WinFE research notes

For a while now I have been researching the WinFE system, mainly how to mount external devices under WinFE. Searching Baidu turned up very few relevant resources, so I am writing this post, both to consolidate my own understanding and to give others a reference.

What is WinFE, and how does it relate to WinPE?

WinFE stands for Windows Forensic Environment; it is a WinPE built for forensic use.

Its only difference from WinPE is two registry changes. The first is under "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr": add a DWORD value named NoAutoMount and set it to 1. With this set, the Mount Manager service will not automatically mount any storage device. The second is under "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters", which has a value named "SanPolicy": change it from its original value of 1 to 3, where 3 means all disks offline and 1 means all disks online. Why offline? Once a disk is online its attributes become writable, and in the writable state the system writes a 4-byte control code to the disk, which changes the original data layout. For forensics this uncertainty is too great, because we cannot know whether the original data has been damaged, so in a forensic environment the disk under examination must not be mounted.

For the registry modification itself, see the post "Simple WinFE creation".

But sometimes we need to attach an external device in the PE environment, either to run some program or to copy the disk under examination. What then?

If you are not using a flash device (USB stick, SD card, etc.), you can bring your external disk online directly with diskpart:

At the cmd prompt, run the following commands:

diskpart

list disk

Then find your external device, for example disk 2:

select disk 2

Now your external disk is selected.

Then:

online disk

Your disk is now online, but that is not the end:

attributes disk clear readonly

This clears the disk's read-only attribute; without it you cannot write data to the disk.

Then continue:

list volume

Select the partition of the disk you just brought online, for example volume 3:

select volume 3

Then give the partition a drive letter:

assign letter=E (any other letter will do, as long as it is not already in use)

Now you can use your external disk.
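The same diskpart sequence can be run non-interactively from a script file, which avoids mistyping a disk number while working on evidence. The following is an added example written for this post (it is not the author's own code); it assumes it runs inside WinFE where diskpart.exe is available, and the disk number, volume number and drive letter are placeholders taken from your own "list disk" and "list volume" output.

```powershell
# Added example (not from the original post): bring one external, non-flash
# disk online from WinFE with a diskpart script instead of typing the commands.
# Assumptions: runs inside WinFE (diskpart.exe present); DiskNumber and
# VolumeNumber are the numbers you saw in "list disk" / "list volume".
param(
    [Parameter(Mandatory)][int]$DiskNumber,
    [Parameter(Mandatory)][int]$VolumeNumber,
    [ValidatePattern('^[D-Z]$')][string]$Letter = 'E'
)

# Guard: disk 0 is normally the internal disk under examination, which WinFE
# keeps offline on purpose, so refuse to bring it online from this script.
if ($DiskNumber -eq 0) {
    throw "Refusing to online disk 0: that is normally the internal evidence disk."
}

# The post requires a drive letter that is not already in use.
if (Test-Path -LiteralPath "${Letter}:\") {
    throw "Drive letter $Letter is already in use."
}

# Exactly the commands from the post, with the numbers filled in.
$script = @"
select disk $DiskNumber
online disk
attributes disk clear readonly
select volume $VolumeNumber
assign letter=$Letter
"@

$scriptPath = Join-Path $env:TEMP 'online-external.txt'
Set-Content -LiteralPath $scriptPath -Value $script -Encoding ASCII

# diskpart /s runs the script file; a non-zero exit code means a step failed.
& diskpart.exe /s $scriptPath
if ($LASTEXITCODE -ne 0) {
    throw "diskpart failed with exit code $LASTEXITCODE"
}

Write-Host "Disk $DiskNumber is online and writable; volume $VolumeNumber is mapped to ${Letter}:"
```

Run it as, for example, `.\online-external.ps1 -DiskNumber 2 -VolumeNumber 3 -Letter E`. The disk 0 guard is deliberately blunt: in a forensic boot the machine's internal disk is the one thing this script must never touch, and a typo in the disk number is the most likely way to touch it.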


But what if you need an external flash device?

You will find that the method above no longer seems to work: occasionally the flash device can be mounted, but most of the time it cannot.

In that case another method is needed,

but this method has one requirement: the PE used to build the FE must be Windows 8 or later.

Remember the registry value we changed earlier? Set SanPolicy to 4 instead.

Now you will find that all external devices come online automatically and can be used freely, with no need to run the commands above.

sanpolicy=4 means "offline internal".

That is, only the internal disks are offline. This is very convenient for forensics: we need not worry about modifying data on the disk under examination, and we can carry out the work easily. Two birds with one stone.
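Both registry changes described in this post (NoAutoMount=1, and SanPolicy=3 or, for the Windows 8+ flash-device variant above, SanPolicy=4) can be applied to the offline SYSTEM hive of the WinPE image before it is booted. The script below is an added example written for this post, not the author's or Microsoft's own tooling; it assumes the boot.wim has already been mounted with DISM at a placeholder path (C:\mount) and that the hive uses ControlSet001, as the post's key paths do.

```powershell
# Added example (not from the original post): write the two WinFE registry
# values into the SYSTEM hive of an offline, DISM-mounted WinPE image.
# Assumptions: $MountPath is a placeholder for your DISM mount directory;
# SanPolicy 3 = all disks offline (the post's default),
# SanPolicy 4 = only internal disks offline (the Windows 8+ variant).
param(
    [string]$MountPath = 'C:\mount',
    [ValidateSet(3, 4)][int]$SanPolicy = 3
)

$hiveFile = Join-Path $MountPath 'Windows\System32\config\SYSTEM'
if (-not (Test-Path -LiteralPath $hiveFile)) {
    throw "SYSTEM hive not found at $hiveFile (is the image mounted?)"
}

# Load the offline hive under a temporary key so it can be edited like a live one.
& reg.exe load HKLM\WinFE $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $mountMgr = 'HKLM:\WinFE\ControlSet001\Services\MountMgr'
    $partMgr  = 'HKLM:\WinFE\ControlSet001\Services\partmgr\Parameters'

    # 1) NoAutoMount = 1: Mount Manager will not auto-mount any volume.
    New-ItemProperty -Path $mountMgr -Name 'NoAutoMount' -PropertyType DWord -Value 1 -Force | Out-Null

    # 2) SanPolicy: 3 keeps every disk offline, 4 keeps only internal disks offline.
    New-ItemProperty -Path $partMgr -Name 'SanPolicy' -PropertyType DWord -Value $SanPolicy -Force | Out-Null

    # Read both values back so a wrong path or value is caught before unloading.
    $check = [ordered]@{
        NoAutoMount = (Get-ItemProperty -Path $mountMgr -Name NoAutoMount).NoAutoMount
        SanPolicy   = (Get-ItemProperty -Path $partMgr  -Name SanPolicy).SanPolicy
    }
    if ($check.NoAutoMount -ne 1 -or $check.SanPolicy -ne $SanPolicy) {
        throw "Verification failed: $($check | Out-String)"
    }
    $check
}
finally {
    # Drop PowerShell's handles on the hive, otherwise "reg unload" reports it busy.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload HKLM\WinFE | Out-Null
}
```

Run it from an elevated PowerShell on the technician machine after `Dism /Mount-Image`, then commit with `Dism /Unmount-Image /Commit`. The read-back at the end is the part worth keeping even if you edit the hive by hand: a WinFE image whose SanPolicy silently stayed at 1 will bring the evidence disk online at first boot, which is exactly the write the post is trying to prevent.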
