
Win PE and other live media OSes as forensic tools


CharlotteTheHarlot


FYI ... I asked the mods to split this off from another thread ( "Is it Legal to run Windows PE as a general operating system" ) as we kind of drifted off topic ( my fault, sorry! ). Anywho, we can discuss bootable tools for salvaging FUBAR'd Windows systems.

Note: I suggest commenters should probably only mention legal tools ( :yes: ) or else the mods will most likely make you walk the plank!

Below this line is the original discussion already in progress ...

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

In any case, settings and configurations like those written to registry, are not kept over a reboot when in WinPE. It is only kept in memory.

May not be entirely true. Certain PE implementations like the earlier System Internals ERD and the later DaRT leave something, at least a folder and possibly some registry entry. I never did do a formal test of this so I am just guessing that it is a date/time/stamp tattoo. A proper audit should be done to see what if anything persists. A perfectly sterile forensic PE tool should leave nothing on the target system without prompting.

EDIT: fixed typo

Edited by CharlotteTheHarlot


A perfectly sterile forensic PE tool should leave nothing on the target system without prompting.

As a matter of fact a sterile forensic PE tool cannot even mount hard-disk-like devices, as Windows (also a PE) will write the Disk Signature to the disk (if there isn't already one).

http://www.forensicswiki.org/wiki/WinFE

http://www.ramsdens.org.uk/

http://winfe.wordpress.com/

But the point is different, the kernel is loaded with the /minint switch that makes a lot of things (including the Registry) "volatile", thus you need an "external" way/method/tool/whatever to "keep" the changes.

As an example you can install a program in a PE alright, but unless you run a backup tool on the Registry (and you replace the previous Registry with the saved one before rebooting to that PE through some "other" OS), at reboot everything that was in the Registry will be gone.

Do not confuse "completely read only" with "volatile" ;).

jaclaz

Edited by jaclaz

A perfectly sterile forensic PE tool should leave nothing on the target system without prompting.

As a matter of fact a sterile forensic PE tool cannot even mount hard disks like devices, as windows (also a PE ) will write the Disk Signature to the disk (if there isn't already one).

[...]

Do not confuse "completely read only" with "volatile" ;).

In other words: the PE itself is guaranteed to remain unchanged, being identical before and after use (obviously, when it's in a Read-Only Medium like a CD or DVD, much less so, when it's in a pendrive), while the target machine may (and usually, in fact, does) change, becoming different before and after being host of a PE OS. The PE caters for its own unchangeability, the forensic OS (not necessarily a PE) caters for the host machine's unchangeability. They're, therefore, totally different animals. There is, however, at least one project that creates a reliable sterile forensic PE (findable at reboot.pro), and there are classics like Tin Hat Linux (which is based on Gentoo), for those requiring forensic tools, among other options.


Just to clarify, I don't want to come off as beating up WinPE implementations or especially ERD and DaRT. I just wanted to mention that vague observation of possible breadcrumbs as they were implemented in the Windows XP thru 7 era ( I haven't used it since 8 was hatched ). Such a trail may be what tipped off System Internals during the Best Buy fiasco.

I am a true supporter of the masterful ERD / DaRT tools, with a small bit of fine tuning they could be the most valuable product ever never released by Microsoft. :lol: Half joking because of the myriad restrictions on it, it should have been released long ago to everyone. And it should be easily insertable as a Recovery Console type add-in to the local computer boot menu as well ( CmdCons without offline registry editing or GUI file management :no: ).

Having used many Linux flavored "PE" recovery discs over the years ( because you have to for paying customers if you choose to stay legal ), it is stunning just how half-baked this entire field is. The maddening thing with almost every canned Linux bootable CD is the insanity of having timer-based prompts for such serious questions as "Hello user! Shall I boot from this CDROM or shall I mount that possibly infected and FUBAR'd hard disk I see here? You have 5 seconds to type your answer!". :lol: Try to guess what they typically duhfault to.

Dear Microsoft, by all means save us from this carnage and free up these tools for everyone.


Did you ever use Tin Hat?

Can't say that I have. Are there any good pre-cooked ISO's for use on problem Windows installations?

I mean, similar to DaRT with registry and file functions? Add in an antivirus and forensics and we'll have a winner.

P.S. I realize this is bordering on a threadjack, feel free to spin it off if necessary!


Tin Hat is the most non-interfering Linux there is. It mounts nothing by default on boot. It's available as an .ISO, from the place I linked in my previous post. But some apps surely must be added to it for it to become a true maintenance/forensic tool.

Changing subjects, I split the thread just below joakim's post, because, up to now, this new thread has been a discussion among you, jaclaz and me, so it makes sense that one of the 3 should get the 1st post, that gives control over the thread title, and you were the lucky one... That being the case, please take your time to rename the thread properly, I merely gave it a provisional title, as required to split a new thread, OK?


Charlotte, sorry to say so :unsure: , but you are seemingly talking of things that you have (evidently) not much experience with, mixing liberally different things.

There are tens of valid "forensic" Linux distros.

And at least one, the WinFE, based on NT PE technology.

Everyone can build a WinFE from their (licensed) Windows 7 (or 8 :ph34r:) sources or WAIK, contrary to what dencorso thinks :w00t: not only through the Winbuilder .scripts/projects, but also "manually"; after all the "whole" thing is a couple of Registry keys, a couple of references:

http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/

Among the forensics Linux distros I personally like Caine:

http://www.caine-live.net/

BUT the WHOLE point of a "sterile forensics tool" is that it is READ ONLY on the "target" PC's devices, so it is NOT suitable for "repair" (which a "normal" PE or ERD is).

Carpenter's comparison ;):

A syringe (and its needle) is a sterile medical tool, a hammer is a non-sterile carpenter's tool, to plant nails into wood you use hammers and not syringes.

jaclaz


Charlotte, sorry to say so :unsure: , but you are seemingly talking of things that you have (evidently) not much experience with, mixing liberally different things.

Jaclaz, my friend, it looks like you are doing exactly what you think I did!

What I "have experience with" is exactly what I said above, no mystery, and those things include the Windows PE tools mentioned, and various Linux pre-cooked solutions, all for accessing sick Windows systems. Nothing exceptional, just average end-user knowledge sprinkled with a few odd stabs at Bart customization. Now by the numbers ...

  • The very first comment I made in the original thread ( now Post #1 here ) was just a mention that "I believe" there remain some breadcrumbs when using certain famous WinPE tools, specifically about them leaving no trace I said: "May not be entirely true". Either my suspicion is correct or not. The next time I use them I will determine it for sure but if you have some knowledge on that issue, please spill it. In that same comment I said "A perfectly sterile forensic PE tool should leave nothing on the target system without prompting." which is hardly controversial or demonstrative of either "not much experience" or "mixing liberally different things".
  • In the next comment ( now Post #4 here ) all I did was refine that to not sound critical of these tools, because I think they are very important, I said among other things: "I am a true supporter of the masterful ERD / DaRT tools, with a small bit of fine tuning they could be the most valuable product ever never released by Microsoft.". That was true, and also funny ( well I thought so ). Moving on, I then decried certain Linux boot CD's that use a timer for user input before they mount the first available HDD they see: "Hello user! Shall I boot from this CDROM or shall I mount that possibly infected and FUBAR'd hard disk I see here? You have 5 seconds to type your answer!". Now that is also true ( for some discs I have used ) and I think really funny ( that means laugh! ). Finally I suggested Microsoft just release their excellent tools for everyone. Nothing there looks to me like "not much experience" or "mixing liberally different things".
  • In the final comment ( now Post #6 here ) I only responded to Dencorso's question of ever using Tin Hat. From reading that page he linked I can't say that I have, but it is possible. I then asked for any pre-cooked distros. Some day I may get a chance to try them! So once again nothing there looks to me like "not much experience" or "mixing liberally different things".

So in conclusion, to paraphrase your own comment I'm sorry to say I don't know what you're going on about. And if I may, it looks like you are speaking with "not much experience" about what I actually said, and "mixing liberally different things" about something I said here or perhaps somewhere else! But it's all good. Just like myself you sound like an ornery old coot from time to time even though we are both actually quite spry, happy and cheerful when not commenting on Microsoft issues! I won't say "lighten up" because at our age that becomes very difficult, in every sense of the phrase. :yes:


I will try again to disambiguate (or at least find a common dictionary :) , I will readily agree to disagree on *anything* :yes: , as long as the thing on which we disagree is clearly identified).

You are seemingly confusing "volatile" (in the sense of "volatile environment") with "read only".

A "repair tool" may (or may not) be "volatile" but CANNOT be "read only".

A "forensic sterile tool" may (or may not) be "volatile" but MUST be "read only".

A repair tool even if "volatile" may well leave behind "traces", or change *something* on the "internal" PC's hard disk as you reported for ERD / DaRT and the link I provided about the WinPE 4.x that jtalbot35 reported.

There is nothing "good" nor "bad" about it, it is simply the way a given tool behaves (by design or otherwise), someone using that tool should be aware of what is changed on the target system.

A "forensic sterile tool" by definition, and no matter if "volatile" or not, needs to change NOTHING on the target.

A "forensic sterile tool" is used for forensics.

A "repair tool" is used for repairs.

You can - generally speaking - use a "forensics" tool for "repairs" (by disabling the settings/filters/whatever that make it originally "sterile").

You can - generally speaking - use "repair" tool for "forensics" (by enabling the settings/filters/whatever in order to make it "sterile").

A Windows based PE is ALWAYS (by definition) "volatile", it can be tweaked towards "forensics" (and thus made READ ONLY and "sterile"), or tweaked towards "repair" (and thus forfeiting the "sterile" and READ ONLY).

A Linux Live is also (by definition) "volatile".

Both a Windows PE and a Linux Live distro can be booted from CD/DVD (and the CD/DVD is NOT changed in any way = "volatile"); whether they will "leave traces" on the hard disk is another matter, which is very relevant for "forensics" but of little or no importance for "repairs".

BTW you can have a "volatile" environment also with a "full" XP:

which you can use for "repairs" but that you CANNOT use for "forensics" (as it is evidently NOT "sterile").

ERD or MSDart are intended for "repairs" and they are "volatile" and they may well leave traces on the PC's hard disk.

Your reply to joakim:

In any case, settings and configurations like those written to registry, are not kept over a reboot when in WinPE. It is only kept in memory.

May not be entirely true. Certain PE implementations like the earlier System Internals ERD and the later DaRT leave something, at least a folder and possibly some registry entry. I never did do a formal test of this so I am just guessing that it is a date/time/stamp tattoo. A proper audit should be done to see what if anything persists. A perfectly sterile forensic PE tool should leave nothing on the target system without prompting.

seemed to imply that anything in the original thread or specifically in joakim's reply was related to "a perfectly sterile forensic tool" or that you considered ERD or MSDart a "perfectly sterile forensic PE tool" (which they are not).

Hence the idea that you were mixing together different things.

Consider this carpenter's example :w00t::ph34r: :

joakim: When you paint your walls, no traces are left once you have removed the bucket of paint, the ladder, the brushes and the paper you used to protect the floor.

CTH: Hah, but last time I spray painted my room I found tiny drops of paint on the windows. A perfect sanitization of a hospital room should leave no traces.

jaclaz: CTH, joakim was talking of painting the walls, and of painting them with brushes, not about spray painting them and not about hospital rooms.

jaclaz


Okay I see now. It was that first comment I made that got you going.

"A perfectly sterile forensic PE tool should leave nothing on the target system without prompting."

I didn't really mean anything critical of any of our commenters by it, and especially nothing at all was meant at Joakim ( important forum member and author of some important NTFS utilities ).

Notice I never used those more precise words "volatile" or "read-only" which you have utilized. My use of the term "sterile" was figurative, perhaps from having spent far too much time in hospitals lately, and was meant to paint a picture ( admittedly not a good one ). As such you can realize I wasn't attempting clinical precision, just an observation which I can now see thanks to your definitions, is incorrect. For the record, I obviously do NOT want read-only ( and obviously "sterile" ) because being able to edit the registry and files offline is critically important. I just want any changes to be approved by the user, which precludes breadcrumbs left in secret. I don't know what ERD or DaRT was aiming for, all I can say is I don't like it ( the breadcrumbs ). But compared to the other stuff out there they still come out miles ahead.

And I do appreciate those definitions of forensic tools as you listed them, and I do bow to your superior knowledge on this.

Anyway, if we come up with a list of useful tools we can now use those precise definitions to describe their strengths and failings :thumbup I suggest a sub-definition further defining forensic tools that are volatile that do not leave traces, and another for those that do. Perfect read-only tools are obviously a completely separate category unto themselves and include stuff that only allows gathering of data, copying to external media, but making no changes whatsoever to the patient, even outside of the proper file system. "Sterile" was clearly a bad choice of words for all these scenarios because a completely sterile doctor could still take a completely sterile scalpel and jab a hole in the patient's liver. :yes:


"Sterile" was clearly a bad choice of words for all these scenarios because a completely sterile doctor could still take a completely sterile scalpel and jab a hole in the patient's liver. :yes:

Not really, as a matter of fact you have it right :yes: : a WinFE ("sterile forensics PE") or Linux Live Forensic distro ("sterile forensics Linux") can still have (as an example) direct access to a hard disk (and both R/W) so you can use them to dig big holes :w00t::ph34r: in your filesystems alright, and you would find NO TRACES of what made those "holes" as much as you won't find any bacteria in your real life case.

It's the OS (and its mechanisms) that do not write to the filesystem or to the device (because it is not mounted and/or offline).

Imagine using DOS (booted from a floppy) on a PC with a single partition formatted as NTFS (and without having any third party tool capable of reading NTFS in the DOS floppy).

Such a floppy won't do any changes to the hard disk (because DOS is a good, simple, non-multitasking OS :thumbup without a few tens of mostly unuseful services or daemons running in the background, largely undocumented and doing *anything* by their free will ) but also it won't do any changes to the NTFS filesystem/partition, because additionally it doesn't know anything about that filesystem AND it has been designed to consider a (not so casually called properly "protective") partition ID in the MBR as "non plus ultra" or "hic sunt leones".

Still, you can use (say) DEBUG to write to the disk alright or use FDISK to remove the "HPFS/NTFS partition".

Now imagine the other way round, you draw from the scrapyard an old (DOS only) 386 machine, and its hard disk that never "saw" a NT based OS.

As soon as the hard disk is connected to a new machine running *any* NT based OS or PE, a disk signature will be written to the MBR.

Though this is not a real issue for "substantial" forensics (it is only four bytes, it is not like it creates out of thin air a compromising chat message or an illegal picture ) it is enough to invalidate the MD5 (or other hash) of the whole disk, enough for a clever lawyer to raise an issue about the managing of the evidence.

As soon as the filesystem is mounted, Windows may decide to create new artifacts in the filesystem, or change file access date, theoretically allowing to overwrite some potentially accusing or exculpatory data, this is not acceptable even in "substantial" forensics.

No actual surprise that many digital forensic professionals prefer to ONLY use write blockers to connect hard disks for imaging (though even write blockers have been, at least on one occasion, found to be not write blocking properly).

jaclaz

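The four-byte disk signature jaclaz describes above, as an added example written for this rewrite (not code from the thread, from WinFE or from any tool named here): it builds a constructed sector 0 of a disk that has never seen NT, parses its partition table, models the signature write an NT-family OS performs on a zero signature, and shows that those four bytes at offset 0x1B8 are enough to change the MD5 of the image. The MBR offsets and partition type IDs are the standard ones; the sample disk layout and the signature value are made up.

```python
import hashlib
import struct

MBR_SIZE = 512
SIG_OFFSET = 0x1B8          # NT disk signature: 4 bytes, little-endian
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE     # 0x55 0xAA boot signature
PART_TYPE_NAMES = {0x07: "HPFS/NTFS", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}

def parse_mbr(mbr: bytes) -> dict:
    """Decode the sector-0 fields an examiner checks: disk signature and partition table."""
    if len(mbr) != MBR_SIZE or mbr[BOOT_SIG_OFFSET:] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 0x55AA boot signature")
    disk_sig = struct.unpack_from("<I", mbr, SIG_OFFSET)[0]
    partitions = []
    for slot in range(4):
        entry = mbr[PART_TABLE_OFFSET + 16 * slot:PART_TABLE_OFFSET + 16 * (slot + 1)]
        ptype = entry[4]
        if ptype == 0:
            continue  # empty slot
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        partitions.append({"slot": slot, "bootable": entry[0] == 0x80, "type": ptype,
                           "type_name": PART_TYPE_NAMES.get(ptype, "unknown"),
                           "lba_start": lba_start, "sectors": sectors})
    return {"disk_signature": disk_sig, "has_signature": disk_sig != 0,
            "partitions": partitions}

def simulate_nt_signature_write(mbr: bytes, new_sig: int) -> bytes:
    """Model the behaviour the thread describes: an NT-family OS that sees a disk
    whose signature is zero writes a fresh 4-byte signature; a disk that already
    carries one is left alone."""
    if parse_mbr(mbr)["has_signature"]:
        return mbr
    out = bytearray(mbr)
    struct.pack_into("<I", out, SIG_OFFSET, new_sig)
    return bytes(out)

def image_delta(before: bytes, after: bytes) -> dict:
    """What an examiner sees when re-hashing: MD5 before/after and the offsets that changed."""
    changed = [i for i, (a, b) in enumerate(zip(before, after)) if a != b]
    return {"md5_before": hashlib.md5(before).hexdigest(),
            "md5_after": hashlib.md5(after).hexdigest(),
            "changed_offsets": changed}

def build_sample_mbr() -> bytes:
    """Constructed sample (not a real disk): one bootable NTFS partition starting
    at LBA 63, disk signature still zero, as on a disk that never saw NT."""
    mbr = bytearray(MBR_SIZE)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2_097_152 - 63)
    mbr[BOOT_SIG_OFFSET:] = b"\x55\xAA"
    return bytes(mbr)

if __name__ == "__main__":
    original = build_sample_mbr()
    touched = simulate_nt_signature_write(original, 0xDEADBEEF)
    print(parse_mbr(original))
    print(image_delta(original, touched))  # exactly four offsets, 0x1B8..0x1BB, differ
```

Running `image_delta` on a sector-0 dump taken before and after a boot is the cheap way to check whether a supposedly read-only boot medium or write blocker actually left the MBR alone.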

Are there any decent write-blocker priced below US$ 100?

And thanks for the heads up... maybe I'll try my hand some day at building WinFE by hand. Seems interesting. :yes:

Define "decent". :w00t:

However ;) :

http://www.forensicfocus.com/Forums/viewtopic/t=10557/

In theory they all work alright :yes: .

Please check attentively the signature I have on Forensic Focus :angel .

jaclaz

