Saturday, August 16, 2008

Windows Forensic Environment

Not much coverage on this yet...and I don't really know why.

The Windows Forensic Environment is based on the Windows OPK or AIK depending on your affiliation. I'm not an OEM so I got to use the AIK. I can't share many details on building this environment right now as I don't have my documentation on hand however consider the possibilities. We may have something on our hands now that can give Windows users a fair chance at reasonable forensics using a bootable CD. Sure we've had Helix for quite a while now and it's been great, but if you've ever trained people in using linux when they are completely unfamiliar with it, the odds that you'll get blank stares is high. Dos prompts are more familiar to many people, as are programs like encase (which works really well in the environment). X-ways Forensics works as well, as does F-response - which provides an interesting opportunity for using this as a known clean environment in a VM and a live capture scenario. Unfortunately FTK does not function as a result of the codemeter USB key. At least Imager Lite works though. It's been noted that the environment has a strong affinity for modifying the disks in the system so if you're using this, do some heavy testing. I'll have more information on this later.

3 comments:

Anonymous said...

Thanks. Let me know if you have any questions. I am working on the next version of the documentation. The first version doesn't do much more than explain how to make Windows FE.

Windows FE usage mostly revolves around Diskpart. In fact Diskpart is what makes Windows FE possible.

Anonymous said...

You should be aware that Windows FE is not "forensically sound". You can prove this by booting any non-Windows system and take a hash of the drive(s) before and after booting the system with Windows FE.

ForensicSoft makes the only forensically sound write-blocked Windows boot disk in existence.

Anonymous said...

How do you know that the hash difference is attributable to Windows FE as opposed to the changes that normally take place each time a system boots. For example, each new boot would have changes such as different DHCP leases, Event log entries and so on.