You are currently browsing the 4nzx @ stonesifer.org weblog archives for December, 2011.
| M | T | W | T | F | S | S |
|---|---|---|---|---|---|---|
| « Jul | Mar » | |||||
| 1 | 2 | 3 | 4 | |||
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 | |
- 26. March 2012: Log Parser
- 18. March 2012: Creating a Home Email Server
- 27. December 2011: Working with WinFE
- 27. December 2011: Editing Existing WinFE
- 20. December 2011: Creating WinFE Boot Disc
- 6. December 2011: Bitlocker Decryption with Known Key without Admin Privileges
- 1. July 2011: Dual Boot Windows 7 (encrypted) with Ubuntu 11.04 (encrypted)
- 3. May 2011: EnCase7 Quick Look
- 30. March 2011: Volatile Memory and Logs
- 11. November 2010: Is your anti-virus completely cleaning?
Archive for December 2011
Editing Existing WinFE
27. December 2011 by Ric.
Continuation from the Creating WinFE Boot Disc
***WHILE TESTING ENSURE BIOS IS SET TO BOOT CD/DVD***
***ON REAL TARGETED SYSTEMS IT IS A GOOD PRACTICE TO DISCONNECT THE HARD DRIVE BEFORE CHANGING THE BIOS***
1. Edit the existing image.
Dism /Mount-Wim /WimFile:c:\winFE\winpe.wim /index:1 /MountDir:c:\winFE\mount
2. Should be able to see the mounted image here. Minus the PStart menu…we’ll get to that later.
3. I would recommend creating a text document that runs through the diskpart commands prior to mucking around with the target system. This step by step process will aid in preparing the storage drive as writable. If you remember prior we told WinFE through registry entries NoAutoMount. The SetPolicy change I suspect is for ensuring all drives are offline. We will get that to auto load when the disc is booted. First things first.
4. Lets get the menu system up and running. Download PStart.
5. I had a spare 2GB SD lying around and decided to use that and install PStart to. Reasoning was my attempt at keeping things in order. No other purpose other than that.
6. The winFE disc when booted will be “X:\” so we will have to make sure when we install the programs we give it the right drive letter to run from.
7. I installed PStart to my 2GB SD device. If you have a thumb drive that is fine too or use your OS c:\. Additionally if you don’t have any issues with permissions you could just install right to c:\winFE\mount\ -or- c:\winFE\mount\program files -or- c:\winFE\mount\
8. I decided to change the drive letter of my 2GB SD to “x:\” just like the winFE disk. This can be done under computer management.
9. There should be two files in the directory.
10. Lets download Notepad++ portable and install to get it working in our winFE and PStart.
11. Install notepad++ and copy the contents to the winFE tools area. Optional would be the install to the \program files area.
12. Start PStart by executing the .exe file. The window will appear but of course your menu screen will be blank. Right click in the blank area and select add group…
13. Call it Office or whatever.
14. Right click on the Office folder and select Add file…
15. Locate Notepad++Portable.exe under c:\winFE\mount\tools\Notepad++Portable or where ever you installed it on the mounted winFE image and select open. ***NOTE THE MORE STUFF YOU ADD THE LONGER IT WILL TAKE TO BOOT***
16. Change the application path to x:\<where ever its installed in the winFE directory structure> –> OK
The icon shouldn’t appear because x:\ doesnt exist yet until winFE is run. Sometime a folder icon doesn’t appear also and that can be downloaded as well and added later.
17. This step can be repeated to add additional programs. If the purpose for winFE is to take forensic images it would be good to install FTK Imager to the winFE tools area. Remember to copy c:\windows\system32\oledlg.dll to c:\winFE\mount\windows\system32\ (Props to Brett Shavers)
18. Let make PStart automatic and diskpart_steps.txt file in number 3 open automatically using Notepad++ when winFE starts.
19. Locate the file c:\winFE\mount\windows\system32\startnet.cmd
20. Edit the file with notepad or like program. Add the following lines:
wpeinit
@echo off
start x:\PStart\PStart.exe
start x:\tools\Notepad++Portable\Notepad++Portable.exe x:\tools\diskpart_steps.txt
21. “@echo off” doesn’t show the preceding commands on screen.
22. “start x:\PStart\Pstart.exe” will execute the program to run and move on to the next command. Make should you PStart location is correct under c:\winFE\mount.
23. “start x:\tools\Notepad++Portable\Notepad++Portable.exe x:\tools\diskpart_steps.txt” will execute notepad++ and load x:\tools\diskpart_steps.txt inside.
24. Many automated other programs maybe run from this locations
25. If you’ve finished adding additional programs lets complete the image. Make sure you exit out of any programs that are accessing c:\winFE.
dism /unmount-wim /mountdir:c:\winFE\mount /commit
26. Copy the boot image over.
copy c:\winfe\winpe.wim c:\winfe\iso\sources\boot.wim /Y
27. I had an issue where oscdimg.exe could not be located. I case you come across this also its found under \program files\windows aik\tools\x86
oscdimg -n -bc:\winFE\etfsboot.com c:\winFE\ISO c:\winFE\winFE.iso
Received an error because the image exceeds the allowable space for a CD but not DVD. Change the command to:
***NOTE XX increment your .iso files created.***
oscdimg -m -n -bc:\winFE\etfsboot.com c:\winFE\ISO c:\winFE\winFEXX.iso
28. Boot using VMware etc or burn to DVD for testing.
Posted in Imaging | No Comments »