Saturday, February 14, 2009

Windows FE – Details Teased out of the Web

As long as I have been acquainting myself with both Window PE building and forensics LiveCD’s I keep stumbling over references to something known as Windows FE (aka. Win FE and WinFE) .

Now, I’m sure if I was a professional forensics investigator I would already have realms of info with this tool.

I’m not and I don’t so I will only speak to what I have discovered so any other curious Win PE builders who come across this reference will have some more detailed information.

Windows FE

From all indications, Windows FE (forensic environment) is a Windows PE based custom build that is offered by Microsoft to forensic examiners and law enforcement officers.  It is not publically available.

The official information regarding it seems to suggest that it (and supporting tools) can be obtained from Microsoft only through their “LE Portal”

It provides a Windows PE LiveCD boot environment that allows Windows software to run, along with specific command-line tools that will assist and benefit the forensic examiner.

From all I have read, one of the “special” features is the ability to safely mount media to receive the captured image from a system as well as safe mounting of the host disk to prevent write-back that could harm the integrity of the recovered disk as evidence.

After much work, I finally was able to dig out a link that seems to describe exactly how the Windows FE base disk is built.

The Smoking Gun

You might want to download it now just in case it is removed in the future.

That Word doc file is very interesting (to Win PE builders like me) and specifically outlines what makes WinFE (or Win FE) so special: it’s a registry mod (two actually) that prevents modification of any of the media on the booted system.

5. In regedit, go to the HKEY_LOCAL_MACHINE\winfesystem\ControlSet001\Services\MountMgr key, and if the NoAutoMount dword does not exist, create a dword named "NoAutoMount" with a setting of 1. If the key already exists, change the setting to 1 if it is any other value.

6. Next, go to HKEY_LOCAL_MACHINE\winfesystem\ControlSet001\Services\partmgr\Parameters and change the SanPolicy setting to 3. (If the Parameters key does not exist, create it.) At this point, the registry in the mounted .wim file is set to boot and operate without mounting volumes or modifying media.

The rest of the document pretty much is just standard Win PE building stuff you have already read here at GSD blog or other sources.

There was also a link in it to this:

Last updated September 2008, it contains a collection of tools for Windows-based forensics work. 

I haven’t picked through them, but according to the “what’s included” there are at least nine modules that might be worth looking into for forensics students as well as sysadmins (like me) who seek to leverage the tools and techniques of the forensics pros for dealing with system issues, imaging, and malware incidence response events.

Win FE in the Field

Win FE has come up in the Windows Incident Response blog and the comments from time to time.

I also saw mention of it at this post Windows Forensic Environment by Hogfly over at his Forensic Incident Response blog.

I swear I also saw on another forensics-blog and had previously bookmarked/blogged a reference to a third-party sponsored Win FE inspired package that might even have been USB based. However I have been unsuccessful at re-locating it.

However, while hunting this info down, I found a great forensics blog from the UK that made multiple “live-fire” references to using Win FE: Forensics from the sausage factory

I know Win FE is being used and touted in the forensics community. It showed up as a topic at the PFIC 2008 conferenceTroy Larson is (still ?) a senior forensics investigator in Microsoft’s IT Security group.  I’m sure he’s a cool and knowledgeable guy and his association with Microsoft makes perfect sense from the Win PE foundation angle.

My educated guess is that the “troyla” noted in the Word document I found and Troy Larson are one and the same.  Cool!

I only wish he would release more gems on Win FE as they might be great for us Win PE builders.  I understand the need to keep most of it under wraps for the “LE” (law enforcement) professionals but I bet there is some good stuff in there for system administrators who use Win PE builds in their daily applications.

I also suspect Windows 7 and the enhanced Win PE 3.0 environment will only bring more power and flexibility to this Win FE technique.

New Forensic Blog Finds

And here are some more interesting forensics-related blogs I found (or re-discovered) in the search-process:

Hope this helps clarify (and expand) the base knowledge about Win FE.

As a Win PE / VistaPE building nut, this is great info to know!

Hope I got the fact right for the Win FE pros.


--Claus V.


ForensicSoft said...

Windows FE is not a "forensically sound" Windows boot disk. You can prove this by booting any non-Windows system with Windows FE and take a hash of the drive(s) before and after booting with Windows FE.

ForensicSoft makes the only forensically sound write-blocked Windows boot disk in existence.

Claus said...

@ ForensicSoft - No, I was not aware of the claim that Windows FE still modifies the system even when "read-blocked" with the required registry tweaks.

Is this only for "non-Windows" system off-line booting or does it apply also to Windows system off-line booting?

I haven't had the time to build my own Win FE boot disk, but it's on my considerable "to-do" list.

I'll have to take your advice and run a hash test as you suggest.

Thank you for sharing.

--Claus V.

Troy said...

Slow to check up, sorry. ForensicSoft is quite correct. In fact, I believe I have shared more than a few emails with a person at ForensicSoft. However, I don't consider the issue as fatal to the forensic soundness of Windows FE, but then I take the position that it's how tools are used and not the tool itself that makes for forensic soundness. Windows FE can be used in a forensically sound manner.

Windows FE will write a disk signature to a non-Windows disk. Windows FE writes a disk signature to any disk that doesn't have a disk signature. This is a well documented behavior of Windows, and, as such, is predictable. As predictable, the behavior can be expected and explained by the forensic investigator. Thus, one could use Windows FE on non-Windows disk, and have forensically sound findings--as long as the four bytes at the disk signature location are not at issue. I have seen nothing that indicates that Windows FE writes to any partitioned space--Windows or non-Windows.

I have a great deal of respect for the people at ForensicSoft. I appreciate that they have taken the time to advise the forensic community of a potential issue in Windows FE. Windows FE is a tool that came out of Microsoft's forensics team. It is not a product. As you note, it is a customization of Windows PE v.2.1.