Saturday, 7 November 2015

Add Win-UFO (Ultimate Forensic Outflow) to your toolkit

The Win-UFO download is a single .exe file which asks you which location to install to when you first run it. Actually it does NOT install anything to Windows, it merely extracts files to the designated location. There is a PDF manual file to download and which I suggest you study first before using Win-UFO and some YouTube videos.
 Win-UFO is now associated with CAINE.



You can specify a folder on your USB drive as the target 'install' location.

Once that is done, you will see a Win-UFO.exe file, a few other files and a new tools sub-folder have been copied over (but no alteration to the Start Menu or any of the Windows filesystem).

When you run the extracted Win-UFO.exe file, you will see a GUI front-end for many diagnostics and forensic utilities (see pic above). Many of these utilities are from NirSoft (some may even be detected as 'malicious' by AV software). To prevent AV software from deleting any of these files, you can save the files as an ISO file and then use ImDisk to mount the ISO as a Read-Only CD.

Win-UFO will generate a full 'Report' automatically (it will prompt you for the location and other details). Some of the applications buttons will warn you if the utility is going to alter or add any files to the 'Windows' volume before you run it, so that you will be aware that the target Windows drive will have been 'changed'.

Each of the GUI buttons displays a tool-tip, so that you can get a brief description of what they do before you run them.

For instance, the ChromePass button runs a NirSoft utility which quickly displays all passwords that were saved by the Chrome browser.

Unfortunately, despite the fact that the report asks for 'case number' and other 'official' details, the manual does not suggest any recommended forensic procedures or precautions. It only talks about a parent using it on a child's system.

I am not experienced in Forensic methods, but it appears to me that most of these utilities are designed to run on the live 'target' Windows OS directly and not from a bootable WinPE OS. This means that, for forensic investigation, you should have made a backup image of the 'target' disk and then cloned it, so that you can run these utilities on a cloned replacement disk on the target system. In turn, this means that the target system and disk need to be in a bootable state and you will, at least, need to know the Administrator password (and any TrueCrypt password if encrypted!). I guess you would need to reset the Windows passwords first using an NT password reset program or the linux 'chntpw' utility if you did not know them?

Maybe you can point me at a good 'Forensic' Windows guide if you know one?

P.S. I have found the Paladin Quick Start Guide which is available at www.sumuri.com to give a good description of the forensic process for a linux-based environment. The Paladin ISO can be downloaded for free (enter 0 for the price in the shopping basket if you don't want to donate at the moment) and the latest version includes Autopsy.