Testing WinPE

WarlocK88
(@warlock88)
New Member

Hey guys,

I compiled my own WinFE (based on Win 7), and I'm wondering how to double (and even triple) check that it's forensically sound.
I fixed the registry and I didn't see any changes that were made to the evidence I was testing it on.
Still, I want to be as sure as one can ever be.
Check the HASH sets? Other things that I can do and change?

Thanks

Topic starter Posted : 17/11/2011 12:53 pm
athulin
(@athulin)
Community Legend

I compiled my own WinFE (based on Win 7), and I'm wondering how to double (and even triple) check that it's forensically sound.

In what context? I guess mount drives read-only?

I fixed the registry and I didn't see any changes that were made to the evidence I was testing it on.

I don't understand what the fixes you mentioned are … so I can't say if they are any good.

But the testing I do understand … and unless you state the scope this platform should work within, and your testing plan, no one can say if you tested the right things or not.

Did you test USB, Firewire, PATA and SATA drives? How about floppy drives, DVD-RAM and such? All types of FAT, exFAT, NTFS and other file systems supported by the platform? What file operations did you test? And how did you look for changes – hashed the drive, or … ?

For an idea of what testing could cover, take a look at the reports on various soft write blocker tools that the US National Institute for Justice has published. The specifications and test methods are found on http://www.cftt.nist.gov/ .

Posted : 17/11/2011 1:19 pm
WarlocK88
(@warlock88)
New Member

Thanks athulin!
When I wrote that I fixed the registry, I meant that the drive isn't mounted automatically.
Right now I don't want to get into drivers or different file systems. I want to see that nothing is modified/changed on my suspect drive.

I will look into the specifications you mentioned.

Topic starter Posted : 17/11/2011 1:37 pm
jaclaz
(@jaclaz)
Community Legend

A Windows NT based system will check when a disk is connected to it if a valid disk signature exists.
If it doesn't, it will write one.

Then, when a drive (volume) is mounted it may decide to write on it any kind of things, including a pagefile.
The essence of the WinFE is that the "automount" key in the Registry is disabled, so that NO drives (volumes) are mounted automatically.
Additionally you can put the disk "offline".

This ONLY relates to the actual WinFE environment; what you run from it is an altogether different thing.

Refer to the existing documentation of the tool
http://winfe.wordpress.com/
http://reboot.pro/forum/109/

The only way to test is

  1. hash the disk with whatever tool you already trust
  2. connect the disk to a WinFE booting PC
  3. do whatever you want to do in WinFE
  4. switch off the WinFE booting PC
  5. re-hash the disk with the same tool that you already trust

If the hash is the same, now you know that the exact actions you carried out/programs you have run in WinFE (and ONLY those) do not alter the disk contents.

jaclaz

Posted : 20/11/2011 8:04 pm
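The hash-before/hash-after procedure above, written out as a small Python script. This is an added example for this thread, not code from jaclaz, from WinFE or from NIST; the examiner is expected to run it from a system they already trust, before and after the WinFE session, never from inside the environment under test. It assumes the evidence is reachable as a raw device path (a placeholder such as `\\.\PhysicalDrive1` on Windows, which needs administrator rights, or `/dev/sdb` on Linux) or as an image file, and it relies on one documented fact: the 4-byte NT disk signature lives at offset 440 (0x1B8) of sector 0, which is exactly the field jaclaz says Windows writes when it finds none. Besides the whole-disk digest, the script records that signature separately so that the most common silent modification is named in the report rather than showing up only as "hash differs". The `demo()` function exercises the check on a constructed 1 MiB image with a blank signature, then simulates an operating system stamping a signature into it.

```python
import hashlib
import json
import os
import struct
import tempfile

MBR_SIGNATURE_OFFSET = 440   # NT disk signature: 4 bytes at 0x1B8 of sector 0 (documented MBR layout)
CHUNK = 4 * 1024 * 1024      # multiple of 512 so raw-device reads stay sector aligned


def hash_device(path, algorithm="sha256", chunk_size=CHUNK):
    """Stream the whole device or image file through a hash and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb", buffering=0) as f:
        while True:
            block = f.read(chunk_size)
            if not block:
                break
            h.update(block)
    return h.hexdigest()


def read_disk_signature(path):
    """Return the MBR disk signature as 8 hex digits (little-endian value), or None if too short."""
    with open(path, "rb") as f:
        f.seek(MBR_SIGNATURE_OFFSET)
        raw = f.read(4)
    if len(raw) < 4:
        return None
    return "%08x" % struct.unpack("<I", raw)[0]


def record_baseline(path, baseline_file, algorithm="sha256"):
    """Step 1 of the procedure: hash the disk on a trusted system and keep the result."""
    rec = {
        "device": path,
        "algorithm": algorithm,
        "digest": hash_device(path, algorithm),
        "disk_signature": read_disk_signature(path),
    }
    with open(baseline_file, "w") as f:
        json.dump(rec, f)
    return rec


def verify_against_baseline(path, baseline_file):
    """Step 5: re-hash with the same algorithm and compare; also report the signature field."""
    with open(baseline_file) as f:
        base = json.load(f)
    now_digest = hash_device(path, base["algorithm"])
    now_sig = read_disk_signature(path)
    return {
        "unchanged": now_digest == base["digest"],
        "baseline_digest": base["digest"],
        "current_digest": now_digest,
        "signature_before": base["disk_signature"],
        "signature_after": now_sig,
        "signature_changed": now_sig != base["disk_signature"],
    }


def make_constructed_image(path, size=1024 * 1024):
    """Constructed sample input: an all-zero image with only the 0x55AA boot marker set."""
    data = bytearray(size)
    data[510:512] = b"\x55\xaa"
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Run the check on the constructed image, then simulate a signature being written."""
    tmp = tempfile.mkdtemp()
    img = os.path.join(tmp, "suspect.img")
    base = os.path.join(tmp, "baseline.json")
    make_constructed_image(img)
    record_baseline(img, base)
    clean = verify_against_baseline(img, base)      # nothing has touched the image yet
    # Simulated write of a disk signature at 0x1B8 (constructed bytes, not a real OS value)
    with open(img, "r+b") as f:
        f.seek(MBR_SIGNATURE_OFFSET)
        f.write(b"\x12\x34\x56\x78")
    tainted = verify_against_baseline(img, base)    # four bytes changed: hash and signature differ
    return clean, tainted


if __name__ == "__main__":
    before, after = demo()
    print("untouched image unchanged:", before["unchanged"])
    print("after signature write unchanged:", after["unchanged"],
          "signature", after["signature_before"], "->", after["signature_after"])
```

In practice `record_baseline()` is run before step 2 and `verify_against_baseline()` after step 4, with the baseline file kept off the evidence disk. A differing digest with an unchanged signature points at something other than the disk-signature write (a mounted volume, a pagefile, a file operation), which is the case the WinFE automount change is meant to prevent.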
WarlocK88
(@warlock88)
New Member

Hey jaclaz,
Thanks for replying. I figured out that hashing would probably be the best solution. Just wanted to see if there are any other procedures that I should consider. The NIST reference is also a great place to look into.

Topic starter Posted : 23/11/2011 3:45 pm