Windows Forensic Environment On-Scene Triage

Law enforcement agencies strive to equip first responders with the tools and training they need to investigate a crime scene that has a technology component. WinFE (Windows Forensic Environment) is a tool that helps with that. By using a USB thumb drive that has been preconfigured with WinFE, investigators can preview a suspect computer in the field to determine whether the device holds any evidence of criminal activity. WinFE is designed to be forensically sound: it boots from the USB drive and does not write to the suspect computer’s internal storage, provided the write protection it relies on is applied and verified, which this course teaches. Having the ability to run a preview in the field saves agencies both time and money. This course walks investigators through the steps of building a bootable USB device that can be used in the field to rule out a computer’s role in a case. Through discussion and hands-on training, students learn how to build forensic environments based on Microsoft Windows versions 7 and 8.1.

Audience: Law enforcement officers, investigators, analysts and forensic examiners
Prerequisites: Background in online investigations; understanding of, and experience with, a basic computer crime scene.
Length: 2.5 days
Difficulty: Intermediate-to-advanced


Introduction to the Windows Forensic Environment

The course begins with some of the history behind the WinFE project. You’ll see what makes WinFE forensically sound and why it can be used in investigations. You’ll learn about the different kinds of WinFE builds you may need, and we’ll explain the pieces that go into making a build.

WinBuilder Setup and Configuration

WinBuilder is the software application that we use to build and customize bootable versions of the Windows operating system. We’ll provide you with a preconfigured version of the software so that you can build your own version of WinFE (based on Windows 8.1) in class. Note that we use a trial version of Windows 8.1 Enterprise in the course and you will need your own version of Windows 8.1 Professional once you leave the class. 

Building WinFE 8.1

Once we’ve got our folder structure and scripts in place, we’ll walk you through the steps of running WinBuilder to create a bootable USB device. We’ll also show you how to create an ISO (.iso) file that can be burned to a CD/DVD as an alternative to a USB device. An ISO image is a sector-by-sector copy of an optical disc’s file system, not a compressed archive; it carries the same WinFE build that goes onto the USB drive. During investigations you may encounter an older computer that cannot boot from USB, and then you will need a WinFE CD/DVD instead.
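The property that separates a WinFE build from a plain WinPE build is a pair of registry values inside the boot image: NoAutoMount, which stops Mount Manager from mounting volumes and assigning drive letters on its own, and SanPolicy set to OfflineAll, which makes every disk other than the boot disk come up offline. The WinBuilder scripts used in class apply these for you. The script below is an added example, not the course’s WinBuilder scripts or any WinFE project code; it applies the same two values by hand to a boot.wim, reads them back before committing, and discards the change if verification fails. The image path, mount directory and hive name are assumptions, and it must run as Administrator on a build machine with the Windows ADK (DISM) installed.

```powershell
# Added example (not the course's WinBuilder scripts): apply and verify the two registry
# values that turn a WinPE image into a WinFE image. Run as Administrator on the build box.
# Assumed (hypothetical) paths and names:
$Wim   = 'C:\WinFE\media\sources\boot.wim'   # the PE boot image produced by the build
$Mount = 'C:\WinFE\mount'                    # an empty directory to mount the image into
$Hive  = 'WinFE_SYSTEM'                      # temporary name for the image's offline SYSTEM hive

New-Item -ItemType Directory -Force -Path $Mount | Out-Null
dism.exe /Mount-Wim /WimFile:$Wim /Index:1 /MountDir:$Mount
if ($LASTEXITCODE -ne 0) { throw "DISM could not mount $Wim" }

$verified = $false
try {
    reg.exe load "HKLM\$Hive" "$Mount\Windows\System32\config\SYSTEM" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'could not load the offline SYSTEM hive' }

    # An offline hive has no CurrentControlSet link; Select\Default names the live control set.
    $cs       = (Get-ItemProperty "HKLM:\$Hive\Select").Default
    $csKey    = "HKLM:\$Hive\ControlSet{0:D3}" -f $cs
    $mountMgr = "$csKey\Services\MountMgr"
    $partMgr  = "$csKey\Services\partmgr\Parameters"
    if (-not (Test-Path $partMgr)) { New-Item -Path $partMgr | Out-Null }

    # NoAutoMount = 1: Mount Manager assigns no drive letters and mounts no volumes by itself.
    Set-ItemProperty -Path $mountMgr -Name NoAutoMount -Value 1 -Type DWord
    # SanPolicy = 3 (OfflineAll): partmgr leaves every disk except the boot disk offline at startup.
    Set-ItemProperty -Path $partMgr -Name SanPolicy -Value 3 -Type DWord

    # Read both values back before anything is committed to the image.
    $verified = ((Get-ItemProperty $mountMgr).NoAutoMount -eq 1) -and
                ((Get-ItemProperty $partMgr).SanPolicy -eq 3)
}
finally {
    [gc]::Collect()                       # drop PowerShell's handles so the hive can be unloaded
    [gc]::WaitForPendingFinalizers()
    reg.exe unload "HKLM\$Hive" | Out-Null
}

if ($verified) {
    dism.exe /Unmount-Wim /MountDir:$Mount /Commit
} else {
    dism.exe /Unmount-Wim /MountDir:$Mount /Discard
    throw 'registry verification failed; the image was left unchanged'
}
```

These two values keep disks from being touched automatically at boot; they do not by themselves make a disk read-only, which is why the on-scene write-protect and validation steps later in the course still matter.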

The On-Scene Decision Tree

You arrive on a crime scene and there’s a computer in the room. Do you know the steps to take so that you properly secure the potential evidence? Digital evidence can be found on media attached to a computer: an external hard drive, a flash drive, a floppy disk. It can also be found in the computer’s memory, if the system is powered on. We’ll walk you through the steps you should take when confronted with a computer on-scene. Your actions will differ, depending on whether it’s a live (on) box or a dead (off) box. 

Adding Live Response Tools to WinFE 8.1

Once we’ve created a WinFE 8.1 USB drive, “live” tools can be added to the build so that the same drive serves both live-box and dead-box work. We’ll walk you through the steps of making our WinFE 8.1 USB drive a dual-purpose triage tool that can be used to 1) triage a live system to detect encryption and capture a RAM image, and 2) conduct a forensically sound triage of a rebooted or dead system. Keep the two roles distinct: live tools run on the suspect’s own operating system and necessarily change its state, whereas the dead-box preview runs only after booting into WinFE.

Live System Triage

Volatile data is what’s found in a computer’s random access memory (RAM). It requires power to survive, and is lost if it’s not captured before the system is powered down. RAM can include important information that may help your case: past and present network settings, passwords, browser history, documents or document fragments, segments of chats, evidence of P2P file-sharing activity, and more. We’ll walk you through the steps of capturing RAM, and introduce you to two free tools that can be used for RAM capture. We’ll also talk about encryption, and show you some tools you can use to detect encryption on a suspect computer. Full-disk encryption on a running machine is the strongest reason not to pull the plug before you have captured memory and the mounted volumes, so the encryption check drives the rest of your on-scene decisions.
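The live-box half of the triage described above, as an added example that is not one of the course’s live-response tools: run from the triage USB drive on the suspect’s running Windows, it records the volatile network state the text lists, checks BitLocker status through WMI, looks for a short watch-list of third-party full-disk-encryption drivers and processes, and writes everything to the USB drive only. The output path, the watch-list names and the assumption that it runs as Administrator are all mine; the watch-list is illustrative, not complete. It avoids PowerShell 3.0-only syntax so that it also runs on a default Windows 7 installation.

```powershell
# Added example (not a course tool): live-box encryption check and volatile-context capture.
# Assumptions: run as Administrator on the suspect's live Windows; E:\triage is a hypothetical
# folder on the triage USB drive; every command below changes RAM, so it logs what ran and when.
$OutDir = 'E:\triage\' + $env:COMPUTERNAME + '_' + (Get-Date -Format 'yyyyMMdd_HHmmss')
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

"Collected $(Get-Date -Format o) as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME" |
    Set-Content "$OutDir\collection_log.txt"
ipconfig.exe /all | Set-Content "$OutDir\ipconfig.txt"      # present and past adapter settings
netstat.exe -ano  | Set-Content "$OutDir\netstat.txt"       # live connections with owning PIDs
$users = if (Get-Command quser.exe -ErrorAction SilentlyContinue) { quser.exe 2>&1 } else { 'quser.exe not available on this edition' }
Set-Content "$OutDir\logged_on_users.txt" -Value ($users -join "`n")

function Get-BitLockerState {
    # Win32_EncryptableVolume exists only where BitLocker is installed (Pro/Enterprise editions).
    try {
        Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                      -Class Win32_EncryptableVolume -ErrorAction Stop |
        ForEach-Object {
            # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2-5 = in progress or paused
            $conv = $_.GetConversionStatus().ConversionStatus
            New-Object PSObject -Property @{
                Volume     = $_.DriveLetter
                Protection = @{0='Off';1='On';2='Unknown'}[[int]$_.ProtectionStatus]
                Encrypted  = ($conv -ne 0)
            }
        }
    } catch {
        New-Object PSObject -Property @{ Volume='n/a'; Protection="BitLocker WMI unavailable: $($_.Exception.Message)"; Encrypted=$false }
    }
}

function Get-ThirdPartyFdeIndicators {
    # Assumed, illustrative watch-list of kernel drivers and processes used by FDE products.
    $drivers   = 'truecrypt', 'veracrypt', 'pgpdisk', 'dcrypt'
    $processes = 'TrueCrypt', 'VeraCrypt', 'PGPtray'
    $hits = @()
    foreach ($d in $drivers) {
        # Get-Service does not list kernel drivers; Win32_SystemDriver does.
        $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$d'"
        if ($drv) { $hits += "driver:$d ($($drv.State))" }
    }
    foreach ($p in $processes) {
        if (Get-Process -Name $p -ErrorAction SilentlyContinue) { $hits += "process:$p" }
    }
    return ,$hits
}

$bl  = Get-BitLockerState
$fde = Get-ThirdPartyFdeIndicators
$bl | Format-Table -AutoSize | Out-String | Set-Content "$OutDir\bitlocker.txt"
Set-Content "$OutDir\fde_indicators.txt" -Value ($fde -join "`n")

# Decision aid: an encrypted volume or an FDE driver means a power-down may lock you out,
# so capture RAM and image the mounted volumes live before considering a shutdown.
$encryptionSeen = [bool]($bl | Where-Object { $_.Encrypted }) -or (@($fde).Count -gt 0)
"EncryptionDetected=$encryptionSeen" | Add-Content "$OutDir\collection_log.txt"
```

Run the RAM capture tool before or immediately after this script, not long after: the script itself is a process in memory, and every minute the machine keeps running overwrites more of what you want.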

Previewing with Field Search and osTriage2

Now that we’ve got our forensic environment created, we can safely preview a suspect’s computer to determine if it contains evidence of criminal activity. We’ll show you how to use Field Search, a free tool that was developed by the National Law Enforcement and Corrections Technology Center. It was developed for field use by non-technical law enforcement personnel, and is especially useful in assisting probation and parole officers in sex offender management. We’ll also show you osTriage2, another powerful previewing tool. Running an osTriage2 scan will yield valuable information about the computer, the network, and computer content. Having this information will help you conduct a more informed interview with your suspect. 

Booting WinFE 8.1, Previewing and Validation

In this course block, we’ll show you some of the more technical aspects of how WinFE works. We start by demonstrating how to control the computer’s boot sequence (the BIOS or UEFI boot order) so that the machine boots from the WinFE device instead of its internal disk and the suspect computer is preserved in its current state. Then we’ll show you how to launch WinFE 8.1, and you’ll see how the write-protect tool works when accessing the evidence device. We’ll walk you through the steps of mounting a device, and you’ll learn the distinctions between read-only and read/write drives. We’ll demonstrate how to validate that a device is read-only and write-protected before anything else touches it; that validation, not merely the presence of the tool, is what lets you call the process forensically sound. We’ll also show you how to image a drive, so that you can make an exact duplicate of it, and how to add a separate, writable device to hold your evidence files or the duplicate image.
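The validation step above, as an added example that is not the course’s write-protect tool: after booting WinFE, it uses diskpart (present in every WinPE build) to set the read-only attribute on an evidence disk while the disk is still offline, brings the disk online, and parses the output of diskpart’s `attributes disk` command after each step to confirm that both the sticky read-only attribute and the current read-only state report Yes and that the selected disk is not the boot disk (the WinFE USB drive itself). It assumes the WinFE build includes PowerShell, that you took the disk number from diskpart’s `list disk`, and that the temporary script file lands on WinPE’s RAM-backed X: drive via `$env:TEMP`, not on evidence.

```powershell
# Added example (not the course's write-protect tool): validate an evidence disk's
# write protection with diskpart before and after bringing it online under WinFE.
# Assumptions: WinFE build includes PowerShell; $env:TEMP is on the X: RAM drive;
# the disk number comes from 'list disk' and is not the WinFE boot disk.
function Invoke-DiskPart {
    param([string[]]$Commands)
    $script = Join-Path $env:TEMP 'winfe_dp.txt'
    Set-Content -Path $script -Value $Commands
    diskpart.exe /s $script          # diskpart's text output becomes this function's output
}

function Get-DiskAttributes {
    param([int]$DiskNumber)
    # 'attributes disk' prints lines such as "Current Read-only State : Yes"; parse them.
    $attr = @{}
    foreach ($line in (Invoke-DiskPart "select disk $DiskNumber", 'attributes disk')) {
        if ($line -match '^\s*(Current Read-only State|Read-only|Boot Disk|Pagefile Disk|Hibernation File Disk|Crashdump Disk)\s*:\s*(Yes|No)') {
            $attr[$matches[1]] = ($matches[2] -eq 'Yes')
        }
    }
    return $attr
}

function Test-EvidenceDiskWriteProtected {
    param([int]$DiskNumber)
    $a = Get-DiskAttributes $DiskNumber
    # The sticky attribute and the current state must both be set, and this must not be our boot disk.
    # A missing key evaluates as $null, so an unparsable answer fails closed.
    return ($a['Read-only'] -eq $true) -and
           ($a['Current Read-only State'] -eq $true) -and
           ($a['Boot Disk'] -eq $false)
}

function Protect-EvidenceDisk {
    param([int]$DiskNumber)
    # Order matters: set read-only while the disk is still offline, verify, then online it and verify again.
    Invoke-DiskPart "select disk $DiskNumber", 'attributes disk set readonly' | Out-Null
    if (-not (Test-EvidenceDiskWriteProtected $DiskNumber)) {
        throw "disk $DiskNumber did not become read-only; do not bring it online"
    }
    Invoke-DiskPart "select disk $DiskNumber", 'online disk' | Out-Null
    if (-not (Test-EvidenceDiskWriteProtected $DiskNumber)) {
        Invoke-DiskPart "select disk $DiskNumber", 'offline disk' | Out-Null
        throw "disk $DiskNumber lost its read-only state after coming online; taken offline again"
    }
    Get-DiskAttributes $DiskNumber   # the post-online attribute table, for your notes
}

# On-scene usage (disk 1 is an assumed number taken from 'list disk'):
# Protect-EvidenceDisk 1
```

Because the WinFE image sets NoAutoMount, bringing the disk online does not assign drive letters; assign one to the volume you want to preview only after `Test-EvidenceDiskWriteProtected` has passed, and record the attribute table it returns in your notes as the evidence of write protection.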

WinFE 7: Introduction, Building, Booting, Previewing and Validation

A WinFE build is tied to the Windows version it is built from, so WinFE 7 is a separate build from WinFE 8.1. On our final day, we will repeat the steps taken earlier in the course and build a WinFE for Windows 7. While many of the steps are similar to those taken to create WinFE 8.1, there are differences that you will need to note. We’ll walk you through the boot sequence, startup, mounting a device, changing disk attributes, imaging a drive, and running a preview using WinFE 7.