As long as I have been acquainting myself with both Window PE building and forensics LiveCD’s I keep stumbling over references to something known as Windows FE (aka. Win FE and WinFE) .
Now, I’m sure if I was a professional forensics investigator I would already have realms of info with this tool.
I’m not and I don’t so I will only speak to what I have discovered so any other curious Win PE builders who come across this reference will have some more detailed information.
Windows FE
From all indications, Windows FE (forensic environment) is a Windows PE based custom build that is offered by Microsoft to forensic examiners and law enforcement officers. It is not publically available.
The official information regarding it seems to suggest that it (and supporting tools) can be obtained from Microsoft only through their “LE Portal”
- FAQ: Computer Online Forensic Evidence Extractor (COFEE) – Microsoft Government page
It provides a Windows PE LiveCD boot environment that allows Windows software to run, along with specific command-line tools that will assist and benefit the forensic examiner.
From all I have read, one of the “special” features is the ability to safely mount media to receive the captured image from a system as well as safe mounting of the host disk to prevent write-back that could harm the integrity of the recovered disk as evidence.
After much work, I finally was able to dig out a link that seems to describe exactly how the Windows FE base disk is built.
The Smoking Gun
- Windows FE – Twine
You might want to download it now just in case it is removed in the future.
That Word doc file is very interesting (to Win PE builders like me) and specifically outlines what makes WinFE (or Win FE) so special: it’s a registry mod (two actually) that prevents modification of any of the media on the booted system.
5. In regedit, go to the HKEY_LOCAL_MACHINE\winfesystem\ControlSet001\Services\MountMgr key, and if the NoAutoMount dword does not exist, create a dword named "NoAutoMount" with a setting of 1. If the key already exists, change the setting to 1 if it is any other value.
6. Next, go to HKEY_LOCAL_MACHINE\winfesystem\ControlSet001\Services\partmgr\Parameters and change the SanPolicy setting to 3. (If the Parameters key does not exist, create it.) At this point, the registry in the mounted .wim file is set to boot and operate without mounting volumes or modifying media.
The rest of the document pretty much is just standard Win PE building stuff you have already read here at GSD blog or other sources.
There was also a link in it to this:
- Forensic Acquisition Utilities – George M Garner Jr.
Last updated September 2008, it contains a collection of tools for Windows-based forensics work.
I haven’t picked through them, but according to the “what’s included” there are at least nine modules that might be worth looking into for forensics students as well as sysadmins (like me) who seek to leverage the tools and techniques of the forensics pros for dealing with system issues, imaging, and malware incidence response events.
Win FE in the Field
Win FE has come up in the Windows Incident Response blog and the comments from time to time.
I also saw mention of it at this post Windows Forensic Environment by Hogfly over at his Forensic Incident Response blog.
I swear I also saw on another forensics-blog and had previously bookmarked/blogged a reference to a third-party sponsored Win FE inspired package that might even have been USB based. However I have been unsuccessful at re-locating it.
However, while hunting this info down, I found a great forensics blog from the UK that made multiple “live-fire” references to using Win FE: Forensics from the sausage factory
- Windows FE – Forensics from the sausage factory blog
- Windows FE saves the day with a Dell Inspiron 530 – Forensics from the sausage factory blog
I know Win FE is being used and touted in the forensics community. It showed up as a topic at the PFIC 2008 conference. Troy Larson is (still ?) a senior forensics investigator in Microsoft’s IT Security group. I’m sure he’s a cool and knowledgeable guy and his association with Microsoft makes perfect sense from the Win PE foundation angle.
My educated guess is that the “troyla” noted in the Word document I found and Troy Larson are one and the same. Cool!
I only wish he would release more gems on Win FE as they might be great for us Win PE builders. I understand the need to keep most of it under wraps for the “LE” (law enforcement) professionals but I bet there is some good stuff in there for system administrators who use Win PE builds in their daily applications.
I also suspect Windows 7 and the enhanced Win PE 3.0 environment will only bring more power and flexibility to this Win FE technique.
New Forensic Blog Finds
And here are some more interesting forensics-related blogs I found (or re-discovered) in the search-process:
- int for(ensic){blog;}
- Push the Red Button
- 8 bits
- Computer Forensics, Malware Analysis & Digital Investigations
- MySecured.com Blog
- Matthieu Suiche's blog
Hope this helps clarify (and expand) the base knowledge about Win FE.
As a Win PE / VistaPE building nut, this is great info to know!
Hope I got the fact right for the Win FE pros.
Cheers!
--Claus V.
0 comments:
Post a Comment