Thanks for browsing to this article. If you require global forensic imaging or any other of our litigation services, please don’t hesitate to contact us!

The Current Market

eDiscovery tools Summation, Relativity, Intella and Nuix all have their place in the litigation support arena. As a technology agnostic myself I tend to try and find the best tool for my client in terms dependent on the size of the case and other factors such as if the data involves more than just documents and emails.

I was discouraged to discover that there was no solution for small to medium-sized cases. The answers I found would not cope with additional reviewers, more data and other factors.

GoldFynch eDiscovery Tool

A few weeks ago I came across Goldfynch and thought I would review some of the features involved in the tool. The website promises Cloud-based eDiscovery, Bank Grade Security, OCR processing, Pay as you go pricing (averages $6/GB/month), No contracts, no commitments and Unlimited users. I started to wonder if it also did the review for my clients too! The company slogan is “If you can use a search engine you can use GoldFynch.” Interestingly GoldFynch is owned by firm search engine firm Mazira who built the tool from the ground up to be intuitive.

GoldFynch is free to trial for the first case limited to 512mb of data. This means reviewers can train using this tool before the case being initiated and pricing is scalable.

Limitations as of 2018

Unfortunately, at the time of writing AD1, XWF, E01, AFF and other forensic container formats were not supported. These formats are used so a litigator can be sure of the integrity and original path of the files has been preserved when the items were captured at the source.  The collection, documentation and preparation of the ESI, therefore, requires a computer forensic expert to prepare the dataset before upload. Additionally, if you have ESI in more exotic formats such as NSF Lotus Notes or Android Mobile SQL Emails the files may need to be converted which takes some time and skill.

The server location may be relevant in multijurisdictional cases, and the cloud processing server is based in the USA currently. I have conversed with GoldFynch, and they are looking at opening servers some other jurisdictions including Europe as the firm develops.

Platform Review

I signed up for GoldFynch cloud platform free 512mb trial and decided to try my hand at processing a sample case with public domain data. The sample dataset included PST, PDF, TIFF, OFFICE and JPG files. The website states, at the time of writing, that PDF, PST, MBOX, MSG, EML, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, POTX, ODT, TIFF, JPEG, ZIP and RAR files are supported. In fact, I discovered that GoldFynch supports 7z (7zip) and a plethora of other data types not listed.

The datasets were compressed as Zip and 7zip file types. Uploading the data was as easy as selecting an ‘Upload Now’ button in the ‘Files’ tab of the web-based interface.

The upload on my enterprise 50mb broadband connection for the dataset took about 20 minutes. Processing took just under an hour to complete for 556.5 MB of data or 11,861 files. This performance isn’t bad if you factor in the wasted time of software setup, tweaking and moving data to a physical data centre.

If you want to add or remove users, this can be done instantly using the ‘Sharing’ tab. The number of users that can be added to the case is unlimited.  The user is sent a registration email when a valid address is entered. There are three types of user Owner, Admin or User each with their own set of permissions which the new user can be assigned as to avoid unintentional modifications to the case by a reviewer.

When the files are uploading PDF’s and images are automatically OCR’d (made searchable), assigned unique Bate’s numbers and scanned for issues. In the test, GoldFynch’s scanning engine identified seven attachments that required passwords to open and previously non-OCR’d documents were flagged in the search.

Decrypting these files is as comfortable as adding passwords to a bulk password list before or after processing event. These could also be exported out and cracked by a computer forensic examiner.

The ‘Overview’ tab displays a chart as so you can see how much data has been uploaded to a case and the status of the processing of the items.  The Activity sub-tab allows the reviewer to go through the changes regarding tagging the reviewers of the case have made.

The ‘Search’ tab allows examiners to run keyword searches against the dataset. The right-hand column provides for reviewers to filter by file type and date as to quickly find the responsive data. Data can be tagged as CONFIDENTIAL, IMPORTANT, IRRELEVANT, NON-RESPONSIVE or PRIVILEGED. Admin users can easily assign their own bespoke tags.

The advanced search allows for multiple queries to be compounded so that you could easily find results containing just the term ‘GUNS’ equal to or after the 01/01/2018 as shown below.

The ‘Doc Review’ tab has redaction, tagging, download and directory browsing features as found in most review tools. New items are populated fairly quickly, and the interface is intuitive.

The ‘Production’ tab allows the user to export tagged files using a wizard. Paid versions allow export in TIFF, Load File and even Relativity or Concordance formats.

Summary

Goldfynch is a transparently priced tool that could be very useful in small to medium size cases. The power of a cloud-based tool means a forensic expert or IT technician to collect and upload data to the cloud and assign reviewers of that data non-dependant of location. The functionality covers all the fundamental requirements for a review tool and is easy to use.  I am sure new features will be added, without the need for a software upgrade as the service evolves.

Thanks for reading!

Compiled here is the Top Ten of FREE Computer Forensic/eDiscovery software picks for 2018. Sometimes you do not need to spend £1000’s to get the job done. Paid software has its place but sometimes when you want one particular function only or to test out a hypothesis. So get downloading and examining using the software! Please email me at expert@compute-forensics.com with any suggestions for 2019. Contact us should you have an enquiry! Written by Alistair Ewing

1) Autopsy developed by Brian Carrier, Basis Technology, Dan Farmer and Wietse Venema

Autopsy is The Sleuth Kit’s shiny Windows front-end offering. The features are impressive for a free program; some stand up there with the paid for forensic tools Encase, FTK, X-ways and more recently Nuix Investigator. The suite of tools includes:

• Data Recovery using photorec as a carver module
• Indexing for Keyword Searching The program creates a text index for instantaneous keyword searches.
• Known Hash Set Filtering Do you have hash (SHA1/MD5) fingerprints for known noise files or known contraband files? These can be filtered in or out without having to examine the data yourself manually.
• Media Metadata EXIF metadata can be examined, sorted and filtered to find what device was used to make a recording or file, when and sometimes where using geotags.
• Timeline Analysis Autopsy draws file MAC times (created, modified etc.) from files, website visits and other data such as GPS and EXIF. The program is also beginning to support ‘plaso’ files generated using log2timeline although the author states on their website that this time of writing this is in a BETA stage.
• Website Records Supports parsing of current browser records including Firefox, Chrome and Internet Explorer.

Autopsy doesn’t have all the bells and whistles as some of the paid-for software, but don’t underestimate the tool’s features. Many of the features aren’t immediately apparent to the uninitiated, but this program has progressed by leaps and bounds.

I tested Autopsy 4.6.0 on a 1gb test image in the industry standard E01 format. The scanning engine quickly discovered signature mismatches (when someone tries to mask a file by changing its extension), file encryption, attached USB devices, web browsing history and more. The GUI interface is not unlike the functional but dated Encase v6 layout. (See Below). You may be a student or a ninja, in any case give Autopsy a whirl.

2) Caine by Nanni Bassetti

Caine is a 64bit bootable Linux suite of tools that can be used to forensically image Mac’s and Windows Machines, triage machines without writing to the disk inside and perform partial and full analysis of forensic images and disks. Caine is loaded with Windows executable tools as well for use on a live system if a computer is discovered in a switched-on state and triage or unencrypted image is desired for acquisition. My personal experience is that Caine images most disks without error and has Veracrypt installed so you can package the forensic copies onto an encrypted disk as to remain compliant with your client’s data protection rules. The ISO can be downloaded from the website. The ISO can be made USB bootable by using UNETBOOTIN or Rufus. A must for any examiner’s toolkit.

3) RegRipper by Harlan Carvey

Forged using python and operated user-side with an easy to use GUI frontend, Regripper parses registry hives (or even a mounted forensic image with a mod) and outputs the humanly readable data as a text file that can be searched using Notepad++ or similar. Want to find a user’s SID code, the Windows installation dates or MRU (most recently used/viewed items) fast? Then use RR.

4) Arsenal Image Mounter by Arsenal Recon

The function of mounting a forensic image in Windows is nothing new but AIM is especially proficient. FTK imager has a built-in image mounter, but this one is a little more advanced, and disks are seen in Windows where others have failed due to it’s faked SCSI driver. Arsenal mounts in many different and rarer image formats and even fakes disk serial number if required if mounting errors occur. *FREE for non-commercial use

5) Nirsoft Tools by Nir Sofer

A full suite of analysis tools for Windows artefacts. For forensic analysis, objects may have to be exported out, or examination must take place to a blocked mounted forensic image visible in Windows.

6) PhotoRec Christopher Grenier

Whether its a deleted Microsoft email PST item or a lost Encase E01 file, photorec is a data recovery tool that seems to perform well compared to the rest. The list of carvers preloaded is formidable, and the speed is swift. The carving can be completed on a mounted forensic image as to protect the integrity and only on the volumes free space to save time.

7) Log2timeline maintained by Kristinn Gudjonsson

This parser is the no one supertimeline tool and can be used in an advanced forensic analysis to extract event times from 1000’s of log/database filetypes and place them into one plaso file output or CSV spreadsheet for analysis natively or using a graphical program. Most paid for or built-in timeline tools just take into account MAC times and can’t parse as many file, registry or database types as log2timeline. If you need to put together times, user actions and other artefacts in one place then log2timeline is the tool of choice.

8) FTK Imager by AccessData

Imager needs no introduction. Imager does what it says on the tin and more! FTK imager has little-known eDiscovery uses as the software can image by SID owner, create directory listings and image logically to an AD1 format by folder location. Additionally, the tool includes a hex viewer. In incident response, the suite can be used to collect volatile memory as well as a live registry.

9) ddrescue GUI by Hamish McIntyre-Bhatty

This Linux GUI tool that simply put “copies data from one file or block device (hard disc, cd-rom, etc) to another, trying to rescue the good parts first in case of read errors.” ddrescue also produces a map file so you can go back to reimage the old parts of the disk that didn’t copy the first time in order to get a full transversal. It won’t only create an image filled 0s on the parts it can’t read as most imaging tools do. *Available on Caine

10) Acquire by Magnet Forensics

To get this hidden gem, you will have to register on Magnets website. Aquire has the imaging functions you find typically in FTK imager and others. MA shines when collecting from smartphones such as Apple and Android devices (forget about Blackberry!) The program will also take a full physical image of rooted android devices and output the data in an agnostic format. The items are best examined using Magnet’s Axiom or IEF.

In real cases these tools require specialist training, don’t hesitate to contact us should you have an enquiry!

Introduction

This brief overview is designed for those with an IT background, students, forensic analysts or budding first responders.  This will teach you the basics of how to create a Windows-based forensic OS for imaging and less commonly triage for free provided you own a valid Windows licence.

The consultancy Compute Forensics offers a worldwide three-day onsite first responder training in English and the Thai language for corporates, military and international police services. Those who have moderate computer literacy can be trained to triage and collect without affecting the original medium before handing over to a computer forensic expert or even the authorities. One should never start using self-made tools without testing.

Contact us for a quote in regards to training, collection or even an investigation.

We also offer a remote triage service, by sending a bootable drive with secure remote access software pre-installed we can forensically image a device from across the world without modifying the contents thus preserving the material.

I recommend the online training and exam from the forensic author, Brett Shavers. He runs an online course which you can find here.

Please be mindful this guide is for research purposes. Please test and use at your own risk! 

Be mindful that specific software may be not allowed for use in corporate settings as you may break the software companies EULA agreement.

How Does a Forensic Windows OS Work?

If the build process completes correctly, a unique modified Windows is created on a USB drive, ISO or CD or DVD. When booting from a forensic OS, the BIOS of the host system bypasses the internal physical disk booting from the information on the USB drive (for Windows To Go) or the data saved to the volatile RAM transferred from the boot media (for Mini-WinFE.)

Windows should not mount the internal fixed disk but connected USB disks in the case of Windows To Go or any discs what so ever using WinFE.

Please note: When using DISKPART from CMD in Windows To Go you can mount Disks Read Only but NOT Volumes. Doing so writes to the disk. You can still image using Forensics or FTK Imager without doing any mounting. If you want to use specific triage tools in a blocked mounted state, you may need to bring the disk online, but remember never bring the Volume online. ALWAYS test your build.

Practice using Diskpart and the toggling of online and offline correct, many think they are smart using the command line, but one wrong move and you could wipe, format or mount a volume leaving you to explain your actions in an Expert Witness or corporate hearing.

Why Would I Need a Windows Based Forensic OS?

Other forensic OS’s exist as do physical writeblockers. Linux (Caine, Paladin, and others) and Mac formats (Sumuri’s Recon & BlackBag’s Macaquisition) can collect data, but I estimate 80% of forensic software is produced for Windows. Imagine being able to boot into Windows and use tools such as Netcat, FTK Imager, OSforensics or even full-blown FTK on your Bitlockered Frankenstein creation. This would enable you to carry a Swiss army knife of tools at your disposal.

Using a Windows Forensic OS you can:

• Collect data from software RAIDS and logically image the device rather than having to piece together physical images later saving time.
• Decrypt Bitlockereddrives and image/triage them in a decrypted state and physical state consecutively using CMD looking something like “manage-bde –unlock E: -recoverypassword 111111-222222-333333-444444-555555-666666-777777-888888.”
• Produce decrypted logical images on the fly from Truecrypt, PGP and Veracrypt using default Windows tools.
• Boot into your Bitlockered ‘Windows To Go’ and use your client’s hardware to attach to their domain with admin rights temporarily, run FTK to capture a suspects RAM and physical disk Image remotely without having to lug a laptop or even worse a workstation to the client’s site.
• Travel light with a few USB keys in different countries without lugging 20 pelican cases and getting stopped by airport security whom mistake the devices for dirty nuclear bombs.
• Use data recovery tools such as photorec without making changes to the drive.
• Triage and quickly find and capture forensically the information needed with only primary first responder training and no expensive equipment.
• Production of a log2timeline to capture users actions between specific dates.
• Windows2go could be sent to a client with a copy of Teamviewer or similar. With instructions and connected to the internet the client could boot into the forensic OS, an examiner from across the world can log in and take over the collection process going on to capturing the internal physical disk as an E01 to an encrypted drive. When complete the client can mail the item back for analysis saving on travel costs.

Forensic OS Route 1: Native to Enterprise ‘Windows To Go’

If you own a copy of Windows 10 Enterprise and you purchase one of the certified ‘Windows To Go’ drives (See Below) to make your OS. All you need to do is press the “Win Key& Q” together and type ‘Windows To Go’ into the search bar. Plug in your drive and follow the instructions. You will be asked if you want to Bitlocker the drive, it is recommended but be aware it may not boot on Mac’s or specific other systems.

Certified Windowstogo Drives

• Imation IronKey™ Workspace W300 / W500 / W700
• Kingston DataTraveler Workspace
• Spyrus Portable Workplace
• Spyrus Secure Portable Workplace
• Spyrus WorkSafe
• Super Talent RC4 / RC8
• WD My Passport Enterprise
• SanDisk Extreme CZ80 USB 3.0 Flash Drive
• SanDisk Extreme CZ88 USB 3.0 Flash Drive

Using Other Drives Including an M.2 SSD in a USB 3.1 Caddy

If you are a ‘Cheap Charlie’ or are feeling more adventurous, you can try other disks, although they are unsupported officially.

I tested a “SAMSUNG M.2 NGFF 128GB SSD SOLID STATE DRIVE MZ-NTE1280” (£40 from Amazon) inside a USB 3.1 “Type C To M.2 NGFF PCI-E SSD Hard Disk Case Enclosure 2242/2260/2280 caddy” (£10 pictured below.) When the enclosure arrived in the post, it looked like something out of a Christmas cracker. When I assembled the device, which took two minutes, I was pleased with how robust it felt. Windows To Go recognised the disk. Windows To Go was installed in about 10 minutes using the built-in GUI.

Speeds faster than the ‘certified’ drives were noted in tests at around 500mb a second read/write and use was not noticeably slower than using my native Crucial M.2 built into my high-end test laptop.

To use the newly created OS on a stick, you need to plug it into a computer and press whatever button you need to boot from your disk, not the internal drive (Esc, F11, F12, Delete.) On first boot, you will have to setup Windows just like any other new installation of Windows. Do not wait until you are on the client site!

Using DISKPART to Bring Disks Online

When you use Windows To Go any attached USB devices will be writable. The internal disks will be offline and unavailable to Windows. FTK Imager and other software will still be able to view, image and parse the internal drives. If you wish to Triage using other tools you may need to bring the disk online using disk manager or DISKPART in CMD as an admin. The command would be something like:

1) Run CMD as an admin

2) Type DISKPART

3) LIST DISKS

4) SELECT DISK 2 (2 being an example of the internal disk under review)

5) ONLINE DISK. The disk should then be shown in explorer but in a blocked state. Practice taking the disks offline and online using DISKPART before using this on evidence! You should be able to use Nirsoft and other live tools to analyse the internal disk without writing to it.

It is noteworthy to mention boot USB producing software Rufus produces Windows To Go but this has not been tested yet!

The downside to this method is that you need to learn the command prompt of DISKPART, this isn’t easy but not ideal for first responders. People with less Windows knowledge and whom want a cleaner smaller build should consider building a custom Mini-WinFE.

Forensic OS Route 2: Building your Own Custom Mini-WinFE

Using a GUI assembler and Windows installation media, it is possible to build a bootable OS in minutes that will have a GUI disk read/write toggler, can contain tools such as FTK Imager or DD and be under 300mb in size. This is enough to fit onto a writable CD or Mini CD (recommended for compatibility even old systems have CD drives) or even a dated 1.0 or 2.0 USB key.

The beauty of that is you can customise a stripped down version of Windows that can triage, is blocked using a GUI and that boots in seconds without all the ‘fluff’ the Windows To Go build contains.

Producing a Mini-WinFE is tricky, and if you add too many features you may end up bypassing the protection making the internal disks prone to changes, not good!

The secret is not to add too many features and test your creation on your system, not evidence.

Below is a step by step how-to produce your first basic 32-bit Forensic Mini-WinFE:

(Above) Mini-WinFE’s GUI 

1. Download Mini-WinFE here or here.
2. Extract the Zip to a clean directory and run the launcher inside the Mini-WinFE folder as an admin.
3. Mount your Windows installation ISO or slip the DVD into your disk drive. I prefer 32-bit as it boots on both types of system. I used Windows 10 Enterprise as the Windows build.
4. In settings point your source directory to your Windows DVD location or the folder you have dumped the contents of the Windows installation media.
5. Create a working directory in the Mini-WinFE folder you just extracted and use this as your target directory.
6. Go to the FTK imager tab and point FTK to any 32-bit EXE. You can register and download Imager from here. I like to use version 3.1.1. A 64-bit version cannot be built into the cache for a 32-bit machine.
7. In the ‘Path to 32-bit’ area press the folder button and select the FTK image EXE file you have installed or extracted.
8. Option 1 allows you to select booting from FLAT or RAM. I would choose RAM; FLAT means the item boots from the medium and results in a larger ISO or USB output.
9. Tick all the programs boxes except add custom batch and folders unless you wish to do this.
10. Tick the create ISO tab and read the hover over suggestions.
11. In the create ISO section option 3 the drop-down box allows a user to select the Firmware type. Older computers use BIOS (Basic Input Output System) newer have UFEI firmware and can ofter boot the older BIOS software or UFEI. There are three options; I would select the ‘both’ option if you are unsure.
12. Select ‘oscdimg’ for an option.
13. Change the optimise option to ‘yes’ for option 5. This will result in a smaller ISO.
14. Selecting ‘yes’ for option 6 will build the ISO file in a newly created \mistyPR.Project.Output folder path in your project folder. Selecting ‘no’ will name the iso with the date and time to allow you to make multiple builds without writing over the older builds.
15. Select the triangular ‘Play’ logo with the ‘Build’ tab underneath.
16. If all goes well, you should have built your first forensic ISO. The file can be found in the output folder of your Mini-WinFE folder or the root of that folder.
17. The ISO can be burnt to CD, Mini-CD or DVD, or you can also use Unetbootin or Rufus to make a bootable USB from the ISO.
18. Sometimes a system won’t boot from a USB or not from sometimes a CD or DVD. Produce a few versions and label them.
19. You will have to tinker to get different builds to boot on different systems. To work on my system, I had to enter the BIOS, change the boot from UFEI to legacy. Be careful on evidence that has a TPM chip linked BitLocker as you could end up rendering the drive unbootable by disabling TMP in the BIOS.
20. Be sure to photograph the Bios when working with real evidence. In the boot setup of the BIOS take all the internal disks offline and have your forensic USB followed by CD/DVD in the boot order.
21. If the process works, you will be greeted by the disk manager, and this shows you which disks you can make writable or bring online for triage. Be careful not to bring the evidence volumes online. You can right click to find out more about the disk to make sure you make the correct selection. You don’t need to bring a disk online to image it though.
22. Closing the file manager window results in a forensic desktop being displayed.
23. Right-clicking on the desktop displays the drop-down menu in which you can scroll through and make utilisation of the differing tools.
24. Below displays a screenshot of the ISO successfully running in a test virtual box environment.

Please Like or Share this guide should you find it useful!