Tuesday, November 6, 2012

Creating WinFE Boot Disc

Dec 2011
Updated 4 Jan 2012
Updated Nov 2014

Creating a forensic bootable environment to run tools on a target system using WinPE.
1. Download the Windows AIK ISO.  This file provides the files needed to create the winFE.
2. Mount Windows AIK file KB3AIK_EN.iso.
a. Use an ISO mounter such as Virtual CloneDrive. After installing it, right-click on its icon.

b.  Mount the downloaded KB3AIK_EN.iso file.
3. Open the contents, locate StartCD.exe and execute.



4. Install Windows AIK Setup.



5. Accept the default installation path.

6. Open an administrator command prompt.  Right-click Command Prompt and select Run as administrator.



7. Change directory to the PETools area.

cd "c:\Program Files\Windows AIK\Tools\PETools"



8. Copy the necessary files to your winFE creation area.

copype x86 c:\winFE



9. Mount the boot image (winpe.wim).

Dism /Mount-Wim /WimFile:c:\winFE\winpe.wim /index:1 /MountDir:c:\winFE\mount



10. You should see that the mount directory is now populated.



11. Time to modify the registry so that the disc will not automount onboard drives.  Open regedit: Start –> regedit.exe –> <enter>.



12.  Highlight HKLM



13. Select File –> Load Hive …



14.  Locate c:\winFE\mount\Windows\System32\config\system –> Open



15.  Name it “winFE”



16. winFE should now appear under HKLM.



17. Locate the key HKLM\winFE\ControlSet001\Services\mountmgr –> Right-click in the right panel and select New –> DWORD.



18. Name it NoAutoMount and set its value to 1.



19.  Modify HKLM\winFE\ControlSet001\Services\partmgr\parameters\sanpolicy to 3.

***Some other people have also been using a value of 4 ***


***Additional item to change as an OPTION ***
HKLM\winFE\ControlSet001\Control\FileSystem /v DisableDeleteNotification /t REG_DWORD /d 1 /f
(This is written in reg.exe add syntax: in regedit it is a DWORD named DisableDeleteNotification with a value of 1 under HKLM\winFE\ControlSet001\Control\FileSystem.)


20. Highlight winFE



21. Select File –> Unload Hive…  Confirm, then close regedit.
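The same registry changes from steps 11 through 21 can be applied from the administrator command prompt with reg.exe instead of clicking through regedit. This is an added example, not part of the original post; it assumes the WIM is already mounted at c:\winFE\mount (step 9) and uses the same temporary hive name, winFE, as the steps above.

```batch
@echo off
rem Added example (not from the original post): apply the WinFE registry
rem changes with reg.exe. Assumes the WIM is mounted at c:\winFE\mount and
rem this runs from an administrator command prompt.
setlocal
set "HIVE=c:\winFE\mount\Windows\System32\config\system"
set "KEY=HKLM\winFE"

rem Load the offline SYSTEM hive under a temporary name (same as File -> Load Hive)
reg load %KEY% "%HIVE%" || goto :fail

rem Do not automatically assign drive letters to volumes found at boot
reg add %KEY%\ControlSet001\Services\mountmgr /v NoAutoMount /t REG_DWORD /d 1 /f || goto :fail

rem SAN policy 3 keeps internal disks offline; the post notes some people use 4
reg add %KEY%\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 3 /f || goto :fail

rem Optional item from step 19: turn off delete (TRIM) notifications
reg add %KEY%\ControlSet001\Control\FileSystem /v DisableDeleteNotification /t REG_DWORD /d 1 /f || goto :fail

rem Read the values back before unloading so a typo is caught here, not at boot
reg query %KEY%\ControlSet001\Services\mountmgr /v NoAutoMount
reg query %KEY%\ControlSet001\Services\partmgr\Parameters /v SanPolicy

rem Unload the hive; if this fails, something (regedit, Explorer) still has it open
reg unload %KEY% || goto :fail
echo WinFE registry changes applied.
exit /b 0

:fail
echo Failed; check that the WIM is mounted and nothing else holds the hive open.
reg unload %KEY% >nul 2>&1
exit /b 1
```

If reg unload fails, close any window or program that has c:\winFE\mount open and run the unload again before continuing to step 22.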



22. Modify the wallpaper if you like.  Name the BMP winpe.bmp and overwrite the existing one under c:\winFE\mount\Windows\System32


23. Add a directory named tools under c:\winFE\mount\

 

24. Drop tools like RegRipper, Cygwin, FTK Imager Lite, NetCat, WinRAR Unplugged, IrfanView, etc. in this location.

Update 31 Dec 2012:  I had to change from long file names to short names for some reason, even though I had the correct path.  You might be able to use long file names with quotes starting at the "c:\...winpe-wmi.cab".  Short names are what worked for me, and I can only guess that it had something to do with the dism.exe program.

25. Add VBS scripting capability (the WMI package):

dism.exe /image:c:\winFE\mount /add-package /packagepath:C:\Progra~1\WI4A4E~1\Tools\PETools\x86\WinPE_FPs\winpe-wmi.cab



26. Add HTA support (hint: press the up arrow key to recall the previous command and change wmi to hta):

dism.exe /image:c:\winFE\mount /add-package /packagepath:C:\Progra~1\WI4A4E~1\Tools\PETools\x86\WinPE_FPs\winpe-hta.cab



27. Add scripting:

dism.exe /image:c:\winFE\mount /add-package /packagepath:C:\Progra~1\WI4A4E~1\Tools\PETools\x86\WinPE_FPs\winpe-scripting.cab



28. Add .vbs scripts (props: http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/) under tools.

***Additional item to modify would be to set the scratch space ***
Dism.exe /image:c:\winfe\mount /Set-ScratchSpace:512

This means the system you're booting requires at least 1GB of RAM.  You could lower it to 256 and so on, but 512 is the max.  Most new systems these days have over 1GB of RAM.

29. Add driver packs so that whatever system you come across should boot and see the onboard drives without issue.  I have had issues in the past with Linux boot CDs that would not recognize hardware RAIDs, specifically on SAS Dell blade servers.  This winFE was able to see the hardware RAID and image it without issue using the existing hardware.  I extracted the driver packs to my c:\ drive root.

dism.exe /image:c:\winFE\mount /add-driver /driver:c:\DP_MassStorage_wnt6-x86_1110 /recurse


30.  I ran the following driver packs.  The only reason you would need the LAN or WLAN packs is if you planned on using NetCat to transfer an image file over the network.  CardReaders is useful if you store images on high-capacity cards.  Chipset and MassStorage are the two most important.  Download the latest and greatest.
a. DP_CardReaders_wnt6-x86_11041
b. DP_Chipset_wnt6-x86_11051
c.  DP_LAN_wnt6-x86_1109
d.  DP_MassStorage_wnt6-x86_1110
e. DP_WLAN_wnt6-x86_1104
31. Closing the image.  ***Make sure you close all windows and programs linked to c:\winFE***  If you don't, the image will not close properly.

32. Make sure you're not in the c:\winFE area in the command prompt when you issue the command.

cd c:\
dism /unmount-wim /mountdir:c:\winFE\mount /commit

33.  You should get a successful completion message.

34.  Copy the file:
copy c:\winfe\winpe.wim c:\winfe\iso\sources\boot.wim /Y

35. Remove bootfix.bin so that you are not prompted to press any key to boot from the disc.  This would be bad if we missed the prompt and booted the target's operating system instead.

del /f /q c:\winFE\ISO\boot\bootfix.bin

36. Create the ISO:

cd "c:\Program Files\Windows AIK\Tools\x86"

oscdimg -n -bc:\winFE\etfsboot.com c:\winFE\ISO c:\winFE\winFE.iso

37. You should now have your .iso file.

38. Don't forget to test it out, through VMware or a live test system, before using it in production.

39. To add additional tools, drivers, scripts, etc., start at step 9 and follow the steps through creating the .iso.

Editing Existing WinFE


Continuation from the Creating WinFE Boot Disc
***WHILE TESTING ENSURE BIOS IS SET TO BOOT CD/DVD***
***ON REAL TARGETED SYSTEMS IT IS A GOOD PRACTICE TO DISCONNECT THE HARD DRIVE BEFORE CHANGING THE BIOS***
1.  Edit the existing image:
Dism /Mount-Wim /WimFile:c:\winFE\winpe.wim /index:1 /MountDir:c:\winFE\mount

***SPECIAL NOTE***
If you ever get an error message because you failed to properly exit out of a mounted area of c:\winFE, use the following command:

dism /cleanup-wim

2. You should be able to see the mounted image under c:\winFE\mount

3.  I would recommend creating a text document that runs through the diskpart commands if you plan on using diskpart to enable read/write access to your storage device.
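One way to build that text document, as an added example that is not part of the original post: a batch file, run inside the booted winFE, that writes the diskpart commands for the storage device to a script and runs it. It assumes NoAutoMount=1 from the build steps (so the storage device gets no drive letter until one is assigned) and that the disk number was first checked with diskpart's list disk; the disk number must be the evidence storage device, never the target's drive.

```batch
@echo off
rem Added example (not from the original post): bring the evidence storage
rem device online read/write in winFE via a diskpart script.
rem Usage: rwstorage.cmd <disk number> <drive letter>
rem Get the disk number first with:  diskpart  ->  list disk  (check the size!)
if "%~2"=="" (
    echo usage: %~nx0 ^<disk number^> ^<drive letter^>
    exit /b 1
)
set "DP_SCRIPT=%TEMP%\rwstorage.txt"

rem Write the diskpart script; noerr keeps going if a step was already done
> "%DP_SCRIPT%" (
    echo select disk %~1
    echo attributes disk clear readonly noerr
    echo online disk noerr
    echo select partition 1
    echo attributes volume clear readonly noerr
    echo assign letter=%~2 noerr
    echo detail disk
)

rem Show what is about to run so the wrong disk number is caught here
echo About to run the following against disk %~1:
type "%DP_SCRIPT%"
echo Press Ctrl+C now if disk %~1 is NOT your storage device.
pause

diskpart /s "%DP_SCRIPT%"
```

The closing detail disk line prints the volumes on the selected disk with their drive letters, which is the same check step 10 of Working with WinFE does by hand in Explorer++.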

4. Let's get the menu system up and running.  Download PStart.

5. ***Optional*** I had a spare 4GB USB drive lying around and decided to use that and install PStart to it.  My reasoning was an attempt at keeping things in order.  No other purpose than that.

6. The winFE disc, when booted, will be “X:\”, so we will have to make sure that when we install the programs we give them the right drive letter to run from.

7. ***Optional*** I installed PStart to my 4GB USB drive.  If you have an SD card that is fine too, or use your OS c:\.  Additionally, if you don't have any issues with permissions, you could just install right to c:\winFE\mount\ -or- c:\winFE\mount\t0olz

8. ***Optional*** I decided to change the drive letter of my 4GB USB drive to “x:\”, just like the winFE disc.  This can be done under Computer Management.

9. Let's download Notepad++ Portable and install it to get it working in our winFE and PStart.

10. Install Notepad++ and copy the contents to the winFE tools area.
 

11. Start PStart by executing the .exe file.  The window will appear, but of course your menu screen will be blank.  Right-click in the blank area and select Add group…


12.  Call it Office or whatever.
13.  Right-click on the Office folder and select Add file…
14. Locate Notepad++Portable.exe under c:\winFE\mount\tools\Notepad++Portable, or wherever you installed it on the mounted winFE image, and select Open.



15.  Change the application path to x:\<wherever it is installed in the winFE directory structure> –> OK
The icon won't appear, because x:\ doesn't exist until winFE is run.  Sometimes a folder icon doesn't appear either; that can be downloaded as well and added later.  It's possible that it would also work without the x:\, but I haven't tried.


16. This step can be repeated to add additional programs.  If the purpose of winFE is to take forensic images, it would be good to install FTK Imager Lite to the winFE tools area.  Remember to copy c:\windows\system32\oledlg.dll to c:\winFE\mount\windows\system32\ (Props to Brett Shavers)

When I added FTK Imager Lite I still had to add the following files.
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll

Also, you might want to load Colin's Write Protect application.  This will aid in making hard drives online and writable, like your storage device.  It takes the place of diskpart.  Update 4 Jan 13: I don't know that it's a full replacement for diskpart.  The issue with Win7 installations is that a 100MB System Reserved partition is created by default, and when you tell WProtect to read-only and mount, it just mounts the first partition.  This is only relevant if you're thinking about using RegRipper to get information from it.  It is not an issue with FTK Imager because you're probably imaging the physical drive anyway.

The other additional program I thought nice to have was an Explorer like program.  I chose Explorer++.

17. Let's make PStart start automatically when winFE starts.

18. Locate the file c:\winFE\mount\windows\system32\startnet.cmd

19. Edit the file with Notepad or a similar program.  It already contains wpeinit; add the start line after it so the file reads:
wpeinit
start x:\PStart.exe

20. “start x:\PStart.exe” will launch the program and move on to the next command.  Make sure your PStart location is correct under c:\winFE\mount.

21. Many other automated programs may be run from this location.

22. When finished, if you used a thumb drive to organize your tools, copy its root contents over to the root of c:\winFE\mount\.   Copy the t0olz contents, if used, to c:\winFE\mount\t0olz\

23. If you've finished adding additional programs, let's complete the image.  Make sure you exit out of any programs that are accessing c:\winFE.  This includes shutting PStart off; it might still be active in your icon tray.  If you make a mistake, go back up to step 1 and fix it using the special note.

dism /unmount-wim /mountdir:c:\winFE\mount /commit

24. Copy the boot image over.

copy c:\winfe\winpe.wim c:\winfe\iso\sources\boot.wim /Y

25. I had an issue where oscdimg.exe could not be located.  In case you come across this also, it's found under \program files\windows aik\tools\x86

cd "c:\Program Files\Windows AIK\Tools\x86"

oscdimg -n -bc:\winFE\etfsboot.com c:\winFE\ISO c:\winFE\winFE.iso

Received an error because the image exceeds the allowable size for a CD (but not a DVD).  Change the command to:
***NOTE: XX means increment the number for each .iso file you create.***

oscdimg -m -n -bc:\winFE\etfsboot.com c:\winFE\ISO c:\winFE\winFEXX.iso

26. Boot using VMware etc or burn to DVD for testing.

Working with WinFE


This is a continuation from Editing Existing WinFE.
***ENSURE BIOS BOOTS FROM CD/DVD***
1.  Attach a storage device to the target system; it will be used to store your forensic image.
2.  I attached a 64GB thumb drive to take an image of a 60GB operating system hard drive.  This is just a simulation.
3. Set the bios to boot from cd/dvd.
4. Started winFE. Since we told Pstart to load automatically it should have opened up.  Your background will be different.


6. Open WProtect.exe



7.  What you will notice is that the operating system hard drive appears as mounted and not read-only.  From all I can tell this isn't an issue, because we applied Troy's registry hacks to prevent writes to it.  To make sure, we should set it properly: highlight the OS drive and select Dismount.  Now select Read-only.


8. Don't worry, FTK Imager will still be able to see it.

9. Hopefully your storage device is already formatted.  We need to make it writable.  Select your storage device --> Read/Write --> Mount


10. Open Explorer++ and make sure you can see the storage device.  Take note of the drive letter.


11.  Now open FTK Imager.  Add the OS drive.


12. Add the drive letter for the destination.  Add an image file name.


13. Start the imaging.



14. After FTK Imager verifies the image you can power off the system.