It is a common task for a computer forensics investigator to boot a machine using bootable media in the form of a DVD or USB drive, and there are countless options available. This tutorial is not intended to replace your favorite Helix CD or preferred method, but you may find this analysis interesting if you are a Windows expert performing a forensic analysis.
Windows PE (Pre-installation Environment) is a minimal Win32-based operating system, typically used for automating deployments by booting into PE via local or PXE boot methods and then imaging or running installations of various operating systems. Version 3.0 of PE, included in the latest Windows Automated Installation Kit (AIK), is based on the Windows 7 kernel.
To get started, you need the AIK which can be downloaded from the Microsoft web site. After the installation, you will need to begin working on creating and customizing a WinPE image for your forensics boot disc/drive.
Make WinPE into WinFE
If you used WinPE as is and booted it up, it would mount available disks and may lead you in the wrong direction in terms of preserving evidence by changing the state of the drives. WinFE, which stands for Windows Forensics Environment, is based on a document written by Troy Larson, a Forensics Specialist at Microsoft. When this document was written, it was geared toward WinPE 2.1, so there are a few differences in some of the steps I will document in this post, which is intended for version 3.0.
The point of WinFE is that the PE environment boots without mounting physical disks. You can then use imaging tools to capture the disk or mount it in read-only mode to run some tools against the target OS immediately without modification to data in the environment, which in this case could be evidence.
Let’s get to it
Begin by launching the Deployment Tools Command Prompt (as an administrator). In the following examples, I am using c:\temp\winFE as the path where my PE image is processed, built, etc. The first step is to generate the basic structure and .wim file:
copype.cmd x86 c:\temp\winFE
This command will create the Windows PE customization working directory. The next step is to mount the default image file so that you can make the necessary changes: change the registry settings so that disks are not mounted at boot, and add any tools or software you need. AIK Version 3.0 includes dism.exe, which replaces peimg.exe and can be used to mount and unmount images like imagex.exe:
Dism /Mount-Wim /WimFile:c:\temp\winFE\winpe.wim /index:1 /MountDir:c:\temp\winFE\mount
This command mounts the PE image in the c:\temp\winfe\mount directory. If you navigate there, you’ll see a Windows directory which is the instance of PE that will boot when you finish the process. We need to make some registry changes to the PE registry to prevent mounting disks on start up.
- Open up the registry editor, highlight HKEY_LOCAL_MACHINE and click on File, Load Hive.
- Browse to the mounted PE image and in the Windows\System32\Config directory, choose the file SYSTEM (no extension).
- Choose a friendly name such as PE-System.
Now under HKEY_LOCAL_MACHINE there will be another hive called PE-System. Make the following changes in this hive:
- Under \ControlSet001\Services\MountMgr\, add a DWORD value named NoAutoMount and set it to 1
- Under \ControlSet001\Services\partmgr\Parameters, add a DWORD value named SanPolicy and set it to 3
Unload the hive by selecting it and clicking on File, Unload Hive.
Now with our registry changes made, we can make any additional customizations prior to closing up the image. You can “brand” your forensics boot with custom wallpaper by adding winpe.bmp to the mount\Windows\System32 directory.
With the image mounted, anything you add to c:\temp\winFE\mount (or if you modified it, the directory you used for the mount) will be a part of the image and boot with your PE boot. For example, I like to create a Tools directory under mount, and in there place tools such as FTK Imager Lite, dd, and netcat. You can of course add any tools of your choice.
If you are familiar with Regripper, this would be a good place to have it as you can get some information from the registry before starting any imaging process. You can add a portable version of Perl, such as Strawberry Perl to the tools directory, and add the Regripper tools. I’ll show Regripper in an example later when booting WinFE.
For tools that require a CYGWIN environment, you can add a portable version of CYGWIN and have this environment available in PE.
Being that this is a Windows environment, you can write some VBS/WMI scripts to gather some information as well. Since WMI is not added by default to the base WinPE image, you have to add this package:
dism.exe /image:c:\temp\winFE\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe-wmi.cab"
I also added hta and scripting support:
dism.exe /image:c:\temp\winFE\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe-hta.cab" /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe-scripting.cab"
Here are two examples of some WMI queries you can use in your forensics boot:
- BIOS.vbs – Retrieves information about the system BIOS.
- disk.vbs – Retrieves information about disks.
A major issue I have with WinPE is Microsoft’s failure to provide a supported dotNet option. This removes any possibility of using PowerShell or creating custom applications with VB.Net. This leaves us with vbs/wmi/VB6 until dotNet support is available.
Finalize the Image
Once the registry changes are made and you’ve added all your tools and software into the mounted directory, you write and close the image:
Dism /Unmount-Wim /MountDir:c:\temp\winFE\mount /Commit
Note that this isn’t final, you can always mount the image again, make changes, add new analysis software, etc. using the same steps above, then commit the changes and create a new ISO file.
Copy the resulting winpe.wim file (c:\temp\winfe) into ISO\Sources\boot.wim:
copy c:\temp\winfe\winpe.wim c:\temp\winfe\iso\sources\boot.wim /Y
Generate the ISO
With our image ready, it’s time to generate the ISO. First, we don’t want the usual “Hit any key to boot from CD message” as we don’t want to risk booting from the local disks. To eliminate this message, delete the file bootfix.bin from the ISO\boot directory (c:\temp\winFE\ISO\boot).
oscdimg -n -bc:\temp\winFE\etfsboot.com c:\temp\winFE\ISO c:\temp\winFE\forensics-boot.iso
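The build steps above collected into one batch script, as an added example that is not from the original post or from the AIK itself. It replaces the regedit GUI steps with reg.exe, assumes the c:\temp\winFE and AIK paths used in this post, and optionally copies a Tools directory and a winpe.bmp placed next to the script.

```batch
@echo off
setlocal
rem build-winfe.cmd: run from the Deployment Tools Command Prompt as administrator.
rem Paths below are the ones used in the post; adjust WORK and PETOOLS as needed.
set WORK=c:\temp\winFE
set MNT=%WORK%\mount
set PETOOLS=c:\Program Files\Windows AIK\Tools\PETools\x86

if exist "%WORK%" (echo %WORK% already exists; remove it first. & exit /b 1)
call copype.cmd x86 "%WORK%"
if not exist "%WORK%\winpe.wim" (echo copype.cmd did not produce winpe.wim & exit /b 1)

dism /Mount-Wim /WimFile:"%WORK%\winpe.wim" /index:1 /MountDir:"%MNT%" || exit /b 1

rem Registry changes from the post, done with reg.exe instead of the regedit GUI.
rem The hive must be unloaded again before DISM commits the image.
reg load HKLM\PE-System "%MNT%\Windows\System32\Config\SYSTEM" || goto :fail
reg add HKLM\PE-System\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f
reg add HKLM\PE-System\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 3 /f
reg unload HKLM\PE-System

rem Optional packages: WMI, HTA and scripting support.
dism /image:"%MNT%" /add-package /packagepath:"%PETOOLS%\winpe-wmi.cab"
dism /image:"%MNT%" /add-package /packagepath:"%PETOOLS%\winpe-hta.cab" /packagepath:"%PETOOLS%\winpe-scripting.cab"

rem Optional: a Tools directory and custom wallpaper placed next to this script (assumption).
if exist "%~dp0Tools" xcopy "%~dp0Tools" "%MNT%\Tools\" /s /e /i /y
if exist "%~dp0winpe.bmp" copy /y "%~dp0winpe.bmp" "%MNT%\Windows\System32\winpe.bmp"

rem Commit the image, stage it as boot.wim, drop the "press any key" prompt, build the ISO.
dism /Unmount-Wim /MountDir:"%MNT%" /Commit || exit /b 1
copy /y "%WORK%\winpe.wim" "%WORK%\ISO\sources\boot.wim"
if exist "%WORK%\ISO\boot\bootfix.bin" del "%WORK%\ISO\boot\bootfix.bin"
oscdimg -n -b"%WORK%\etfsboot.com" "%WORK%\ISO" "%WORK%\forensics-boot.iso"
goto :eof

:fail
rem Hive could not be loaded: discard the mount so no half-modified image is left behind.
dism /Unmount-Wim /MountDir:"%MNT%" /Discard
exit /b 1
```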
This ISO file can now be burned to CD/DVD or used in a VM environment to test it out. If you intend to use a USB drive, you can prepare it by doing the following:
- In a command prompt, run diskpart
- select disk # (the # should refer to the USB disk, use “list disk” to determine)
- create partition primary
- select partition 1
- format fs=fat32
- Then, copy the contents of the ISO directory to the USB disk
- xcopy c:\temp\winFE\iso\*.* /s /e /f e:\ (change e: to reflect the drive of your USB key)
Take your WinFE boot-ready device and boot a workstation, VM, or machine of your choice. I had a Windows XP VMware instance which was my target device to investigate. I configured VMware to use the ISO for the CD-ROM device and rebooted it.
At first glance, it will look just like Windows 7 booting. Remember, WinPE 3.0 is based on the Windows 7 kernel. When booted, your custom wallpaper configured earlier in the post will display with a command prompt and you will be in the \Windows\System32 directory. This directory is part of the PE operating system, not the target OS which we will analyze. Change to the root directory and you will see any directories created (such as Tools) when we customized the PE.
We can double check that the registry key worked and did not mount our target drive. Run diskpart, then type “list vol”. You will see a Volume which is Offline and has no drive letter, perhaps more than one. These are drives we may want to mount read-only and analyze. My VM has a single 8GB drive which is Volume 1, so that is my target.
Let’s get this mounted in read-only mode so we can poke around and get some preliminary information prior to imaging. In diskpart, select the target volume (select vol), then set it to readonly (att vol set readonly). Now we can double check with the “detail vol” command, where ‘Read-only’ should say ‘Yes’. We can mount this by assigning a drive letter (let’s assign letter=F). The F: drive is now available in read-only mode, preserving the evidence but giving access to the data that can be beneficial. In testing this process, try to write to the mounted drive (see screenshot for example). The message will come back “The media is write protected” if everything is set up properly.
Depending on how you customized your WinFE image, and what tools you added, you have many options to gather some information that can be useful prior to the potentially time consuming imaging process. I mentioned RegRipper before; this tool can be used to get valuable information from the registry of our target. You could use other varied tools to gather initial data or go straight to imaging software such as FTK Imager Lite. Here are some screenshots of the various tools running in WinFE:
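The read-only mount and write-protect check described above, wrapped in a small batch script around diskpart script files. This is an added example, not from the original post; it is meant to run inside the booted WinFE, takes the volume number (from “list vol”) and the drive letter as arguments, assumes %TEMP% on the WinPE RAM disk is writable, and refuses to assign a letter unless “detail volume” reports Read-only as Yes.

```batch
@echo off
setlocal
rem mount-ro.cmd VOLUME LETTER   e.g.  mount-ro.cmd 1 F
rem Assumption: %TEMP% inside WinFE is writable (the X: RAM disk).
if "%~2"=="" (
  echo usage: %~nx0 ^<volume number from "list vol"^> ^<drive letter^>
  exit /b 1
)
set VOL=%~1
set LTR=%~2
set SCRIPT=%TEMP%\winfe-ro.txt

rem Step 1: set the read-only attribute first, then dump the volume details.
(
  echo select volume %VOL%
  echo attributes volume set readonly
  echo detail volume
) > "%SCRIPT%"
diskpart /s "%SCRIPT%" | find /i "Read-only" | find /i "Yes" > nul
if errorlevel 1 (
  echo Volume %VOL% is not read-only; refusing to assign a drive letter.
  exit /b 1
)

rem Step 2: only now expose the volume under a drive letter.
(
  echo select volume %VOL%
  echo assign letter=%LTR%
) > "%SCRIPT%"
diskpart /s "%SCRIPT%" > nul

rem Step 3: the write test from the post. On a correct setup the write fails
rem ("The media is write protected") and no file appears.
echo test > "%LTR%:\winfe-write-test.txt" 2> nul
if exist "%LTR%:\winfe-write-test.txt" (
  echo WARNING: write to %LTR%: succeeded; the evidence volume is NOT protected.
  del "%LTR%:\winfe-write-test.txt"
  exit /b 2
)
echo %LTR%: is mounted read-only.
del "%SCRIPT%"
```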
Ultimately, this was an exercise in reviewing ways that WinPE can be used for forensic purposes. It is another option to be aware of, and for those who are more apt to a Microsoft environment this may be your preferred boot method. Hopefully, Microsoft will create a dotNet cab file that can be added as a package to WinPE, as this would create further options for creating Win32 dotNet programs to run within the WinFE environment and opening up Powershell for scripting within WinPE.
16 April 2010 – Brett Shavers shared a link with us that includes a great instructional PDF and even a batch file to create the WinFE ISO for you.
Filed Under: Forensics