How many tools are too many in a computer forensic examiner’s toolbox? I say “The more the better!” In today’s technological world, one can never have too many tools. In most cases examiners do not have enough tools, or rather do not have the right tool for the job, and they find a way to make do because of budget constraints or administrative decisions.
Now, when I say “The more the better!” I mean tools one is trained and practiced with; that is another article altogether. We all know that we should validate our tools and keep a log of that validation. With all this said, on to the reason we are here: yes, oh yes, another tool for your toolbox.
You ask, “But how much is this tool going to cost me?” I tell you, nothing more than time. Is it worth my time? You decide and let me know. It is called WinFE (Windows Forensic Environment), and there are many build methods and many versions on the net. All one has to do is scour the net and find the downloads, as well as the instructions (the correct ones for your build). Once you have done this, within the hour you will have a Windows forensic boot disk. Well, I say within the hour, but that is what it took me after finding all the downloads and instructions needed. I spent about three days researching and testing before finding the one I liked.
When building your WinFE, you are limited only by your willingness to do some research and find the right tools to put on this great forensic boot disk. Your only limitation is yourself! You may ask, “But why another boot disk?” and I say it is not just another boot disk. What makes it a forensic boot disk rather than plain Windows PE is that it is configured not to automatically bring online, mount or write to the disks it finds at boot, so the evidence drive stays untouched while you work from a familiar desktop. Most people are accustomed to using Windows rather than Linux; if you are that person, then this disk is for you. Good news: when you are done, not only can you have a boot disk, you can also have a bootable USB drive.
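To make concrete what separates a forensic boot disk from an ordinary Windows PE disk, here is an added example; it is not the author’s build instructions and not any particular build from the net. It applies, to the offline WinPE image, the two registry settings that stop Windows from bringing attached disks online and assigning them drive letters, and it ends with the check to run once the disk boots. The paths C:\WinPE\media\sources\boot.wim and C:\mount and the temporary hive name HKLM\WinFE are assumptions; the image is assumed to be one produced with the Windows ADK, and the commands are run from an elevated Deployment and Imaging Tools prompt on the build machine.

```powershell
# Added example (not the author's build notes): turn a Windows PE image into a
# forensic boot environment by editing its offline SYSTEM hive.
# Assumed: boot.wim was produced with the Windows ADK, C:\mount is an empty
# directory, and this runs from an elevated Deployment and Imaging Tools prompt.

$Wim   = 'C:\WinPE\media\sources\boot.wim'   # assumed path to the WinPE image
$Mount = 'C:\mount'                           # assumed empty mount directory
$Hive  = 'HKLM\WinFE'                         # temporary name for the offline SYSTEM hive

# Mount the image read-write so its files (including the registry hives) are editable.
Dism /Mount-Image "/ImageFile:$Wim" /Index:1 "/MountDir:$Mount"

# Load the image's SYSTEM hive under a temporary key so it can be edited without booting it.
# ControlSet001 is the offline equivalent of CurrentControlSet.
reg load $Hive "$Mount\Windows\System32\config\SYSTEM"

# SanPolicy 3 = OfflineAll: every newly discovered disk stays offline and read-only,
# so the volume stack never mounts it, replays its journal or writes a disk signature.
reg add "$Hive\ControlSet001\Services\partmgr\Parameters" /v SanPolicy /t REG_DWORD /d 3 /f

# NoAutoMount 1: Mount Manager does not assign drive letters to newly seen volumes.
reg add "$Hive\ControlSet001\Services\MountMgr" /v NoAutoMount /t REG_DWORD /d 1 /f

# Write the hive back and commit the change into the image.
reg unload $Hive
Dism /Unmount-Image "/MountDir:$Mount" /Commit

# After booting the finished disk, check before touching anything (type at the
# WinFE command prompt; diskpart is present in every WinPE build):
#   diskpart
#   DISKPART> list disk                      every evidence disk must show Offline
#   DISKPART> select disk N                  N = your own destination drive, never the evidence disk
#   DISKPART> online disk
#   DISKPART> attributes disk clear readonly the destination is also read-only until cleared
```

Because SanPolicy 3 leaves every disk offline and read-only, including the drive you intend to write an image to, the destination has to be brought online and made writable by hand, and only that disk. As with any tool in the toolbox, validate the build before using it on a case: hash a test disk, boot the WinFE with it attached, work for a while, and hash it again; a WinPE build missing these two settings will happily mount and modify the disk.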
There are many great open source tools, freely downloadable from the net, for use with your WinFE. One that I love is RegRipper, created and released by Harlan Carvey. I would also suggest his book “Windows Registry Forensics” to go hand in hand with this tool. Who said you have to spend thousands to find evidence? There are many more tools out there for use with this boot disk; all one must do is a little research to find them. Another option will be a one-day class that atldfa.org will put on in the near future to teach you how to build your very own WinFE disk. Keep checking, or follow up with the President of the organization.
This will be a good tool not just for computer forensic examiners but also for home users. Why home users? For the simple fact that you, as a home user, may have a hard drive die or suffer data loss. This bootable disk or USB drive will let you get to a desktop you are familiar with and get online to order new parts if needed, or to research your disk error or blue screen error. No matter what, this tool is for you.
Thank you for coming by and we look forward to hearing back from you. We also look forward to seeing you at our next DFA meeting.
Author - Emory Mullis has been in law enforcement for roughly 19 years, including military and civilian law enforcement. He started learning about computers back when a Gateway 266 MHz was the top of the line and cost about $2,000.00. Right out of the box, I was compelled to take my new-found 266 apart. Why, I have no idea, other than pure curiosity. Once I had the computer out of the box and on the floor in pieces, my wife walked in. Trust me, people, this was not a good thing! Either way, I got a good understanding at that point of how a computer is put together and of the components inside. This was my starting point with computers, and I still hear my wife in the background: “It better work when you put it back together!” That was my humble beginning as a cyber investigator. Now, with many cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats in order to forensically acquire evidence, and it is a real challenge. I enjoy the challenge and look forward to learning more every day!