It’s time to build your WinFE!


71 replies to this topic

#1 bshavers

bshavers

    Frequent Member

  • Developer
  • 140 posts
  •  
    United States

Posted 15 January 2011 - 10:45 PM

You can now download the WinFE WinBuilder.  Thanks to everyone that helped support this effort, it was well worth it.

Before you put this off any longer, download the WinFE WinBuilder and try out the Windows Forensic Environment.  As to a guide on how to use WinFE, it probably isn’t really needed since WinFE is simply a forensic boot disc.  So, you might not need any help in putting WinFE to good use.  However…there may be a few things you didn’t know you could do with WinFE that could be of interest.   Since that might be the case, here is a quick guide on tips on using WinFE as well as tips for building with WinBuilder.  UsersGuidetoWinFE

For support on how to use WinBuilder (troubleshooting, advanced features), check out the WinBuilder website at http://reboot.pro.

To reiterate some points about WinFE (and to hopefully prevent ‘hate mail’ coming to me from commercial products…), WinFE is an addition to your forensic toolkit. It doesn’t replace any tools, only supplements what you are using anyway.   Commercial products that do the same thing that WinFE does work too, keep buying those if you want, you don’t have to use WinFE.  And for the Linux lovers out there (Hey, I’m one of you guys too!), there is time and place for everything, sometimes WinFE is best, another time CAINE or DEFT or ???*nix may be best.

As far as anyone making a profit out of WinFE, no need to ask, because no one is;  it is a community project of customizing a Windows PE to fit your needs.

And yes, there are even some more neat things to be added to WinFE in the future…but as of now, you have access to a solid forensic environment.


#2 TheHive

TheHive

    Platinum Member

  • .script developer
  • 4199 posts

Posted 16 January 2011 - 09:45 AM

Like the Screenshot you posted and the idea for the project.

One error during test build
DirCopy - Failed to copy directory [*] to: [%BaseDir%\Workbench\Common\AccessData\FTK Imager]: + s

Attached File  Build Stoped.jpg   89.98KB   105 downloads
Attached File  log.zip   158.2KB   15 downloads

#3 ChrisR

ChrisR

    Silver Member

  • .script developer
  • 784 posts
  •  
    France

Posted 16 January 2011 - 04:57 PM

it's a shame ;)

WinFE is just a copy of Win7PE_SE with just one extra script "WinFE_Win7pe_SEx64x86_v1_ (PublicRelease)" for forensic Environment :hi: .

The error described by TheHive is produced besides by this script.

No reference to Win7PE_SE or thanks given to Yahoouk's, JFX and Me on Reboot.pro or on the Windows Forensic Environment site.

The least of things would have been asked permission, or to deliver just the script and give a link to Win7PE_SE.
It will always have a time lag with the updates.

Or then explains us the difference !!!!!!

Ashamed


#4 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 16 January 2011 - 05:48 PM

> One error during test build

You need to install FTK imager on your system before running the project: http://accessdata.co...port/adownloads (freeware tool)

> WinFE is just a copy of Win7PE_SE

It is used as base, having in mind to provide specific features that suit the forensic analysis community.

Keep in mind that this is the first release. Many details will need to be addressed as you mention. So, please do refrain the animosity on your comments and help to point credits where due.

Thanks.

#5 ChrisR

ChrisR

    Silver Member

  • .script developer
  • 784 posts
  •  
    France

Posted 16 January 2011 - 05:59 PM

This is great for the forensic environment but courtesy want :
just asked,
give the reference source,
some thanks.

published as, It will always have a time lag with the updates and corrections of Win7PE_SE.

#6 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 16 January 2011 - 06:02 PM

> It is used as base, having in mind to provide specific features that suit the forensic analysis community.
>
> Keep in mind that this is the first release. Many details will need to be addressed as you mention. So, please do refrain the animosity on your comments.

Is there a line drawn somewhere between "base" and "plagiarism"? :hi:

IMHO mentioning the contributors of the "base" would have been nice.

The generic:

> Thanks to everyone that helped support this effort, it was well worth it.

seems a lot like bshavers is the Author of the project and some peeps around helped him a bit.

A sentence like:

I adapted an existing project, Win7PE_SE, adding to it:

  • FTK Imager
  • ...
  • ...
and making a few mods to it to make it suitable as portable forensic environment.

would have sounded MUCH better to me.


;)
Wonko

#7 ChrisR

ChrisR

    Silver Member

  • .script developer
  • 784 posts
  •  
    France

Posted 16 January 2011 - 06:06 PM

Thank you Wonko, that's what I think.

Failing to have asked, thank you to update accordingly, in Forensic site also.

#8 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 16 January 2011 - 06:26 PM

You see: Plenty of things to correct. (as usual on a first release)

What I really don't like seeing are aggressive postings. If something needs to be clarified, better do it over personal message than starting to flame other people for something that clearly needs to be added.

Derivative projects for a specific purpose are not new.

The point is creating a distribution more suited to forensic analysis using a Windows PE. It could have been any other PE project used as base and Win7PE was chosen.

In the future, it should remain using the more recent Win7PE versions as they become available or even switch to other projects if deemed necessary.

#9 al_jo

al_jo

    Gold Member

  • Members
  • 1218 posts
  • Location:Tellus

Posted 16 January 2011 - 07:00 PM

Think I stick to ChrisR’s original project because my 3 administrators don’t want me to install the "FTK imager" in my home, office or business computers (they are all in one place).

Btw…the 3 administrators is: Me, Myself & I :hi:

#10 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 16 January 2011 - 07:14 PM

Can we please get back on topic?

This is not a competition. As mentioned before, it is built using Win7PE as base and if you could test the project to provide feedback, that would be nice.

#11 al_jo

al_jo

    Gold Member

  • Members
  • 1218 posts
  • Location:Tellus

Posted 16 January 2011 - 07:22 PM

Why did “somebody” remove this post? Dictatorship? ;)

I'm quoting:

“Think I stick to ChrisR’s original project because my 3 administrators don’t want me to install
The FTK imager in my home, office or business computers (they are all in one place).

Btw…the 3 administrators is: Me, Myself & I” :hi:

#12 Shirin Zaban

Shirin Zaban

    Frequent Member

  • Tutorial Writer
  • 423 posts
  • Location:Tehran
  • Interests:1_Making Unattended and Customized XP<br /><br />2_Making different types of Bootable and Multiboot CD/DVD<br /><br />3_Like to learn more about grub and grub4DOS
  •  
    Iran

Posted 16 January 2011 - 10:06 PM

After 2 hours trying to see what is new: always get the same error as post #2 just after disabling (WinFE_Win7pe_SEx64x86_v1_(PublicRelease).script). The builder works normally, so something is wrong with this script. Maybe if you give another download link (for just this script) that will solve the problem. shirin zaban
  • S.M.P likes this

#13 TheHive

TheHive

    Platinum Member

  • .script developer
  • 4199 posts

Posted 16 January 2011 - 11:57 PM

> You need to install FTK imager on your system before running the project: http://accessdata.co...port/adownloads (freeware tool)
>
> Thanks.


Downloaded the AccessData%20FTK%20Imager.exe

FTK Imager
FTK Imager version 3.0
Release Date:June 1, 2010
Release Date: October 8, 2010
MD5: 791d79866c1ef8aa823f1a3938353c0a

NOTE: Full version – installation required


Installed it and then reran the project. Built fine after that.
Can't the AccessData files be embedded into a script? Good Adapted Project.
Attached File  WinFE.jpg   45.96KB   79 downloads

I would not call it a Plagiarism project since the names of the original scripts are still there and the final project is being posted here in the forum so that it might help others. Thanks for the effort put into it.

#14 balzanto

balzanto
  • Members
  • 5 posts
  •  
    United States

Posted 17 January 2011 - 01:34 AM

Yes, the rest of the WinFE build is Win7PE_SE and yes, credit should be given where due. I don't think Access Data's FTK Imager can be imbedded in the script due to the licensing. The product is not open source and each user has to agree to the licensing terms.

WinFE is just the one script that makes two modifications to the registry. These were first published by Mr. Troy Larson of Microsoft back in 2008 and WinFE has been quite slow to be utilized by the forensic community. The greatly enhanced features and ease of customization of the WinBuilder builds, I believe, will help move this very useful tool out of the unknown.

Prior to this script being released I was using the Win7PE_SE WinBuilder to create my own PE by going back in and making the registry modifications. From me, I greatly thank those who have developed these builders. Prior to finding WinBuilder (now Reboot), I was creating a WinFE with the AIK. WinBuilder has dramatically reduced the time it takes and has moved me forward in the features and options I am able to offer the task force investigators I work with. The builds you provide are of tremendous use and benefit and for that, you have our thanks, appreciation and gratitude.

#15 sbaeder

sbaeder

    Gold Member

  • .script developer
  • 1338 posts
  • Location:usa - massachusettes
  •  
    United States

Posted 17 January 2011 - 02:26 AM

> Yes, the rest of the WinFE build is Win7PE_SE and yes, credit should be given where due. I don't think Access Data's FTK Imager can be imbedded in the script due to the licensing. The product is not open source and each user has to agree to the licensing terms.

embedded :smiling9: But, in these cases, the script could (should?) do the checking on if it is installed, and provide a means to download and maybe even install it.

Another "trick" that can be used here is to do a "link" project, where the additions are clear, and it "links" to the other project, allowing the "base" (in this case) to move forward in an independent manner...

BUT as Nuno also said, It is a first attempt, The concept is a good one - i.e. make modifications so that the disks don't automount, and provide a tool like FTK.

So, Concept ==GOOD...but room for improvement if it's to be a fully stand-alone project.

For example, many of the configuration type things should be on the main configuration script UI, and FTK could be an app script on its own...That could make it a lot cleaner...Also, does it need all the tools and add ons selected by default?

But good start...now let's figure out where it really wants to differentiate itself!
Scott

#16 ChrisR

ChrisR

    Silver Member

  • .script developer
  • 784 posts
  •  
    France

Posted 17 January 2011 - 09:38 AM

Brett contacted me by mail to explain us about the reference to Win7PE_SE not mentioned.

He added this on http://winfe.wordpress.com/ to clarify.

> This project uses the project Win7PE_SE as Base building, thank’s to ChrisR for his great work ( Win7PE_SE http://reboot.pro/12427/). Also, thanks to the older Administrators and Yahoouk JFX with the Win7PE project on which this WinFE WinBuilder is based.

That seemed normal, good continuation to WinFE.


#17 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 17 January 2011 - 10:24 AM

Wonko approves of this. :smiling9:

Still a question remains unanswered (maybe because not even asked ;)).

If I get it right (and I am NOT going to download TWO times 75 Mb of data to check), at the moment the WinFE is an actual Win7PE_SE with a few .scripts added to it.

In other words it is a "monolithic" fork of Win7PE_SE with added functionalities.

This besides "forcing" users of both projects to download fundamentally TWO times largely the same things, poses a small problem of "synchronization".

I mean, when ChrisR or the other good guys that maintain Win7PE_SE issue a new release (possibly a bugfix - since also Win7PE_SE is still well experimental, AFAIK) will bshavers be able to timely fix as well WinFE ?

Or wouldn't it better to have a "main" project i.e. Win7PE_SE and a "forensics add-on", i.e. WinFE?

You do know how grumpy I can be ;), but in my experience nothing creates more havoc than forks and "versioning" :ranting2: do we really need to help Entropia increase?

If the base project is to be considered "mature" and "stable" this is not a big problem, but since - as seen from the outside - all 7 based PE projects, including Win7PE_SE and Make_PE3, are still experimental and are continuously updated and bettered as I see the problem might exist.

Another difficulty is the intended use of WinFE - which unless I am mistaken - is intended as a tool for professional forensics and as such needs to have some kind of validation performed on it.

The alternative would be to "freeze" the WinFE to a given "base project" Win7PE_SE version.

In any case my personal advice - which as always anyone is free to completely ignore - is that BOTH WinFE and Win7PE_SE - like ALL projects should have IMNSHO, should start having an explicit version number (like current Win7PE_SE_2010_12_10 has :thumbsup: ) AND a History of changes/additions/whatever in the various releases.

:cheers:
Wonko

#18 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 17 January 2011 - 10:49 AM

> This besides "forcing" users of both projects to download fundamentally TWO times largely the same things, poses a small problem of "synchronization".

Yes.

And "forcing" users to download a given project and then adding the scripts poses a bigger problem of "synchronization" since we'd have to remember that incompatibilities would rise between the forensic scripts and the project used as base.

This monolithic package ensures that scripts were tested on a given project and even doing so, we already see enough reports of details in need of addressing.

Nevertheless, the standalone scripts are also planned to be made available within a while.

#19 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 17 January 2011 - 11:02 AM

> And "forcing" users to download a given project and then adding the scripts poses a bigger problem of "synchronization" since we'd have to remember that incompatibilities would rise between the forensic scripts and the project used as base.

Good. :cheers:

> This monolithic package ensures that scripts were tested on a given project and even doing so, we already see enough reports of details in need of addressing.

Oh-oh ;) : logical inconsistency detected :smiling9::
if the "frozen", "monolithic" project was tested and still has to be fixed it should mean that has not been tested adequately...

Another reason to call it 0.something or "Beta" or "RC1".

> Nevertheless, the standalone scripts are also planned to be made available within a while.

Good. :ranting2:

OT, but not much, and just out of curiosity ;) , is actually bshavers the "only" Author :worship: or are you a co-Author/Contributor? :thumbsup:

As always - seen from the outside - it seems "queer" to me that the "base" project is hosted on mediafire.com and has not its own dedicated Forum, whilst the "derivative" one has a dedicated Forum and is hosted directly on reboot.pro.... :unsure:

:cheers:
Wonko

#20 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 17 January 2011 - 11:37 AM

> if the "frozen", "monolithic" project was tested and still has to be fixed it should mean that has not been tested adequately...

Yes, would be nice to have a more thorough testing platform and resources. However, this is a project made by humans on a volunteer basis and it will be improved as time moves forward.

I know you guys from Vulcan are perfect, do bear with us humans.

> are you a co-Author/Contributor?

I help with the testing and feedback. There was an announcement some weeks ago asking for beta testers. (http://reboot.pro/13393/)

> it seems "queer" to me that the "base" project is hosted on mediafire.com and has not its own dedicated Forum

Yes, I also share your opinion about the "base" project.

#21 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 17 January 2011 - 12:25 PM

> I know you guys from Vulcan are perfect, do bear with us humans.

You got it wrong ;) , I'm only partially of Vulcan origins.
The small amount of Vulcan blood in my veins only allows me to have better logic processes than most humans, but I'm still fallible. :smiling9:
Let's say that there are greater than average chances that I am right .... at an estimated probability level of 97.42% last time it was computed ;) - though this is a cumulative figure that fails to take into account the contributions of crystal ball (when properly tuned) Tarots and I-Ching, which may be substantial :thumbsup:.

:cheers:
Wonko

#22 ChrisR

ChrisR

    Silver Member

  • .script developer
  • 784 posts
  •  
    France

Posted 17 January 2011 - 07:30 PM

For Information, an update of the project Win7Pe_Se was released today with some fixes and additions, it should not change the functioning of the script for the WinFE forensic environment.

It would be good if AccessData files were included as attachment in the project (to see the license issue) to ensure proper building from the first shot.
;)

#23 Rubicante Van Dyne

Rubicante Van Dyne
  • Members
  • 1 posts

Posted 17 January 2011 - 10:09 PM

> You see: Plenty of things to correct. (as usual on a first release)
>
> What I really don't like seeing are aggressive postings. If something needs to be clarified, better do it over personal message than starting to flame other people for something that clearly needs to be added.
>
> Derivative projects for a specific purpose are not new.


100% agreed. Reading the first few posts of this topic made me extremely unsympathetic to those crying over credit. Not something I'd expect from people on a forum who are essentially giving this stuff away anyway. I know I wouldn't have the time nor the incentive to track down who made what in order to credit them. "It's nice" is about all that can be objectively said about it. Somebody did something wrong on the Internet, oh no. As others have posted, give it time, others are here for that reason, to point out things that will give a project more credibility ...not flame the OP over it.

> it's a shame ;)


No it's not, not everybody cares about who made it. There is no i in team, these are community projects not some high school essay. Egos should be checked at the door when it comes to community collaboration and openly giving away stuff you made for free.

#24 MB_75

MB_75

    Newbie

  • Members
  • 16 posts
  • Location:Centurion
  •  
    South Africa

Posted 18 January 2011 - 10:50 AM

> You can now download the WinFE WinBuilder. Thanks to everyone that helped support this effort, it was well worth it.
>
> Before you put this off any longer, download the WinFE WinBuilder and try out the Windows Forensic Environment. As to a guide on how to use WinFE, it probably isn’t really needed since WinFE is simply a forensic boot disc. So, you might not need any help in putting WinFE to good use. However…there may be a few things you didn’t know you could do with WinFE that could be of interest. Since that might be the case, here is a quick guide on tips on using WinFE as well as tips for building with WinBuilder. UsersGuidetoWinFE
>
> For support on how to use WinBuilder (troubleshooting, advanced features), check out the WinBuilder website at http://reboot.pro.
>
> To reiterate some points about WinFE (and to hopefully prevent ‘hate mail’ coming to me from commercial products…), WinFE is an addition to your forensic toolkit. It doesn’t replace any tools, only supplements what you are using anyway. Commercial products that do the same thing that WinFE does work too, keep buying those if you want, you don’t have to use WinFE. And for the Linux lovers out there (Hey, I’m one of you guys too!), there is time and place for everything, sometimes WinFE is best, another time CAINE or DEFT or ???*nix may be best.
>
> As far as anyone making a profit out of WinFE, no need to ask, because no one is; it is a community project of customizing a Windows PE to fit your needs.
>
> And yes, there are even some more neat things to be added to WinFE in the future…but as of now, you have access to a solid forensic environment.



I just would like to say THANK YOU on behalf of bshavers and the other people that would benefit from this "Project". Whether it's a project on its own, filtered from another, we just like to say thanks and also to those that did not add their names in the scripts and worked behind the scenes to make the Win7PE_SE project possible.

NightMan, YahooUK, Lancelot, JFX, ChrisR, YahooUK, Altorian, Paraglider, Max_Real, Qnx, Pedro Le 15, FxScrpt, BlueLife, Ludovici, Vvurat, Max_Real_Qnx, dera, John Adamopoulos, Nikzzzz, 2aCD, Markus Debus, Holger Kotsch, JonF, Joshua, Homes32, Psc, yamingw, Xplod, booty#1, Rui Paz, RoyM, saydin77, Jon Fleming, Saydin77, Galapo, Nirsoft, NewBSOD, PaPeuser, HighwayStar, Doc, NetFanTom, Peter Schlang, Boot Land community

Regards
;) :cheers: ;) :whistling: :)

#25 MB_75

MB_75

    Newbie

  • Members
  • 16 posts
  • Location:Centurion
  •  
    South Africa

Posted 18 January 2011 - 11:06 AM

> For Information, an update of the project Win7Pe_Se was released today with some fixes and additions, it should not change the functioning of the script for the WinFE forensic environment.
>
> It would be good if AccessData files were included as attachment in the project (to see the license issue) to ensure proper building from the first shot.
:whistling:


Hi,

With the previous mentioning about the double downloading the "same" project, is it not also true for the same project that only got one of two changes and need to download the whole project again... :)

Is it not possible to just add the "changed" scripts and explain what changed in order for the rest of the community to decide if they need the change or not? Sitting here in SA with very limited bandwidth and high prices it would help a lot.

Regards
;)
