Author Topic: Windows FE  (Read 8585 times)
don
Editor-In-Chief, Administrator
« on: February 26, 2009, 01:37:01 PM »

Quote:

Windows FE is a forensic edition of the Windows PE boot CD. It is forensic because it is not supposed to mount anything automatically. This post will not detail how to create a Windows FE disc because this can be found at the MS LE Portal; however, I want to discuss some elements of why one would use it and also help to get over one or two gremlins.

I have been asked, "Is it another Helix disc?" The answer is: it is similar, but it offers some advantages in certain situations. The main advantage is being able to inject drivers into the ISO prior to burning. This allows you to add drivers for the latest SAS RAID controller or Dell SATA drive controller, for example, which is not always possible in Linux (working on the principle that there are generally more Windows drivers than Linux ones).

You can also add your own forensic tools. I have been able to successfully add a full working copy of EnCase 6.11 (including dongle drivers). Strangely, I have not been able to get FTK Imager to work (subsequently I have - see newer post). I imaged a 149GB hard disk in an Apple MacBook Pro to a 500GB external USB HDD in 2 hours 6 minutes.

For more info:
http://forensicsfromthesausagefactory.blogspot.com/2008/07/windows-fe.html

For an outside opinion, see John Sawyer's article on Dark Reading:
http://darkreading.com/blog/archives/2009/02/winfe_windows_b.html

Don

CISSP, MCSE, CSTA, Security+ SME
Ketchup
Hero Member
« Reply #1 on: February 26, 2009, 02:01:53 PM »

Don, this seems like an interesting idea. Most folks doing forensics these days are ex-government employees. For some reason our government doesn't do much Linux training. This would be a very valuable tool in the forensics world.

I guess we just need a couple of precedents where a Windows FE CD was used and the testimony stood in court.

I was thinking about this after I posted this. One thing that worries me is that Windows is closed source. It also has way too many parts that are completely undocumented. How can we ever be certain that some registry value we didn't consider won't allow an evidence drive to be formatted, or that ScanDisk won't automatically kick in? With *nix, we can at least look at the source code and reasonably say that no, we can't write to the drive if this flag is set.
« Last Edit: February 26, 2009, 03:27:37 PM by Ketchup »

~~~~~~~~~~~~~~
Ketchup
timmedin
Sr. Member
« Reply #2 on: February 26, 2009, 09:07:33 PM »

Quote:
I was thinking about this after I posted this. One thing that worries me is that Windows is closed source. It also has way too many parts that are completely undocumented. How can we ever be certain that some registry value we didn't consider won't allow an evidence drive to be formatted, or that ScanDisk won't automatically kick in? With *nix, we can at least look at the source code and reasonably say that no, we can't write to the drive if this flag is set.

EnCase isn't open source, and it is the big dog in the forensics industry. To be admissible you don't have to look at the source code to prove it; you just have to recreate it in court. If you do the same process over and over again, your results are provably the same.

Whatever happened to Coffee (sp?) that Microsoft released to certain segments of the forensic arena? I can't find much on it.
« Last Edit: February 26, 2009, 09:16:30 PM by timmedin »

twitter.com/timmedin | http://blog.securitywhole.com
Ketchup
Hero Member
« Reply #3 on: February 26, 2009, 09:35:24 PM »

I definitely get your point about EnCase. Windows FE would be a little different, however. The idea is that you would be able to boot from a CD and conduct imaging and investigations on an internal drive. This is particularly useful when it comes to those annoying 12" Sony Vaio laptops. The CD is supposed to make certain that no data gets written to your evidence. It's a software-based write protection method.

With EnCase, you would either use an image, or connect a drive to a hardware write protector.

~~~~~~~~~~~~~~
Ketchup
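Added example, not code from the thread or from the Windows FE project: both Tim's point that an acquisition is defensible because repeating the process gives provably the same result, and Ketchup's worry that some unconsidered Windows component might write to the evidence behind a software write block, come down to the same verification step an examiner performs anyway. Hash the source before imaging, hash the bytes as they stream into the image, hash the source again afterwards, and hash the finished image; four equal digests mean nothing touched the evidence during the copy and the image is faithful, and a second acquisition must reproduce the first. The Python below runs that check against a constructed 1 MiB file standing in for a drive. The `interfere` argument is a hypothetical test hook of my own (not anything Windows FE or a real imager exposes) used only to simulate a background process writing to the evidence mid-copy, so the example also shows what the mismatch looks like when software write protection fails.

```python
"""Acquisition reproducibility check (added example, not from the thread)."""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read/copy granularity; the sample file spans 16 chunks


def sha256_of(path):
    """Hash a file (or block device) in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, dest, interfere=None):
    """Stream-copy source to dest, hashing the bytes as they are read.
    `interfere` is a hypothetical test hook, called once after the first
    chunk, so the demo can simulate something writing to the evidence
    while it is being imaged (the ScanDisk-kicks-in scenario)."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as out:
        first = True
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            out.write(block)
            if first and interfere is not None:
                interfere()
            first = False
    return h.hexdigest()


def verify_acquisition(source, dest, interfere=None):
    """Hash the source before and after imaging and hash the image itself.
    Four matching digests mean the source did not change while it was being
    read and the image is a faithful copy; any mismatch is a red flag."""
    before = sha256_of(source)
    stream = acquire(source, dest, interfere)
    after = sha256_of(source)
    image = sha256_of(dest)
    return {
        "source_before": before,
        "stream": stream,
        "source_after": after,
        "image": image,
        "consistent": before == stream == after == image,
    }


def demo():
    """Three acquisitions of a constructed 1 MiB 'evidence' file: two clean
    passes, which must reproduce each other, and one where a hypothetical
    background process writes to the source mid-copy."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # constructed, deterministic content

        clean1 = verify_acquisition(src, os.path.join(d, "image1.dd"))
        clean2 = verify_acquisition(src, os.path.join(d, "image2.dd"))
        results["clean_consistent"] = clean1["consistent"] and clean2["consistent"]
        results["repeatable"] = clean1["image"] == clean2["image"]

        def scribble():
            # stand-in for an OS component touching the evidence during imaging;
            # offset 900000 has not been read yet when the hook fires
            with open(src, "r+b") as f:
                f.seek(900_000)
                f.write(b"\xff")

        tainted = verify_acquisition(src, os.path.join(d, "image3.dd"), scribble)
        # the before/after source hashes disagree, so the pass is flagged ...
        results["interference_detected"] = not tainted["consistent"]
        # ... even though the image still matches what was actually read
        results["image_matches_stream"] = tainted["image"] == tainted["stream"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of keeping four digests rather than one is diagnostic: a stream/image mismatch points at the imaging tool or the destination media, while a before/after mismatch on the source means the boot environment did not keep the evidence read-only, which is exactly the failure a software write block is supposed to rule out and a hardware write blocker prevents physically. Against a real device the same functions would be pointed at the block device path instead of a temporary file.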