Overview of Windows Forensic Environment (WinFE)
Windows Forensic Environment (WinFE)
The (Almost) Perfect Triage Tool
Brent Muir – 2014 Version 1.0
Topics
▪ Benefits of WinFE
▪ History of WinFE
▪ Building WinFE
▪ “Live” vs. Booting
▪ Using WinFE:
  ▪ Encryption testing
  ▪ Imaging (RAM, HDs)
  ▪ Triage
Benefits of WinFE
▪ Ability to boot on all x86 devices regardless of OS:
  ▪ Windows
  ▪ Linux
  ▪ OSX (requires optical drive)
▪ Runs Windows compatible tools
▪ The price is right: cost of a Windows OS licence
▪ Highly customisable
History of WinFE
BartPE (2003)
▪ Live version of Windows based on XP/2003
▪ Utilised Windows Preinstallation Environment (PE)
http://www.nu2.nu/pebuilder/screenshots/
History of WinFE
Microsoft (SysInternals) created the first “official” WinFE guide (2008)
▪ Highly modified OS
▪ No GUI interface, CMD based only
▪ Registry keys modified to not mount devices by default
▪ Basic functionality, required batch scripts or plenty of DOS commands
▪ Based on Vista, compatible with Windows 7
History of WinFE
Shavers, B. (2010)
History of WinFE
WinBuilder - Windows PE building utility
▪ WinFE script created by Brett Shavers that modified the same registry keys as the SysInternals instructions (2010)
▪ Retained GUI interface
▪ Write Protect Tool Management Console (replacement Disk Manager)
History of WinFE
http://winbuilder.net/screenshots
Building WinFE
▪ Microsoft Windows (32bit or 64bit) ISO
  ▪ Provides the core OS files that WinFE is built on
▪ Windows Automated Installation Kit (AIK)
  ▪ Provides the Windows PE bootable image that WinFE is based upon
  ▪ WIM (Windows Image) mounting tools
▪ WinBuilder with WinFE scripts
  ▪ Provides the advanced interface features of WinFE (desktop GUI support, etc)
Building WinFE
Two modes for third-party applications:
▪ Run from RAM
  ▪ Stops end-users modifying installed programs
  ▪ Takes up more RAM when booting (a concern if working with low-specced PCs)
▪ Run from Disk
  ▪ Easier to update (no more recompiling the full WIM)
Building WinFE
Steps to compile your own version of WinFE:
1. Install Windows AIK
2. Mount the Windows 7 ISO and remember the drive letter
3. Install WinBuilder and point it to the drive letter of the mounted ISO
4. Configure the scripts required through WinBuilder (including Tweaks WinFE)
5. Prepare any third-party software you require on WinFE
6. Run the WinBuilder program and set the desired options. This should output a WinFE ISO as well as the files necessary to copy to a USB dongle
7. Edit the boot loader (BCD) to allow a maximum timeout and require user input when selecting WinFE from the boot menu
8. Test the WinFE release to ensure that it is forensically sound
Building WinFE
Slip-streaming drivers into WinFE requires two tools from the AIK, both located in C:\Program Files\Windows AIK\Tools\x86\Servicing:
▪ ImageX - used to mount the WIM
▪ DISM - used to install drivers
1. imagex /mountrw C:\WinFE\Target\Win7PE_SE\sources\boot.wim 1 C:\winFE\mount
2. dism.exe /image:C:\WinFE\Mount\ /add-driver /driver:"C:\WinFE\Files to inject\Hasp\Hasp" /recurse
3. imagex.exe /unmount /commit C:\winFE\mount
Building WinFE
In order to copy the WinFE files to a USB thumb drive you must first prepare the thumb drive so that it is clean and bootable. Follow these steps:
1. Plug the USB thumb drive into the computer
2. Start CMD
3. Start Diskpart (type: diskpart)
4. Select the relevant USB thumb drive (to see the available drives, type: list disk; to select a disk, type: select disk #, where # is the relevant disk number)
5. Clean the USB thumb drive (type: clean)
6. Create a primary partition (type: create partition primary)
7. Set the USB thumb drive as bootable (type: active)
8. Format the USB thumb drive (type: format fs=NTFS quick label="WinFE")
9. Exit Diskpart (type: exit)
Two Modes: “Live” Vs Booting
Live:
▪ The software on WinFE can also be run on a live system, w/o booting into the WinFE OS (assuming portable apps)
▪ Conducting an encryption test
▪ Ability to image RAM, disks, and mounted encrypted partitions
▪ Tools can all be updated on the fly
Booting:
▪ Booting into the WinFE environment conforms to industry best practice in that it maintains the forensic state of the hard drives within the suspect’s computer.
List of Known Working Tools
▪ EnCase - v6 & v7 (requires licence dongle and slip-streaming HASP drivers)
▪ X-Ways / WinHex – all versions (requires licence dongle)
▪ TrueCrypt
▪ FTK Imager
▪ VirtualBox
▪ Wireshark
▪ RegistryBrowser
▪ Volatility – standalone version
▪ All Nirsoft tools
▪ Many more
WinFE – Booting
1. Power down the computer
2. Insert the WinFE USB device into the suspect's computer
3. Power on the computer and enter the BIOS or UEFI. While in the BIOS it is recommended to take note of the system’s date and time.
4. Once in the BIOS change the boot order to the WinFE USB device – this should show up in the BIOS as a USB device (or choose the optical drive if booting from CD)
5. Save the changes to the BIOS and let the computer reboot
6. The computer should now boot into the WinFE boot menu.
WinFE – Booting
Write Protect Tool Management Console:
▪ Mount / unmount physical drives attached to the computer as read-only or read-write
▪ Add custom drivers (e.g. software RAID drivers)
WinFE – Desktop
Use Cases
▪ Encryption Test
▪ HD / RAM Imaging
▪ Triage
Use Cases – Live Encryption Test
▪ Windows
▪ Linux
▪ OSX
WinFE (live) – Encryption Windows
WINDOWS OS – CryptHunter (LE only)
1. Plug in the WinFE USB thumb drive into the suspect's computer
2. The WinFE USB drive should now be visible in Explorer (My Computer). Browse to the directory titled "CryptHunter" and double-click on the file called "crypthunter". This will begin the encryption test.
3. If anything of note is discovered a pop-up box will appear warning that encryption may be present.
CryptHunter (screenshot)
WinFE (live) – Encryption Linux
LINUX OSes – quick and dirty
Method 1 – Terminal
1. Open the terminal (console / konsole), type mount and hit enter (return)
2. This command will list all currently mounted drives on the computer; look for the word "crypt"
WinFE (live) – Encryption Linux
Method 2 – System Monitor
WinFE (live) – Encryption OSX
MAC OSX – quick and dirty
Method 1 – Identify FileVault
1. Browse to "Computer" > "Users". If the user account has the following icon then "FileVault" is enabled. FileVault encrypts all of the user's files.
WinFE (live) – Encryption OSX
Method 2 – Activity Monitor
1. Other third-party encryption tools are available for Mac OSX. To check whether any of these encryption programs are running, browse to "Applications" > "Utilities" > "Activity Monitor"
2. Once the Activity Monitor is displayed use the drop-down menu to select "All Processes"
3. Look for any process that includes the word "crypt". If any of the processes mention the word "crypt" then it is likely that the computer features encryption.
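The Linux (mount) and OSX (Activity Monitor) methods above both come down to scanning text for the word "crypt". As an added example (not part of the slides, and not a WinFE tool), the POSIX shell script below automates that scan over mount-table text and a process list, naming the volume, mount point and filesystem type for each hit. The sample `mount` and process output is constructed for the demo; on a live system the same functions would be fed from `mount` and `ps -A -o comm=`. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the slides: automates the "look for the word crypt"
# checks from the Linux (mount) and OSX (Activity Monitor) methods.
# Both report functions read plain text on stdin, so on a live system they can
# be fed from `mount` and `ps -A -o comm=`; the samples below are constructed.
# Function names are assumptions made for this example.

# report_encrypted_mounts: reads `mount` output, one filesystem per line in the
# form "<device> on <mountpoint> type <fstype> (<options>)", and prints the
# volumes whose device name (dm-crypt/LUKS mappings, TrueCrypt, VeraCrypt) or
# filesystem type (eCryptfs, FUSE-mounted crypt volumes) signals encryption.
report_encrypted_mounts() {
    awk 'tolower($1) ~ /crypt|luks/ || tolower($5) ~ /crypt/ {
             printf "volume %s at %s (%s)\n", $1, $3, $5
         }'
}

# report_encryption_processes: reads a process list, one name per line, and
# prints those whose name contains "crypt" (TrueCrypt, VeraCrypt, ...).
report_encryption_processes() {
    awk 'tolower($0) ~ /crypt/ { printf "process %s\n", $0 }'
}

# encryption_test MOUNT_TEXT PS_TEXT: runs both checks, prints the findings and
# returns 0 when anything was found, 1 when nothing was (the "no pop-up" case).
encryption_test() {
    findings=$(
        printf '%s\n' "$1" | report_encrypted_mounts
        printf '%s\n' "$2" | report_encryption_processes
    )
    [ -n "$findings" ] || return 1
    printf '%s\n' "$findings"
}

# Constructed sample `mount` output with one dm-crypt volume mounted on /home.
SAMPLE_MOUNT='/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
/dev/mapper/sda5_crypt on /home type ext4 (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,mode=755)'

# Constructed sample process list with TrueCrypt running.
SAMPLE_PS='launchd
WindowServer
Finder
TrueCrypt
mds'

# Constructed clean samples: nothing should be reported for these.
CLEAN_MOUNT='/dev/sda1 on / type ext4 (rw,relatime)'
CLEAN_PS='init
bash'
```

On a live machine, `encryption_test "$(mount)" "$(ps -A -o comm=)"` runs both checks in one go. Like the manual methods it only sees volumes that are mounted and programs that are running at that moment: an unmounted container file or an encryption tool that is installed but not running produces no hit, so a clean result is a reason to image RAM and the mounted volumes while the machine is still live, not proof that nothing is encrypted.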
WinFE – Imaging Windows (live)
RAM:
▪ DumpIt
  ▪ Simple executable, puts output in the same directory as the EXE
  ▪ Has some issues with RAM larger than 8GB
▪ WinPMEM
  ▪ CMD based
  ▪ Supports RAM larger than 8GB
  ▪ Supports RAW & Crashdump formats
▪ FTK Imager
  ▪ GUI version only
  ▪ Supports RAW acquisition as well as Pagefile.sys & Hiberfil.sys
  ▪ Larger footprint than DumpIt & WinPMEM
HD:
▪ FTK Imager
WinFE – Imaging Linux (live)
RAM:
▪ FMEM
  ▪ Creates a kernel mirror driver
  ▪ Then use dd commands to capture
HD:
▪ DD
  ▪ Built-in
▪ FTK Imager CLI
  ▪ Debian
  ▪ Ubuntu (x32 & x64)
  ▪ Fedora (x32 & x64)
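The slide leaves "use dd commands to capture" as a one-liner. As an added example (not from the slides), the POSIX shell functions below show the form a practitioner would actually want for either the fmem device or a block device: dd reads the source once, tee writes the image while sha256sum hashes the identical byte stream, and a second function re-hashes the written image to verify it. The function names and the demo input file are constructed for this example; sha256sum is the GNU coreutils tool (on OSX use `shasum -a 256`).

```shell
#!/bin/sh
# Added example, not from the slides: raw acquisition with dd, hashing the byte
# stream during the copy and verifying the written image afterwards.
# SOURCE may be a block device (/dev/sda), the fmem mirror device (/dev/fmem,
# which has no end and therefore needs a COUNT) or, as in the demo, a file.
# Function names are assumptions; sha256sum is the GNU coreutils tool.

# acquire_raw SOURCE DEST [COUNT]: copy SOURCE to DEST (COUNT 1 MiB blocks if
# given), keep dd's own record counts/errors in DEST.log, write the stream hash
# to DEST.sha256 and print it.
acquire_raw() {
    src=$1
    dst=$2
    limit=${3:+count=$3}
    # dd reads the evidence exactly once; tee writes the image to disk while
    # sha256sum hashes the same bytes, so the hash describes what was acquired
    # without a second read of the source.
    stream_hash=$(dd if="$src" bs=1048576 $limit 2>"$dst.log" \
        | tee "$dst" | sha256sum | awk '{print $1}')
    printf '%s  %s\n' "$stream_hash" "$dst" > "$dst.sha256"
    printf '%s\n' "$stream_hash"
}

# verify_raw DEST: re-hash the image on disk and compare with the recorded
# stream hash; returns 0 on match, 1 on mismatch (truncated or altered image).
verify_raw() {
    dst=$1
    recorded=$(awk '{print $1}' "$dst.sha256")
    actual=$(sha256sum "$dst" | awk '{print $1}')
    [ "$recorded" = "$actual" ]
}

# Self-contained demo on a constructed source file: acquire, verify, and print
# the hash; returns 1 if verification or a byte-for-byte compare fails.
demo_acquire() {
    work=$(mktemp -d)
    printf 'constructed sample disk content\n' > "$work/source.bin"
    stream=$(acquire_raw "$work/source.bin" "$work/image.raw")
    verify_raw "$work/image.raw" || return 1
    cmp -s "$work/source.bin" "$work/image.raw" || return 1
    printf '%s\n' "$stream"
}
```

For a real acquisition the destination must sit on a separate writable drive, e.g. `acquire_raw /dev/sda /mnt/evidence/sda.raw`, and for fmem a block count is required, e.g. `acquire_raw /dev/fmem /mnt/evidence/ram.raw 4096` for 4 GiB. Check `DEST.log` after the run: dd stops at the first read error, so a records-in count short of the device size means an incomplete image (dd's `conv=noerror,sync` continues past bad sectors, at the cost of zero-filled blocks that make the image hash differ from the source).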
WinFE – Imaging OSX (live)
RAM:
▪ OSXPMEM
  ▪ Supports up to and including 10.9.x
  ▪ Creates a kernel mirror driver (must be extracted onto the local machine to run, or run from an HFS+/exFAT partition)
  ▪ Supports Raw, Mach-O, and ELF formats
1. copy OSXPMem.tar.gz to a local directory
2. tar xvf OSXPMem.tar.gz
3. ./osxpmem -h to give help
4. ./osxpmem memory.dump
WinFE – Imaging OSX (live)
HD:
▪ FTK Imager for Mac
  ▪ CLI only, no GUI
  ▪ Needs to be copied to the local machine to run (or run from an HFS+/exFAT partition)
▪ Mac OSX Forensic Imager
  ▪ Needs to be copied to the local machine to run (or run from an HFS+/exFAT partition)
WinFE - Imaging HDs (booted)
1. Connect an external hard drive (via USB) to the suspect's computer
2. Open "WinFE Write Protect Tool Management Console" and mount this new drive as read/write
NOTE – if this is the first drive you are mounting in WinFE it will be given the drive letter “C”
This drive will now be visible in Windows Explorer
3. Open FTK Imager and image normally
Use Cases – Triage
Even w/o X-Ways or EnCase dongles there are a number of tools to facilitate triage of devices
Apple Bootcamp script allows HFS+ partitions to be seen through WinFE w/o third party tools
Use Cases – Triage
XnView:
▪ Graphic files
▪ Recursively look at directories
▪ Tag files
▪ Create reports
Use Cases – Triage
Nirsoft SearchMyFiles:
▪ Keyword searching
▪ Advanced filtering:
  ▪ Date range
  ▪ File type
  ▪ File size
▪ Context search (binary or text)
▪ Identify encrypted files
▪ Identify duplicates
▪ Create reports (CSV, HTML)
Use Cases – Triage
Email viewing programs:
▪ MiTec MailView
  ▪ DBX, MBX, EML, Thunderbird DB
▪ Kernel Exchange EDB Viewer
  ▪ EDB, STM
▪ Kernel OST Viewer
  ▪ OST
▪ Kernel Outlook PST Viewer
  ▪ PST
▪ Windows MBOX Viewer
  ▪ MBOX
Use Cases – Triage
▪ SQLite
  ▪ SQLite DB Browser
  ▪ SQLiteQ
▪ Microsoft ESE/EDB/JET Blue DB files
  ▪ Nirsoft ESEDatabaseView
Use Cases – Triage
▪ Web browser history
  ▪ Nirsoft BrowsingHistoryView
  ▪ IE (including 10/11), Firefox, Chrome, Safari
▪ Windows Registry
  ▪ Lock And Code RegistryBrowser
  ▪ Mount the suspect's drive as read-only using the Write Protect Tool first
Questions
References
Larson, T. (2008) “How To Build Windows FE With The Windows Preinstallation Environment 2.1”, SysInternals, Microsoft Law Enforcement Portal
Shavers, B. (2010) “The (Nearly) Perfect Forensic Boot CD”, URL: http://www.forensicfocus.com/downloads/WinFE.pdf
Resources
CryptHunter (LE only) - http://www.cert.org/digital-intelligence/tools/crypthunter.cfm?
Kernel Data Recovery Tools - http://www.nucleustechnologies.com/
MiTeC (MailView, SQLiteQ) - http://www.mitec.cz
Nirsoft Suite - http://nirsoft.net/
RegistryBrowser - https://lockandcode.com/software/registry_browser
SQLite Database Browser - http://sourceforge.net/projects/sqlitebrowser/
WinBuilder - http://reboot.pro/files/file/4-winbuilder/
Windows Assessment and Deployment Kit (Windows ADK) - http://www.microsoft.com/en-us/download/details.aspx?id=39982&751be11f-ede8-5a0c-058c-2ee190a24fa6=True
Windows Automated Installation Kit (Windows AIK) - http://www.microsoft.com/en-au/download/details.aspx?id=5753
Windows MBOX Viewer - http://sourceforge.net/projects/mbox-viewer/
WinFE Blog (Brett Shavers) - http://winfe.wordpress.com/
XnView - http://www.xnview.com/en/