WinPE 3.0 & Forensics

glass1

It is a common task for a computer forensics investigator to boot a machine from bootable media, in the form of a DVD or USB drive, and there are countless options available. This tutorial is not intended to replace your favorite Helix CD or preferred method, but you may find this analysis interesting if you are a Windows expert performing a forensic analysis.

Windows PE (Pre-installation Environment) is a minimal Win32 based operating system, typically used for automating deployments by booting into PE via local or PXE boot methods and then imaging or running installations of various operating systems. Version 3.0 of PE included in the latest Windows Automated Installation Kit (AIK) is based on the Windows 7 kernel.

Getting Started

To get started, you need the AIK which can be downloaded from the Microsoft web site. After the installation, you will need to begin working on creating and customizing a WinPE image for your forensics boot disc/drive.

Make WinPE into WinFE

If you used WinPE as is and booted it up, it would mount available disks and may lead you in the wrong direction in terms of preserving evidence by changing the state of the drives. WinFE, which stands for Windows Forensics Environment, is based on a document written by Troy Larson, a Forensics Specialist at Microsoft. When this document was written, it was geared toward WinPE 2.1, so there are a few differences in some of the steps I will document in this post, which is intended for version 3.0.

The point of WinFE is that the PE environment boots without mounting physical disks. You can then use imaging tools to capture the disk or mount it in read-only mode to run some tools against the target OS immediately without modification to data in the environment, which in this case could be evidence.

Let’s get to it

CopyPE Command

Begin by launching the Deployment Tools Command Prompt (as an administrator). In the following examples, I am using c:\temp\winFE as the path where my PE image is processed, built, etc. The first step is to generate the basic structure and .wim file:

copype.cmd x86 c:\temp\winFE

This command will create the Windows PE customization working directory. The next step is to mount the default image file so that you can make the necessary changes, including the registry settings that ensure disks are not mounted at boot, and add any tools or software you need. AIK Version 3.0 includes dism.exe, which replaces peimg.exe and can be used to mount and unmount images in the same way as imagex.exe:

Dism /Mount-Wim /WimFile:c:\temp\winFE\winpe.wim /index:1 /MountDir:c:\temp\winFE\mount

Mounting Image

This command mounts the PE image in the c:\temp\winfe\mount directory. If you navigate there, you’ll see a Windows directory which is the instance of PE that will boot when you finish the process. We need to make some registry changes to the PE registry to prevent mounting disks on start up.

  • Open up the registry editor, highlight HKEY_LOCAL_MACHINE and click on File, Load Hive.
  • Browse to the mounted PE image and in the Windows\System32\Config directory, choose the file SYSTEM (no extension).
  • Choose a friendly name such as PE-System.

Now under HKEY_LOCAL_MACHINE there will be another hive called PE-System. Make the following changes in this hive:

  • Under \ControlSet001\Services\MountMgr, add a DWORD value named NoAutoMount and set it to 1
  • Under \ControlSet001\Services\partmgr\Parameters, add a DWORD value named SanPolicy and set it to 3

Unload the hive by selecting it and clicking on File, Unload Hive.

Branding

Now with our registry changes made, we can make any additional customizations prior to closing up the image. You can “brand” your forensics boot with custom wallpaper by adding winpe.bmp to the mount\Windows\System32 directory.

Required Tools

With the image mounted, anything you add to c:\temp\winFE\mount (or if you modified it, the directory you used for the mount) will be a part of the image and boot with your PE boot. For example, I like to create a Tools directory under mount, and in there place tools such as FTK Imager Lite, dd, and netcat. You can of course add any tools of your choice.

If you are familiar with Regripper, this would be a good place to have it as you can get some information from the registry before starting any imaging process. You can add a portable version of Perl, such as Strawberry Perl to the tools directory, and add the Regripper tools. I’ll show Regripper in an example later when booting WinFE.

For tools that require a CYGWIN environment, you can add a portable version of CYGWIN to the tools directory and have that environment available in PE.

Custom Scripts

Being that this is a Windows environment, you can write some VBS/WMI scripts to gather some information as well. Since WMI is not added by default to the base WinPE image, you have to add this package:

dism.exe /image:c:\temp\winFE\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe-wmi.cab"

Adding WMI Package

I also added hta and scripting support:

dism.exe /image:c:\temp\winFE\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe-hta.cab" /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe-scripting.cab"

Add Scripting and HTA packages

Here are two examples of some WMI queries you can use in your forensics boot:

  • BIOS.vbs – Retrieves information about the system BIOS.
  • disk.vbs – Retrieves information about disks.

Powershell?

A major issue I have with WinPE is Microsoft’s failure to provide a supported dotNet option. This removes any possibility of using PowerShell or creating custom applications with VB.Net, leaving us with VBS/WMI/VB6 until dotNet support is available.

Finalize the Image

Once the registry changes are made and you’ve added all your tools and software into the mounted directory, you write and close the image:

Dism /Unmount-Wim /MountDir:c:\temp\winFE\mount /Commit

Unmount the Image

Note that this isn’t final: you can always mount the image again, make changes, add new analysis software, etc. using the same steps above, then commit the changes and create a new ISO file.

Copy the resulting winpe.wim file (in c:\temp\winFE) over ISO\sources\boot.wim:

copy c:\temp\winfe\winpe.wim c:\temp\winfe\iso\sources\boot.wim /Y

Generate the ISO

With our image ready, it’s time to generate the ISO. First, we don’t want the usual “Hit any key to boot from CD” message, as we don’t want to risk booting from the local disks. To eliminate this message, delete the file bootfix.bin from the ISO\boot directory (c:\temp\winFE\ISO\boot).

oscdimg -n -bc:\temp\winFE\etfsboot.com c:\temp\winFE\ISO c:\temp\winFE\forensics-boot.iso
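The build steps above, from copype through oscdimg, collected into one batch file. This is an added example, not the post's own script and not Brett Shavers' batch file; it assumes the same c:\temp\winFE working directory and the default x86 AIK install path, and it makes the two registry changes with reg.exe against the offline SYSTEM hive instead of the regedit Load Hive dialog. The c:\temp\tools source folder and the HKLM\PE-System hive name are assumptions.

```batch
@echo off
setlocal
rem Hypothetical WinFE build script (added example). Run from the
rem Deployment Tools Command Prompt as Administrator, with regedit closed.
set WORK=c:\temp\winFE
set PETOOLS=c:\Program Files\Windows AIK\Tools\PETools\x86
set HIVE=HKLM\PE-System

rem 1. Working directory and base winpe.wim (fails if %WORK% already exists)
call copype.cmd x86 %WORK% || goto :fail

rem 2. Mount the image for servicing
dism /Mount-Wim /WimFile:%WORK%\winpe.wim /index:1 /MountDir:%WORK%\mount || goto :fail

rem 3. Load the offline SYSTEM hive and stop disks being mounted at boot
rem    NoAutoMount=1 disables automatic drive-letter assignment,
rem    SanPolicy=3 brings all disks up offline
reg load %HIVE% %WORK%\mount\Windows\System32\config\SYSTEM || goto :fail
reg add %HIVE%\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f
reg add %HIVE%\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 3 /f
reg unload %HIVE% || goto :fail

rem 4. Optional WMI, scripting and HTA support
dism /image:%WORK%\mount /add-package /packagepath:"%PETOOLS%\winpe-wmi.cab" /packagepath:"%PETOOLS%\winpe-scripting.cab" /packagepath:"%PETOOLS%\winpe-hta.cab" || goto :fail

rem 5. Tools folder (assumed staging directory c:\temp\tools)
if exist c:\temp\tools xcopy c:\temp\tools %WORK%\mount\Tools\ /s /e /i /y

rem 6. Commit changes and unmount
dism /Unmount-Wim /MountDir:%WORK%\mount /Commit || goto :fail

rem 7. Stage boot.wim, drop the "press any key" prompt, build the ISO
copy /y %WORK%\winpe.wim %WORK%\ISO\sources\boot.wim
if exist %WORK%\ISO\boot\bootfix.bin del %WORK%\ISO\boot\bootfix.bin
oscdimg -n -b%WORK%\etfsboot.com %WORK%\ISO %WORK%\forensics-boot.iso || goto :fail
echo Built %WORK%\forensics-boot.iso
exit /b 0

:fail
echo Build step failed, see the output above. Unmount with /Discard before retrying.
exit /b 1
```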

This ISO file can now be burned to CD/DVD or used in a VM environment to test it out. If you intend to use a USB drive, you can prepare it by doing the following:

  • In a command prompt, run diskpart
    • select disk # (the # should refer to the USB disk, use “list disk” to determine)
    • clean
    • create partition primary
    • select partition 1
    • active
    • format fs=fat32
    • assign
  • Then, copy the contents of the ISO directory to the USB disk
    • xcopy c:\temp\winFE\iso\*.* /s /e /f e:\ (change e: to reflect the drive of your USB key)

Let’s Boot

Booting WinFE

Take your WinFE boot-ready device and boot a workstation, VM, or machine of your choice. I had a Windows XP VMware instance which was my target device to investigate. I configured VMware to use the ISO for the CD-ROM device and rebooted it.

At first glance, it will look just like Windows 7 booting. Remember, WinPE 3.0 is based on the Windows 7 kernel. When booted, the custom wallpaper configured earlier in the post will display with a command prompt and you will be in the \Windows\System32 directory. This directory is part of the PE operating system, not the target OS we will analyze. Change to the root directory and you will see any directories (such as Tools) created when we customized the PE.

Checking drives in Diskpart


We can double check that the registry key worked and did not mount our target drive. Run diskpart, then type “list vol”. You will see a Volume which is Offline and has no drive letter, perhaps more than one. These are drives we may want to mount read-only and analyze. My VM has a single 8GB drive which is Volume 1, so that is my target.

Set your disk to Read-only

Let’s get this mounted in read-only mode so we can poke around and get some preliminary information prior to imaging. In diskpart, select the target volume (select vol), then set it to read-only (att vol set readonly). Now we can double check with the “detail vol” command, where ‘Read-only’ should show ‘Yes’. We can mount it by assigning a drive letter (let’s assign letter=F). The F: drive is now available in read-only mode, preserving the evidence while giving access to the data, which can be beneficial. When testing this process, try to write to the mounted drive (see screenshot for an example). The message will come back “The media is write protected” if everything is set up properly.
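The read-only mount and write-protection check above, as a diskpart script driven from a batch file run inside WinFE. This is an added example, not from the post; the script name ro-mount.cmd, the volume-number argument and the probe file name are assumptions.

```batch
@echo off
rem Hypothetical helper (added example). Usage inside WinFE:
rem   ro-mount.cmd <volume-number> [letter]     e.g.  ro-mount.cmd 1 F
rem Pick the volume number from "list vol" in diskpart first.
setlocal
if "%~1"=="" (echo usage: %~n0 volume-number [letter] & exit /b 2)
set VOL=%~1
set LETTER=%~2
if "%LETTER%"=="" set LETTER=F
set SCRIPT=%TEMP%\ro-mount.txt

rem diskpart reads its commands from a script file via /s; the
rem read-only attribute is set BEFORE a drive letter is assigned
(
  echo select volume %VOL%
  echo attributes volume set readonly
  echo detail volume
  echo assign letter=%LETTER%
) > "%SCRIPT%"
diskpart /s "%SCRIPT%" || (echo diskpart failed & exit /b 1)

rem Verify the protection: a write must be refused before any tool
rem touches the evidence. copy sets ERRORLEVEL 1 when the write fails.
copy /y nul "%LETTER%:\winfe-write-probe.tmp" >nul 2>&1
if errorlevel 1 (
  echo OK: %LETTER%: refused a write, volume is read-only
  exit /b 0
)
del "%LETTER%:\winfe-write-probe.tmp"
echo WARNING: write to %LETTER%: succeeded, do not proceed with this mount
exit /b 1
```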

Analyze This

Depending on how you customized your WinFE image and what tools you added, you have many options to gather information that can be useful prior to the potentially time-consuming imaging process. I mentioned RegRipper before; this tool can be used to get valuable information from the registry of our target. You could use other varied tools to gather initial data or go straight to imaging software such as FTK Imager Lite. Here are some screenshots of the various tools running in WinFE:

RegRipper in WinFE w/ Strawberry Perl

FTK Imager Lite

CygWin in WinFE

VolumeDump from George M. Garner Jr's FAU

Finally

Ultimately, this was an exercise in reviewing ways that WinPE can be used for forensic purposes. It is another option to be aware of, and for those more at home in a Microsoft environment this may be your preferred boot method. Hopefully, Microsoft will create a dotNet cab file that can be added as a package to WinPE, as this would create further options for writing Win32 dotNet programs to run within the WinFE environment and open up PowerShell for scripting within WinPE.


UPDATES

16 April 2010 – Brett Shavers shared a link with us that includes a great instructional PDF and even a batch file to create the WinFE ISO for you.

Filed Under: Forensics


Comments (20)


  1. [...] more here: WinPE 3.0 & Forensics Posted in Security News Tags: custom, data, forensics, image, microsoft, mounted, program-files, [...]

  2. Neo_L says:

    uhhh…too hard for me(

  3. novunix says:

    good post, i’m going to try this

  4. [...] in UseSimon posted to the Praetorian Prefect blog recently regarding WinPE. In his post, Simon described installing and using RegRipper from the [...]

  5. Brett Shavers says:

    Nice write up on WinFE. Regarding the comment of this being too hard, I have a similar paper on WinFE that details a sample batch file that automates nearly the entire process. http://www.forensicfocus.com/downloads/WinFE.pdf

    And its good to see that Windows FE is finally getting the attention I believe it deserves as a tool in the forensic toolbox.

  6. [...] WinPE 3.0 & Forensics – praetorianprefect.com You may find this analysis interesting if you are a Windows expert performing a forensics analysis. [...]

  7. Howard Patterson says:

    When I have attempted this, using both a Vista SP1 and Win7 machine, the resultant iso won’t boot properly and doesn’t contain the tools I copied to the mount directory. I have used both the imagex and dism methods, and both fail.

    • Brett Shavers says:

      A potential cause could be that the files were copied onto the other .wim file. I’ll send you a batch file that automates the entire process (send me an email so I know where to share the file). I’ve not had any problems using the batch file I wrote; you are free to use it.

  8. Tom says:

    Brett,

    One thing I am missing is the concept of how to add tools to the \Winfe folder. I would like to start with something simple like FTK Imager.

    Can you help or provide some direction? I would really like to try this as a proof of concept before jumping ship to WINE.

    Thanks!

  9. I’ve received enough requests about WinFE and a batch file to put it online at http://winfe.tk/. Feel free to use the information and download the batch file and notes as needed. Most everyone that tried WinFE says they won’t use anything else ;)

  10. Troy says:

    Thanks.

    I have held off on publishing Windows FE 3 instructions while I was researching some differences in volume mounting behavior between Vista and Windows 7. However, it was always my wish that the forensics community build on Windows FE–that is why I only put out the most basic instructions.

  11. You definitely started something (your wish has been granted…).

  12. ELDI says:

    I made this small program in Java to use the Dism.exe present in Windows 7 with a GUI or Visual Mode.

    Download Link: GDism ELDI v2.2 Final: http://www.mediafire.com/?uvxd4dk6kuv9ian

    Commands you can use in GUI or Visual Mode: Mount-Wim, Commit-Wim, Unmount-Wim, Get-WinInfo, Get-MountedWinInfo, CleanUp-Wim, Get-Packages, Add-Package, Remove-Package, Get-Drivers, Get-DriverInfo, Add-Driver, Remove-Driver, Make ISO. You must have the JRE (Java Runtime Environment) installed.

    @ByELDI

    v2.2 Progress Bar Time Counter

    v2.1 Fixed iso making Menu translated Button Cancel Process

    v2.0 Better Interface for results text Make iso image with oscdimg Support WAIK Support x64 Better Config File Size reduced

    v1.4 Fixed Process on wait list Config File

    v1.3 Translate English-Espanol Multiples Process Waiting

    v1.2 Fixed Drivers Functions

    http://www.mediafire.com/?uvxd4dk6kuv9ian

  13. Thanks. Definitely going to try this.

  14. [...] answer has come from a this site, to edit the registry hive from regedit itself.  Here is how I have done it (thus [...]

  15. JK says:

    I enjoyed this article. Very well written and informative.

    I have a related question that I can’t find an answer to thus far. Maybe somebody in this area can comment as it is very closely related.

    Is it possible with Win PE to do the following:

    1) Boot a PC to a small disk (C:) running Win PE
    2) Do some calculations
    3) Then, using Win PE or some script/whatever/however, start a Windows 7 boot from logical drive (D:), where D: has a full copy of Windows 7 installed

    This is a key thing in being able to build something very much needed here. I have read where Win PE will reboot after 72 hours automatically. I only want it to boot, do a calculation, then activate my Windows 7 OS, then simply exit Win PE.

    Thanks for any help or direction