
Mini-WinFE

windows forensic environment winfe

34 replies to this topic

#1 misty

misty

    Silver Member

  • Developer
  • 703 posts
  •  
    United Kingdom

Posted 14 October 2013 - 08:53 PM

File Name: Mini-WinFE
File Submitter: misty
File Submitted: 14 Oct 2013
File Updated: 29 Apr 2017
File Category: Projects

This project is based on MistyPE. It's been scaled down and developed specifically for digital forensics acquisitions. Mini-WinFE has been co-developed with Brett Shavers to facilitate a simplified method for building a Windows Forensic Environment (WinFE).

Full documentation is included in the project download and here.

All you require to create a WinFE in a matter of minutes is the Mini-WinFE download, a Windows Source DVD (or mounted disc image) and any of the third party applications you want to include in the build - the WAIK or ADK is not required.

Supported applications include -
  • CloneDisk (included)
  • DMDE (included)
  • Forensic Acquisition Utilities (included)
  • FTK Imager (copied from local install)
  • HWiNFO (included)
  • LinuxReader (downloaded automatically)
  • MW Snap (included)
  • NT Password Edit (included)
  • Opera (included)
  • Sumatra PDF Reader (included)
  • WinHex (copied from local install)
  • X-Ways Forensics (copied from local install)
  • Write Protect Tool (included)
For changelog, see here

Click here to download this file
  • alacran likes this

#2 mhallman

mhallman
  • Members
  • 3 posts
  •  
    United States

Posted 19 October 2013 - 01:11 PM

Can anyone recommend a script and set of steps to add TrueCrypt to this project?  I have tried to use the Truecrypt 7.1a (which is the version that I need) found here on reboot.com.  That script fails with the following warnings:

 

1. unrecognized command: [FRunFromRam, %CheckBox1%]

2. unrecognized command: [Unpack,Files,Truecrypt.7Z,True]

3. unrecognized command: [Add_Shortcut,StartMenu,Security]

 

Thanks in advance for any suggestions.

 

-Mark



#3 misty

Posted 19 October 2013 - 02:59 PM

@mhallman
Please test the following - I've done a quick test and it seems to work in MistyPE. This script isn't ready for release!

Replace the [main] and [process] sections in Elton's script with the following -

[Main]
Title=TrueCrypt 7.1a
Description=Elton's TrueCrypt 7.1a (Version 12) - adapted for MistyPE \ Mini-WinFE
Selected=True
Level=3
Author=Misty
Credits=Elton
Version=1
Date=2013-10-19

[Process]
If,Not,ExistFile,"%Programs%\TrueCrypt\TrueCrypt.exe",Begin
  Echo,"Extracting files from script..."
  If,Not,ExistDir,"%Programs%\TrueCrypt",DirMake,"%Programs%\TrueCrypt"
  ExtractFile,%scriptfile%,Files,TrueCrypt.7z,"%Programs%"
  ShellExecute,Hide,"%Tools%\7z.exe","x #$q%Programs%\TrueCrypt.7z#$q -o#$q%Cache%\Programs\TrueCrypt#$q"
  FileDelete,"%Programs%\TrueCrypt.7z"
End
If,%PROGRAMS.IN.WIM%,Equal,NO,Set,%PATH%,%OutputDir%
If,%PROGRAMS.IN.WIM%,Equal,YES,Set,%PATH%,%TargetDir%
If,Not,ExistDir,"%PATH%\Programs",DirMake,"%PATH%\Programs"
DirMake,"%PATH%\Programs\TrueCrypt"
DirCopy,"%Programs%\TrueCrypt\*.*","%PATH%\Programs\TrueCrypt"

Regards,

Misty

#4 misty

Posted 19 October 2013 - 03:15 PM

You will also need to add the following menu entries to the "Shell.Then.End\BlackBox Lean" script - you can decide where yourself.

NOTE - These are for MistyPE, you will need to adapt them for Mini-WinFE (if memory serves then replace the reference to MistyPE.menu.cmd with MiniWinFE.menu.cmd - use the other entries as a guide).

[PROGRAMS.IN.WIM_MENU]

TXTaddLine,"%OutputDir%\Programs\MistyPE.menu.cmd",IF EXIST #$q%~dp0TrueCrypt\TrueCrypt.exe#$q ECHO [exec] (TrueCrypt) {#$q%~dp0TrueCrypt\TrueCrypt.exe#$q} >> #$q%SYSTEMDRIVE%\Programs\bblean\menu.rc#$q,Append

[BBLEAN_MENU]

If,ExistFile,"%TargetDir%\Programs\TrueCrypt\TrueCrypt.exe",TXTaddLine,"%TargetDir%\Programs\bblean\menu.rc",[exec] (TrueCrypt) {%SYSTEMDRIVE%\Programs\TrueCrypt\TrueCrypt.exe},Append


#5 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13649 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 19 October 2013 - 03:28 PM

Very good :), a post without a link/reference to the original .script (that doesn't work).
A reply as well without a link/reference to the original .script that was modified to work in WinFE/miniWinFE.

Maybe it would be useful (for other readers/members) to specify that you are talking about this .script:
http://reboot.pro/to...-truecrypt-71a/

:cheers:
Wonko

#6 misty

Posted 19 October 2013 - 03:42 PM

Sorry Wonko. :white_flag:

 

I feel well and truly told off - I should know better and will try harder in future. Thanks for saving me the trouble of adding a link :P

 

:cheers:



#7 mhallman

Posted 19 October 2013 - 07:41 PM

I can see my omission could make it hard to provide any support.  Sorry!  I have learned my lesson.

 

Misty,  your updates worked.  I can now run TrueCrypt!!   Thanks for your help.



#8 misty

Posted 23 October 2013 - 07:49 AM

Repacked the Mini-WinFE.zip download using Windows 7 (SP1) built in software - hopefully fixing the issue mentioned here and here.

The previous download was packed using 7-zip. Although the build process was working, the following error message was displayed if the project was unzipped using Windows built in software -

A winpeshl.ini file is present, but no commands were successfully launched. This could be caused by incorrect formatting or an invalid executable name. Please consult the documentation for more information.


Regards

Misty

#9 Blackbeauty

Blackbeauty

    Newbie

  • Members
  • 27 posts
  •  
    India

Posted 02 April 2014 - 05:31 AM

In which language did you develop this project?



#10 misty

Posted 02 April 2014 - 07:36 PM

Hi Blackbeauty,

This is a Winbuilder 082 project. Winbuilder is a scripting environment - the following is from the documentation available here -
 

WinBuilder is a flexible scripting environment that is well suited to building boot disks and other Windows "Pre-installation Environment" (or PE) images. Using special scripts, this program can create different bootable environments based on the source that is used.....


Version 082 is an old version of Winbuilder - the scripting language uses an easy to learn (in my opinion anyway) syntax. A new version, which was introduced last year, uses Java.

Regards,

Misty


Edited by misty, 03 April 2014 - 06:03 PM.
Poor use of the English language

  • Blackbeauty likes this

#11 Wonko the Sane

Posted 03 April 2014 - 10:16 AM

Hmmm. :dubbio:

Let's see if this one "passes through" :unsure: :ph34r:

http://homepage.ntlw...pejorative.html

 

:jaclaz:

 

:duff:

Wonko


  • misty likes this

#12 Blackbeauty

Posted 03 April 2014 - 12:33 PM

Thank you Misty... :) Where can I find documentation for the latest version, which uses Java (you mentioned)?



#13 misty

Posted 03 April 2014 - 06:01 PM

Hmmm. :dubbio:
Let's see if this one "passes through" :unsure: :ph34r:
http://homepage.ntlw...pejorative.html
 
:jaclaz:
 
:duff:
Wonko

Corrected about my use of English (my native tongue) by an Italian - and rightly so! :cheers:

 

Regards,

 

Misty



#14 misty

Posted 03 April 2014 - 06:05 PM

Where can I find documentation for the latest version, which uses Java (you mentioned)?

Hi Blackbeauty,

Sorry to be the bearer of bad news, but as far as I'm aware there isn't any documentation available for the new WinBuilder yet.

Regards,

Misty

#15 Wonko the Sane

Posted 03 April 2014 - 07:43 PM

Corrected about my use of English (my native tongue) by an Italian - and rightly so! :cheers:

The doubt about "passing through" was not addressing you, of course ;).

:duff:

Wonko



#16 Blackbeauty

Posted 04 April 2014 - 05:16 AM

Okay Misty... no problem :)

I want to add a new package to the WinFE... Is it possible with this tool? If possible, then what are the steps I need to go through?



#17 misty

Posted 04 April 2014 - 05:51 AM

@Blackbeauty
By new package, do you mean a program? If so, then it's possible, but you would need to add a new script. There's no guarantee that a program will run in a Windows Preinstallation Environment (including WinFE/Mini-WinFE) so I'd suggest making sure it works (maybe trying to run it as a portable type application) before you go to the effort of creating a script. Dependencies (including file and registry) can be a problem - particularly in such a minimal build like this project. What do you want to add?

Regards,

Misty

#18 Blackbeauty

Posted 07 April 2014 - 05:28 AM

Hi misty,

I tried to add an application (locally developed) to this WinFE by following the steps you provided above for adding TrueCrypt.
But my app is not running properly because of the absence of the HTA package (for HTML Application support). So please let me know if there is any way to add this package to WinFE.
Sorry for the late reply. I was out of station :(
 



#19 misty

Posted 07 April 2014 - 07:26 PM

Hi Blackbeauty,

Mini-WinFE is designed as an easy to use project that can use a variety of source files (Vista/7/8/etc) - this makes it very difficult to add support for individual packages such as the HTA package. To add the HTA package to a Windows 7 based project the WAIK is required. To add the HTA package to a Windows 8 based project the ADK for Windows 8 is required. To add the HTA package to a Windows 8.1 based project a different ADK is required. This not only makes it very difficult to script, it also increases the build times (particularly if the WAIK or ADK needs to be downloaded and installed) and makes the project more difficult to use and less user friendly. Sorry - I'd suggest looking at an alternative project if this is required.

A possible workaround would be to run the project and then download and install the WAIK/ADK - compile boot.wim with HTA support and then replace the boot.wim in the Mini-WinFE cache (created when the project was run earlier) with this new boot.wim. Don't forget to change option 4] Set 'boot.wim' Image Number in the main project script (if required) if you use this approach - the image number will need to be set to 1 for ADK builds and 2 if DVD source files are used. Hope this makes sense.

Regards,

Misty

#20 Blackbeauty

Posted 09 April 2014 - 06:25 AM

Hi Misty,

Thanks for the info. What I have done so far is given below.

I have created a Windows 8 PE using the ADK.

Added the required package (HTA) into it.

Created an ISO image of the PE and mounted it into a virtual drive.

Set the source of WinBuilder as the virtual drive.

Set boot.wim image number to 1.

Then I tried to run the project but the execution fails with the error "A required source file is missing! Are source files present in the following location?"

The log file shows following warnings

1. install.wim is missing from source file

2. etfsboot.com is missing from source

Thanks & Regards
 



#21 misty

Posted 09 April 2014 - 08:00 AM

Hi Blackbeauty,

Here's what I would do for Windows 8.1 PE (WinPE 5.0) - if you are using Windows 8 (WinPE 4.0) then adjust the instructions accordingly. You should be able to adapt the following principle to Windows 7 sources and use the WAIK instead of the ADK.

Firstly, you will need a Windows 8.1 source DVD. Assuming you want to create a 32-bit WinFE, the source DVD will need to be a 32-bit Windows 8.1 DVD.

Run Mini-WinFE as normal with the Windows 8.1 DVD as source. Let's assume the project is being run from the C:\Mini-WinFE directory. After the build has finished you should have cached the required Windows 8.1 dependencies to C:\Mini-WinFE\Projects\cache\sources\x86 (this is from memory - it might be a slightly different path)

Now use the ADK to prepare a new source with the required package(s) (or Optional Components as they are now being referred to). Let's assume that the following directory is used - C:\WinPE_x86. If memory serves the ADK compiled boot.wim can be found in C:\WinPE_x86\media\sources\boot.wim after the build process.

Now replace C:\Mini-WinFE\Projects\cache\sources\x86\boot.wim with C:\WinPE_x86\media\sources\boot.wim.

Use the following project settings -

1] Attempt to use existing cache? to YES
3] WinFE Processor Architecture to x86
4] Set 'boot.wim' Image Number to 1

Rerun the build process.

Fingers crossed it worked!

Regards,

Misty
  • Blackbeauty likes this
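
Posts #19 and #21 both depend on option 4] Set 'boot.wim' Image Number matching the boot.wim that sits in the cache. The following is an added example, not part of the thread or of Mini-WinFE: a Python check that reads the image count and boot index from the WIM header before a rebuild. The function names and the constructed sample headers are assumptions for illustration; the header layout follows Microsoft's published WIM file format.

```python
import struct

WIM_MAGIC = b"MSWIM\x00\x00\x00"
# Start of the fixed WIM header, little-endian, per Microsoft's published WIM
# format: tag, header size, version, flags, chunk size, GUID, part number,
# total parts, image count, three 24-byte resource headers, boot index.
_HEADER = struct.Struct("<8sIIII16sHHI24s24s24sI")


def read_wim_header(path):
    """Return (image_count, boot_index) read from the header of a .wim file."""
    with open(path, "rb") as fh:
        raw = fh.read(_HEADER.size)
    if len(raw) < _HEADER.size:
        raise ValueError(f"{path}: too short to be a WIM file")
    fields = _HEADER.unpack(raw)
    if fields[0] != WIM_MAGIC:
        raise ValueError(f"{path}: missing MSWIM signature")
    return fields[8], fields[12]


def check_image_number(path, image_number):
    """Return a list of problems with the value chosen for option 4]."""
    image_count, boot_index = read_wim_header(path)
    if not 1 <= image_number <= image_count:
        return [f"image {image_number} does not exist; "
                f"boot.wim holds {image_count} image(s)"]
    if boot_index and image_number != boot_index:
        return [f"image {image_number} exists, but the header marks "
                f"image {boot_index} as the bootable one"]
    return []


def make_sample_header(image_count, boot_index):
    """Constructed 208-byte header for the demo; not a usable image."""
    head = _HEADER.pack(WIM_MAGIC, 208, 0x10D00, 0, 0, bytes(16), 1, 1,
                        image_count, bytes(24), bytes(24), bytes(24),
                        boot_index)
    return head.ljust(208, b"\x00")


if __name__ == "__main__":
    import os
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins: an ADK-style file with one image and a
        # DVD-style file with two images, the second flagged bootable.
        samples = {"adk_boot.wim": (1, 1), "dvd_boot.wim": (2, 2)}
        for name, (count, boot) in samples.items():
            wim = os.path.join(tmp, name)
            with open(wim, "wb") as fh:
                fh.write(make_sample_header(count, boot))
            for chosen in (1, 2):
                print(name, "option 4 =", chosen, "->",
                      check_image_number(wim, chosen) or "ok")
```

Pointed at the boot.wim in the project cache after the ADK-built file has been swapped in, an empty list means the chosen image number refers to an image that exists and is the one flagged bootable.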

#22 Blackbeauty

Posted 09 April 2014 - 09:42 AM

Thank you misty.... got it :)



#23 misty

Posted 26 April 2014 - 12:37 PM

Updated the project. Changelog -
  • Added a number of additional options in the core script - these are all enabled by default. The new options will remove a number of unsupported options from the right-click context menu. Thanks to reboot.pro forum member farda for these suggestions.
  • Added "Open with" workaround for WinPE 4.0/5.0. See - http://reboot.pro/to...-in-winpe-4050/
  • WinFE settings are now separate to the Shell script - but are still mandatory. They have been moved to a new script \Programs\0.winfe.script
  • Option to use either SANPolicy 3 or 4 (in new WinFE script) - SANPolicy 3 is automatically used with WinPE 2.*/3.* sources as SANPolicy 4 is only supported in WinPE 4.0/5.0.
  • File dependencies (to be extracted from install.wim or copied from the host Operating System) are handled in one (hidden) script - Core\required.files.script. This will make it simpler to implement any future file dependencies.
  • Added a script to copy files and folders from a local directory - allowing the easy addition of third party files. A menu entry will open the directory these files were copied to.
  • Added Tools\Create USB script - it's now possible to create a MistyPE bootable UFD during the build process. Use with caution - see documentation for more details. Tested with Windows 7 (SP1) and Windows 8.1.
  • Added ADK For Win 8 (and 8.1) scripts. Refer to documents. NOTE - this has only been tested using Windows 7 (SP1) and Windows 8.1.
  • Wallpaper support (.jpg) added for all builds - this feature was not previously working with WinPE 4/5. See Programs\Wallpaper script.
  • Wimlib-ImageX updated to version 1.6.2
  • Added build 6.3.9600 (Windows 8.1 - Final) to the list of tested/working sources.
  • Added the following scripts -
    • WinHex
    • DMDE
    • Opera - 64-bit support added.
    • Keyboardlayouts
  • Included FAU in the download. This is redistributed with the permission of the author (GMG Systems Inc) - refer to the project documentation.
  • Program scripts now contain menu entries - this should make it easier to add new program scripts. Previously all menu entries were contained in the shell script - resulting in multiple script edits for any new programs added.
  • Various tweaks in core script
    • "FileDelete,"%Cache%\temp\*.*" has been added to ensure that cached batch files and .ini files are deleted earlier in the build process. Without this fix there are errors in some very limited circumstances.
    • Added verification check from registry files extracted from boot.wim - only used if the wimlib-imagex checks fail.
  • Script structure has been changed for all Program scripts. Hopefully results in better error checking for any missing files.
  • Browse for folder support is added by individual program scripts even if this option is not selected in the Core script. Resulting in a more modular approach (see "http://reboot.pro/to...ophy-for-winpe/" for the philosophy behind this approach).
  • Documentation updated - added section on using the ADK For Win 8.1.
Regards,

Misty

#24 misty

Posted 04 July 2014 - 05:36 AM

Updated the project. Changelog -
  • SysWOW64 support added when building from Windows 7/7(SP1)/8/8.1/8.1 Update 1 sources (should also work with some Windows Server 2008/2012 sources). The 5-Wow64 script was used as a base to identify file and registry dependencies. Credit therefore goes to everyone involved in the 5-Wow64.script (including JFX, Lancelot, 2aCD, ChrisR and "...to everybody on the BootLand forums for helping on the debugging and improvement of this script."). Select 4] SysWOW64 in the main project script options to add SysWOW64.
  • UEFI support has been added
  • CloneDisk script added
  • Virtual Keyboard (FreeVK) script added
  • A number of changes have been made to the core script - wimlib-imagex now uses file lists when extracting dependencies from install.wim/boot.wim. This significantly improves build time, but has meant that any program scripts containing paths for file dependencies have required editing due to wimlib preserving directory structure (when extracting from file lists)
  • Fixed a bug when x64 local sources are used (in Create a cache from WinRE and the ADK scripts). Due to the way in which SysWOW64 redirects to the \Windows\SysWOW64 directory when running WinBuilder on a 64-bit system the file dependencies were being cached from \Windows\SysWOW64 instead of \Windows\System32
  • Wimlib updated to 1.7.0. The amended update add command significantly reduces build time when the INJECT method is used.
  • Create ISO script updated. It now contains several options including Flat Boot and RAM Boot or multiboot RAM and Flat boot. It's also possible to create a BIOS or UEFI bootable ISO - or BIOS and UEFI bootable
  • Create USB updated to include the option to RAM Boot or Flat Boot or multiboot RAM and Flat boot. UEFI support is also included. This script will not work if running WinBuilder on a Windows 2000/XP/2003 system
  • Create USB (GPT UEFI) script added. This script will not work if running WinBuilder on a Windows 2000/XP/2003 system. Only fixed type disks are supported
  • Added error check to the ADK For Win 8 (and 8.1) scripts - these cannot be executed if running WinBuilder on a Windows 2000/XP/2003 system
  • Project.Settings.ini is added to the build listing all programs and project settings used in the current build
  • Project documentation updated - minor updates throughout and two new sections added (MultiBoot WinPE and UEFI, BIOS, GPT and MBR)
A special thanks to alacran for requesting UEFI and SysWOW64 support in MistyPE and for beta testing and feedback to actually get them working.

Due to the number of changes made in this build it is entirely possible that errors may have unintentionally crept in. Please report any issues (or positive feedback) on the support topic at reboot.pro

Regards

Misty

#25 misty

Posted 26 July 2014 - 06:15 AM

Please do not use a path with apostrophes/single quotes (') in it - e.g. C:\_Forensic_Boot_Disk_ISO's. If you do then the build will appear to complete successfully however the build files will not actually be injected into boot.wim. See http://reboot.pro/to...ot-the-project/ (thanks to seanpowell for bringing this to my attention).

Regards,

Misty




