WinFE Course Review

Yesterday, I completed the WinFE course I mentioned in my last post. I wanted to do a review of the course because I found a lot of value in it.

First, what is the Windows Forensic Environment (WinFE)? In short, it is a slightly modified portable Windows distribution with software based write-blocking capability for the acquisition of digital media.It is based on the Windows Pre-Installation Environment and was initially created by Troy Larson at Microsoft. It can be made by anyone free of charge for personal use. It is not a commercial product and there is no support. You are your own technical support, so it's absolutely necessary to understand what you're working with and how it works (to some degree).

The WinFE course is available on the DFIR.Training site. The course, as well as the site are the product of Brett Shavers, a well known instructor/practitioner/author in the digital forensics field. He is the author of the X-Ways Forensics Practitioner's Guide/2E and several other publications including WinFE: Windows

WinFE Book

Forensic Environment. Brett has been instrumental in the continued development of Windows FE and has offered training on it in the past.

The course is divided into 18 lessons, followed by a pre-test, test and then a resources section. The lessons start out by covering some basics, such as what WinFE is (and what it isn't), as well as the topic of write-blocking.

Brett talks a lot in the course about when WinFE might be a good choice and when it isn't. I appreciated that he didn't sell this as the "all you need" solution to all your forensic problems. He discusses keeping it simple (my words, not his) as far as what you include in a WinFE build. WinFE is not meant to be a full forensic suite and indeed it is not. While you can add various tools (X-Ways Forensics, FTK Imager, etc) to your build, you need to decide what you really need and what is just extra stuff that doesn't need to be there, such as an office suite, zip file extractor and so on.

Once you get to the point of actually building your own WinFE, two different methods are taught for doing so. One is the "Mini WinFE" built with tools you can obtain from https://github.com/MistyFromReboot/Mini-WinFE . The second method requires a few more steps to get started, but it isn't terribly difficult to get ready. In fact, both methods are pretty easy to do. Once you have the initial steps done, you can build your own WinFE from either method in just a short time.

Brett also covers topics like dealing with Bitlocker, troubleshooting and hashing. He provides casework  examples as well. One of my favorite parts of the class however is the lesson on testing and validation. The need to test and validate WinFE (and all your software tools) is explained and I was very happy about that. It's easy to make a WinFE boot disk and use it to acquire a drive, but do you know that everything worked right? Do you know if any changes were accidentally introduced to the subject media? I'm so glad this topic was covered because it's just so easy to skip testing and assume all is well.

Something else I really appreciated was the lesson on report writing and testifying. I enjoy writing reports (I'm weird like that) because it present the opportunity to tell a story. I've testified in court related to forensic cases I've worked as well. With both of those things, I'm always happy to hear tips on doing them better, even though I'm not in a position where I'm likely to be testifying in court these days.

Possibly the best part of the course is that you actually have to show your work. You can't just blow through the videos, take a little test and get a certificate. You actually have to build both versions of WinFE to get past the pre-test before you can take the final.

The pre-test consists of answering a few questions followed by providing photographic evidence that you did the WinFE builds (photo of screen booted to each version). You also have to submit a PDF of your validation documentation for either one of the two versions you made. I love that these things were required before the student is allowed to take the final test. I think it lends a lot of credibility to the course certificate you earn when you can say that you actually did something other than watch a few videos to get it. Kudos to Brett for making this part of the course.

After completing the pre-test requirements, you are eligible to take the final test. The 17 question final covered various aspects of the training material. A score of 90% is required to pass. I passed and received my certificate. My next goal is to take the WinFE Instructor training course.

As you can tell, I was very pleased with this class. The instruction from Brett was top-notch. He provided the information based on his own developing and usage experience. He does an outstanding job covering each topic. I didn't come away from any of the lessons feeling like he left anything out. If you have the interest, I highly encourage you to take this course.

Learning and Research Ideas

 What's this? Two, yes two posts. Not just in the same year, but even in the same month! What has gotten into me?

More Training

Yesterday, I completed a course I started a long while back but never finished. I signed up for the Autopsy 8 hour course from BasisTech (https://dfir-training.basistech.com/) and got around halfway through it but, as often happens with me I got distracted and went off in another direction (squirrel!!!). Since it had been a long time since I started it, I decided to start over from the beginning. I enjoyed the course, which was taught by no less than Brian Carrier himself. Psst, hey Brian...in the extremely unlikely event you're reading this, I'd love to see some more online training from you.

Anyway, the course covers general setup and then goes through the various included ingest modules and views you can use to analyze the data. It also covers the various ways of producing reports. If you're interested in Autopsy but haven't used it, I encourage you to check out this course.

Also this week, I started the Windows Forensic Environment (WinFE) training taught by Brett Shavers at DFIR.Training. I'm only a little ways into this course, but I'm enjoying it so far. One thing that I really like is how much Brett goes into great detail on each thing. He explains very well why and when to use WinFE as well as when you should not use it. I've just gotten to the part of the course where the student is shown how to create a version of WinFE called Mini WinFE. It's my goal after completing this training to then go through the WinFE Instructor training as well.

Thinking about Research

Something I've wanted to do for a long time is find a good research project to work on. There are so many fun things to learn and do in digital forensics and I know there is much still to learn. I've been trying to come up with an idea, but I'm still not sure what I want to work on.

 That's all I've got for now. Be well and I'll (hopefully) be back soon with a new post.

Forensics/Malware Courses and Tools

I've been working hard on forensic and malware related courses lately and having a lot of fun with it. I had almost forgotten how cool it was working on and learning this material. I thought I'd give a little update on my activities, so here it is. Take your No-Doz, this may be the longest post I've ever done.

Forensic and Malware Courses

In my last post, I mentioned that I was working on the Practical Malware Analysis and Triage (PMAT) class over at the TCM Academy. I finished the course recently and found it was a very worthwhile course to take.

PMAT was a lot of fun for me. I've always enjoyed looking at malware, but I had never taken a course or really tried to get past the absolute basics. This course was a well designed and taught introduction to malware analysis. The course author/instructor is Matt Kiely The course covered the important topics of setting up your lab and covering how to use it safely. Multiple malware samples were made available for analysis including wannacry ransomware. The course started off with basic dynamic and static analysis and then moved into advanced versions. Also covered were binary patching, maldocs, shell code mobile device malware.

The course involved the use of both Windows and Linux investigation tools. The lab was setup so that you ran both the Windows FlareVM and the Remnux Linux VM for different tasks. Occasionally you needed to run both at the same time, such as using Inetsim on Remnux for the malware sample running on FlareVM to connect to, so you need a computer with high enough specs to run both at the same time.

If you're interested in learning more about malware analysis, I strongly encourage you to check out this course. 

Now that I'm done with PMAT, I'm working on another course, also at TCM This class is called Practical Windows Forensics (PWF). The course author/instructor is Markus Schober. I'm over halfway through it and enjoying it very much. In my case, it's serving as both a refresher on things I "used to know" and teaching me things I never knew as well.

One of the things I've really enjoyed working with in the class is using the Eric Zimmerman tools. I had never used any of them before and I see now why everyone talks about them so much.

In PWF to this point, I've really liked learning again about NTFS artifacts. I had never really known much about the USN journal and it's forensic value, so finding out how to access this information has been great.

I'll follow up when I've completed the class. I intend to go back over some topics again before truly being done with it.

I bought another malware related course this morning on a LinkedIn contacts recommendation. I purchased Reverse Engineering and Malware Analysis Fundamentals on Udemy. The course author is Paul Chin. I'm not going to start it until I've finished the other courses I'm taking.

I'm kind of "on-hold" with the GRC class I mentioned last time. I've gotten so excited about forensic and malware training that I just put that one aside for the time being. It's a great class and I'll get back to it, but I've just got too many other things grabbing my attention right now.

  Tools

Jobparer.py

Some years ago, Jamie Levy wrote jobparser.py for parsing Windows .job files. The script was written for Python 2.x. Recently I have been working on a short course on Cyber5W Academy called Investigating Windows Scheduled Tasks and it called for the use of Jamie's script in one part. I, like many only have Python 3 installed on my Linux laptop, so this morning I converted the script to work in Python 3. The conversion was partially done with a conversion tool and I manually fixed what it wasn't able to. I sent it to Jamie and she said she would add it to the Github page.

(edited to clarify that I used an online Python at https://python2to3.com/ conversion tool to help me convert the script. It missed quite a few things, so I manually fixed the rest. No, it wasn't chatgpt or anything like that 🤣)

Qu1ckSc0pe

I wanted to talk about a couple investigation tools I only recently learned about. The first one is called Qu1ckSc0pe and you can find it HERE. According to the Github page, Qu1ckSc0pe is and "All-in-One malware analysis tool for analyze Windows, Linux, OSX binaries, Document files, APK files and Archive files". To this point, I've only tried Qu1cksc0pe with Windows executables, but as you can see it's capable of far more.

Qu1ckSc0pe iterates through the file being examined and pulls out a great deal of information. It pulls strings and does Yara rule matching, highlights "interesting" imports and other patterns, pulls out the time/date stamp and file hashes and much more. If you provide your VirusTotal API key, it can also check for VirusTotal detections and report on those.

This is an excellent tool I can see myself using a lot. Go check it out!

Events-Ripper

Events-Ripper...sound at all familiar? It should. If you've ever used the great RegRipper, then you might guess Events-Ripper comes from the same place and you'd be right. Both are the creations of Harlan Carvey and Events-Ripper is operated in much the same way as RegRipper, except it's goal is to parse evtx files for you. Specifically (according to the Github page),

"the current plugins extract value from the following Windows Event Logs:Security.evtx System.evtx Application.evtx Microsoft-Windows-Windows Defender%4Operational.evtx Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx"

Using Events-Ripper for the first time on an investigation requires you to create an "events" text file by running a batch file. The batch file relies on logparser and evtxparse. This might be done like this:

wevtx.bat c:\case\*.evtx c:\case\events.txt

Once the events.txt file (or whatever you want to call it) is done, you run the main program along with the appropriate plugin to get the data you're looking for. The syntax is like this:

erip -f c:\cases\events.txt -p <plugin-name>

or

 erip -f c:\cases\events.txt -a

to run all the plugins once

Also, using -r will allow you to run a profile instead of just a single plugin. The tool works quickly, printing the output to the terminal you're working in or you can redirect the output to a text file.

One thing that I love about this is how Harlan included investigative tips or hints in the output of many plugins. This helps you know how the data might be useful to you or indicative of certain things.

So, this post has gone on far longer than I expected, so I'll end it here. I'll be posting again soon.

Accomplishments and Goals

Hello everyone! I'm back for yet another drive-by blog post. I've had a lot going on since my last post in December and I thought I'd catch you up a little.

First and foremost, I graduated! It happened 35 years later than I'd originally intended to, but I finally made it. I graduated with honors from Lincoln Trail College (also my awesome employer) last week. It wasn't something I needed to do, but it's a goal I always regretted not accomplishing until now. So now what?

Despite being done with school, I'm not giving up education. I've already set some new learning goals and I'm working on them as I have time.

I recently started a malware analysis course. I'm nearly halfway through the Practical Malware Analysis & Triage course at the TCM Security Academy The course is authored by Matt Kiely. I've always had an interest in malware analysis, but this is the first course I've ever taken on it. I'm really enjoying it and learning a lot.

I also signed up for The Definitive GRC Analyst Master Class by Dr Gerald Auger. The class is very good so far. I've had very little exposure to GRC (Governance, Risk and Compliance) topics before and Dr Auger explains each of the topics very well. I'm still working my way through this class.

There are a couple other courses I picked up but I haven't decided yet which I'm going to start once I'm done with the two above. I feel like it's good to always keep learning, so I'm sure I'll keep on with courses that interest me as long as I have the time and energy to do them.

I continue to dabble in Python from time to time. I've written a couple little scripts to help with things I do at work, but they're nothing groundbreaking. Just little things to help me get my work done more easily.

I still have the goal of writing on this blog more, but it seems like so many other things take precedence. I've always enjoyed writing, so maybe I'll eventually get back to it on a more regular basis. Hopefully it won't be another 5 months until my next post, but who knows?

That's pretty much it for now. At the moment, I'm spending most of my time preparing for my granddaughter's wedding which will take place in my front yard next weekend. Until next time, I hope you all are well and living your best life.

A Little Homelab and Life Update

I'm going to start writing more on my blog. No! Really! You do believe me, right? Ok, can't blame you if you don't. I come back to this from time to time and think this time I'm really going to dive into it, only to get sidetracked in some other direction. I promise I have a good excuse this time.

Since I last posted, I have gone back to school on a part-time basis while continuing to work full-time. I decided it was high time to finally get that Associate's Degree I started on decades ago. My days have consisted of going to work in the morning and going home in the evening to do homework. I just completed the Fall semester which included a Technical Mathematics class and a Speech class. I enjoyed both classes quite a bit, but I must say I'm glad for some down time of an evening for a while. We're on Winter break now and I'll only have one class left to take in the Spring semester which will allow me to finally graduate in May.

I haven't completely ignored my home-lab efforts during this time, however. I've re-done most of what I talked about in my last post, lo those many months ago. Now there is no domain controller, though it may return someday when I have more time to really learn it. It was an interesting exercise and not hard to get setup initially, but I found I really needed focus on other things first.

I finally added a home built pfSense firewall/router as the gateway for my network. It is connected to my ISP fiber modem and then everything else goes from there. I've been learning about vlan's and have setup a couple in pfSense and my old MikroTik RB260GS switch.

I've been learning about Cisco as well and am fortunate to have a couple old Cisco switches a friend gave me. I can hook them up when I need to, though they're both a little too noisy and power hungry to use all the time on my little home network. Those fans really get to going at times, so I only power them up if I plan to spend some time in Cisco training.

I still have my Proxmox virtual machine server running and I've been trying out several different things using VM's on it. Most recently I set up a NextCloud server, a Guacamole server and a Cloudflare Argo tunnel so I can reach the NextCloud and Guacamole from anywhere. Finally, the VM I was using as a file server was getting a little unstable for some reason, so I created a new one to replace it and then removed the old one after migrating all the stored files off it.

I'm off for a couple weeks now since the college is closed for break, so I'm sure I'll work on some more of this stuff soon. I'll try to do a more timely job of posting about it, but I make no promises I can't keep.

Setting up My Learning Environment

First, welcome to my renamed blog. I couldn't think of a good name for the blog years ago when I first started so I just settled for the most boring name I could think of, "Digital Forensics Blog". Granted, that was the main focus but it was just boring. A while back, I tweeted that I was looking for a better name. Phill Moore suggested Pryor Knowledge which I liked, but I decided to change it to No Pryor Knowledge. As I said in my last post, the focus will be a little wider here now but I'll still talk about forensics sometimes while other topics will also be featured as well. So, on with the post.

Not sure if this is a good thing or a bad thing, but I have many different interests when it comes to tech. My first love was just learning anything I could about repairing computers. Later I deeply fell for digital forensics and was fortunate to have the opportunity to learn from people like Mark McKinnon, Luby Novitovic, Harlan Carvey, Rob Lee, Jimmie Weg, Ali Hadi and so many others. Forensics held my full attention for a good while and is still a great interest. I still do forensic CTF's from time to time and always enjoy learning from them.

Later, I got really interested in security and blue team ops. I've watched countless security related videos and worked through online training environments like TryHackMe and Rangeforce. These things too are still of great interest to me.

I eventually worked my around full circle to my my enjoyment of just doing builds and repairs with the addition of servers and networking. I recently got a job that allows me to work in those areas every day and I'm loving it.

While I'm not over the servers or network, I am frequently involved in work related to those things. I wanted to learn more about networking, servers, Active Directory and Group Policy. I've watched videos, but I learn a lot more from watching the videos, reading books or blog posts and then doing hands on. This led me to set up a new learning environment at home.

I set up a Proxmox Virtual Environment (PVE) server on an old computer and connected it to my home network. I then set up a Proxmox Backup Server (PBS) on a separate computer. I wanted a separate device maintaining all the backups I knew I'd be making of my virtual machines.

Once that was all in place, it was time to set up my own local domain. I certainly didn't "need" a domain for my home network but it's nice having it as a learning environment that I can restore from backup anytime I mess it up.

 I decided to build a domain controller with the Zentyal Linux distribution. Zentyal allows you to set up a controller compatible with Microsoft Windows Active Directory and that allows you to administer your Active Directory environment using Windows tools in Windows instead of having to use Linux. I thought this was my best option because Zentyal is free to use (there are paid subscription plans as well) and I could still administer it with the tools available from Microsoft.

I decided my domain controller would exist as a virtual machine instead of running yet another computer. I downloaded the Zentyal ISO to Proxmox storage and then created the new machine. I gave it 6 gigabytes of RAM and a 250 gigabyte virtual hard disk. That was more than enough disk space, but I'd really like to have a little more RAM available for it. Still, it works pretty well for my home network. It would need a lot more RAM if it were a production network for a business. I'll go over the setup of my domain in greater detail in a future post.

In addition to the domain controller, I also set up another virtual machine on PVE to use as a file server. This VM is an Ubuntu Linux Server and I use it for simple file storage as well as using it for a DNS server for my network with Pi-Hole. I have a second install of Pi-Hole running on a Raspberry Pi and duplicate my settings between the two. I have both of them set up as DNS forwarders in my domain controller and they take care of that mission plus blocking ads too.

I still have very much to learn. I've just barely scratched the surface of working with AD and Group Policy. It's fun learning new stuff and getting a better understanding of what our admins are doing at work. My future plans include adding a pfSense or OPNSense router/firewall to my network to learn more about networking and vlans's.

I'll end this here for now. I have a lot of ideas for future posts and will hopefully be back with another one soon.

Ch Ch Ch Changes

I came back to this blog a little over a year ago or so thinking I'd really get back into writing. I was missing talking, thinking, doing and writing about forensics. I still do miss all those things but it seemed like I just couldn't find the time to really do anything about it. My job consumed so much of my time and energy that there just wasn't much left for anything else. My last post here was nearly a year ago.

Since then, life has taken a very positive turn. I enjoyed the work I was doing in the home improvement store electrical department but it wasn't really where my heart was. I knew I still wanted to be working in some type of tech related job but I didn't see much chance for that. That changed back in February when I fell into a job I absolutely love. My daughter texted me about an IT technician job for our local community college she'd seen posted. I taught an introductory computer forensics course there a few years back and knew it was a great place to work.

My first thought upon receiving the text from my daughter was "I've got to apply for this now!" The second thought came from my ever present self doubt saying "they'll never want to hire me" and I proceeded to forget about the job for a while. A few days, maybe a week later I decided to go ahead and take a chance and apply. Much to my surprise and delight I was called for an interview. A few hours later I got a call offering me the job and I immediately accepted.

I had no experience working with IT on this level before, so it's been a fun learning experience so far. While I ran my own part-time IT business for many years, my clientele was largely home based with just one or two computers or other devices. In this new job I'm enjoying learning about working with computers and other devices on a large network. To help me learn about things like Active Directory and Group Policy I decided to set up a domain on my home network. I've got that up and running now and will be doing a new post about that "soon".

My plan at this time is to start blogging more but broaden the subject range. While I will still write about digital forensic topics from time to time, I'm also going to write about other tech stuff that I'm learning and doing.

So I'm wondering if my blog needs a different name. It currently has the most boring name I could think of and it would be nice to change it. Someone suggested I change it to "Pryor Knowledge" a while back (EDIT: It was Phill Moore who suggested Pryor Knowledge...thanks Phill!)

"Pryor knowledge"

— Phill Moore (@phillmoore) October 16, 2020

I considered that but came to the conclusion that "No Pryor Knowledge" might be more appropriate. If you've got a good name for the blog, make a comment below and let me know!