Mini-winfe Iso Download

12/24/2021by admin
Views
  1. Mini Winfrey Iso Download Free
  2. Windows 10 Iso Download
  3. Winfe Download
  4. Mini-winfe Iso Download Windows 7
  5. Mini-winfe Iso Download Pc
12,455
From Embeds
Number of Embeds
Actions

Mini-WinFE has been co-developed with Brett Shavers to facilitate a simplified method for building a Windows Forensic Environment (WinFE). Full documentation is included in the project download and here. A possible workaround would be to run the project and then download and install the WAIK/ADK - compile boot.wim with HTA support and then replace the boot.wim in the Mini-WinFE cache (created when the project was run earlier) with this new boot.wim. This build is tentatively called “Mini – WinFE” because it is a super quick method to build a WinFE with. You can have your WinFE.iso completed in about 3 or 4 minutes. From there, you can either put the ISO on a CD or USB. Contact me if you want to be a beta tester and I’ll send the login creds to download the project. It’s a large download (about 500mb) so be patient it can take 10-20 minutes (depending on your internet speed) to download. After downloading burn the bootable Gandalf’s_Win8PE_x86.ISO file to CD, USB or mount the iso.

Downloads
Comments
Likes
Embeds 0
  • Very basic:
    No write-protection of devices
    No Windows Explorer
    - all tools were 3rd party
  • No GUI but could run GUI software (for example FTK Imager or XWF)
  • Windows 8/8.1 WinFE require Windows Assessment and Deployment Kit (Windows ADK)
    http://www.microsoft.com/en-us/download/details.aspx?id=39982&751be11f-ede8-5a0c-058c-2ee190a24fa6=True
  • Example of slip-streaming the HASP dongle drivers (for EnCase)
  • Dependant on host PC resources, there is the ability to boot the suspect’s PC as a forensically sound VM with VirtualBox (requires 64bit WinFE, lots of RAM and MIP to mount physical disk)
    mount image write-cached function)
  • If this menu is not displayed then the computer is trying to boot into another OS  pull the power cord!
  • If you are LE I recommend that you get access to the US CERT program CryptHunter (free):
    Small footprint, able to detect many encryption programs as well as boot sector abnormalities
    Supports: BestCrypt, DriveCrypt, Sophos SafeGaurd, Paragon Encrypted Disk, PGPDisk, TrueCrypt, BitLocker
  • If non-LE (or CryptHunter is not available) it is useful to check Task Manager for running processes
  • Can also look at running processes to determine if any encryption programs are running
  • Latest version of FileVault allows for full disk encryption and therefore the symbol may not be present on the user directory
  • Windows imaging HDs live, there is FTK Imager (including CLI), Cygwin DD, also EnCase acquisition / imager, XWF if dongle present
  • As well as Nirsoft Opera History View, cache view, etc
  • Additional tools:
    Cygwin (dd, NetCat)
    Nirsoft live password recovery tools
    Wireshark
  • Dec 2011
    Updated 4 Jan 2012
    Updated Nov 2014
    Creating a forensic bootable environment to run tools on a target system using WinPE.
    1. Download Windows AIK iso. This file will aid in providing necessary files to create the winFE.
    2. Mount Windows AIK file KB3AIK_EN.iso.
    a. Use a .iso mounter like Virtual Clone drive. After installing right-click on the icon.

    b. Mount the downloaded KB3AIK_EN.iso file.
    3. Open the contents, locate StartCD.exe and execute.
    4. Install Windows AIK Setup.

    5. Default installation path.
    6. Open Administrator command prompt. Right click command prompt and run as administrator.

    Mini Winfrey Iso Download Free

    7. Change directory in the PRTools area.
    cd 'c:Program FilesWindows AIKToolsPETools'

    8. Copy the necessary files to your winFE creation area.
    copype x86 c:winFE
    9. Mount the bootable area.
    Dism /Mount-Wim /WimFile:c:winFEwinpe.wim /index:1 /MountDir:c:winFEmount

    10. Should see the mount area is populated.
    11. Time to mod the registry so that the disc will not automount onboard drives. Open regedit. Start –> regedit.exe –> <enter>.

    12. Highlight HKLM
    13. Select File –> Load Hive …

    14. Locate c:winFEmountWindowsSystem32configsystem –> Open

    15. Name it “winFE”
    16. Under HKLM should be winFE

    17. Locate the following key HKLMwinFEControlSet001Servicesmountmgr –> Right click right panel and select New –> DWORD.
    18. Name it NoAutoMount = 1

    19. Modify HKLMwinFEControlSet001Servicespartmgrparameterssanpolicy = 3Iso
    ***Some other people have also been using # 4 ***
    ***Additional item to change as OPTIONS ***
    HKLMwinFEControlSet001ControlFileSystem /v DisableDeleteNotification /t REG_DWORD /d 1 /f
    20. Highlight winFE

    21. Select File –> Unload Hive… Confirm Close
    22. Modify the wallpaper if you like. Name the BMP winpe.bmp and overwrite existing under c:winFEmountWindowsSystem32
    23. Add directory tools under c:winFEmount

    24. Drop tools like RegRipper, Cygwin, FTK Imager Lite, NetCat, Winrar unplugged, IrfanView, etc in this location.
    Update 31 Dec 2012; I had to change from long file name to short for some reason even though I had the correct path. You might be able to use long file names with quotes starting at the 'c:...winpe-wmi.cab'. Short is what worked for me and I can only guess that it was something to do with the dism.exe program.
    25. Add VBS scripting capability:
    dism.exe /image:c:winFEmount /add-package /packagepath:C:Progra~1WI4A4E~1ToolsPEToolsx86WinPE_FPswinpe-wmi.cab

    26. (Hint use the arrow up key in the keyboard and change wmi to hta) Add HTA:
    dism.exe /image:c:winFEmount /add-package /packagepath:C:Progra~1WI4A4E~1ToolsPEToolsx86WinPE_FPswinpe-hta.cab
    27. Add scripting:
    dism.exe /image:c:winFEmount /add-package /packagepath:C:Progra~1WI4A4E~1ToolsPEToolsx86WinPE_FPswinpe-scripting.cab

    28. Add .vbs scripts (props: http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/) under tools.
    ***Additional item to modify would be to set the scratch space ***
    Dism.exe /image:c:winfemount /Set-ScratchSpace:512
    This would mean the system your booting requires at least 1GB RAM. You could modify to 256 and so on but 512 is the max. Most new systems these days have over 1GB RAM.
    29. Add driver packs that way what ever system you come across should boot and see the onboard drives without issue. I have had issues in the past with Linux bootCDs that would not recognize hardware raids specifically SAS Dell blade servers. This winFE was able to see the hardware raid and image them without issue using the existing hardware. I extracted them to my c: drive root.
    dism.exe /image:c:winFEmount /add-driver /driver:c:DP_MassStorage_wnt6-x86_1110 /recurse
    30. I ran the following driver packs. The only reason you would need the LAN or WLAN is if you planned on using NetCat to maybe transfer and image file over the network. CardReader for high capacity drives to store images maybe. Chipset and MassStorage are the two most important.Download the latest and greatest.
    a. DP_CardReaders_wnt6-x86_11041
    b. DP_Chipset_wnt6-x86_11051
    c. DP_LAN_wnt6-x86_1109
    d. DP_MassStorage_wnt6-x86_1110
    e. DP_WLAN_wnt6-x86_1104
    31. Closing the image. ***Make sure you close all related windows linked to c:winFE*** If you dont the image will not close properly.
    32. Make sure your not in the command prompt c:winFE area when you issue the command.
    cd c:
    dism /unmount-wim /mountdir:c:winFEmount /commit
    33. Should get a successful completion.
    34. Copy file
    copy c:winfewinpe.wim c:winfeisosourcesboot.wim /Y
    35. Remove bootfix.bin so that you are not prompted to hit any key to boot from disc. This would be bad if we forgot and booted the operating system.
    del /f /q c:winFEISObootbootfix.bin
    36. Create ISO
    cd 'c:Program FilesWindows AIKToolsx86'
    oscdimg -n -bc:winFEetfsboot.com c:winFEISO c:winFEwinFE.iso
    37. Should have your .iso file.
    38. Dont forget to test it out…through vmware or live test system before using it within production.
    39. To add additional tools, drivers, scripts etc start at step 9 and follow until creating the .iso.

    Editing Existing WinFE


    Continuation from the Creating WinFE Boot Disc
    ***WHILE TESTING ENSURE BIOS IS SET TO BOOT CD/DVD***
    ***ON REAL TARGETED SYSTEMS IT IS A GOOD PRACTICE TO DISCONNECT THE HARD DRIVE BEFORE CHANGING THE BIOS***
    1. Edit the existing image.
    Dism /Mount-Wim /WimFile:c:winFEwinpe.wim /index:1 /MountDir:c:winFEmount
    ***SPECIAL NOTE***
    If you ever get this message because you failed to properly exit out of a mounted area of c:winFE utilize the following command:

    dism /cleanup-wim
    2. Should be able to see the mounted image under c:winFEmount
    3. I would recommend creating a text document that runs through the diskpart commands if you plan on using diskpart to enable your storage device read/write capability.
    4. Lets get the menu system up and running. Download PStart.
    5. ***Optional*** I had a spare 4GB USB drive lying around and decided to use that and install PStart to. Reasoning was my attempt at keeping things in order. No other purpose other than that.
    6. The winFE disc when booted will be “X:” so we will have to make sure when we install the programs we give it the right drive letter to run from.
    7. ***Optional*** I installed PStart to my 4GB USB drive. If you have an SD drive that is fine too or use your OS c:. Additionally if you don’t have any issues with permissions you could just install right to c:winFEmount -or- c:winFEmountt0olz
    8.***Optional*** I decided to change the drive letter of my 4GB USB drive to “x:” just like the winFE disk. This can be done under computer management.

    9. Lets download Notepad++ portable and install to get it working in our winFE and PStart.
    10. Install notepad++ and copy the contents to the winFE tools area

    11. Start PStart by executing the .exe file. The window will appear but of course your menu screen will be blank. Right click in the blank area and select add group…
    12. Call it Office or whatever.
    13. Right click on the Office folder and select Add file…
    14. Locate Notepad++Portable.exe under c:winFEmounttoolsNotepad++Portable or where ever you installed it on the mounted winFE image and select open.

    15. Change the application path to x:<where ever its installed in the winFE directory structure> –> OK
    The icon shouldn’t appear because x: doesnt exist yet until winFE is run. Sometime a folder icon doesn’t appear also and that can be downloaded as well and added later. It's possible that without the x: could work also but haven't tried.

    16. This step can be repeated to add additional programs. If the purpose for winFE is to take forensic images it would be good to install FTK Imager Lite to the winFE tools area. Remember to copy c:windowssystem32oledlg.dll to c:winFEmountwindowssystem32 (Props to Brett Shavers)

    Windows 10 Iso Download

    When I added FTK Imager Lite I still had to add the following files.
    c:windowssystem32avifil32.dll
    c:windowssystem32msacm32.dll
    c:windowssystem32msvfw32.dll
    Also might want to load Colin's Write Protect Application. This will aid in making hard drives online and writable like your storage device. Takes the place of diskpart. Update 4 Jan 13; dont know that its a full replacement for diskpart. Issue with Win7 installations is that a System Reserve partition is created by default of 100MB and when you tell WProtect to read-only and mount, it just mounts the first partition. This is only relevant if your thinking about using RegRipper to get information from it. Not an issue with FTK Imager because your probably imaging the physical drive anyway.
    The other additional program I thought nice to have was an Explorer like program. I chose Explorer++.
    17. Lets make PStart automatic when winFE starts.
    18. Locate the file c:winFEmountwindowssystem32startnet.cmd
    19. Edit the file with notepad or like program. Add the following line:
    wpeinit

    Winfe Download

    start x:PStart.exe
    20. “start x:Pstart.exe” will execute the program to run and move on to the next command. Make sure your PStart location is correct under c:winFEmount.
    21. Many automated other programs maybe run from this locations
    22. When finished and if you used a thumb drive to organize your tools. Copy the root contents over to the root of c:winFEmount. Copy the t0olz contents if used to c:winFEmountt0olz
    23. If you’ve finished adding additional programs lets complete the image. Make sure you exit out of any programs that are accessing c:winFE. This includes shutting Pstart off. It might be in your icon tray still active. If you make a mistake go back up to 1 to fix under special note.
    dism /unmount-wim /mountdir:c:winFEmount /commit
    24. Copy the boot image over.

    Mini-winfe Iso Download Windows 7

    copy c:winfewinpe.wim c:winfeisosourcesboot.wim /Y
    25. I had an issue where oscdimg.exe could not be located. In case you come across this also its found under program fileswindows aiktoolsx86
    cd 'c:Program FilesWindows AIKToolsx86'
    oscdimg -n -bc:winFEetfsboot.com c:winFEISO c:winFEwinFE.iso
    Received an error because the image exceeds the allowable space for a CD but not DVD. Change the command to:
    ***NOTE XX increment your .iso files created.***
    oscdimg -m -n -bc:winFEetfsboot.com c:winFEISO c:winFEwinFEXX.iso
    26. Boot using VMware etc or burn to DVD for testing.

    Working with WinFE


    This is a continuation from Editing Existing WinFE.
    ***ENSURE BIOS BOOTS FROM CD/DVD***

    Mini-winfe Iso Download Pc


    1. Attached a storage device to a target system that will be used to store your forensic image.
    2. I attached a 64GB thumb drive to take a 60GB operating system hard drive. Just going to simulate.
    3. Set the bios to boot from cd/dvd.
    4. Started winFE. Since we told Pstart to load automatically it should have opened up. Your background will be different.

    6. Open WProtect.exe

    7. What you will notice is that the operating system hard drive appears as mounted and not read-only. From all I can tell this isn't the issue because we have taken Troy's registry hacks to prevent this. To make sure we should set it properly. Highlight the OS drive and select dismount. Now select read-only.
    8. Dont worry FTK Imager will still be able to see it.
    9. Hopefully your storage device is already formatted. We need to make it writable. Select your storage device --> Read/Write --> Mount

    10. Open Explorer++ and make sure you can see the storage device. Take note of the drive letter.
    11. Now open FTK Imager. Add the OS drive.

    12. Add the drive letter for the destination. Add an image file name.
    13. Start the imaging

    14. After FTK Imager verifies the image you can power off the system.
    Comments are closed.