Windows Triage Environment
Pedro Gilberto
[WTE MANUAL]
Windows Triage Environment Manual (Lang. English)
CONTENTS (partial)
SEARCH 1 (QuickSearch) http://www.glarysoft.com/quick-search, p. 29
1 This application is started automatically during WTE startup and a small search box is displayed at the bottom of the screen, p. 29
2 As you type the term to search, the results are displayed in real time, p. 29
3 Click on a column header to sort the results, p. 29
Pag. 1
SEARCH 3 (Agent Ransack) http://www.mythicsoft.com/agentransack, p. 49
IMAGE VIEWER (XnView), p. 57
1 Start screen, p. 57
2 Click File > Open, browse and select the image you want to open, p. 57
3 On Tools > Search [Ctrl + F] or click the icon, to search images, p. 57
4 A new window for Search configuration opens, where you can configure:, p. 57
5 Results are displayed and you can see them as thumbnails, p. 60
6 Select the relevant images and click Create > Web Page or the button, p. 61
7 A new window opens displaying the Report configuration, p. 61
8 If the configuration is ready just click Create, p. 62
9 Three folders named Images, Thumbnails and nav and an HTML file named thumb.html are created, all making up the report; clicking on thumb.html shows the report in the browser, p. 62
(Ext2Mgr), p. 75
1 In WTE main menu click All Programs > Linux & Mac > Linux Volumes Mount, p. 75
2 Ext2 Volume Manager displays all disks and partitions, mounted or not, p. 75
3 Select the partition to mount, right-click and choose Change Drive Letter [F4], p. 75
4 Click Add, select a drive letter and a way to mount, click OK and Done, p. 76
(LinuxReader), p. 77
1 In WTE main menu click All Programs > Linux & Mac > Search Linux & Mac, p. 77
2 Double-click or right-click on the volume and select Open partition to browse its content, p. 77
3 In the top menu click View to change the appearance; by default the full path to the selected file and a preview are displayed, p. 78
4 To search choose Commands > Search [Ctrl F] or click the proper icon, p. 78
5 On the left panel configure your searches, then click Search, p. 78
6 Clicking a hit automatically shows the full path and a quick preview at the bottom of the right panel, p. 79
7 You can change the appearance of the results by clicking the proper icon, p. 80
8 Selecting a hit automatically shows the full path and a quick preview in the Preview Panel, p. 80
9 Right-click on the Preview Panel and choose how to preview, p. 80
10 At Details in the left panel, click on the preview to open a Large Preview, p. 81
11 Searching for files containing the typed text inside, and previewing file content, p. 81
12 You can click Cancel and stop the search job at any time to check the results, p. 82
13 To open the Folders Panel and browse folders choose View > Folder Tree or click the proper icon, p. 82
14 To export evidence files select the relevant ones, right-click and choose Save, p. 82
15 Click Next and Browse for the destination folder, preferably choosing Y:\Evidence\Relevant Files, p. 83
(TrueRemote), p. 92
1 In WTE main menu click All Programs > Net > Remote, p. 92
2 For this connection the Server must be using a static IP or be in the same network as the Client, p. 92
3 If you are acting in ServerMode give your IP to whoever intends to connect to you and click OK, p. 92
4 If you are acting in ClientMode type the IP of the server you want and click OK, p. 92
http://www.ramsdens.org.uk/
SYSTEM STARTUP
(Mounting disks write protected)
1 In order to avoid mistakes, disconnect any external USB drive from the target system: mount and examine it later.
2 Access the target system BIOS and change the boot options as needed (see the document BIOS settings for USB booting.pdf).
3 Boot the computer with the WTE system from the USB stick or CD.
4 Choose one of the options:
WTE Standard (default)
WTE Mini (if the standard option doesn't boot properly, try this one)
WTE Maxi (support for: Network; MSI Installer; MS Visual C++; Volume Shadow Copy Service; USB 3.0)
Select the disk, then click Detail Disk to check which disk it is.
SYNCHRONIZE LETTERS
(LetterSwap)
1 Synchronize volume letters based on the registry of the target computer's Windows OS.
3 Browse for the WINDOWS folder and double-click to open it.
4 Click OK.
5 Refresh Explorer [F5] and verify that the letter assignment changed and is now correct.
Sometimes, depending on how the disks are partitioned and on the location of the active partition and where the OS is installed, this reassignment won't succeed.
http://www.gaijin.at/en/dlregreport.php
SYSTEM REPORT
(Registry Report)
C:\WINDOWS\system32\config\software
C:\WINDOWS\system32\config\system
C:\WINDOWS\system32\config\SAM
2 Save them to the WTE USB stick (by default Y:) into the Evidence\Registry folder.
If there are several relevant users, create a subfolder Evidence\Registry\[username] for each one and copy the respective NTUSER.DAT into it.
On RegistryReport:
8 As the preferred option, select the folders of the original evidence files.
Using this option the original location of the evidence files is displayed in the report, allowing you to identify immediately which user the report relates to.
11 Click File > Create report [Ctrl+R]
If there is more than one relevant user you should produce a report for each one; you could use the first 3 files just for a first complete report.
For the other reports you could use only the NTUSER.DAT of each user.
Save it at Evidence\Registry:
While the script is running a small icon is displayed in the task bar.
Select the NTUSER.DAT file of the relevant user and click Open to continue.
The script will search for the other necessary system files.
The application RegistryReport will start automatically and generate the report, but you will need to save it manually.
Before saving the report make sure it was correctly generated, checking at its beginning the location of the system files used and whether the correct ones were chosen.
Do not forget to save the report in the folder of each user, clicking File > Save as [Ctrl+S].
You will be asked whether you want to generate a new report for another user; if so, you must close RegistryReport before choosing a new NTUSER.DAT file.
(If you didn't close the application the report generation will not start automatically, but as the files are already selected just click File > Create report [Ctrl+R] and proceed.)
All the needed system files will be saved automatically into Evidence\Registry at the final stage, so do not be surprised by some delay before the finishing message appears.
OS registration name
Install date of the OS
Date and time of the OS last shutdown
Installed software
USB devices (external disks, pendrives, photo cameras, video cameras, mobile phones)
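As an added example (not part of the WTE manual or of RegistryReport), the following Python decodes the two timestamp encodings behind the install date and last shutdown fields listed above. It assumes the well-known Windows storage formats rather than anything stated on this page: InstallDate (SOFTWARE\Microsoft\Windows NT\CurrentVersion) is a REG_DWORD of seconds since the Unix epoch, and ShutdownTime (SYSTEM\...\Control\Windows) is an 8-byte little-endian FILETIME. The sample values are constructed, not taken from any real system.

```python
# Added example, not RegistryReport's code. Assumed Windows value formats:
#   InstallDate  - REG_DWORD, seconds since 1970-01-01 UTC (Unix epoch)
#   ShutdownTime - REG_BINARY, 8-byte little-endian FILETIME:
#                  100-nanosecond ticks since 1601-01-01 UTC
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Ticks between the two epochs: 134774 days * 86400 s * 10^7 ticks/s
FILETIME_UNIX_OFFSET = 116444736000000000


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (REG_BINARY) into an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes, got %d" % len(raw))
    ticks = int.from_bytes(raw, "little")
    # timedelta resolves to microseconds, so the sub-microsecond digit is dropped
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def unix_dword_to_datetime(value: int) -> datetime:
    """Decode a REG_DWORD holding seconds since the Unix epoch (InstallDate)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in a DWORD")
    return EPOCH_1970 + timedelta(seconds=value)


def datetime_to_filetime(ts: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used here to build a constructed test vector."""
    ticks = (ts - EPOCH_1601) // timedelta(microseconds=1) * 10
    return ticks.to_bytes(8, "little")


def describe_sample() -> dict:
    """Decode constructed sample values (not from a real hive) as the report would print them."""
    install = unix_dword_to_datetime(1262304000)  # constructed: 2010-01-01 00:00:00 UTC
    shutdown_raw = datetime_to_filetime(datetime(2013, 6, 15, 22, 30, tzinfo=timezone.utc))
    shutdown = filetime_to_datetime(shutdown_raw)
    return {"install_date": install.isoformat(), "last_shutdown": shutdown.isoformat()}


if __name__ == "__main__":
    print(describe_sample())
```

Reading the raw bytes from an exported hive still needs a hive parser; the point here is only the decoding step, which is where off-by-epoch mistakes (1601 vs 1970) and endianness errors usually creep into hand-made reports.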
http://www.glarysoft.com/quick-search
SEARCH 1
(QuickSearch)
1 This application is started automatically during WTE startup and a small search box is displayed at the bottom of the screen.
2 As you type the term to search, the results are displayed in real time.
Files or folders containing the typed word anywhere in their name are displayed;
You can only search for one term at a time.
Choose Options.
On the Category tab select the one to modify and in the File Extensions field add, modify or remove any file extension.
You can also Remove or Add a new category.
If for any reason the application is already running when you mount a disk, you will have to close it (click on the small white arrow and choose Exit) and start it again so that the application also indexes that disk.
http://locate32.cogit.net/
SEARCH 2
(Locate 32)
1 This application is started automatically during WTE startup and updates a database named WTE.
A small box is displayed at the bottom right of the screen showing the database indexing progress:
2 Locate32 saves to a database the names of all files on your hard drives.
By default non-fixed disks and the volumes assigned the letters Y: and X: (used by the WTE system) are not indexed.
3 Once the file indexing has occurred, you can locate files quickly by using the application's search form.
Type the terms to search and the results are displayed in real time:
Check that the application is working by typing just a character (e.g. a) in the Named field:
4 If the application is not working or displays these messages, go to Advanced Configuration in this document.
SEARCHING
5 Search configuration
b) Extensions: you can specify extensions; only files with those extensions will be searched.
c) To search for files whose name contains [,] [;] or [space] use apostrophes.
You can search for a file whose name does not contain a term using - (e.g. -tmp -log).
d) Browse: you can use this button to specify a directory for "Look in:".
Minimum / Maximum file size: limit the size of the files to look for.
c) Modified / Created / Last accessed
Type of file: you can specify the type of files to search for (grouped by extension).
a) File containing text: check and use this field to find text inside files.
b) Match case: check to specify whether the text to search for is case sensitive or not.
c)
Click Presets
Select one of the sets
Pag. 38
VIEW RESULTS
7 Click twice on a column header to sort results.
8 Click View at main menu and select how to view the results.
a) In the File name field: type the name of the file to save (e.g. Searches_[user], or create a subfolder).
c) WTE Images: for a report with thumbnails of the relevant images and some simple information.
WTE List: just a list of the relevant files with simple information about each one.
d)
e) You can check Description and type some text to include as a description in the report header.
f)
g) At Details: select what information about each result to include in the report; by default:
Full Path
Date Modified
MD5 checksum (it could take quite a long time if there are too many results to export)
If you want to display more information in the listing, change the choices.
ADVANCED CONFIGURATION
10 Correcting database ERRORS.
a)
b)
If not
a)
b) In the File field change Y to the letter assigned to the WTE USB stick.
c) Click File > Update Databases [F9] in order to update the database and allow searches on that disk.
Define all the options in order to perform your searches as you want and:
a)
b)
MORE HELP
13 Click ? at Advanced tab for help.
14 Click Help > Help Topics on main menu bar for help.
http://www.mythicsoft.com/agentransack
SEARCH 3
(Agent Ransack)
SEARCHING
2 Search configuration
Main tab:
a)
You can search multiple terms at once separating them with a ; (semicolon).
Not: if checked, the file name criteria specifies files to EXCLUDE from the search.
c) Containing text: specifies the contents to find in the files for a content search.
d) Match Case: click Aa to change the state; if on, the file name matching is case-sensitive.
e)
f) You can specify multiple locations to search, separating them with a ; (semicolon).
Subfolders: if unchecked, only files located in the Look in folder are searched; if checked, subfolders are searched too.
h) Browse for multiple folders: this button provides a great mechanism to select the folders to search.
Select the desired folder and click Add.
i)
j)
k) To activate the date criteria click on the Calendar and select the date/time.
Options tab:
a)
File name: Changes the way to search using the expression typed on the field with the same name
at Main tab:
Regular Expression (If checked the file name should be treated as a regular expression)
Match Case (If checked the file name matching should be case-sensitive)
Specifies NOT expression (If checked the file name criteria specifies files to EXCLUDE from the
search)
b)
Contents:
Regular Expression
Match Case
c) With Regular Expression checked, using a normal DOS expression at Main/File name (e.g. *.doc; *.jpg) will display an error message:
Using regular expressions for the same criteria you should use \.(doc|jpg)$
Modified (After/Before)
Created (After/Before)
Last Accessed (After/Before)
3 Starting to search
a)
Start [F5]: When all configurations are as needed just click to start.
b)
Browse to the folder Y:/Utilities/Search Criteria and double click on the .srf file you wish to use.
c)
File name
Location
Size
Type
Date
c)
d)
Check Selected files in order to export just the selected results for the report.
IMAGE VIEWER
(XnView)
http://www.xnview.com
1 Start screen
2 Click File > Open, browse and select the image you want to open.
Most image files are associated, so that clicking on the file in Windows Explorer opens it automatically with this application.
3 On Tools > Search [Ctrl + F] or click the icon, to search images.
4 A new window for Search configuration opens, where you can configure:
a) Filename
Insert the filename (or part of it) or leave it blank
b) Look in
c) Include subfolders.
d)
e)
f)
g)
h)
i)
6 Select relevant images and click Create > Web Page or the button
9 Three folders named Images, Thumbnails and nav and an HTML file named thumb.html are created, all making up the report; clicking on thumb.html shows the report in the browser.
http://www.irfanview.com
1 Start screen
2 Click File > Open, browse and select the image you want to open.
Most image files are associated, so that clicking on the file in Windows Explorer opens it automatically with this application.
3 On File > Thumbnails [T] a box opens and fills with thumbnails of the images in the directory.
SEARCHING
4 Click File > Search Files [Ctrl + F] to search images; a dialog with search options opens.
j) Filename pattern: type the name or extension of the files to look for, e.g.:
*.jpg
123*.jpg
*123.jpg
Find only JPG type files with 123 anywhere in the name
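The filename patterns above and the Regular Expression option in the Agent Ransack section (where a DOS expression such as *.doc; *.jpg fails, and \.(doc|jpg)$ is the regex equivalent) use two different pattern languages. As an added example, not code from the manual or from either tool, the Python below translates DOS wildcards into a regex, filters a constructed list of file names under both modes, and shows why the wildcard string does not compile as a regular expression. The matching behaviour is this example's own assumption about how the tools interpret patterns, not their implementation.

```python
# Added example, not Agent Ransack's or IrfanView's code. Assumes '*' = any run of
# characters, '?' = one character, ';' separates patterns (as the manual describes).
import re
from typing import List


def split_patterns(field: str) -> List[str]:
    """Split a 'File name' field on ';', dropping blanks and surrounding spaces."""
    return [p.strip() for p in field.split(";") if p.strip()]


def wildcard_to_regex(pattern: str) -> str:
    """Translate one DOS wildcard into an anchored regex; everything else is literal."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "^" + "".join(out) + "$"


def wildcards_to_regex(field: str) -> str:
    """Combine a semicolon list such as '*.doc; *.jpg' into one alternation."""
    return "|".join(wildcard_to_regex(p) for p in split_patterns(field))


def wildcard_field_compiles_as_regex(field: str) -> bool:
    """True if the field is accepted verbatim by the regex engine (the tool's error case otherwise)."""
    try:
        re.compile(field)
        return True
    except re.error:
        return False


def matching_names(names: List[str], field: str, regex_mode: bool,
                   match_case: bool = False) -> List[str]:
    """Filter names as the Options tab describes.

    regex_mode=False: the field holds DOS wildcards and is translated here.
    regex_mode=True:  the field is used as a regular expression verbatim
                      (raises re.error for a wildcard string, mirroring the tool's message).
    """
    flags = 0 if match_case else re.IGNORECASE
    expr = field if regex_mode else wildcards_to_regex(field)
    rx = re.compile(expr, flags)
    return [n for n in names if rx.search(n)]


if __name__ == "__main__":
    # Constructed sample names, not from any case
    sample = ["report.doc", "IMG_123.jpg", "123abc.jpg", "notes.txt", "abc.JPG"]
    print(wildcards_to_regex("*.doc; *.jpg"))
    print(matching_names(sample, "*.doc; *.jpg", regex_mode=False))
    print(matching_names(sample, r"\.(doc|jpg)$", regex_mode=True))
    print(wildcard_field_compiles_as_regex("*.doc; *.jpg"))
```

Note that the wildcard translation anchors each pattern to the whole name, so 123*.jpg and *123.jpg behave as the IrfanView list above implies (prefix and suffix respectively), while the hand-written regex \.(doc|jpg)$ only anchors the end; with Match Case off both modes ignore case.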
Image
k)
l)
m) Search subfolders: Check in order to search also subfolders from specified volumes or folders.
n)
o)
p) Look in: check the data type in which to search for the text:
IPTC data
EXIF data
Comment data
a) With the mouse over a thumbnail, basic image information is displayed:
9 Double-clicking the thumbnail opens the image at full size.
b)
b)
a) You could right-click on the report and edit the HTML file with MS Word:
b) In MS Word you could select the table and copy it into another Word document (e.g. a more elaborate report).
http://www.ext2fsd.com
1 In WTE main menu click All Programs > Linux & Mac > Linux Volumes Mount.
2 Ext2 Volume Manager will display all disks and partitions, mounted or not.
3 Select the partition to mount, right-click and choose Change Drive Letter [F4].
The volume will be mounted and Explorer will now display a new volume with the selected letter assigned.
http://www.diskinternals.com/linux-reader/
1 In WTE main menu click All Programs > Linux & Mac > Search Linux & Mac.
Linux Reader will display all volumes and physical drives, mounted or not:
2 Double-click or right-click on the volume and select Open partition to browse its content.
Preview
Full Path
4 To search chose Commands > Search [ Ctrl F ] or click the proper icon
Click to expand
6 Clicking a hit automatically shows the full path and a quick preview at the bottom of the right panel.
8 Selecting a hit automatically shows the full path and a quick preview in the Preview Panel.
11 Searching for files containing the typed text inside, and previewing file content.
13 To open the Folders Panel and browse folders choose View > Folder Tree or click the proper icon.
14 To export evidence files select the relevant ones, right-click and choose Save.
a)
Click Next:
c)
http://www.mitec.cz/mailview.html
MAIL VIEWER
(Mitec Mail Viewer)
1 In WTE main menu click All Programs > Mail > Mail Viewer.
DBX, EML and MSG files are associated, so that clicking on the file in Windows Explorer opens it automatically with this application.
2 Just select the type of mail file to view, browse to its location and click OK.
http://www.nucleustechnologies.com/ost-viewer.html
OST VIEWER
(Kernel OST Viewer)
1 In WTE main menu click All Programs > Mail > OST Viewer.
2 Search or Browse and select the Source OST File and click OK.
3 Once the OST is opened you can navigate in a similar manner as in MS Outlook:
The content of HTML messages probably won't be shown properly.
http://www.nucleustechnologies.com/pst-viewer.html
PST VIEWER
(Kernel Outlook PST Viewer)
1 In WTE main menu click All Programs > Mail > PST Viewer.
2 Search or Browse and select the Source PST File and click OK.
3 Once the PST is opened you can navigate in a similar manner as in MS Outlook.
The content of HTML messages probably won't be shown properly.
http://holger.winbuilder.net
1 In WTE main menu click All Programs > Net > Network Mount.
7 Double-click on one of the available connections and enter the wireless key if needed.
8 A task bar icon will appear and you will be able to control the connection state.
2 If you are acting as Client, give your ID to the Operator who intends to connect to you.
3 If you are acting as Operator, type the Client ID and click Connect.
4 The Client has to Accept [A] the connection.
No other configuration is necessary;
the operator can now control your system over the internet.
http://blog.x-row.net/?cat=4
1 In WTE main menu click All Programs > Net > Remote.
2 For this connection the Server must be using a static IP or be in the same network as the Client.
3 If you are acting in ServerMode give your IP to whoever intends to connect to you and click OK.
4 If you are acting in ClientMode type the IP of the server you want and click OK.
If you need an encrypted connection or sound capture use Brynhildr in a similar way.
http://blog.x-row.net/?cat=9
5 No other configuration should be necessary; the Client can access and control the Server system.
WTE OFFICE
(Office Tools)
1 A regular MS Windows Calculator.
www.flos.freeware.ch
www.openoffice.org
5 With PDF Reader (Foxit Reader) read and create PDF file types.
www.openoffice.org
6 The old MS Wordpad to read and create plain text or RTF files.
www.gaijin.at
In the Search 1 results window right-click on the file and choose Open:
Or in the Explorer window select the file and click Open (or double-click):
Select relevant results and export them clicking the icon, or File > Export selected [Ctrl + Shift + E] on menu:
WTE SUPPORT
(WTE Support Tools)
1 CD Burning Tool (ImgBurn).
www.imgburn.com
www.7-zip.org
Most compressed files are associated, so that clicking on the file in Windows Explorer opens it automatically with this application.
www.nirsoft.net
On the menu choose View > Choose Columns to select the ones to make visible:
To export the results choose View > HTML Report All Items on the menu.
Or select the relevant ones and on the menu choose View > HTML Report Selected Items:
http://www.ltr-data.se
http://www.faststone.org
6 Drivers.
7 System.
Command Prompt
Keyboard Switch
With [Ctrl + Tab] or by clicking the icon on the taskbar you can scroll through the available keyboards and select another one to use.
Right-click on the taskbar icon, choose Preference and you can add more keyboards.
Use [Left Alt +Shift + Letter] to change for another input language:
Letter Swap
System Lock
8 Tools.
Disk Mount
FTK Imager
If you don't know how to open a file, try using this application.
CAUTION: if you open a file and consider it evidence, DO NOT use Save or Save As into your WTE Evidence folder, because it will change the file metadata.
Rather, you should open an Explorer window and copy the file directly to your Evidence folder.
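To see why the caution matters, here is an added Python example (not from the manual or from FTK Imager) that creates a constructed sample file in a temporary folder, copies it with shutil.copy2 (the equivalent of copying from an Explorer window) and also rewrites it the way a viewer's Save As would, then compares the content hash and the modification time of both results. The Evidence folder names are placeholders for the demo, not WTE's Y:\Evidence layout.

```python
# Added example, not the manual's or FTK Imager's code. Demonstrates, on a constructed
# file, that copy2 keeps hash and mtime while a re-save gets a fresh mtime.
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(src: Path, evidence_dir: Path) -> dict:
    """Copy src into evidence_dir preserving timestamps; return a verification record."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    dst = evidence_dir / src.name
    shutil.copy2(src, dst)  # copy2 = content plus mtime/atime/mode bits
    before, after = sha256_of(src), sha256_of(dst)
    return {
        "source": str(src),
        "destination": str(dst),
        "sha256": after,
        "hash_matches": before == after,
        "mtime_preserved": int(os.stat(src).st_mtime) == int(os.stat(dst).st_mtime),
    }


def resave_like_a_viewer(src: Path, dst: Path) -> None:
    """What Save As from a viewer amounts to: a fresh write, hence a fresh mtime."""
    dst.write_bytes(src.read_bytes())


def demo() -> dict:
    """Run both paths on a constructed sample file and report what changed."""
    work = Path(tempfile.mkdtemp(prefix="wte_demo_"))  # placeholder, not Y:\Evidence
    original = work / "photo.jpg"
    original.write_bytes(b"\xff\xd8\xff\xe0constructed sample, not a real image\xff\xd9")
    # Backdate the original so a fresh write is visibly different from a copy.
    old = time.time() - 3 * 24 * 3600
    os.utime(original, (old, old))

    good = collect_evidence(original, work / "Evidence" / "Relevant Files")
    bad_path = work / "Evidence" / "Resaved" / "photo.jpg"
    bad_path.parent.mkdir(parents=True, exist_ok=True)
    resave_like_a_viewer(original, bad_path)
    resave_mtime_ok = int(os.stat(original).st_mtime) == int(os.stat(bad_path).st_mtime)

    shutil.rmtree(work)
    return {
        "copy_hash_matches": good["hash_matches"],
        "copy_mtime_preserved": good["mtime_preserved"],
        "resave_mtime_preserved": resave_mtime_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The re-saved copy keeps the same bytes in this demo, so a hash alone would not reveal the problem; it is the timestamp (and, for real viewers, possibly re-encoded content) that silently diverges from the original, which is why the manual tells you to copy rather than save.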
Video Frames
- Report Configuration:
Insert a Title
Insert a Sub-Title
Insert the column number (default: 3)
Insert the Thumbs width (default: 300px)
Choose the information to include from the video file:
- MD5 Hash
- SHA1 Hash
- Last Modified Date
- Created Date
- Last Accessed Date
- Click Generate Report
original_files.info sample:
Report.html sample:
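As an added example (not the WTE Video Frames tool's own code), this Python builds an HTML report with the configuration listed above: a title, a sub-title, a fixed number of columns, a thumbnail width, and the MD5/SHA1/date fields under each frame. The tab-separated layout it writes to original_files.info is an assumption, since the manual only shows that such a file exists; the frame files are constructed bytes, and the Created Date caveat for non-Windows systems is noted in the code.

```python
# Added example, not WTE's Video Frames code. Assumes original_files.info holds one
# tab-separated line per frame (name, MD5, SHA1); the manual does not show its format.
import hashlib
import html
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Iterable, List

FIELDS = ("MD5 Hash", "SHA1 Hash", "Last Modified Date", "Created Date", "Last Accessed Date")


def file_digests(path: Path) -> Dict[str, str]:
    """MD5 and SHA1 in one chunked pass (both are options in the report configuration)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"MD5 Hash": md5.hexdigest(), "SHA1 Hash": sha1.hexdigest()}


def _fmt(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def file_record(path: Path) -> Dict[str, str]:
    """All fields the report can include for one frame file."""
    st = path.stat()
    rec = {"File": path.name}
    rec.update(file_digests(path))
    rec["Last Modified Date"] = _fmt(st.st_mtime)
    # st_ctime is creation time on Windows but inode-change time on POSIX.
    rec["Created Date"] = _fmt(st.st_ctime)
    rec["Last Accessed Date"] = _fmt(st.st_atime)
    return rec


def write_info_file(frames: Iterable[Path], dest: Path) -> List[str]:
    """Assumed original_files.info layout: name, MD5, SHA1 per line, tab-separated."""
    lines = []
    for frame in frames:
        rec = file_record(frame)
        lines.append("\t".join((rec["File"], rec["MD5 Hash"], rec["SHA1 Hash"])))
    dest.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return lines


def build_report(frames: List[Path], title: str, subtitle: str, columns: int = 3,
                 thumb_width: int = 300, include: Iterable[str] = FIELDS) -> str:
    """Render a thumbnail grid, `columns` per row, with the chosen fields under each frame."""
    rows, cells = [], []
    for frame in frames:
        rec = file_record(frame)
        details = "<br>".join("%s: %s" % (html.escape(k), html.escape(rec[k])) for k in include)
        cells.append('<td><img src="%s" width="%d"><br><b>%s</b><br>%s</td>'
                     % (html.escape(frame.name), thumb_width, html.escape(rec["File"]), details))
        if len(cells) == columns:
            rows.append("<tr>" + "".join(cells) + "</tr>")
            cells = []
    if cells:
        rows.append("<tr>" + "".join(cells) + "</tr>")
    return ('<html><head><meta charset="utf-8"><title>%s</title></head><body>'
            "<h1>%s</h1><h2>%s</h2><table>%s</table></body></html>"
            % (html.escape(title), html.escape(title), html.escape(subtitle), "".join(rows)))


def demo() -> Dict[str, object]:
    """Four constructed frame files (not real video frames) through the whole pipeline."""
    work = Path(tempfile.mkdtemp(prefix="wte_frames_"))
    frames = []
    for i in range(4):
        p = work / ("frame%02d.jpg" % i)
        p.write_bytes(b"abc" if i == 0 else b"constructed frame %d" % i)
        frames.append(p)
    info = write_info_file(frames, work / "original_files.info")
    report = build_report(frames, "Case placeholder", "Video frames", columns=3)
    (work / "Report.html").write_text(report, encoding="utf-8")
    first = file_digests(frames[0])
    shutil.rmtree(work)
    return {"info_lines": len(info), "table_rows": report.count("<tr>"),
            "first_md5": first["MD5 Hash"], "first_sha1": first["SHA1 Hash"],
            "report_has_first_md5": first["MD5 Hash"] in report}


if __name__ == "__main__":
    print(demo())
```

Every value that goes into the HTML passes through html.escape, so a frame whose name contains markup characters cannot alter the report's structure; with four frames and the default of three columns the table comes out as two rows.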
Choose the relevant frames, right-click on one of them and choose Create HTML Report.
Quickly restore the Create HTML report configuration for the images report by clicking Utilities > Restore Images Report for IrfanView in the Portable Start Menu (this should be done with IrfanView closed).