Create your own Windows FE

On September 7, 2010, in Forensics, Test Category, Tools, Win FE, by MegaDeus

FE = Forensic environment

Let’s say you come across situations where you’re not allowed to open the computer, you don’t have the right tools to acquire a ZIF hard drive, there are warranty issues, RAID problems, etc. The best choice would be Helix or Raptor. If you don’t feel comfortable with Linux/Unix tools and you’re more of a Windows guy, then Windows FE is your weapon of choice.

It is a Windows PE-based custom build created by Microsoft for computer forensic examiners!

In other words, it’s basically a Windows PE Live CD that allows you to run forensic tools and other programs you install/embed!! And it’s all command line based!! Yay!!

1
Let’s start off by downloading and installing the Windows Automated Installation Kit (AIK) from Microsoft.com (I personally downloaded the Windows 7 version).

2
Once you install the AIK, run “Deployment Tools Command Prompt” as admin and copy the WinPE files to your local machine (I personally created a virtual hard drive for this little project).
Type the following command:

copype.cmd x86 C:\WinFE

3
Windows FE uses a .wim file to store the OS that is booted at run time. Mount the winpe.wim file to configure it for Windows FE. Use imagex.exe to mount the base Windows PE image read/write:

imagex /mountrw Y:\winFE\ISO\sources\winpe.wim 1 Y:\winFE\mount

OR!! If you’re a GUI person, download GImageX, which does the same thing as the command-line version.

Make sure “Read and Write” is checked before mounting!!!!

After WinPE is mounted, its files show up under the mount folder and you can start editing it.

4
Now click START, RUN, and type in REGEDIT. We will modify the registry. This will help us operate without modifying

Click FILE, then Load Hive.
Then browse to Y:\winFE\mount\Windows\System32\config and select the system hive file. It will be the file named “system” that has no extension. Open it!!
Then name it whatever you like, for example “WINFE”.
The following registry key will be modified:

HKEY_LOCAL_MACHINE\winfesystem\ControlSet001\Services\MountMgr
If the NoAutoMount value does not exist, right-click and create a DWORD named “NoAutoMount” with a value of 1.

Next, go to
HKEY_LOCAL_MACHINE\winfesystem\ControlSet001\Services\partmgr\Parameters
and change the SanPolicy setting to 3

Click file, and Unload Hive!
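The same two registry changes from step 4, done with reg.exe from an elevated PowerShell prompt instead of clicking through Regedit. This is an added example, not code from the original post; it assumes the WIM is mounted read/write at Y:\winFE\mount and names the loaded hive WINFE, as in the post.

```powershell
# Added example: set the WinFE write-protection values in the offline SYSTEM hive.
# Assumptions: WIM mounted read/write at $MountDir; hive loaded under HKLM\$HiveName.
param(
    [string]$MountDir = 'Y:\winFE\mount',
    [string]$HiveName = 'WINFE'
)

$hiveFile = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
if (-not (Test-Path $hiveFile)) {
    throw "SYSTEM hive not found at $hiveFile - is the WIM mounted?"
}

$root = "HKLM\$HiveName"
& reg.exe load $root $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (run from an elevated prompt)' }

try {
    # MountMgr\NoAutoMount = 1: WinPE will not assign drive letters to the disks it finds.
    & reg.exe add "$root\ControlSet001\Services\MountMgr" /v NoAutoMount /t REG_DWORD /d 1 /f | Out-Null
    # partmgr\Parameters\SanPolicy = 3: every disk other than the boot disk comes up offline.
    & reg.exe add "$root\ControlSet001\Services\partmgr\Parameters" /v SanPolicy /t REG_DWORD /d 3 /f | Out-Null

    # Read both values back before building the ISO so a failed write is caught here.
    & reg.exe query "$root\ControlSet001\Services\MountMgr" /v NoAutoMount
    & reg.exe query "$root\ControlSet001\Services\partmgr\Parameters" /v SanPolicy
}
finally {
    # Always unload, otherwise the hive stays locked and imagex cannot commit the WIM.
    & reg.exe unload $root | Out-Null
}
```

The two query lines should print NoAutoMount as 0x1 and SanPolicy as 0x3; if either is missing, do not unmount with /commit until it is fixed.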

5
If you have any forensic tools, for example EnCase, FTK Imager etc., install them to “Y:\WinFE\mount\Program Files”. Include DLL files, dongle drivers etc.

6
Delete bootfix.bin, located in C:\WinFE\ISO\boot (when the WinFE disc is inserted, this file pops up the message “press any key to boot from CD”; once it is deleted, WinFE boots right away!).

Delete boot.wim in Y:\winFE\ISO\sources.  Copy the modified winpe.wim to Y:\winFE\ISO\sources and rename it boot.wim.

7
Time to unmount your WinFE.
Open the Deployment Tools Command Prompt and type:
imagex.exe /unmount /commit C:\winFE\mount

If you’re using GImageX, check “Commit Changes” at the bottom left, select the image you want to unmount and click Unmount!!

8
Create an ISO.
In the Deployment Tools Command Prompt type:
oscdimg -n -m -o -bY:\WinFE\etfsboot.com Y:\WinFE\ISO Y:\WinFE\WinFE.iso

9
Burn it! Test it!
When it finished booting, I ran FTK (X: is your default drive letter).

And BAM!!