Windows Forensic Environment

bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
Topic starter  

Since my 'how to' guide and batch file that does the entire build for you hasn't been posted on the forum yet, send me an email and I'll reply with both files. It'll save you a ton of time.


   
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

You can get a guide to create your own in Hakin9 - Vol 4 No 6 (6/2009) issue.

Plus Harlan Carvey has a great article in there about Windows Timeline Analysis - Part 2.


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

Not to sound like I sell it (it is free..).

Compared to a non-Windows boot disk (any version of a Linux boot CD);

….

You do put across a compelling 'case for'. I remember the last F3 conference though where a speaker was due to talk about Windows FE but skipped it as they thought it was overly burdensome? Perhaps someone who was there can recall better?


   
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Easter treats, Windows FE and F-Response

https://www.f-response.com/index.php?option=com_content&view=article&id=231:easter-treats-windows-fe-and-f-response&catid=34:blog-posts


   
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
Topic starter  

A great example of showing the ease of adding an application to Windows FE (after all, you just have to copy the program folder…).


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

I've now added Brett's guide to the downloads section. It can also be downloaded directly from http://www.forensicfocus.com/downloads/WinFE.pdf

Congratulations to Brett for doing a truly outstanding job with this!

Jamie


   
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
Topic starter  

A (free) program not mentioned in the paper is "SetRes" from

http://www.iansharpe.com/

This works well for setting the display resolution without having to inject a video driver. It's a command line app, but very easy; for example, "X:\setres.exe h1024 v768" sets the display to 1024 x 768.

Also, to help determine whether a program can be copied onto Windows FE and actually function, there is "Dependency Walker" (http://www.dependencywalker.com/). This (also free) program is helpful for finding the dependent files needed (.dll, etc…).
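As an added example (not from the post or from the Dependency Walker project), the script below does the first thing Dependency Walker does, with no GUI: it reads the PE import table of the program you want to copy onto Windows FE, follows the DLLs that ship next to the program, and reports which imports are missing from the WinFE image tree. Assumed names: $ExePath is the tool's main executable, $WinFERoot is the mounted or extracted WinPE image root (e.g. C:\winfe\mount) with its Windows\System32 underneath. Only direct static imports are seen; delay-load imports and LoadLibrary() calls are what Dependency Walker's profiling mode adds on top of this.

```powershell
# Added example: static import check for a tool being copied into a WinFE build.
# $ExePath / $WinFERoot are assumed parameter names, not anything from the post.
param(
    [Parameter(Mandatory)][string]$ExePath,
    [Parameter(Mandatory)][string]$WinFERoot
)

function Get-PeImports {
    # Returns the DLL names from a PE file's IMAGE_DIRECTORY_ENTRY_IMPORT table.
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not an MZ executable" }
    $pe = [BitConverter]::ToUInt32($b, 0x3C)                       # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { throw "$Path has no PE signature" }
    $nSections = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize   = [BitConverter]::ToUInt16($b, $pe + 20)
    $opt       = $pe + 24                                           # IMAGE_OPTIONAL_HEADER
    $magic     = [BitConverter]::ToUInt16($b, $opt)
    $dirOff    = if ($magic -eq 0x20B) { 112 } else { 96 }         # PE32+ vs PE32 DataDirectory
    $importRva = [BitConverter]::ToUInt32($b, $opt + $dirOff + 8)  # DataDirectory[1].VirtualAddress
    if ($importRva -eq 0) { return @() }

    # Section table: needed to turn RVAs into file offsets.
    $sections = @()
    for ($i = 0; $i -lt $nSections; $i++) {
        $s = $opt + $optSize + 40 * $i
        $sections += [pscustomobject]@{
            VA    = [BitConverter]::ToUInt32($b, $s + 12)
            VSz   = [BitConverter]::ToUInt32($b, $s + 8)
            Raw   = [BitConverter]::ToUInt32($b, $s + 20)
            RawSz = [BitConverter]::ToUInt32($b, $s + 16)
        }
    }
    function RvaToOffset([uint32]$rva) {
        foreach ($s in $sections) {
            $span = [Math]::Max($s.VSz, $s.RawSz)
            if ($rva -ge $s.VA -and $rva -lt ($s.VA + $span)) { return ($rva - $s.VA + $s.Raw) }
        }
        throw ("RVA 0x{0:X} is not inside any section" -f $rva)
    }
    function ReadCString([int]$off) {
        $end = $off
        while ($b[$end] -ne 0) { $end++ }
        [System.Text.Encoding]::ASCII.GetString($b, $off, $end - $off)
    }

    # IMAGE_IMPORT_DESCRIPTOR is 20 bytes, Name RVA at +12, table ends with an all-zero entry.
    $names = @()
    $d = RvaToOffset $importRva
    while ([BitConverter]::ToUInt32($b, $d + 12) -ne 0) {
        $names += ReadCString (RvaToOffset ([BitConverter]::ToUInt32($b, $d + 12)))
        $d += 20
    }
    return $names
}

$appDir     = Split-Path -Parent (Resolve-Path $ExePath).Path
$searchDirs = @($appDir,
                (Join-Path $WinFERoot 'Windows\System32'),
                (Join-Path $WinFERoot 'Windows\SysWOW64'))

# Breadth-first over the program and the DLLs it carries in its own folder;
# DLLs already present in the image are taken as having their own dependencies met.
$seen  = @{}
$queue = New-Object 'System.Collections.Generic.Queue[string]'
$queue.Enqueue((Resolve-Path $ExePath).Path)
while ($queue.Count -gt 0) {
    $file = $queue.Dequeue()
    foreach ($dll in (Get-PeImports $file | Sort-Object -Unique)) {
        if ($seen.ContainsKey($dll)) { continue }
        $seen[$dll] = $true
        # API-set names are resolved by the loader, not by files on disk.
        if ($dll -match '^(api|ext)-ms-') { "{0,-36} api set (loader-resolved)" -f $dll; continue }
        $found = $searchDirs | ForEach-Object { Join-Path $_ $dll } |
                 Where-Object { Test-Path $_ } | Select-Object -First 1
        if ($found) {
            "{0,-36} OK   {1}" -f $dll, $found
            if ($found -like "$appDir\*") { $queue.Enqueue($found) }   # follow the program's own DLLs
        } else {
            "{0,-36} MISSING: copy it next to the program or add it to the image" -f $dll
        }
    }
}
```

Run it against the image before you burn: a MISSING line for something like MSVCR*.dll or MFC*.dll is the usual reason a "just copy the folder" tool dies silently in WinPE. Two caveats the static check cannot catch: a 32-bit tool on a 64-bit WinPE needs WoW64, which WinPE does not carry, and plugins loaded at runtime through LoadLibrary() only show up under Dependency Walker's profiling.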


   
(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

Linux must use Linux applications (if you try to make Windows software work, you'll have problems)

You can use non-Linux applications in Linux. And some applications will execute happily while other applications may be grumpy. A few downright obstinate!

But I don't think a blanket statement "if you try to make Windows software work, you'll have problems" is accurate nor helpful to those unfamiliar with Linux.

Modifying a Linux boot CD is difficult (for me…

Good to see you dropped in for you :) Because as you wrote, modifying a Linux boot CD is quite easy for those with the requisite knowledge. Just as modifying a Windows boot CD. Either one, without the knowledge you're going nowhere fast.

Waiting for a Linux CD to be updated in order to download the new version can be a very long wait

I don't know where you got this, or which CD environment you're referring to? But again, if you know what you're doing then updating a Linux boot CD can be completed within minutes. Perhaps there does exist some CD environment that takes dozens of minutes or hours? :)

Understanding Windows is just about second nature now

For you, maybe. But for many, including many of the potential users of your CD, maybe not. In fact I will bet that many have very little knowledge of the Windows operating system environment. Instead, their knowledge is built upon interacting with a gui-based application. And without their dongle (FTK, EnCase, etc.), they lose their forensic practitioner status. Simply interacting with a tool or an operating system doesn't translate into understanding.

Triage with a Linux CD is limited by the applications provided on the CD and your ability to add what you need to a Linux OS

I think this goes without saying, and is a repeat to some degree of your first point regarding using Linux applications and problems running Windows applications in Linux. Triage will always be limited. But I don't think the tone should insinuate that an operating system environment will be the root cause of limitation(s).

Triage with the WinFE CD is limited by the tools you currently use

Don't forget to add "your ability to add what you need to a Windows OS" here, too. Additionally, triage will be limited by your knowledge and understanding of the environment and incident. And these two may be more important than the included or missing applications.

Imaging in Linux, your destination drive should be formatted to something other than NTFS (yes, there are exceptions, but also problems writing to NTFS)

Another bad blanket statement. Without citing references or providing your experience I don't think stating writing to the NTFS file system in Linux should be avoided is wise. Obviously I may have experience wherein writing to NTFS from Linux has brought no problems. And so when I read this I find it a disservice to those who may not know nor have the experience. We all know too many simply read something and take it verbatim.

When the Linux CD doesn't have a driver you need, you are back to figuring out another way to image unless you know how to re-master your Linux CD.

A couple of things here. One, how many times have you come across a hardware device where your Linux environment did not have the driver necessary to recognize and interact with that hardware? I've a couple years of experience with Linux and can count on two hands the number of times I've run into a missing driver issue. Is it a possibility that you may run into a piece of hardware not recognized? Absolutely. How often? In my experience, rarely.
Two, you should keep apples and apples in the same basket. If you have access to the driver, be it Windows or Linux, you're half way there to getting that hardware recognized.

Knowing which applications are on a Linux CD can be a problem if some have EULA's which you can't comply (NirSoft tools, as an example, are free, but free only for non-commercial work).

I'm uncertain as to why this was even made a point? Again, it should go without saying, and it's not operating system dependent. Know your licenses no matter the platform should be the point.

The live side of a Linux CD will run the programs it was created to run (you may or may not like what is automatically being run)

What? I mean, true, anything set to execute may execute. But you as the user have the capability to set your environment, much more so in Linux than in Windows. Be it on a CD, hard drive, thumb drive, ETC. You, the user, have the ability to configure the Linux environment. Execute what you wish, stop what you dislike.

If you're curious as to why I took time to reply to your post … First and foremost I think a few statements left as they are will give FUD to those unfamiliar with Linux and/or those who don't question and verify what they read. So I felt compelled to respond. Second, my reply should not be taken in any negative way. I love Linux. That's no secret. I am not bashing the Windows CD nor trying to convert anyone. Go back to my first reason for posting my reply. :) I just think that left as-is those reading this thread in the future could possibly leave with the mindset that Linux CDs are bad and Windows CDs are good. 😉

Cheers!

farmerdude

www.onlineforensictraining.com

www.forensicbootcd.com


   
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
Topic starter  

Thanks for the comments. You have great points (which is what I was hoping for). I do have some bias toward the Windows environment, only because that is the most dominant OS I see in examinations, as well as being the OS I use in examinations. As a side note, I like Linux quite a bit and run Ubuntu at home. Even as I type this, I'm preparing to go onsite for imaging and in my grab bag, I have my usual assortment of Linux boot CDs.

My point in the EULAs was referring only to those freely available CDs in which the developer/s have software from 3rd parties which limit the commercial use. As an example, the older Helix (not Pro version) has NirSoft apps on it, which clearly state non-commercial use. I'm aware of a civil case where an examiner used NirSoft apps commercially (wasn't a good result…). With the Linux CDs which you can purchase from the developer without this worry, I'd say those are better choices, yours included 😉

It would be bad advice to say one OS is better than another in this field. Actually, whichever OS gets the job done right works for me. The technical points of using Linux vs Windows do come down to familiarity to configure to your needs. I do think the Windows FE CD is a good addition to the forensic bag o' tricks, but certainly not the solution to everything.

And I truly appreciate the comments!


   
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
Topic starter  

I received an email on how to make Windows FE bootable to a flashdrive. Here are the steps after you have created your WinFE ISO files.

Run Diskpart with the following commands:

- Diskpart
- List disk
- Select Disk 1 (whichever number is your flashdrive)
- Clean
- Create par primary
- Sel par 1
- Act
- format fs=fat32
- assign
- exit
- xcopy c:\winfe\iso\*.* /s /e /f e:\ (where "e:\" is your USB drive)

You now have Windows FE that is bootable to a USB Flashdrive.
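The same Diskpart sequence, scripted as an added example (not from the post or the emailed instructions) so that "clean" is never run against the wrong disk. The one thing that goes wrong with the manual steps is typing the disk number of a fixed drive; the script refuses any disk that is not on the USB bus, that hosts the running OS, or that is larger than a sanity limit, and then asks for explicit confirmation. Assumed: Windows 8 / Server 2012 or later (Get-Disk and Get-Partition from the Storage module), an elevated prompt, and the extracted WinFE ISO tree in $IsoDir; $DiskNumber, $IsoDir and $MaxSizeGB are parameter names chosen here.

```powershell
# Added example: guarded version of the Diskpart + xcopy steps from the post.
param(
    [Parameter(Mandatory)][int]$DiskNumber,   # the number shown by "list disk" for the flashdrive
    [string]$IsoDir = 'C:\winfe\iso',         # extracted WinFE ISO contents (assumed path)
    [int]$MaxSizeGB = 64                      # refuse anything bigger; flashdrive sanity check
)

$disk   = Get-Disk -Number $DiskNumber -ErrorAction Stop
$sizeGB = [math]::Round($disk.Size / 1GB, 1)

# Hard stops for the classic mistakes: wrong disk number, system disk, evidence drive.
if ($disk.BusType -ne 'USB')         { throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB; refusing to clean it." }
if ($disk.IsBoot -or $disk.IsSystem) { throw "Disk $DiskNumber holds the running OS; refusing." }
if ($sizeGB -gt $MaxSizeGB)          { throw "Disk $DiskNumber is $sizeGB GB, above the $MaxSizeGB GB limit." }
if (-not (Test-Path (Join-Path $IsoDir 'bootmgr'))) { throw "No bootmgr in $IsoDir; is this the extracted WinFE ISO?" }

Write-Host ("About to wipe disk {0}: {1} ({2} GB, {3})" -f $DiskNumber, $disk.FriendlyName, $sizeGB, $disk.BusType)
if ((Read-Host 'Type YES to continue') -ne 'YES') { throw 'Aborted.' }

# Same commands as the post, fed to diskpart as a script (/s) so it runs unattended.
# "quick" is added here; a full format as in the post works the same way.
$dpScript = @"
select disk $DiskNumber
clean
create partition primary
select partition 1
active
format fs=fat32 quick label=WINFE
assign
exit
"@
$tmp = Join-Path $env:TEMP 'winfe-usb.txt'
Set-Content -Path $tmp -Value $dpScript -Encoding ASCII
diskpart /s $tmp | Out-Null
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Find the letter diskpart assigned, then copy the tree (the post's xcopy /s /e /f).
$letter = Get-Partition -DiskNumber $DiskNumber |
          Where-Object { $_.DriveLetter -match '^[A-Z]$' } |
          Select-Object -First 1 -ExpandProperty DriveLetter
if (-not $letter) { throw 'No drive letter was assigned to the new partition.' }
$dest = "${letter}:\"
robocopy $IsoDir $dest /E /R:1 /W:1 /NP | Out-Null
# robocopy exit codes below 8 are success (1 = files copied, 0 = nothing to copy).
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
Write-Host "WinFE copied to $dest"
```

Run it as ".\make-winfe-usb.ps1 -DiskNumber 1" from an elevated prompt, substituting the number from "list disk". The active FAT32 partition plus bootmgr at the root is what makes the stick boot on BIOS machines, exactly as in the manual steps; a UEFI-only machine additionally needs the \efi\boot files from the ISO to be present in the copied tree.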


   
Page 2 / 5