
Is WinFE Forensically Sound?


36 replies to this topic

#26 Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location: The Outside of the Asylum (gate is closed)
  • Italy

Posted 30 September 2013 - 09:42 AM

Good :).

So we can draw a line between WinFE 3.x and both WinFE 4.x and 5.x. :thumbsup:

I have some doubts about calling a Windows PE built from 8.1 sources a WinPE 5.x or more properly a WinPE 4.1, however. :dubbio:

 

To go back to the "probability trap" I made earlier it is time to explain what it was.

 

The calculation made to reduce the number of possibilities from 1:4294967295 to 1:65535 is completely m00t :w00t: :ph34r:. IF (but unfortunately it is not the case :() all signatures were actually of the type ABAB, or even "only" of the type ABCB, it would follow that a signature manually made of the type ABCD (like 01020304 or 0C0D000B or A00CD2FE) would have 0 (zero) probability of a collision, as all automated disk signatures would have a "pattern" that our manually made signature avoids.

The fact that these patterns, though not compulsory, have been observed on a large enough number of occasions effectively decreases the probability of a collision anyway, i.e. the 4294967295 is a number estimated (largely) by defect ;).

 

 

:cheers:

Wonko



#27 misty

    Gold Member

  • Developer
  • 1066 posts
  • United Kingdom

Posted 30 September 2013 - 04:43 PM

Please see http://mistype.reboo...WinFE/winfe.htm for a draft of my results.
 
This link will be changed soon as Nuno has kindly granted a(nother) subdomain request.
 
Regards,
 
Misty
 
P.s. @Wonko - I'll respond to your message later - time is short. Thanks for all the homework - I've had fun!

#28 misty

    Gold Member

  • Developer
  • 1066 posts
  • United Kingdom

Posted 30 September 2013 - 10:20 PM

AFAICR it is not a "fixed" position, but I may well be wrong, it is a lot of time I don't check .VDI images ...

@Wonko
Thanks for the information about .vdi files (see post #24). Sadly this was not required as VirtualBox portable was unable to boot a WinPE 5.0 based image. I tested a number of virtual solutions and the only one that booted WinPE 5.0 on my system was VMwarePlayer. Not the most intuitive of software, but it worked. As an added bonus the MBR was contained in the first sector of the .vmdk file.

Slightly off topic -

... I have some doubts about calling a Windows PE built from 8.1 sources a WinPE 5.x or more properly a WinPE 4.1...

I agree. In tests both versions appeared almost identical.
 

... To go back to the "probability trap" I made earlier it is time to explain what it was.

The calculation made to reduce the number of possibilities from 1:4294967295 to 1:65535 is completely m00t ...etc...

No wonder I didn't notice. Due to a current sleep deprived state if anyone starts talking mathematics my brain simply switches off! Your post also mentioned -

The only cases ever recorded of a collision have been related to the accidental connection/mount of a cloned disk (or disk image)

I personally came across this on one occasion after mounting a disk image to a running Windows XP that was using the very same disk image and was booted from RAM (firadisk). I really should pay attention to what I'm doing some times!

Regards,

Misty

P.s. I hope you enjoyed the draft I put together. Thanks for all of the help and encouragement - I doubt it would have happened without you cracking the whip!

#29 Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location: The Outside of the Asylum (gate is closed)
  • Italy

Posted 01 October 2013 - 07:12 AM

P.s. I hope you enjoyed the draft I put together. Thanks for all of the help and encouragement - I doubt it would have happened without you cracking the whip!

Yep, very nice :), though I object to the "cracking of the whip" :w00t:, I merely kept the rhythm for you on the drum ;) and you rowed (fine BTW) as a free man; we are not (yet) in medieval times, at the very most you could be defined as a "business associate who didn't read the contract very well" :whistling: :

http://tvtropes.org/...ain/GalleySlave

 

I am actually working (though with a low-low priority level) on the little grub4dos batch to check the presence of Disk Signature.

 

:cheers:

Wonko



#30 misty

    Gold Member

  • Developer
  • 1066 posts
  • United Kingdom

Posted 01 October 2013 - 09:37 PM

I am actually working (though with a low-low priority level) on the little grub4dos batch to check the presence of Disk Signature.


I'll look forward to it.

@everyone
Link updated in my previous post (#27) and documentation partially rewritten.

Regards

Misty

#31 Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location: The Outside of the Asylum (gate is closed)
  • Italy

Posted 02 October 2013 - 01:24 PM

I'll look forward to it.
 

Usual bunch of half-@§§ed grub4dos batches attached.

 

As usual, no particular howto's, help files and not even basic instructions, this is stuff that - not only in this preliminary stage - is reserved to people knowing where their towel is.

Files in the archive:

  • chkdsig.g4b <- check disk signature - this will check the Disk signatures of first ten disks, i.e. (hd0) to (hd9) looking for a disk with an "All zero" Disk Signature, allowing user to change it
  • zerods.g4b <- zero disk signature - this will write a disk signature made of all zeroes to the chosen disk MBR
  • zeromb.g4b <- zero magic bytes - this will write 00 00 as "Magic Bytes" to the chosen disk MBR
  • 55AAmb.g4b <- 55AA magic bytes - this will write 55 AA as "Magic Bytes" to the chosen disk MBR

 

 

You can easily botch a hard disk MBR using these, so be careful, do not come here whining about it :ph34r:, you have been warned.

 

:cheers:

Wonko 




#32 misty

    Gold Member

  • Developer
  • 1066 posts
  • United Kingdom

Posted 02 October 2013 - 10:16 PM

Cheers Wonko.

 

I doubt if I'll get the chance to test these scripts until the weekend as I need to set up a new VM (thanks to your warnings) and figure out how to use a grub4dos batch - I'm still using Grub4dos version 0.4.4!

 

Never saw the need to upgrade before and haven't played with Grub4dos in years - despite it being something I use every day.



#33 misty

    Gold Member

  • Developer
  • 1066 posts
  • United Kingdom

Posted 02 October 2013 - 10:25 PM

P.s. Is the "half-@§§ed" comment a reference of sorts to a former legend of the PE community - Frodo?

#34 Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location: The Outside of the Asylum (gate is closed)
  • Italy

Posted 04 October 2013 - 03:23 PM

P.s. Is the "half-@§§ed" comment a reference of sorts to a former legend of the PE community - Frodo?

Yep :thumbsup: he initially invented the attribute for some of his own contributions, and I find it an extremely polite way to describe most of my own little scripts/batches :smiling9:, conveying at the same time how they are not pretending in any way to be "well written" or sophisticated, nor to be the "ultimate answer" to any question/issue, but only the simplest, primitive (though effective - in the right hands ;)) tools to solve a (usually very specific) issue.

 

Among the non-written things is that those batches are intended to be used on newer grub4dos releases, and namely were (briefly) tested on the currently "featured" 0.4.5c version of grub4dos, i.e. the 2013-03-03 version:

https://code.google....-03.7z&can=2&q=

 

:cheers:

Wonko



#35 misty

    Gold Member

  • Developer
  • 1066 posts
  • United Kingdom

Posted 04 October 2013 - 04:26 PM

Among the non-written things is that those batches are intended to be used on newer grub4dos releases, and namely were (briefly) tested on the currently "featured" 0.4.5c version of grub4dos, i.e. the 2013-03-03 version:
https://code.google....-03.7z&can=2&q=
 
:cheers:
Wonko

Thanks. I did a very quick test of the disk signature batch yesterday and will test the others soon. I'm now going to be away for the weekend and will have to wait until I get back.

#36 misty

    Gold Member

  • Developer
  • 1066 posts
  • United Kingdom

Posted 08 October 2013 - 08:05 PM

@Wonko
I finally found the time to test the grub4dos batches - in a VM, not on real hardware.

They appear to work as advertised.

1] Firstly I checked the MD5 hash of a disk image with a 00'd signature.

2] I added a disk signature to the disk image (with one of the g4b files) and then booted WinFE. The partition in the image mounted in WinFE 5.0 without any difficulty (something not possible in previous tests). I then checked the MD5 hash - which had, not surprisingly, changed.

3] I then used zerods.g4b to 00 the disk signature and rechecked the MD5 - it was the same as the MD5 hash from step 1.

 

:cheers: 
 



#37 misty

    Gold Member

  • Developer
  • 1066 posts
  • United Kingdom

Posted 05 June 2022 - 07:41 AM

More testing. Results available @ http://winfe.mistypr...winfe_tests.htm

Windows 10 sources tested. Mainly 64-bit - on UEFI and BIOS firmware. 

VMWare Workstation 16 Player used for testing. Whilst it would be useful to test on physical hardware, I have no intention of reproducing the 185 tests. The time required to complete disk checksums twice for each test is impractical.

Tests comprised running each version of WinFE on a virtual system with the following disk images (single disk connected as a SATA type disk for each test) -

  • Disk 1 - Empty disk image - ALL bytes 00
  • Disk 2 - Disk image 1 with magic numbers 55 AA added to offset 0x1FE to 0x1FF
  • Disk 3 - MSDOS installed (single partition - no disk signature)
  • Disk 4 - Disk image 3 with offset 0x1FE to 0x1FF written over with 00
  • Disk 5 - Disk image 1 with one entry manually added to the partition table

The main finding is that WinFE 5.x and 10.x created a disk signature at offset 0x1B8 on Disk 1. No disk signature was created on any of the other disks.

Feedback welcome.

:cheers:

Misty
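An added, in-memory Python example (not code from the thread, nor from grub4dos or WinFE) that ties the technical pieces of this thread together: the MBR fields that Wonko's batches in post #31 read and write (disk signature at 0x1B8, magic bytes at 0x1FE), the ABAB/ABCB/ABCD byte patterns of post #26 (read here as patterns over the four stored bytes, which is an assumption), Misty's hash-before-and-after check from post #36, and constructed stand-ins for the five test images of post #37. Image contents, the sample signature A0 0C D2 FE and all function names are assumptions; the script never opens a real device, so it can be run anywhere without the risk Wonko warns about.

```python
"""In-memory MBR inspection and before/after image comparison (added example)."""
import hashlib
import struct

SECTOR = 512
SIG_OFF = 0x1B8          # 4-byte NT disk signature, stored little-endian
PT_OFF = 0x1BE           # four 16-byte partition table entries
MAGIC_OFF = 0x1FE        # "magic bytes" 55 AA at the end of sector 0
IMAGE_SIZE = 64 * SECTOR  # constructed toy image size; real images are far larger


def mbr_fields(image: bytes) -> dict:
    """Parse the fields of sector 0 that the thread discusses."""
    mbr = image[:SECTOR]
    partitions = []
    for i in range(4):
        entry = mbr[PT_OFF + 16 * i:PT_OFF + 16 * (i + 1)]
        if any(entry):  # an all-zero entry is an unused slot
            lba_start, sectors = struct.unpack_from("<II", entry, 8)
            partitions.append({"type": entry[4], "lba_start": lba_start, "sectors": sectors})
    return {
        "disk_signature": struct.unpack_from("<I", mbr, SIG_OFF)[0],
        "signature_bytes": mbr[SIG_OFF:SIG_OFF + 4],
        "magic_bytes": mbr[MAGIC_OFF:MAGIC_OFF + 2],
        "partitions": partitions,
    }


def signature_pattern(sig_bytes: bytes) -> str:
    """Classify the four stored bytes the way post #26 does (assumed: A, B, C, D are bytes)."""
    b0, b1, b2, b3 = sig_bytes
    if not any(sig_bytes):
        return "zero"
    if b0 == b2 and b1 == b3:
        return "ABAB"
    if b1 == b3:
        return "ABCB"
    if len(set(sig_bytes)) == 4:
        return "ABCD"
    return "other"


def with_disk_signature(image: bytes, sig: int) -> bytes:
    """Copy with the signature at 0x1B8 replaced; sig=0 mirrors what zerods.g4b does."""
    buf = bytearray(image)
    struct.pack_into("<I", buf, SIG_OFF, sig)
    return bytes(buf)


def with_magic_bytes(image: bytes, magic: bytes) -> bytes:
    """Copy with the bytes at 0x1FE replaced; 00 00 mirrors zeromb.g4b, 55 AA mirrors 55AAmb.g4b."""
    buf = bytearray(image)
    buf[MAGIC_OFF:MAGIC_OFF + 2] = magic
    return bytes(buf)


def build_test_disks() -> dict:
    """Constructed stand-ins for the five disk images of post #37."""
    # One bootable entry: flag 0x80, CHS fields zero, type 0x06, LBA 1 to end of the toy image.
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x06, b"\0\0\0", 1, IMAGE_SIZE // SECTOR - 1)
    disk1 = bytes(IMAGE_SIZE)
    buf = bytearray(disk1)
    buf[PT_OFF:PT_OFF + 16] = entry
    disk5 = bytes(buf)                        # one partition entry, nothing else
    buf[0:3] = b"\xEB\x3C\x90"                # constructed stand-in for MBR boot code
    buf[SECTOR:SECTOR + 8] = b"MSDOS   "      # constructed stand-in for OS data past sector 0
    disk3 = with_magic_bytes(bytes(buf), b"\x55\xAA")
    return {
        "disk1": disk1,                                 # all bytes 00
        "disk2": with_magic_bytes(disk1, b"\x55\xAA"),  # magic bytes only
        "disk3": disk3,                                 # "OS installed", no signature
        "disk4": with_magic_bytes(disk3, b"\x00\x00"),  # disk3 with magic bytes zeroed
        "disk5": disk5,                                 # one partition entry, no magic bytes
    }


def md5_hex(image: bytes) -> str:
    return hashlib.md5(image).hexdigest()


def compare_images(before: bytes, after: bytes) -> dict:
    """Steps 1-3 of post #36: hash both states and locate every byte that differs."""
    if len(before) != len(after):
        raise ValueError("images differ in size; compare whole images only")
    changed = [i for i in range(len(before)) if before[i] != after[i]]
    sig_range = set(range(SIG_OFF, SIG_OFF + 4))
    return {
        "md5_before": md5_hex(before),
        "md5_after": md5_hex(after),
        "identical": not changed,
        "changed_offsets": changed,
        "only_signature_touched": bool(changed) and set(changed) <= sig_range,
    }


def run_procedure(sig: int = 0xFED20CA0) -> dict:
    """Replay Misty's three steps on disk 1 with a constructed ABCD-type signature (A0 0C D2 FE)."""
    step1 = build_test_disks()["disk1"]
    step2 = with_disk_signature(step1, sig)   # adding a signature with a g4b batch
    step3 = with_disk_signature(step2, 0)     # zerods.g4b
    added, restored = compare_images(step1, step2), compare_images(step1, step3)
    return {
        "pattern": signature_pattern(mbr_fields(step2)["signature_bytes"]),
        "added_changed_offsets": added["changed_offsets"],
        "added_only_signature_touched": added["only_signature_touched"],
        "restored_matches_step1": restored["identical"],
    }


if __name__ == "__main__":
    for name, image in build_test_disks().items():
        f = mbr_fields(image)
        print(name, f["signature_bytes"].hex(), signature_pattern(f["signature_bytes"]),
              f["magic_bytes"].hex(), len(f["partitions"]), "partition(s)")
    print(run_procedure())
```

The useful output of `compare_images` is not the hash mismatch itself but `changed_offsets`: on a real before/after pair of images it tells you whether the boot environment touched only the four signature bytes (the behaviour Misty observed on Disk 1) or wrote elsewhere on the disk as well, which is the question "forensically sound?" actually turns on.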
