Friday, 4 July 2008

Windows FE

Windows FE is a forensic edition of Windows PE boot CD. It is forensic because it is not supposed to mount anything automatically. This post will not detail how to create a Windows FE disc because this can be found at the MS LE Portal (and also here) however I want to discuss some elements of why one would use it and also help to get over one or two gremlins.

I have been asked Is it another Helix disc? The answer is - it is similar but it offers some advantages in certain situations. The main advantage is being able to inject drivers into the ISO prior to burning. This allows you to add drivers for the latest SAS raid controller or Dell SATA drive controller for example which is not always possible in Linux (working on the principle that there are generally more Windows drivers than Linux ones).

You can also add your own forensic tools. I have been able to successfully add a full working copy of Encase 6.11 (including Dongle drivers). Strangely I have not been able to get FTK Imager to work (subsequently I have - see newer post). I imaged a 149GB hard disk in an Apple MacBook Pro to a 500gb external usb hdd in 2 hours 6 minutes.

Gremlin 1
If you have seen the paper dealing with the discs creation and use you will see that it states you should use the Diskpart utility to add and mount hard disks. You will probably need to mount a disk as your harvest or collection drive (i.e the disk you will save your image to). This aspect of the disks use proved to be slightly tricky. In order to save an image to an external drive I had to put it online, assign a drive letter and remove it's read only attribute. A number of Diskpart commands are required to achieve this as discussed below.

Windows FE boots up to a shell. You will have a command prompt on the X drive which is a RAM disk. To launch the Diskpart utility type:


To establish which disks can be seen type:


If you have not yet attached your collection disk you will have to type:


and then List Disk after connecting it. You need to establish a drive number (e.g. disk 1 or disk 2 and so on) for your collection disk. Once you have done this you will need to select this disk:

DISKPART >Select Disk 1

and you may need to put it online:

DISKPART >online

and then clear any readonly attributes:

DISKPART >Attributes disk clear readonly

Then identify the volume upon your collection disk you wish to image to:

DISKPART >List Volume

and then select the volume:
DISKPART >Select Volume 1

and then clear any readonly attributes:

DISKPART >Attributes volume clear readonly

Next - assign a drive letter:

DISKPART >assign letter=k

You should now be able to write an image to your collection disk. If you are getting the error "your disk is write protected" or similar the problem most likely lies with the read only attribute.

Gremlin 2
The disk during the boot process prompts press any key to boot from the CD. This behavior is not very desirable in a forensic boot CD. To prevent this from happening delete the bootfix.bin file from the \ISO\boot folder before creating your WinFE CD.

Gremlin 3
Encase will run happily from the disk but simply copying your Encase folder from Program files will cause some problems with respect to the encase config files and the indexing and parsecache folders. The way round this is to create an X: drive on your local machine and create an WinFE folder within it. Then install a new copy of Encase into this folder. If you then copy the Encase folder from here into the the WinFE tools folder all the paths will be fine.



Troy said...

Excellent. This is the first post I have seen on Windows FE. I will incorporate your suggestions in the next iteration.

Thank you.

Brett Shavers said...

It's been a few years since the last, there is some follow up work done to Windows FE at Mostly based upon the work of Troy and the postings from blogs talking about WinFE.