Windows Forensic Environment On-Scene Triage

Law enforcement agencies strive to equip first responders with the tools and training they need to investigate a crime scene that has a technology component. WinFE (Windows Forensic Environment) is one such tool. Using a USB thumb drive that has been preconfigured with WinFE, investigators can preview a suspect computer in the field to determine whether the device holds any evidence of criminal activity. WinFE is forensically sound, meaning it does not alter the suspect computer in any way. The ability to run a preview in the field saves agencies both time and money. This course walks investigators through the steps of building a bootable USB device that can be used in the field to rule out a computer’s role in a case. Through discussion and hands-on training, students learn how to build forensic environments for Microsoft Windows versions 7 and 8.1.

Audience: Law enforcement officers, investigators, analysts and forensic examiners
Prerequisites: Background in online investigations; understanding of, and experience with, a basic computer crime scene.
Length: 2.5 days
Difficulty: Intermediate-to-advanced


Introduction to the Windows Forensic Environment

The course begins with some of the history behind the WinFE project. You’ll see what makes WinFE forensically sound and why it can be used in investigations. You’ll learn about the different kinds of WinFE builds you may need, and we’ll explain the pieces that go into making a build.

WinBuilder Setup and Configuration

WinBuilder is the software application that we use to build and customize bootable versions of the Windows operating system. We’ll provide you with a preconfigured version of the software so that you can build your own version of WinFE (based on Windows 8.1) in class. Note that we use a trial version of Windows 8.1 Enterprise in the course; you will need your own copy of Windows 8.1 Professional once you leave the class.

Building WinFE 8.1

Once we’ve got our folder structure and scripts in place, we’ll walk you through the steps of running WinBuilder to create a bootable USB device. We’ll also show you how to create an ISO (.iso) file that can be burned to a CD/DVD as an alternative to using a USB device. An ISO image is an exact copy of an operating system, in a compressed format. During investigations you may encounter an older computer that cannot boot from USB, in which case you will need to use a WinFE CD/DVD instead.

The On-Scene Decision Tree

You arrive on a crime scene and there’s a computer in the room. Do you know the steps to take to properly secure the potential evidence? Digital evidence can be found on media attached to a computer: an external hard drive, a flash drive, a floppy disk. It can also be found in the computer’s memory, if the system is powered on. We’ll walk you through the steps you should take when confronted with a computer on-scene. Your actions will differ depending on whether it’s a live (powered-on) box or a dead (powered-off) box.

Adding Live Response Tools to WinFE 8.1

Once we’ve created a WinFE 8.1 USB drive, “live” tools can be added to the build so that the same drive serves both live-box and dead-box investigations. We’ll walk you through the steps of making our WinFE 8.1 USB drive a dual-purpose triage tool that can be used to 1) triage a live system to detect encryption and capture a RAM image; and 2) conduct a forensically sound triage of a rebooted or dead system.

Live System Triage

Volatile data is what’s found in a computer’s random access memory (RAM). It requires power to survive, and is lost if it’s not recovered before powering down. RAM can include important information that may help your case: past and present network settings, passwords, browser history, documents or document fragments, segments of chats, evidence of P2P file sharing activity, and more. We’ll walk you through the steps of capturing RAM, and introduce you to two free tools that can be used for RAM capture. We’ll also talk about encryption, and show you some tools you can use to detect encryption on a suspect computer. 

Previewing with Field Search and osTriage2

Now that we’ve got our forensic environment created, we can safely preview a suspect’s computer to determine if it contains evidence of criminal activity. We’ll show you how to use Field Search, a free tool that was developed by the National Law Enforcement and Corrections Technology Center. It was developed for field use by non-technical law enforcement personnel, and is especially useful in assisting probation and parole officers in sex offender management. We’ll also show you osTriage2, another powerful previewing tool. Running an osTriage2 scan will yield valuable information about the computer, the network, and computer content. Having this information will help you conduct a more informed interview with your suspect. 

Booting WinFE 8.1, Previewing and Validation

In this course block, we’ll show you some of the more technical aspects of how WinFE works. We start by demonstrating how to control the computer’s boot sequence so that you preserve the suspect computer in its current state. Then we’ll show you how to launch WinFE 8.1, and you’ll see how the write-protect tool controls access to the evidence device. We’ll walk you through the steps of mounting a device, and you’ll learn the distinctions between read-only and read/write drives. We’ll demonstrate how to validate that a device is read-only and write-protected, thus making it forensically sound. We’ll also show you how to image a drive so that you can make an exact duplicate of it. You’ll see how to add a device to hold your evidence files or a duplicate image of a device.
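The validation step described above can be scripted from inside the booted forensic environment. The following PowerShell is an added example written for this page; it is not part of the SEARCH course materials or of the WinFE write-protect tool. It assumes a Windows 8.1-based WinFE in which the PowerShell Storage module (Get-Disk) is available, that the evidence disk has already been brought online read-only by the write-protect tool, and that the disk number and image paths used below are placeholders you replace with your own.

```powershell
# Added example (not part of the course or WinFE). Assumes the PowerShell
# Storage module is present in the forensic environment; disk number and
# file paths are placeholders.

# Report every attached disk with the two flags that matter for forensic
# soundness: IsOffline (Windows will not mount or touch it) and IsReadOnly
# (the disk is write-protected even when online).
function Get-DiskProtectionReport {
    Get-Disk |
        Select-Object Number, FriendlyName,
            @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } },
            IsOffline, IsReadOnly, IsBoot, IsSystem
}

# Return $true only when the named disk is safe to examine: it is either still
# offline, or it is online but flagged read-only. Anything else is a stop sign.
function Test-EvidenceDiskProtected {
    param([Parameter(Mandatory)][int]$DiskNumber)

    $disk = Get-Disk -Number $DiskNumber
    if ($disk.IsOffline)  { return $true }   # offline: nothing can write to it
    if ($disk.IsReadOnly) { return $true }   # online but write-protected
    Write-Warning "Disk $DiskNumber is online and writable; do not proceed."
    return $false
}

# Validate the protection the way the course block describes: compare the
# hash of the image taken before the preview with the hash of an image taken
# afterwards. Equal hashes show the device was not altered. (A raw physical
# disk cannot be passed to Get-FileHash, so the image files are compared.)
function Compare-ImageHash {
    param(
        [Parameter(Mandatory)][string]$ImagePath,        # image made after the preview
        [Parameter(Mandatory)][string]$ExpectedSha256    # hash recorded by the imaging tool beforehand
    )
    $actual = (Get-FileHash -LiteralPath $ImagePath -Algorithm SHA256).Hash
    return ($actual -eq $ExpectedSha256.ToUpper())
}

# --- usage ---------------------------------------------------------------
$EvidenceDisk = 1                       # placeholder: read the real number from the report

Get-DiskProtectionReport | Format-Table -AutoSize

if (-not (Test-EvidenceDiskProtected -DiskNumber $EvidenceDisk)) {
    throw "Evidence disk $EvidenceDisk is not write-protected; stop here."
}

# Placeholders: the post-preview image and the hash your imaging tool logged before the preview.
$unchanged = Compare-ImageHash -ImagePath 'E:\images\evidence-after.dd' `
                               -ExpectedSha256 '<sha256 recorded before preview>'
if (-not $unchanged) { Write-Warning 'Image hashes differ; the device was modified.' }
```

If the Storage module is not available in your build, diskpart shows the same flags: `select disk N` followed by `attributes disk` prints the disk’s current read-only state, which you can record in your notes alongside the image hashes.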

WinFE 7: Introduction, Building, Booting, Previewing and Validation

Each version of Windows requires its own version of Windows forensic environment. On our final day, we will repeat the steps taken earlier in the course and build a WinFE for Windows 7. While many of the steps are similar to those taken to create WinFE 8.1, there are differences that you will need to note. We’ll walk you through the boot sequence, startup, mounting a device, changing attributes, imaging a drive, and running a preview using WinFE 7.

Karen Lissy

Ms. Karen Lissy is a Justice Information Services Specialist for the Law and Policy Program of SEARCH, The National Consortium for Justice Information and Statistics. In this position, she provides assistance to state and local justice and public safety agencies to collect, curate, and use National Incident-Based Reporting System (NIBRS) data and computerized criminal history record (CCH/CHRI) information for policy analysis and development.

She also guides justice and related organizations in how to craft and implement laws, policies, practices, and technology applications to effectively collect and use CCH and related justice/public safety data; address legal, policy, and regulatory issues associated with CCH data; better manage and operate criminal justice information and identification systems; and develop security and privacy policies that protect justice information sharing systems.

Ms. Lissy has nearly two decades of research and data analysis experience, having led projects and tasks in support of two agencies within the U.S. Department of Justice’s Office of Justice Programs (the Bureau of Justice Statistics and National Institute of Justice), as well as the Centers of Disease Control and Prevention, and multiple foundations, including Ford, Annie E. Casey, and Hewlett. Prior to joining SEARCH in October 2020, Ms. Lissy served as a Social Science Researcher at RTI International, as a regional Crime Analyst for the Redmond (WA) Police Department, and as Director of a research program with the Harvard Center for Risk Analysis. Beginning in 2012, Ms. Lissy’s work has focused on improving data in law enforcement to answer policy questions and improve community/police relations.

Ms. Lissy earned a Bachelor’s degree in Public Policy from Duke University, and a Master’s in Public Health from the University of North Carolina at Chapel Hill.

Michael Mackay

Mr. Michael Mackay is an Information Sharing Developer for SEARCH, The National Consortium for Justice Information and Statistics. As part of the Software and Data Engineering Program (SDEP) team, he plans, develops, implements, and deploys information sharing systems on behalf of SEARCH clients in local, state, tribal, and Federal government settings. He also provides programming, configuration, and testing assistance, and consults on implementation architecture and design with clients. 

Mr. Mackay supports justice, public safety, and homeland security information sharing nationwide through SDEP services that include software architecture and systems design, application development, deployment and support, data management services, and direct technical assistance and training. These services offer capabilities that include federated query, authentication access/control, subscription/notification, process/workflow automation, data analysis, and more. 

Prior to joining SEARCH in 2021, Mr. Mackay worked as a Software Engineering Intern for TDM Business Toole Suite, where he provided software development support using Java frameworks, implemented relational database models using MySQL, and designed GUI components using NetBeans. 

Mr. Mackay will work in an Agile development environment, a methodology that SEARCH embraces that focuses on incremental development and delivery, collaboration in a team approach, and rapid and flexible response to change throughout the development cycle. 

Mr. Mackay earned a bachelor’s degree in Computer Science and Applied Mathematics and Statistics from Stony Brook University, New York.