sources\boot.wim 1 C:\winFE\mount

Figure 5

4) Modify the registry of the winpe mounted image

a. Using Regedit, there are two registry modifications to be made for a forensically sound boot process.
b. In Regedit, choose File – Load Hive.
c. Select the SYSTEM file located at: C:\WinFE\mount\Windows\System32\config
d. Name it WinFE.
i. HKEY_LOCAL_MACHINE\WinFE\ControlSet001\services\mountmgr
1. Create a DWORD named NoAutoMount (right-click in Regedit) if it does not already exist, and set its value to 1.

Figure 6

Figure 7

ii. HKEY_LOCAL_MACHINE\WinFE\ControlSet001\services\partmgr\Parameters

1. SanPolicy – change the DWORD value to 3

iii. Unload the WinFE SYSTEM HIVE

1. Select the WinFE hive.
2. With Regedit, choose File – Unload Hive – “yes”

5) Options: Add your tools

Create a WinFE folder in the mounted winpe image at the root of the mounted image. Copy your tools into this folder. Generally, only those programs that can run without installation can be successfully used with WinFE, such as most portable applications. Detailed instructions for specific software are outlined further in this paper.

6) Options: Drivers

Common or specific video drivers can be injected (i.e. installed) into the mounted image through the AIK command line, where C:\drivers\*.inf is the location of the drivers to be injected. As needed, other drivers can be added just as easily, including RAID drivers and other hardware-specific drivers. WinRAR can be used to extract driver (.inf) files from driver installation executables.

peimg.exe /inf=C:\drivers\*.inf C:\winFE\mount\Windows

Figure 8

7) Unmount your winpe.wim image (commit changes or you will have lost your work)

imagex.exe /unmount /commit C:\winFE\mount

8) Delete bootfix.bin located in C:\WinFE\ISO\boot (deleting this file removes the ‘press any key to boot from CD’ prompt).
9) Create ISO from the AIK command line (this command uses the boot.wim image):

oscdimg -n -m -o -bC:\WinFE\etfsboot.com C:\WinFE\ISO C:\WinFE\WinFE.iso

10) And finally, burn the ISO to a CD and test it.
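The registry changes of step 4 are the part of this build that makes the boot CD forensically sound, so they are worth scripting and verifying before the image is committed. The following PowerShell script is an added example, not part of the paper; it assumes boot.wim is already mounted at C:\WinFE\mount (step 3), an elevated shell, and uses the same temporary hive name (WinFE) as the Regedit steps.

```powershell
# Added example (not from the paper): scripts step 4 against an already-mounted
# boot.wim and verifies both values before the image is unmounted and committed.
# Assumes the image is mounted at C:\WinFE\mount (step 3) and an elevated shell.
$ErrorActionPreference = 'Stop'

$MountDir = 'C:\WinFE\mount'
$HiveFile = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
$HiveKey  = 'HKLM\WinFE'   # temporary name for the loaded hive, as in the Regedit steps

# The two forensic-soundness settings from step 4:
#   NoAutoMount = 1  mountmgr does not auto-mount new volumes or assign drive letters
#   SanPolicy   = 3  OfflineAll: partmgr brings no disk online at boot
$Settings = @(
    @{ Key = "$HiveKey\ControlSet001\services\mountmgr";           Name = 'NoAutoMount'; Data = 1 },
    @{ Key = "$HiveKey\ControlSet001\services\partmgr\Parameters"; Name = 'SanPolicy';   Data = 3 }
)

if (-not (Test-Path $HiveFile)) {
    throw "Offline SYSTEM hive not found at $HiveFile - is boot.wim mounted (imagex /mountrw)?"
}

# Equivalent of Regedit: File - Load Hive, named WinFE
reg.exe load $HiveKey $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE)" }

try {
    foreach ($s in $Settings) {
        # /f creates the key and DWORD if missing, otherwise overwrites the value
        reg.exe add $s.Key /v $s.Name /t REG_DWORD /d $s.Data /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg add failed for $($s.Key)\$($s.Name)" }
    }

    # Read every value back and compare, so a typo cannot reach the committed .wim
    $failed = @()
    foreach ($s in $Settings) {
        $text = (reg.exe query $s.Key /v $s.Name) -join "`n"
        # reg query prints e.g. "    NoAutoMount    REG_DWORD    0x1"
        $ok = ($text -match "$($s.Name)\s+REG_DWORD\s+0x([0-9A-Fa-f]+)") -and
              ([Convert]::ToInt32($Matches[1], 16) -eq $s.Data)
        if (-not $ok) { $failed += "$($s.Key)\$($s.Name)" }
    }
    if ($failed.Count -gt 0) { throw "Verification failed for: $($failed -join ', ')" }
    Write-Host 'NoAutoMount=1 and SanPolicy=3 confirmed in the offline hive.'
}
finally {
    # Equivalent of Regedit: File - Unload Hive; required before imagex /unmount /commit
    reg.exe unload $HiveKey | Out-Null
}
```

Run it between steps 3 and 7; if the verification throws, the hive is still unloaded by the finally block, so the mounted image can be inspected or discarded with imagex /unmount before anything is committed.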

How to Use WinFE

You have now created a basic WinFE boot CD. More advanced features are described later in this paper, but first, and more importantly, how to use it.

The first step after booting to the CD is prepping the hard drives attached to the system. For sake of clarity, the “evidence” drive will be the hard drive contained in your suspect/custodian machine. The “destination” drive will be the external drive to which your image of the evidence drive will be stored.

X:\windows\system32\DISKPART is the first command to use to prep the drives. As can be seen, you are only given a command prompt, not a GUI, but your GUI tools will run normally.

Figure 9

Figure 10
