Wednesday, 6 August 2008

Windows FE saves the day with a Dell Inspiron 530

Dell boxes (both laptop and desktop) seem to be more difficult to image every week. We had a Dell Inspiron 530 midi tower with a Seagate 320GB sata hard disk submitted to us. Our normal method of imaging this drive with a Tableau T35i write blocker and FTK Imager failed as the drive seemed to turn off after about ten minutes. An attempt with a Tableau T3u and FTK Imager also failed. Both Tableau write blockers had the latest firmware.

Next we tried to image the drive in situ by utilising a Helix 1.9a boot disc. Despite trying a variety of cheat codes we could not get the Helix disc to work.

So I decided to try out Windows FE in anger. Step one involved trying to identify the necessary drivers to build into the WinFE iso. I plumped for the relevant Intel Matrix Storage Manager sata driver for Vista which downloads as a self extracting zip file (R154092.exe) and loaded the two inf files into my WinFE iso. I also decided to add a chipset driver and downloaded the relevant Intel Chipset software Installation Utility. This also downloads a self extracting zip (R154069.exe) however when you run it as well as extracting a large number of drivers it also (on the Vista side my Macbook Pro at least) tried to begin an installation which I canceled. The chipset utility contains drivers for a large number of chipsets. The Inspiron 530 has an Intel G33 chipset so I loaded g33q35.inf into my WinFE iso.

With the drivers loaded I added my imaging tool. In my earlier Windows FE posting I alluded to FTK Imager not working. The author of the WinFE paper Troy Larson kindly advised me that one of his colleagues - Andrew Choy had been able to get FTK Imager to work. In addition to the dlls identified by Access Data as being required in the same folder as the FTK Imager.exe, a dll oledlg.dll from C:\Windows\system32\ needs to be added.

We added another sata drive onto a spare sata port within the Inspiron 530 and booted to the Windows FE boot disc. Some Dell boxes including this one provide a boot menu by holding down F12. After following the guide to using Diskpart in my earlier posting and assigning a drive letter to the additional sata collection drive we utilised FTK Imager to image the drive in record time. We imaged to Encase evidence files with maximum compression and the whole process completed including verification in less than four hours. Windows FE worked like a dream.

4 comments:

Anonymous said...

You should be aware that Windows FE is not "forensically sound". You can prove this to yourself by booting any non-Windows system with it and hashing the drive(s) before and after booting with Windows FE.

ForensicSoft makes the only forensically sound write-blocked Windows boot disk in existence.

DC1743 said...

It is easy to take issue with sweeping statements.

Windows FE may write a disk signature to a partitioned disk, if the disk does not already have a signature. The disk signature starts at 0x01B8. The partitioned space—volumes—are not written to.

The read-only switch in Diskpart also writes a byte to the hard drive that makes that hard drive read-only to Windows.

For these reasons the whole device hashing approach may result in differing hash values - however this behavior does not necessarily make the use of Windows FE forensically unsound.

Claus said...

Hi DC1743.

Loved your round of Win FE posts. Your great posts actually inspired me to dig and pull out the details (and how to create) a Win FE disk of my own.

I'm not a forensics expert, instead just a lowly sysadmin, but my work with Win PE building and understanding the value of forensic techniques in the sysadmin grind keeps me actively following the best of the Windows forensics blogs.

Anyway, I also got a comment on my Win FE blog post similar to the one you received above.

Your response and the comment challenged me to validate the statement made and see with my own eyes what the case was.

I posted the results of my limited testing on my blog to see if the claims against Windows FE not being “forensically sound” were true.

Posted the results here:

Windows FE: Forensically Sound? - Grand Stream Dreams blog

In summary: based on my humble and simple test Win FE appeared to come out clean in my MD5 hashing tests of both a Windows system and a non-Windows system and matched the same MD5’s generated by DEFT Linux forensics LiveCD results.

I'd be honored to have your review and perspective of my observations as you seem to be a real Windows forensics specialist and quite knowledgeable on these matters.

If I've made any glaring omissions or mistakes, I would value them so I could be accurate.

Cheers.

–Claus V.

cheap computers said...

The read-only switch in Diskpart also writes a byte to the hard drive that makes that hard drive read-only to Windows.