WinBook TW800

9 Posts
4 Users
0 Likes
808 Views
(@bjh505)
Posts: 10
Active Member
Topic starter
 

Hello,

Have a WinBook that I am having trouble imaging. Cannot get it to boot into the Paladin 32 bit or 64 bit OS. The device is also password protected with no available password. The storage is eMMC so no possibility to remove. Anyone image one of these devices successfully? Cellebrite, of course, has no options either. Thank you.

 
Posted : 16/10/2018 4:26 pm
(@dpathan)
Posts: 28
Eminent Member
 

Try using Hiren Boot Disk. The updated version now has a live Windows 10 to run various tools for imaging storage. I am expecting it should not give issues in booting live Win10.

Also, you can bypass the Windows password by renaming utiman.exe to cmd.exe, but this is not forensically accepted as it changes the data.

 
Posted : 16/10/2018 4:40 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Try using Hiren Boot Disk.

Where can I buy a license for that?

jaclaz

 
Posted : 16/10/2018 5:18 pm
(@bjh505)
Posts: 10
Active Member
Topic starter
 

Try using Hiren Boot Disk. The updated version now has a live Windows 10 to run various tools for imaging storage. I am expecting it should not give issues in booting live Win10.

Also, you can bypass the Windows password by renaming utiman.exe to cmd.exe, but this is not forensically accepted as it changes the data.

Yeah, unfortunately, we are accredited and cannot use tools not validated internally.

 
Posted : 16/10/2018 5:25 pm
(@dpathan)
Posts: 28
Eminent Member
 

Try using Hiren Boot Disk.

Where can I buy a license for that?

jaclaz

The ISO is available for free to download. Link: https://www.hirensbootcd.org
It has various tools for imaging (Acronis, Lazesoft), recovery, testing, etc. I use it now and then, depending on the situation. But it is not an exclusive forensic tool.

The developer had compiled various open-source and freeware tools and HDD diagnostics utilities and put them on a WinPE OS for live boot. There is not a lot of documentation on the website.

 
Posted : 16/10/2018 6:16 pm
(@dpathan)
Posts: 28
Eminent Member
 

Yeah, unfortunately, we are accredited and cannot use tools not validated internally.

You can use the boot disc and install FTK Imager on the live Windows OS, or use EnCase Imager to acquire the image.

Or the other workaround I can think of is to build your own bootable Windows IoT OS with minimum features and run EnCase Imager or FTK Imager on it.

Just some ideas! Maybe someone has better options than this.

 
Posted : 16/10/2018 6:37 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 


It has various tools for imaging (Acronis, Lazesoft), recovery, testing, etc. I use it now and then, depending on the situation. But it is not an exclusive forensic tool.

The developer had compiled various open-source and freeware tools and HDD diagnostics utilities and put them on a WinPE OS for live boot. There is not a lot of documentation on the website.

Sure.

Point being that last time I checked the Windows PE itself was not redistributable anyway, as well as a number of the softwares included.

Besides the above, a "normal" PE - unless special provisions are implemented - will modify hard disks and similar devices when booting/mounting, so "as-is" it is NOT forensically sound.

Or the other workaround I can think of is to build your own bootable Windows IoT OS with minimum features and run EnCase Imager or FTK Imager on it.

Just some ideas! Maybe someone has better options than this.

So the ideas are
1) build your own PE
2) build a forensically sound PE, i.e. a WinFE, *like*
http://mistyprojects.co.uk/mistype/mini-winfe.docs/readme.files/intro.htm

jaclaz

 
Posted : 16/10/2018 6:40 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Some potentially useful sources

https://articles.forensicfocus.com/2017/01/06/windows-10-pe-for-digital-forensics/

https://www.osforensics.com/tools/create-disk-images.html

 
Posted : 16/10/2018 6:59 pm
(@bjh505)
Posts: 10
Active Member
Topic starter
 

Thanks, everyone. I will look a bit more into these and let you know what I get.

 
Posted : 16/10/2018 9:02 pm