After some advice or assistance, so putting this one out there to the forensic community.
Has anyone had much success in using Windows To Go in the field configured as "forensically sound" as possible, specifically with Windows 8.1 or 10? If so, can you provide any advice as to what settings you modified?
I'm in the process of attempting to create a "forensically sound" WinToGo USB drive for use in the field for live booting and analysis of a target system.
I'm experiencing an issue with 8.1 and 10 when setting the SAN policy to "4", which sets the internal disks to offline. It appears once this is set it has no effect, and WinToGo 8.1 and 10 still mount, assign a drive letter to, and show the physical internal disks as online. For obvious reasons this is not ideal.
Does anyone have any suggestions, or has anyone experienced this issue? I've googled a lot with little success.
Thanks in advance.
townsie
The default behaviour of Windows To Go is to keep internal disks offline. If you don't actually use the Enterprise feature but a removable media installation of Windows, run:
reg add HKLM\SYSTEM\CurrentControlSet\Control /v PortableOperatingSystem /t REG_DWORD /d 1
Thanks. I forgot to mention, Windows 8.1 and 10 were both Enterprise versions. The "PortableOperatingSystem" key already existed with a value of "1".
Having said that it appears I've sorted the issue.
I originally used Rufus to create a WinToGo USB via a Win 10 Enterprise ISO. Internal disks showed as online with a SAN policy value of "4" and the "PortableOperatingSystem" key with the value set to "1".
I recreated the WinToGo USB via the WinToGo wizard in Win 10 Enterprise by mounting the Win 10 Enterprise ISO. After first boot all internal disks now show as offline with a SAN policy value of "4" and the "PortableOperatingSystem" key with the value set to "1".
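A read-only pre-analysis check in PowerShell, added here and not part of any post in this thread: run from the booted WinToGo stick, it reads the PortableOperatingSystem value and SAN policy discussed above, shows the effective new-disk policy, and flags any non-boot disk that is still online. It assumes the SAN policy is stored under Services\partmgr\Parameters\SanPolicy and that the Storage module (Get-Disk, Get-StorageSetting; Windows 8 and later) is available.

```powershell
# Added example (not from the thread): verify that a booted Windows To Go stick
# actually left the target's internal disks offline before any analysis starts.
# Inspection only: nothing here changes state on the target.

$ctl  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$pmgr = 'HKLM:\SYSTEM\CurrentControlSet\Services\partmgr\Parameters'   # assumed location

# PortableOperatingSystem = 1 marks the running OS as Windows To Go (see thread).
$portable  = (Get-ItemProperty -Path $ctl  -Name PortableOperatingSystem -ErrorAction SilentlyContinue).PortableOperatingSystem
# SAN policy: 1=OnlineAll 2=OfflineShared 3=OfflineAll 4=OfflineInternal (the "4" in the thread).
$sanPolicy = (Get-ItemProperty -Path $pmgr -Name SanPolicy -ErrorAction SilentlyContinue).SanPolicy
# The Storage module reports the policy actually in effect, by name.
$effective = (Get-StorageSetting).NewDiskPolicy

"PortableOperatingSystem  : $portable"
"SanPolicy (registry)     : $sanPolicy"
"NewDiskPolicy (effective): $effective"

# Show every disk: the stick we booted from is IsBoot; everything else should be offline.
Get-Disk | Sort-Object Number |
    Format-Table Number, FriendlyName, BusType, Size, IsBoot, IsOffline, IsReadOnly, OperationalStatus -AutoSize

# An online non-boot disk means Windows may already have mounted it and written to
# it (NTFS journal, $Recycle.Bin, System Volume Information), the failure townsie hit.
$violations = Get-Disk | Where-Object { -not $_.IsBoot -and -not $_.IsOffline }

if ($violations) {
    Write-Warning ("Non-boot disk(s) ONLINE: {0}. Stop and re-check the SAN policy / write blocker before proceeding." -f ($violations.Number -join ', '))
    exit 1
}
"All non-boot disks are offline."
```

Offline is not the same as write-protected: IsReadOnly is shown so you can see whether a software write-blocker has also set the disks read-only.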
Windows-To-Go (WTG) is a reliable, forensically sound boot disk provided these conditions are adhered to:
1. Use a trusted thumb drive. Microsoft has a recommended list on their site. I have used the Talent with good success.
2. Create the WTG disk with the utility built into Windows 8/10. Do not use any other method. Rufus cannot be trusted to build a forensically-sound WTG boot stick. Use an Enterprise version ISO.
In every instance that I have booted various devices with the WTG stick - desktops, laptops, tablets - the internal drives were kept offline.
I would be interested in hearing other opinions on this matter.
Update: I stand corrected. Windows-To-Go is NOT a forensically sound boot disk without the addition of a software write-blocker. I have found instances where WTG would not take drives offline but rather leave them online. I have tested WTG with the SAFE Block To Go write-blocker from
Regards,
Alan Harper
Homeland Security Investigations
I have been testing WinFE, Win2Go, and about a dozen Linux forensic distros and will be finished in about 3 more weeks, with something written up and in an online class format by March. Good and bad news for all of them; depends on how you use it. FYI
> In every instance that I have booted various devices with the WTG stick - desktops, laptops, tablets - the internal drives were kept offline.
> I would be interested in hearing other opinions on this matter.
It is possible to trick a Windows To Go installation into executing code from an internal drive. However, an attacker needs to know the contents of the partition table of the Windows To Go drive. So, it is possible to mount this type of attack (without mentioning that it requires prior knowledge of the contents of the partition table) against your tool in a courtroom, if a defense attorney plans to subvert evidence you collected. Be prepared.
> I'm experiencing an issue with 8.1 and 10 when setting the SAN policy to "4", which sets the internal disks to offline. It appears once this is set it has no effect, and WinToGo 8.1 and 10 still mount, assign a drive letter to, and show the physical internal disks as online. For obvious reasons this is not ideal.
> Does anyone have any suggestions, or has anyone experienced this issue? I've googled a lot with little success.
> Thanks in advance.
> townsie
My personal coming out: this article at Forensic Focus was written by me
https://articles.forensicfocus.com/2017/01/06/windows-10-pe-for-digital-forensics/
Windows PE might be an alternative to "Windows to Go" for you. SAN Policy settings are the same, and SAN Policy 0 is forensically sound, from all that I have tested. If you encounter any trouble creating your own Windows 10 PE forensic media, I can assist you.
I usually take SAN Policy 3 and mount all drives r/w at boot time, but only on the 3rd or 4th copy of my evidence or in a confirmed malware/threat hunting scenario which will never see a courtroom.
best regards,
Robin