Use

Using WinFE

After creating the WinFE media, usage is just the same as any other forensic boot disk. Firstly, you must establish how to make the computer boot from external media such as USB or CD/DVD. click here to view common manufacturers boot menu option keys.

Once loaded, you will be presented with a menu to select your language and keyboard layout. By default, it's English (UK) language and English (UK) keyboard.

You will now be shown a warning with regards to applications that if used, may change the read/write status of attached disks. It should be noted that this list is not exhaustive.

WinFE will display the disks that it was possible to enumerate, and the current state of these disks. Ideally, all disks should be in a state of read-only and dismounted.

You should now change the status of your bootable WinFE USB HDD/Flash Drive to be mounted and read-write (this step is not applicable to optical media). Then click Continue to allow WinFE to load, when loaded multiple tools and applications are available from the menu located at the top of the screen.

If no other disks, or an incorrect number of disks are displayed, this could be because of several reasons.

1. The Hard Disk Drive or RAID controller requires a driver.

2. There are no other Hard Disk Drives present or they are not connected.

3. The Hard Disk Drive within the computer maybe broken.

Disk Tools

The write-protect tool can be accessed from the Disk Tools menu to allow you to change the status of Hard Disk Drives beyond the initial changes that you may have made.

Within this menu option is a basic disk imaging tool, there is no real need to use this tool on Intel x86 or x64 builds, it was designed for the ARM build where FTK Imager does not (yet) exist. This is currently the only viable option for forensically imaging an ARM computer or server.

Password Tools

The Windows Password Tool has been incorporated in to all builds (ARM/x86/x64). This tool requires the volume where the Operating System is located to be mounted and placed into read-write mode, obviously this is not forensically sound, however, there may be occasions that you need to access a suspect's computer live or boot the system with a cloned Hard Disk Drive.

The standard reset tool allows the removal of Windows local account login passwords from Windows NT until the latest version of Windows 10/Server. It should be pointed out that the newer Microsoft online accounts are also supported within this tool. Any passwords that are removed, can subsequently be restored by running this tool again and checking the boxes that you previously removed.

The advanced reset tool allows the removal of passwords from Active Directory domain joined computers. If using this tool, ensure that the target computer is not connected to the domain network after the password has been removed. Again, the password can be restored by running the tool again, however, it is likely that the computer will be blocked from authenticating against the domain in future as the cached credentials will have most likely been trashed.

It should be noted that the Windows Password Tool is a paid for application (free for LE or Government). Please see the About or Contact pages for more information

Other Tools

These will be covered in brief, as many of them have multiple functions or it is obvious what they do.

Command Prompt - Standard Windows Command Line Interface.

Configure Network - PE Network has been included should you wish to utilise a wired network.

File Explorer - Explorer++ has been included as Windows Explorer is not available within WinPE.

Install Driver - Will allow you to install a driver for missing hardware, the .inf file along with any dependencies is required for this to work.

Notepad - This is the standard Microsoft Windows Notepad application.

Registry Editor - This is the standard Microsoft Windows Registry Editor application.

Windows Defender - This is no longer included within the build process, it is entirely possible to achieve, however, it a laborious, convoluted process that would have taken too long to write a guide for.

BitLocker Encryption

Support is included for BitLocker encryption, either implemented on the harvest Hard Disk Drive or capturing an encrypted source drive.

In order to capture an encrypted source drive, it must NOT be imaged as a physical disk. It must first be brought online (mounted) with the write-protect tool, there is no need to make the source drive read-write, then image as a logical volume using FTK Imager.

BitLocker encrypted ARM systems must be imaged as a physical disk, then retrospectively decrypted.

The steps to capture a BitLocker source drive are as follows:

1. Identify the disk which contains the BitLocker encrypted volume.

2. Use the write-protect tool to mount the entire physical disk, leaving it as read-only.

3a. Open a Command Shell window, if you have the BitLocker recovery key, type:

manage-bde.exe -unlock <Volume Letter>: -recoverypassword 123456-123456-123456-123456-123456-123456-123456-123456 <Enter>

3b. Open a Command Shell window, if you have the BitLocker password, type:.

manage-bde.exe -unlock <Volume Letter>: -password <Enter>

4. You will now be prompted to enter the BitLocker password.

5. Image the unlocked logical volume using FTK Imager.

To mount your own BitLocker protected harvest Hard Disk Drive, follow these steps:

1. Identify the Hard Disk Drive which contains your harvest volume.

2. Use the write-protect tool to mount and change the status to read-write.

3. Open a Command Shell window, and type the following:

manage-bde.exe -unlock <Volume Letter>: -password <Enter>

You will now be prompted to enter the BitLocker password.

The harvest Hard Disk Drive unlocked volume can now be used as an imaging destination.

Manufacturer	Model(s)	Boot Menu Key(s)	Settings Key(s)
Acer	Generic	Escape, F12, F9	Delete, F2
Acer	Aspire One zg5, zg8, Aspire Timeline, Aspire v3, v5, v7	F12	F2
Asus	VivoBook f200ca, f202e, q200e, s200e, s400ca, s500ca, u38n, v500ca, v550ca, v551, x200ca, x202e, x550ca, z202e	Escape	Delete
Asus	Generic	F8	F9
Asus	N550JV, N750JV, N550LF, Rog g750jh, Rog g750jw, Rog g750jx, Zenbook Infinity ux301, Infinity ux301la, Prime ux31a, Prime ux32vd, R509C, Taichi 21, Touch u500vz, Transformer Book TX300, Eee PC 1015, 1025c	Escape	F2
Asus	k25f, k35e, k34u, k35u, k43u, k46cb, k52f, k53e, k55a, k60ij, k70ab, k72f, k73e, k73s, k84l, k93sm, k93sv, k95vb, k501, k601, R503C, x32a, x35u, x54c, x61g, x64c, x64v, x75a, x83v, x83vb, x90, x93sv, x95gl, x101ch, x102ba, x200ca, x202e, x301a, x401a, x401u, x501a, x502c, x750ja	F8	Delete
Compaq	Presario	Escape	F9, F10
Dell	Dimension, Inspiron, Latitude, Optiplex, Precision, Vostro, XPS	F12	F2
Dell	PowerEdge Servers	F11	F2
eMachines	Generic	F12	Tab, Delete
Fujitsu	Generic	F12	F2
HP	Generic	Escape, F9	Escape, F10, F1
Intel	Generic	F10
Lenovo	Generic	F18, F10, F12	F1, F2
NEC	Generic	F5	F2
Packard Bell	Generic	F8	F1, Delete
Samsung	Generic	Escape, F12	F2
Samsung	NC10, np300e5c, np300e5e, np350v5c, np355v5c, np365e5c, np550p5c, Series 5 Ultra, Series 7 Chronos, Series 9 Ultrabook	Escape	F2
Sony	VAIO Duo, Pro, Flip, Tap, Fit	Assist Button	Assist Button
Sony	VAIO, PCG, VGN	Escape, F10, F11	F1, F2, F3
Toshiba	Kira, Kirabook 13, Ultrabook, Qosmio g30, g35, g40, g50, Qosmio x70, x75, x500, x505, x870, x875, x880	F12	F2
Toshiba	Protege, Satellite, Tecra	F12	Escape, F1
Toshiba	Equium	F12	F12
VMware	Workstation	Escape	F2

Windows Forensic Environment

Use

Using WinFE

Disk Tools

Password Tools

Other Tools

BitLocker Encryption