The recent release of USB malware, in which any USB device is suspected of being infected after being plugged into a machine that may or may not be clean, creates a problem for bootable USB devices in forensic collection. Some of the very scary claims about the USB malware are (http://news.discovery.com/tech/gear-and-gadgets/warning-usb-malware-code-unleashed-141006.htm):
- Alter files from thumb drives
- Redirect Internet traffic
- Tap and spy on USB-enabled smartphones
- Hijack keyboards to type commands
- Potentially inject malicious elements as files are being transferred
That is bad stuff for a forensic bootable USB device. I’ve seen a few suggested solutions to the USB infection issue, but the fastest solution with WinFE is to burn to a CD/DVD instead of making a USB bootable. Problem solved.
Building a WinFE is still very very very very easy. Using the Mini-WinFE build, I just timed creating a WinFE DVD at less than 6 minutes. That was a few minutes with Winbuilder and a few minutes burning the ISO to DVD, while taking my time in the short process. If you haven’t yet built a WinFE, the process is almost completely automated. Just point Winbuilder to your Windows 7/8 source and press go. Less than 5 minutes later, you have a forensically sound, bootable ISO, CD, DVD, or USB.
Granted, creating a WinFE CD/DVD in less than 10 minutes is not going to save you time compared to imaging a removed hard drive using a hardware imaging device. But… if you have LOTS of machines to image, booting the machines to be seized to WinFE most likely will be faster than removing hard drives and sharing hardware imaging devices. And for those pesky drives that won’t come out, WinFE may be a better solution than fighting with an ultralight, can’t-find-the-screws-to-remove-the-darn-hard-drive machine.