Alex Van Ginkel Final Thesis MSC - 27nov

A.F.J.
van Ginkel

16 of 63

2 Literature Review

According to Kruse and Heisere
[2]
a standard forensic process can be divided into 3 phases:
acquirement, authentication and analysis. The acquirement phase involves the making of a
forensic image of all existing storage devices after the system has been shut down (pulling the
plug). A forensic image is a computer file containing an exact copy of a given storage device, such
as a hard disk, a CD or DVD. It contains all the information necessary for the reconstruction of the
structure and data of the given media device, such as files, file organization and metadata.
According to Cohen and Schroader,
[4]
the best method to copy a source storage device is bit by bit
or physically (read only). The forensic image will subsequently be mathematically verified. This
process is known as hashing. A hash value can best be compared to a digital fingerprint. It
identifies all data of a given storage device by a series of numbers. A widespread hash formula is
the MD5 (Message Digest version 5). For a number of test results in this thesis MD5 hash was
used.
The forensic way to preview storage devices is by means of a forensic boot CD. It offers
the possibility to use a number of tools, amongst which the imaging within a forensic environment,
(Wiles and Reys).
[5]
Similar tools, such as the Linux based forensic boot CDs, are already being
used extensively within the Dutch digital forensic community. The elaborate testing of forensic
boot CDs is necessary to reveal possible flaws and errors, whereby any divergences should,
according to Daubert
[6]
, be recorded and made public. In the past, a number of forensic Linux boot
CDs appeared not to fully live up to the read only demands, (Al-Azhar).
[7]
Because of this a
writing activity took place on the source storage device. Next to Linux based boot CDs, Windows
based versions are also available. A number of those versions are based on Windows PE
(Windows Pre installation Environment). With the help of adaptations in the Windows register this
boot CD can be forensically used in the WinFE version, (Shavers).
[8]
The use of forensic boot CDs,
applied on modern computer systems with Unified Extensible Firmware Interface (UEFI), could
cause problems. (According to Wilkins and Richardson)
[9]
UEFI, the latest replacement of the
BIOS, is better secured against attacks. This option is named Secure Boot and appears in modern
computer systems. Because of this, Linux or Windows 7 boot CDs cannot boot in UEFI without a
manual adjustment. Without this adjustment the Secure Boot blocks any unsigned boot loaders.

A.F.J. van Ginkel

17 of 63

Summarizing, it may be said that a lot of research has been done on the use and technique
of forensic boot CDs and image tools. I am of the opinion that imaging of a PCI-e SSD by means
of a boot CD is a relatively unknown territory within the forensic community. This thesis describes
an accessible way to image a PCI-e SSD.

A.F.J. van Ginkel

18 of 63

3 Existing acquisition methods

This Chapter surveys the existing acquisition methods. The use of hardware blockers and
forensic boot CDs will be examined accordingly.
According to Kruse and Heiser
[2]
a number of procedural steps for the traditional
acquirement of a storage device are necessary. These steps are required to forensically record the
evidence. In short, these steps are as follows: First the computer is shut down, for instance, by
removing the live wire (pulling the plug). If possible, the hard disk will be removed and connected
to a forensic machine containing a hardware blocker. Then the hard disk is to be imaged by a
software tool, such as FTK Imager, Encase etc. The image will subsequently be hashed for a
forensic validation. The analysis of an image can be done, for instance, by a forensic investigator.
For the acquirement of storage devices a number of standard methods are available.
Hardware blockers and forensic boot CDs are existing methods used to make a forensic image of a
storage device. In this thesis these methods will be examined on their respective applicability for
the imaging of PCI-e SSD.
The next paragraph addresses the facilities of the hardware blocker. The acquirement of
the PCI-e SSD by a hardware blocker is being looked into as well.
3.1 Hardware blockers

A hardware write block device is a special kind of computer hardware with a disk controller. The
write blocker has the applicability to connect a computer hard drive (source) and just read (read-
only). The hardware blocker makes any writing on the hard drive source impossible. For the
testing of hard- and software blockers the US National Institute of Justice (NIST) has put together
a test programme, namely the Computer Forensics Tool Testing (CFTT)
[12]
. It contains the
requirements and conditions the blockers are supposed to live up to, according to CFTT.

A.F.J. van Ginkel

19 of 63

Advantages of hardware blockers:
The hardware blocker is not dependent on the operating system (OS)
The functioning and the connections of the hardware (LEDs) are visible
Broader acceptance within the Dutch digital community/law court
Relatively user-friendly

Disadvantages of hardware blockers:
A limit to the provisions for connecting different type of storage devices
Hardware blockers are high-priced
Hardware blockers are being produced by many different manufacturers. Below is an outline of a
limited selection of manufacturers.
Tableau
The company Tableau, which has its seat in the USA, produces and develops several kinds of
hardware blockers. Since 2010 the brand Tableau is part of Guidance Software Inc., seated in the
USA and manufacturer of amongst other things the forensic software package Encase. The
standard provisions for connection of the hardware blockers vary per type. The following
connections are being supported: SATA, IDE, SCSI, SAS, USB2-3, FIREWIRE and ZIF.
Recently, a Tableau TD3 forensic duplicator was purchased by SRCI-NEN. I looked into whether
or not the TD3 has a connection/adapter for the PCI-e SSD. The TD3 does not provide such a
connection.

A.F.J. van Ginkel

20 of 63

Wiebetech
Founded in 2000 by Mr. J. Wiebe and taken over in 2008 by CRU-Dataport, which has its seat in
the US. Wiebetech carries a selection of different hardware blockers with standard connections
such as the ultradock v5. Also adapter kits are available to link deviant connections. Recently, I
received a test version of the Wiebetech Ditto Forensic Field station. I did not find any connection
that shows the PCI-e SSD is being supported.
Logicube
Logicube, founded in 1993, has its seat in Los Angeles, USA. This hardware is mainly focused on
mobile hardware blockers like the Forensic Falcon that can be used in the field. This field location
could be a search of premises, for instance. The following formats are connections supported by
the Forensic Falcon: SAS, SATA, USB 2-3, Firewire, IDE, ZIF and Micro-SATA.
Findings hardware blockers
At this moment, the use of a hardware blocker does not facilitate, in my opinion, the imaging of a
PCI-e SSD. An adapter for a PCI-e SSD is not provided by the above named manufacturers.
Theoretically, an additional hardware driver is also needed to recognize a PCI-e SSD on a forensic
investigative machine with hardware blocker.
3.2 Forensic boot CDs

Another method to acquire storage devices is the forensic boot CD. Within the digital
forensic community these are being used actively. Around 2007 manufacturers launched the
netbook on the market. It is an inexpensive small laptop of little weight and usually equipped with
a 10 inch screen. It instigated an extensive increase in popularity and usage of forensic boot CDs.
This was due to the degree of complexity in taking apart netbooks for the imaging of the hard disk.
The same could be said for some types of the Apple MacBook.
The next paragraphs outline some of the existing forensic boot CDs. These boot CDs can be
downloaded through the internet. Both free as well as commercial versions are available. In view
of the fact that probably more than 30 different kinds of forensic boot CDs versions exist, I made a

A.F.J. van Ginkel

21 of 63

selection. It is a limited selection made on the basis of their popularity with digital forensics in The
Netherlands and the active continuing development of forensic boot CDs.

Advantages of the forensic boot CD:
The software is not dependent on the underlying operating system (OS)
There is no need for the hardware to be dismantled
Storage connections in the source computer can be used
Several forensic tools are on the boot CD

Disadvantages of the forensic boot CD:
Dependent on the speed of both hardware and memory
No full recognition of the storage devices
When the boot CD fails to load, the host OS will start-up, writes occur on the source disk

With every new version forensic boot CDs are extended in order to better recognize hardware.
This is made possible by an upgrade of the used base OS Linux/Windows version. The release of
new versions is limited and differs per type.
3.2.1 Free options

CAINE
The boot CD CAINE
[17]
(Computer Aided INvestigative Environment) open source GNU/Linux
live distribution was created as a Digital Forensics project and is of Italian origin. CAINE is
continuously being developed with new options and tools and its latest version is 4.0. Its current
project manager is Bassetti. For the 64 bit version the CAINE LittleStar project was developed,
based on Ubuntu 13.04. CAINE can be used to image storage devices. In addition it can be
implemented in Incident Response (IR) cases. In the tested version 4.0 a user does not have the
option to add extra hardware drivers. This is what a CAINE desktop looks like:

A.F.J. van Ginkel

22 of 63

Figure 3.1: CAINE Desktop
RAPTOR
Raptor
[18]
was developed by Forward Discovery and turns out to be part of the Alvarez & Marsal
company, a consultant agency for finance and organization. Their free boot CD is based on a
Linux version, Ubuntu v12.10. Raptor is being further developed and its current version is 3.0. The
boot CD was mainly developed to image, so as not to remove the hard disk from laptops or
netbooks. While using Raptor it is not possible to add extra hardware drivers.

Figure 3.2: RAPTOR 2.0 Desktop

A.F.J. van Ginkel

23 of 63

HELIX
The free Helix
[19]
forensic boot CD was often used in the past by the digital forensic community.
Helix was designed by Fahey. The company e-fense
[20]
took over Helix and launched a commercial
Pro-version on the market. Around 2009 this version of e-fence Helix Pro was stored at
Accessdata
[21]
, the producer of Forensic Tool Kit (FTK). Helix and Helix Pro have not been
developed any further. Users have no option to add any extra hardware drivers. This is what a
Helix 3 Desktop looks like:

Figure 3.3: HELIX 3 Desktop
PALADIN
The company Sumuri LLC
[22]
was founded by Whalen around 2010. He also was the co-founder of
Forward Discovery and the manufacturer of the Raptor boot CD. Paladin is the forensic boot CD
that was released by Sumuri. This Linux Ubuntu v13.03 based boot CD is still being developed
extensively and has reached its 5th version. It comes in a 32-bit and a 64 bit version. Paladin on a
USB thumb drive has to be paid for. The boot CD is a free download as an ISO file. Paladin can be
used for Incident Response (IR) and also for imaging a hardware device.

A.F.J. van Ginkel

24 of 63

While using Paladin 5 users cannot add any hardware drivers.

Figure 3.4: PALADIN 4 Desktop
DEFT
DEFT 8 (Digital Evidence & Forensic Toolkit)
[23]
is an Italian product based on Kernel 3 of Linux
64 bit 3.5.0-30. The first version of DEFT appeared around 2005. This boot CD was co-developed
by the Computer Forensic Course of the Faculty of Law of the University of Bologna, Italy. DEFT
8 can be employed for Incident Response (IR), Computer Forensics and Cyber Intelligence. While
using DEFT 8 the user has no option to add extra drivers. This is what the desktop looks like:

Figure 3.5: DEFT 8 Desktop

A.F.J. van Ginkel

25 of 63

3.2.2 Paid Version

SAFE
This was developed and released by the company ForensicSoft Inc
[24]
. in 2005. It is a paid version
of a Windows forensic boot CD based on Windows PE 3.0, editions SAFE Consultant and SAFE
Enterprise. A restricted test version may be downloaded. This is the SAFE 1.2.1 demo version that
stays in action for 15 minutes. Users may add hardware drivers for the recognition of unknown
hardware. An overview of the desktop:

Figure 3.6: SAFE 1 Desktop
3.3 Findings of recognition of PCI-e SSD

I used several test environments to examine the above forensic boot CDs on their ability of
recognizing PCI-e SSDs. For this purpose forensic boot CDs were made by me using ISO files,
derived from different original websites, as a source. In addition Zalman VE200SE with hard disk
was used as well as Zalman VE300 with SSD to emulate ISO files as CD/DVD player. Different
forensic boot CDs were used to start up the test machines.

A.F.J. van Ginkel

26 of 63

Specifications of test environments;

3.4 Test results

The PCI-e OCZ RevoDrive 3 from Testing Machine PC 1 was partially recognized by the Linux
based boot CDs Cain 4, Raptor 3, Paladin 5 and Deft 8. Apparently the PCI-e SSD OCZ
RevoDrive3 was built up (hardware-wise) from 2 SSDs of 128 GB in a RAID 0. In the hardware
of a Raid 0, also known as 'striping RAID', data are divided over 2 SSD modules. The Helix boot
CD did not recognize any of the PCI-e SSDs hardware as storage device.
With the help of the option 'add driver' the Forensic Safe v1.2.1 boot CD was able to install the
32bit driver of the OCZ RevoDrive3, thus fully recognizing the PCI-e OCZ RevoDrive3 256 GB.
Being a test version the Forensic Safe boot CD stayed in action for only 15 minutes. Therefore, no
image or MD5 hash of the PCI-e OCZ RevoDrive3 256 GB was made.
None of the above mentioned Linux or Windows forensic boot CDs recognized the Testing
Machine Server 3 with the high end PCI-e Fusion-IO io-drive 320GB (Fusion-IO) as a storage
device. This Fusion-IO drive for Windows OS Server comes only with a 64 bit driver.
Testing Machine PC 1
Asus P5Q WS (bios American Megatrends)
Intel Quad Core Q9550
Memory 8 GB
Harddisk 2x Seagate 2 TB
PCI-e SSD OCZ REVODrive3, 256 GB
OS, W7, Ultimate 64 bit
Testing Machine Server 3
Supermicro X8DTH-iF Mainboard
Intel Xeon L5630
Kingston 32Gb DDR3 1333mhz
Areca ARC-1880i, 8 ports
8x Seagate 3.5" SAS 600GB 15K
PCI-e SSD Fusion-IO ioDrive 320 GB
OS, W-Server 2008 R2, 64 bit

A.F.J. van Ginkel

27 of 63

The option 'add driver' was implemented with the Forensic Safe v1.2.1., which loaded the driver,
but did not recognize the Fusion-IO. Apparently the Forensic Safe v1.2.1 test cannot handle 64bit
drivers.
Here is a survey of the test results:

Table 3.1: test forensic boot CDs

3.5 Findings regarding boot CDs

Linux boot CDs contain limited options for recognizing the OCZ Revodrive 3 PCI-e SSD.
Therefore, it was impossible to fully acquire the complete OCZ Revodrive 3 PCI-e SSD 256GB.
None of the forensic boot CDs recognized the PCI-e Fusion-IO IO-Drive. Integrating new
hardware drivers by a user is not a standard option on the Linux based boot CDs. The SAFE
forensic boot CD v.1.2.1 (15 minute try-out version) does contain such an option, however
confined to loading only 32 bit Windows drivers.
3.6 Plan of action

Existing methods of hardware blockers and existing forensic boot CDs are, in my opinion, not
sufficiently flexible in order to acquire new storage devices such as a PCI-e SSD. Furthermore, it
is very difficult to demount storage devices from the new generation Ultrabooks, the latter having
different connections as well. Connections like mSata, M.2, Sata Express.
During this research I designed a virtual framework that can be used by forensic
investigators for the creation of a specific forensic boot CD in a relatively simple way. The
specific hardware driver is thereby added to the framework, after which the forensic investigator
with almost a 'one button push' can create the custom forensic boot CD WinFE. WinPE served as
the basis for the framework.

A.F.J. van Ginkel

28 of 63

Chapter 4 extensively describes the applied method used to build the framework. Furthermore the
framework's product, the WinFE boot CD, is being tested on the Forensic Validation of read-only
and its recognition of various storage devices.

A.F.J. van Ginkel

29 of 63

4 Virtual framework
This chapter discusses the choice and construction of the virtual framework. In addition the
framework will be examined on its user-friendliness for a forensic investigator. The final product,
the custom WinFE boot CD, will be tested extensively. It is absolutely essential for this test that
the WinFE boot CD only reads the storage devices.
4.1 Environment Setup

As a base for the framework a virtual environment was selected. For this purpose various software
products are available on the market, such as Virtual box of Sun or VMware. Within digital
forensics in The Netherlands a VMware workstation is often being used as a virtual environment.
A free version of VMplayer v6 is also available. In my opinion the selected VMware software
lives up to the demands of the framework as decribed below.
Simple digital transfer procedure (cloning)
Simple complete back-up procedure (cloning)
Works irrespective of physical hardware alterations
Facilities for testing and carrying out adjustments (snapshots)
Acceptance of virtual software by digital forensics in The Netherlands
For the construction of the framework VMware Workstation v7.1.6 was used with an installation
of Operation System (OS) Microsoft Windows 7 Pro N, 32 bit (TechNet version).

Testing Machine PC 1(host)
Memory 8 GB
PCI-e SSD OZC REVODrive 3
OS W7 64
VM OS W7 32 bit

Figure 4.1: Testing Machine PC1 and VMware WS

A.F.J. van Ginkel

30 of 63

4.2 Windows based boot CD

A Windows based boot CD, WinPE, was preferred to a Linux version. In Chapter 3 several
Forensic Linux boot CDs were tested. It showed that the hardware drivers proved to be restricting
factors in the support of Linux. The advantages of a Windows based boot CD are: driver support,
available forensic software, acceptance of use.
4.2.1 WinPE

Existing software was used as a base for the framework. This software was launched by Microsoft,
namely the Windows Preinstallation Environment (WinPE). WinPE was initially intended for
Original Equipment Manufacturers (OEM) and large companies. By adjusting certain Windows
registry keys it is possible to use WinPE for forensic purposes as well.
Mircosoft definition: Windows Preinstallation Environment (Windows PE) 3.0 is a minimal
Win32 operating system with limited services, built on the Windows 7 kernel. It is used to
prepare a computer for Windows installation, to copy disk images from a network file server, and
to initiate Windows Setup.
Windows PE is not designed to be the primary operating system on a computer, but is instead used
as a standalone preinstallation environment and as an integral component of other Setup and
recovery technologies, such as Setup for Windows 7.
WinPE 3.0 has the facility to make a boot CD based on Windows 7. Windows 7 was
selected, because it contains standard support for many built-in hardware drivers. Hardware
producers usually launch their new products with extra drivers for Windows 7. For the creation of
a forensic boot CD a number of steps are essential. One of these steps has already been developed
by developer Larson
[3]
, Senior Forensic Examiner of Microsoft. He did research into the adaptation
of the WinPE environment, in order for a Windows Forensic Environment (WinFE) to develop.

4.2.2 WinFE

WinFE can be described as a forensically safe, bootable OS for Intel/AMD (x86/x64) processors.
The WinFE environment is adjusted in such a way that the option 'auto-mount disks' for e.g. hard

A.F.J. van Ginkel

31 of 63

drives, SSD and PCI-e SSD is set off. The integrity of the data is thus maintained (write blocked).
The modification is made up of two windows registry keys for Windows 7. The following
Windows Registry keys were modified by Larson.
The Mount-Manager service will not automatically mount any storage device

4.2.3 WinFE build options

There are various facilities to create a WinFE boot CD. The following methods have been
examined and tested. It is essential a forensic investigator is able to apply a method for the
framework swiftly and without too much reference. The programme WinBuilder was selected
because it works without command line. With the help of the methods described below it is also
possible to build a WinFE.

The command line

In the Command line build
[22]
only the registry write protected settings created by Larson were
applied. Because of familiarity needed to operate a command line interface, new users experience
difficulty in navigating and operating a command line. Not all programs will run as it is a minimal
Windows build and more difficult to install/inject drivers.
GUI and Command line
WinFE lite
[23]
is a combined version of GUI and Command line. The build is mainly focused on
older type computers with little RAM. Configuration requires proper knowledge of Command line.

'HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr'.
The DWord 'NoAutoMount' has to be set to '1'.

'HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters'
where 'SanPolicy' has to be set to '3'.

A.F.J. van Ginkel

32 of 63

WinBuilder
WinBuilder
[19]
was developed by Brito. It is a free software package, designed to create
customized boot CDs based on Microsoft Windows (WinPE). WinBuilder contains various scripts.
Many other scripts as well as programmes and additional features are available. For new users
WinBuilder is an accessible tool, because it contains a graphic user interface (GUI).
4.3 Winbuilder

This paragraph reflects the choice and use of WinBuilder software. For the framework the free
WinBuilder v082 application was used. WinBuilder does not require installation and start-up is run
from executable. The application functions best, in my experience, on a 32bit host Windows OS
like Windows Vista or Windows 7. Starting up WinBuilder requires the authority of
Administrator. Several projects are available for the loading of WinBuilder. They can be
downloaded from WinBuilder Download Centre. The project Win7PE SE was selected for this
purpose, a relatively small project based on Windows 7. Win7PE SE was developed by alias
ChrisR for the WinBuilder engine. It contains a number of WinBuilder scripts and programmes.
The Win7PE project
[25]
has the following specifications:

Requirements to build and run:
1. Winbuilder Version 077 or above.
2. Source machine should be Windows XP sp2 or above. (Only support for x86 processors)
3. Minimum Free Harddisk space 4GB recommended.
4. Minimum RAM should be 768 MB for 32bit, 1GB RAM is needed for 64bit build)
5. CD R/W Rom for CD build.
6. USB 512Mb or above for USB Booting users

A.F.J. van Ginkel

33 of 63

As a base for the WinBuilder Source a Windows 7 with 32bit or 64 bit install DVD or ISO is
essential. WinBuilder uses these source files to compose a boot CD.

Figure 4.2: Winbuilder source
4.3.1 Write Protect tool

Furthermore, the WinFE script with its free Write protect tool (WP) designed by Ramsden
[14]
was
used. The modifications of the registry keys as devised by Larson were implemented. Thus
preventing the 'auto mount' of Windows storage devices. The script has the additional facility of
mounting a storage device 'bringing a disk Online', as Read Only as well as Read/Write.
The option Add Driver of the WinFE Write Protect Tool has been tested and shows fluctuating
results, amongst which the automatic Read/Write of the PCI-e SSD OCZ Revodrive3.

A.F.J. van Ginkel

34 of 63

This is an undesirable situation. Integration of drivers with WinBuilder 'Driver Integration' is a
forensically safer policy.

Figure 4.3: WinFE Write Protect tool GUI
The script can be found in the folder Tweaks. Surplus scripts of Multi7PE SE were turned off,
because of loss of performance. Furthermore, in the script WP the Windows TRIM
[26]
command
for SSD drive or PCI-e SSD was turned off.

4.3.2 Disable TRIM

The TRIM command sees to it that a SSD or certain PCI-e SSDs maintain their optimal disk
performances. This is a command that Windows 7 sends along to the SSD controller during a
delete action. TRIM informs the SSD controller which pages can be deleted. The SSD reads in the
blocks and the pages containing files are being emptied. Thus the SSD maintains its speed. Not all
SSD controllers are driven by the TRIM command. In the Write protect tool, designed by
Ramsden, the registry key is adjusted to turn off the TRIM command.

In a live WinFE environment this setting was checked by me using the command 'cmd: fsutil
behavior set disabledeletenotify'. During which it was set on 1 (Windows TRIM commands are
disabled).

RegWrite,"HKLM",0x4,"DTSetup\ControlSet001\Control\FileSystem","DisableDeleteNotific
ation","0x00000001"

A.F.J. van Ginkel

35 of 63

Programmes
In WinBuilder project Multi7PE SE extra programmes can be added. The image programme FTK
imager lite v.3.1.1.8 was added by me. FTK imager lite is being used for instance to image the
PCI-E SSD. Other forensic programmes, such as: Encase, X-ways, F-Response, Nirsoft-tools, etc.
can also be added. With this it is possible to create an Incident Response (IR)/Triage boot CD of
the WinFE.
The base of a free Framework is hereby completed. A forensic investigator may now with the help
of this framework and the VMplayer create a customized forensic boot CD. The procedure to
acquire a PCI-e SSD will be discussed in the next paragraph.

A.F.J. van Ginkel

36 of 63

4.4 Procedure

The diagram below shows the steps of the procedure to acquire a PCI-e.

Figure 4.4: Process PCI-E

A.F.J. van Ginkel

37 of 63

4.4.1 Procedural steps

The forensic investigator is on a case in which a computer/laptop with a PCI-e SSD was seized.
This computer has to be secured for further investigation. In case the PCI-e SSD is physically
attainable, the brand/type can be read. This line is preferred, because it excludes any risks when
the computer is to be booted. Another option to obtain the brand/type of the PCI-e SSD is through
the BIOS, UEFI or alternatively in the configuration utility of the PCI-e SSD. The forensic
investigator will look for the appropriate driver and download it from the Internet. Preference
should be given to download it from the website of the hardware producer. Other download sites
may contain drivers contaminated with possible malware. With WinBuilder the driver now has to
be placed in the framework, however, under the condition that it is no longer wrapped up in for
instance a ZIP or EXE format. The specific driver will have to be placed in WinBuilder in the
folder Driver Integration. The above mentioned WinBuilder source ISO/DVD of Windows 7
should be adjusted to the driver type. For instance, a 64 bit driver demands a 64 bit source
DVD/ISO.

Figure 4.5: Winbuilder, Driver Integration
With a one button push on the Big Blue Play button of WinBuilder the customized WinFE boot
CD/USB thumb drive can be created. A detailed cheat sheet has been compiled and can be found
in Appendix II.

A.F.J. van Ginkel

38 of 63

Use of the wrong PCI-e SSD driver for the customized WinFE boot CD will result in the PCI-e
SSD not being recognised. The storage devices suffer no ill effects from this. The proper or
alternative driver will then have to be searched for. In case the PCI-e SSD is recognised, it can be
imaged with FTK image lite v.3.1.1.8.

4.5 Forensic Validation

The customized WinFE boot CDs made while using the framework, were tested on the functioning
of read-only. This means that WinFE OS can't have write access to the storage devices during or
after the boot process. The WinFE environment can only allow write-access by order of the
forensic investigator through designated target storage devices. According to Shavers
[8]
there are
situations when WinFE writes on the source disk. Placing a Volume in Read-only does write to
the disk. Connecting a NON-Windows drive might write a disk signature.' The disk signature is a 4
byte entry and can be found on the Master Boot Record (MBR) at offset 0x01B8.
For the test the generally accepted method of MD5 hash calculations was used. The change of
even a single bit will have its influence on the outcome of the MD5 hash checksum. By doing so
MD5 hash checksum Daubert's
[13]
principle is being met. The evidence must be reliable through
testing.
The MD5 hash method was used for the various tests. It can establish whether or not the image has
the same data as the source. In case the two MD5 hash values do not correspond, it can be
determined if a write took place on the source storage device. The PCI-E SSDs were not included
in these tests, because they were not completely recognised by the Linux versions. The demo
version of SAFE was limited to 15 minutes. Therefore, a comparison could not be made with the
customized WinFE.
For the different tests use was made of the following storage devices:

Memory SD Card 128 MB (Sandisk)
USB thumb drive 1 GB (CEIC 2010)
RAID 0 (Asus onboard Raid), 2x SSD Samsung SSD 256, Total 512 GB

A.F.J. van Ginkel

39 of 63

The following test machines were used:

Memory SD card en USB thumb drive

The physical storage devices, Memory SD card and USB thumb drive were imaged and hashed on
Testing Machine PC 4 'Windows 7, 64 bit'. After that they were tested separately on Testing
Machine PC 2 with 'WinFE'. The results can be found in Table 2.

RAID

On Testing Machine PC 2 the Asus motherboard was used to make a RAID 0 (striping) with 2x
Samsung SSD 256GB, total volume 512GB. For the testing procedure the Paladin Forensic boot
CD was selected. First the Testing Machine PC 2 was started up with the Paladin 5 boot CD, 64-
bit, that recognised this RAID configuration. An identical cycle was repeated with a custom
WinFE boot CD. The test results are given below:

Booted with custom WinFE/Paladin 5
Mainboard ASUS P9X79 Pro
Intel I7-3820
Memory G.Skill 24 GB DDR3
RAID 0, 2x Samsung SSD256, Total 512GB
USB software writeblock
Mainboard ASUS P9X79 Pro
Intel I7-3820
Memory G.Skill 24 GB DDR3
Sandisk SSD 256 GB

A.F.J. van Ginkel

40 of 63

Table 4.1: Testing WinFE

4.5.1 Write block conclusion

The MD5 hash results of all the different tests and tools have remained the same. It has had no
effect on the storage devices that were formatted in different ways with various file systems, such
as FAT32, NTFS, EXT4 or HFS+. The option 'mount' of the WinFE write protect script did not
have any effect on HFS+ and EXT4 volumes. Having tested the above I may expect the WinFE
custom boot CD not to make any alterations on the storage devices. In this research no
abnormalities with disk signatures were detected.

A.F.J. van Ginkel

41 of 63

4.6 Framework distribution

The free VMware WinFE framework was extensively tested and improved. After a local test phase
the framework was made available to several forensic specialists of the Dutch Police Force and the
Dutch Police Academy. These forensic specialists will test the WinFE framework with the help of
the attached cheat sheet. In Chapter 5 of this thesis these test results are incorporated.
The positive results of the acquirement of PCI-e SSDs are presented in the next chapter.

A.F.J. van Ginkel

42 of 63

5 Results
In this chapter the achieved results of the custom WinFE boot CDs are presented. Together with
this the acquirement of PCI-e SSDs is discussed.
5.1 Results virtual framework WinFE

The virtual WinFE framework is a powerful tool for forensic investigators. They may use this free
virtual WinFE framework swiftly and efficiently in almost a one button push. The Linux based
forensic boot CDs that were tested in Chapter 3 could not fully recognise the available PCI-e
SSDs, OCZ and Fusion-IO. The objective to image PCI-e SSDs forensically by using the virtual
WinFE Framework was achieved. The positive results of the imaging of PCI-e SSDs are given
below:
PCI-E SSD Fusion-IO ioDrive
Among digital forensics of the SRCI-NEN the Fusio-IO ioDrive is being used as storage for the
Oracle Database of FTK 4.2. This Fusion-IO has special hardware drivers that are closely
connected with the firmware version.
For the acquirement of the PCI-e Fusion-IO io-Drive a custom 64bit WinFE boot CD was created,
whereby the 64 bit Fusion driver (Fusion-io_3.2.3.950_X64) was integrated. With this custom
WinFE boot CD the configuration Testing Machine Server 3 was started up.

The Fusion-IO io-Drive was completely recognised. The information the WinFE Write Protect tool
gives on the Fusio-IO is shown in Figure 5.1. Alongside an image was made using FTK imager
lite. The FTK report can be found in Appendix IV.
Testing Machine Server 3
Supermicro X8DTH-iF Mainboard
Intel Xeon L5630
Kingston 32Gb DDR3 1333mhz
Areca ARC-1880i, 8 ports
8x Seagate 3.5" SAS 600GB 15K
PCI-e SSD Fusion-IO ioDrive 320 GB
OS, W-Server 2008 R2, 64 bit

A.F.J. van Ginkel

43 of 63

Figure 5.1: WinFE write protect Tool Fusion
5.1.1 PCI-E SSD OCZ Revodrive 3

The PCI-E SSD, OCZ Revodrive3 has been purchased especially for this research. This OCZ
Revodrive3 is composed of 2 modules that apparently form a RAID 0. A 32bit custom WinFE
boot CD with (OCZ10xx32) driver has been created. Testing Machine PC 1 was started up using
this boot CD and the OCZ REVOdrive3 was completely recognised and imaged with FTK imager
lite.

The image report of FTK imager can be found in the Appendix III.

Memory 8 GB
PCI-e SSD OCZ REVODrive3, 256 GB

A.F.J. van Ginkel

44 of 63

The WinFE Write Protect tool gives the following information on the OCZ Revodrive3:

Figure 5.2: WinFE write protect Tool OCZ Revodrive3

The last chapter of this thesis discusses the tests and the future work on the virtual WinFE
framework.

A.F.J. van Ginkel

45 of 63

6 Testing, Limitations and Future work

6.1.1 Testing

During the past eleven months the virtual WinFE framework was extensively tested. With the help
of elaborate test environments and testers (forensic specialists) various problems were discovered.
A couple of examples:
The WinBuilder locked up in a W7, 64 bit environment;
The created virtual WinBuilder environment in VMware WS v7 locked up in VMware v8;
WinBuilder, project Win7PE SE, caused problems with various large driver packs and
scripts;
The integrated driver option did not work on 64bit drivers with 32bit source W7 DVD.

Any problems that arose were analysed and corrected in the Virtual WinFE framework and cheat
sheet. Having tested it again the problems appeared to have been solved. Positive experiences with
the use of the WinFE framework were also reported by the testers.
Some of responses:
Free use of WinFE framework was experienced as positive;
The option to create a custom WinFE boot CD or boot USB thumb drive is simple;
Applicable to RAID hardware (Areca and Marvell RAID tested);
The WinFE framework has growth capacities for Incident Response (IR)/Triage.

The positive responses/ideas will be incorporated in the future of WinFE framework.

A.F.J. van Ginkel

46 of 63

6.1.2 Limitations Secure boot

Recently, various types of Windows 8 Ultrabooks were launched with a new version of UEFI
Secure boot. In it a key combination no longer gives access to the configuration of the UEFI. The
start-up of a forensic boot CD is apparently being excluded by it. The live environment of the
Ultrabook equipped with Windows 8 only provides for an UEFI set-up to be adjusted. Thus, only
the UEFI secure boot can be turned off, making UEFI during booting accessible again. This is a
problem for adopting forensic boot CDs. While writing this thesis no Windows 8 Ultrabook with
such UEFI was available for testing.

Figure 6.1: Windows 8, UEFI Firmware Settings

6.1.3 Future work

In cooperation with the Police Academy of The Netherlands, as part of a digital forensics training
course in connection with the module 'Other OS systems', the WinFE framework is being used to
image the new Mac Pro in a test environment. At the end of 2013 Mac Pros are to be launched by
Apple. This computer contains a PCI-E flash SSD. Apple OS X operating system provides the
facility to make a disk partition with Bootcamp on to which a Windows version can be installed.
The BootCamp Support Software (driverpack) can be used to create a custom WinFE boot CD for
the PCI-E Flash SSD. Integration of the WinFE framework as part of the training 'Other OS
systems' is a realistic option.

A.F.J. van Ginkel

47 of 63

Windows 8.1
In the future the WinFE framework will be adapted to WinPE 5, suitable for Windows 8.1. In this
new environment a new version will also be provided for with a focus on Incident Response
(IR)/Triage activities.

A.F.J. van Ginkel

48 of 63

7 References
1 Apple mac pro Quote http://www.apple.com/mac-pro/ [last visited (lv) 30-09-2013]
2 W.G. Kruse & J.G. Heiser . (2002). Computer Forensics: Incident Response Essentials
Addison Wesley Professional.
3 Troy Larson, working at Microsoft, How to Build Windows FE (Forensic Envirment) with
the Windows Preinstallation Environment.
4 A. Schroader and T. Cohen, Alternate Data Storage Forensics / Edition 1 (2007)
5 J. Wiles and A. Reyes, The Best Damn Cybercrime and Digital Forensics Book
Period(2007) Syngress
6 Daubert v. Merrell Dow Pharmaceuticals, Inc., (1993)
7 M.N. Al-Azhar Forensically Sound Write Protect on Ubuntu (2007)
8 B. Shavers, Placing the Suspect Behind the Keyboard (2013) Elsevier / Syngress
9 R. Wilkins & B. Richardson 2013 UEFI Secure Boot in Modern Computer Security
Solutions. http://www.uefi.org/ [lv 22-10-2013]
12 United States National Institute of Standards and Technology (NIST), CFTT
http://www.cftt.nist.gov/HWB-ATP-19.pdf [2-09-2013]
13 http://en.wikipedia.org/wiki/WinBuilder [lv 01-09-2013]
14 C. Ramsden, http://winfe.wordpress.com/2012/03/19/colins-write-protect-application/
[lv 01-09-2013]
15 http://www.forensicfocus.com/downloads/WinFE.pdf [lv 1-9-2013]
16 http://www.ramsdens.org.uk/information.html [lv 1-9-2013]
17 http://www.caine-live.net/index.html [lv 28-09-2013]
18 https://www.forensicsandediscovery.com/Training/InformationProtection/Raptor.aspx
[lv 28-9-2013]
19 http://www.forensicswiki.org/wiki/Helix3 [lv 28-09-2013]
20 http://www.e-fense.com/products.php [lv 28-09-2013]
21 http://www.accessdata.com/ [lv 14-11-2013]

A.F.J. van Ginkel

49 of 63

22 http://sumuri.com/index.php [lv 28-09-2013]
23 http://www.deftlinux.net/ [lv 01-10-2013]
24 http://www.forensicsoft.com/ [lv 14-10-2013]
25 http://win7pe.winbuilder.net/Projects/ [lv 18-09-2013]
26 http://en.wikipedia.org/wiki/TRIM [lv 23-10-2013]

A.F.J. van Ginkel

50 of 63

8 Appendices

8.1 Appendix I - WinFE, WP.script

script WP.script (selection)
[main]
Title=WinFE Write Protect Tool
Description=Windows Forensic Environment Disk Write Protection Tool
Selected=True
Level=4
Version=4
NoWarning=False
Download_Level=1
Author=Colin Ramsden, Royal Meier
Contact=http://winfe.wordpress.com/
Credits=Colin Ramsden, Karl Morton, Royal Meier
Date=21/03/2012

[variables]
%ProgramTitle%=DiskTool
%ProgramEXE%=WProtect.exe
%ProgramFolder%=DiskTools
%ShortCutName%=WinFE Write Protect Tool

[process]
//Generic Patches - Disable TRIM to be on the safe side
RegHiveLoad,DTSetup,%RegSystem%
RegWrite,"HKLM",0x4,"DTSetup\ControlSet001\Control\FileSystem","DisableDeleteNotification","0x00000001"
//Disable Dynamic Disks
RegWrite,"HKLM",0x4,"DTSetup\ControlSet001\services\volmgrx","Start","0x00000004"
RegHiveUnLoad,DTSetup
// Dump WP Tools into System32 Folder if Checkbox 1 is checked (True)
ExtractAllFiles,"%ScriptFile%",Folder,"%target_sys%"
// Edit Registry and add Troy's default write blocking registry settings
RegHiveLoad,DTSetup,%RegSystem%
RegWrite,"HKLM",0x4,"DTSetup\ControlSet001\services\partmgr\Parameters","SanPolicy","0x00000003"
RegWrite,"HKLM",0x4,"DTSetup\ControlSet001\services\mountmgr","NoAutoMount","0x00000001"
RegHiveUnLoad,DTSetup
// Patch Winpeshl.ini
TXTReplace,%target_sys%\winpeshl.ini,[LaunchApps],#$qWProtect.exe -i#$q
TXTAddLine,%target_sys%\winpeshl.ini,[LaunchApps],PREPEND
// Add_Desktop & Start Menu Shortcuts
Add_Shortcut,Desktop,,"%SystemRoot%\System32\%ProgramEXE%",%ShortCutName%,"%SystemRoot%\System32",,,,"WinFE
Write Protect Tool"
Add_Shortcut,StartMenu,"WinFE","%SystemRoot%\System32\%ProgramEXE%",%ShortCutName%,"%SystemRoot%\System32",,,,"
WinFE Write Protect Tool"

[EncodedFolders]
Folder

[Folder]
WProtect.exe=11279,15039

A.F.J. van Ginkel

51 of 63

8.2 Appendix II Cheatcheet Framework WinFE

CHEATCHEET WINFE v1.9
Making a case specific Windows Forensic Boot CD/USB Flash drive
Integrate drivers for PCI-e SSD (flash), RAIDS Cards, different storage media.

What does one need:

Login into the VMWare Windows 7, 32 bit (no username or password required).
In the VM settings under CD/DVD (IDE), set ISO image file: Windows 7, 32 bits or 64
bits for 64bit drivers
It will mount the DVD as Drive letter D:

Framework: VM clone WINFE_PCI_E
VM workstation or free VM player.
Windows 7 DVD or ISO 32 / 64 bit
Windows PC with minimum of 4 GB memory,
preferably more.

A.F.J. van Ginkel

52 of 63

START VM clone WINFE_PCI_E
On the Desktop start up Winbuilder 32bit or 64bit.

A.F.J. van Ginkel

53 of 63

In WinBuilder:
Set source file, (the Windows 7 DVD files on Drive letter D: )
!" $%&%'$()*
Check the internet on information on the brand/type of the seized computer. The
brand/type of the used PCI-E SSD, RAID etc. is sometimes listed in the specifications.
If possible check on the PCI-E SSD, RAID of the computer itself for the brand/type.
Consult the computer manual how to enter Bios UEFI or Raidcard. Do take notes!
Site for access BIOS hLLp://pcsupporL.abouL.com/od/flxLheproblem/hL/accessblos.hLm

A.F.J. van Ginkel

54 of 63

Use a forensic boot CD/DVD like raptor or WinFE and put it in the DVD-Drive for safety
reasons! (Forensic USB flash drvie can also be used)
If possible remove the battery from the laptop before booting. If by accident booting
occurs in the host OS, then immediately pull the plug!
Boot the computer/server, enter the Bios and look for the hardwares brand/type/version
(PCI-e SSD or RAID controller).
Do take notes/pictures!

Do not
boot in the
system OS!
Look for the suitable vendor on the internet to find the hardware driver for the PCI-e SSD
or RAID. Download the proper Windows 7 version or W2008 Driver 32 bits or (if not
available) 64 bits driver. Be aware! A 64bits driver requires a 64bit W7 source DVD/ISO
Having unpacked the driver (ZIP, EXE) copy it to the
Winbuilder Version 32 bit drivers: \Drivers_x86\
Winbuilder Version 64 bit drivers: \Drivers_x64\

A.F.J. van Ginkel

55 of 63

When creating a WinFE boot CD use ImgBurn ISO (on). Turn off USB flash drive.
When creating a WinFE USB flash drive turn off ImgBurn (off)
Copy to USB device (on)
Stick a USB flash drive in the VM and select the root directory of your USB device.

A.F.J. van Ginkel

56 of 63

Check source W7 DVD/ISO for 32 or 64 bit! (64bit driver requires a W7 64 source
DVD/ISO)
Ready to go!
Press the blue play button and wait for approximately 10 minutes.

The new ISO can also be found on location C:\win FE\ISO
Burn the ISO on CD/DVD or use a Zalman ZM-VE to mount ISOs as CD/DVD Emulator

A.F.J. van Ginkel

57 of 63

BOOTING Target
Boot the custom WinFE Boot CD on the suspect machine.
Use the Write Protect tool on the Desktop to change the Drive destination into Read/Write and
Mount.

Do not
boot in the
system OS!
Use FTK imager Lite, on the desktop to image the suspect physical Drive.

A.F.J. van Ginkel

58 of 63

Do not use Disk Manager!
Solely the Write Protect tool on Desktop.

Placing a Volume in Read-only does write to the disk. Connecting a NON-Windows drive
might write a disk signature.' The disk signature is a 4 byte entry and can be found on the
Master Boot Record (MBR) at offset 0x01B8.

THE END.

A.F.J. van Ginkel

59 of 63

8.3 Appendix III PCI-E SSD OCZ Revodrive 3 Image

Created By AccessData FTK Imager 3.1.1.8

Case Information:
Acquired using: ADI3.1.1.8
Case Number: PCI-E OCZ Revodrive 3
Evidence Number: PCI-E OCZ Revodrive 3
Unique description: PCI-E OCZ Revodrive 3
Examiner: AFJ van Ginkel
Notes: PCI-E OCZ Revodrive 3

--------------------------------------------------------------

Information for C:\OCZ PCI SSD IMAGE FTK IMAGER\new\PCI-E OCZ Revodrive 3:

Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Drive Geometry]
Cylinders: 29,186
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 468,883,198
[Physical Drive Information]
Drive Serial Number: OCZ-X9T4Q54M9GWPHMGL
Drive Interface Type: SCSI
Removable drive: False
Source data size: 228946 MB
Sector count: 468883198

A.F.J. van Ginkel

60 of 63

[Computed Hashes]
MD5 checksum: 8e49ce18fb4b27f4e756bf25910af06f
SHA1 checksum: ac35cb6050e6d52c42c11d9dfe17d28f4fa61b6e

Image Information:
Acquisition started: Sun Oct 27 17:47:52 2013
Acquisition finished: Sun Oct 27 18:23:02 2013
Segment list:
C:\OCZ PCI SSD IMAGE FTK IMAGER\new\PCI-E OCZ Revodrive 3.E01

A.F.J. van Ginkel

61 of 63


Image Verification Results:
Verification started: Sun Oct 27 18:23:05 2013
Verification finished: Sun Oct 27 18:59:39 2013
MD5 checksum: 8e49ce18fb4b27f4e756bf25910af06f : verified
SHA1 checksum: ac35cb6050e6d52c42c11d9dfe17d28f4fa61b6e : verified

A.F.J. van Ginkel

62 of 63

8.4 Appendix IV PCI-e SSD Fusion-IO ioDrive 320 GB image

Created By AccessData FTK Imager 3.1.1.8
Case Information:
Acquired using: ADI3.1.1.8
Case Number: Fusion-IO
Evidence Number: Fusion-IO
Unique description: t
Examiner: A. van Ginkel
Notes: Fusion-IO io-drive
--------------------------------------------------------------
Information for C:\test fusion image\t:
Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Drive Geometry]
Cylinders: 35,014
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 562,500,000
[Physical Drive Information]
Drive Serial Number: 478327
Drive Interface Type: SCSI
Removable drive: False
Source data size: 274658 MB

A.F.J. van Ginkel

63 of 63

Sector count: 562500000
[Computed Hashes]
MD5 checksum: 4e502be0df41d2abb5a50e95f218f16e
SHA1 checksum: af65925a77ebdbec0cc54e0a56a092e76fbccc14
Image Information:
Acquisition started: Fri Sep 27 11:31:33 2013
Acquisition finished: Fri Sep 27 12:09:38 2013
Segment list:
C:\test fusion image\t.E01
Image Verification Results:
Verification started: Fri Sep 27 12:09:42 2013
Verification finished: Fri Sep 27 12:39:47 2013
MD5 checksum: 4e502be0df41d2abb5a50e95f218f16e : verified
SHA1 checksum: af65925a77ebdbec0cc54e0a56a092e76fbccc14 : verified

Alex Van Ginkel Final Thesis MSC - 27nov

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Alex Van Ginkel Final Thesis MSC - 27nov

Încărcat de

Drepturi de autor:

Formate disponibile

A.F.J.

S-ar putea să vă placă și