I finally found the time to do some testing on Windows FE builds to see if the claims against Windows FE not being “forensically sound” were true.

Posted the results here:

Windows FE: Forensically Sound? – http://grandstreamdreams.blogspot.com/2009/03/windows-fe-forensically-sound.html

Long post short: It seemed to check out just fine in my MD5 hashing tests of both a Windows system and a non-Windows system and matched the same MD5’s generated by DEFT Linux forensics LiveCD results.

Felt duty-bound to do the work and share here after my previous comment.

Cheers.

–Claus V.

I had been keeping an eye out for the next Helix release and was shocked when I landed on the new pages. Puzzled it out myself like you did as well. I see their side about wanting to make a buck or two, but it still seems like a loss. Quite a large community had grown up around it. I’m going to have to guard my ISO files of it like gold and keep some masters squirreled away for safe keeping…

Fortunately, as you have shared others are hard at work keeping the forensics LiveCD field rich wth new life and projects.

One more active forensic LiveCD project you might want to take a look at (you may already know of it) is DEFT Linux – http://www.deftlinux.net

They seem to be actively working on updating and tweaking it.

I like the “dual-nature” of CAINE (Linux boot / Windows auto-run menu). I do wonder if they might get into some “redistribution issues” by including some of the Windows-side utilities along with the CD ISO. Some developers frown on that practice. So I hope it survives that test.

I’ve not independently confirmed it myself, but I’ve read that WinFE might in fact somehow change disk media anyway. There are reports that it may not be forensically sound. Some comments are that if you take a hash of a drive before using it (using another forensics tool) then boot a system with Win FE and then take a 2nd hash when done using the original tool, the hash is different. Don’t know more than those details and they might not bear out to be factual…I hesitated to even mention it, but it might be worth validating before using in a “live-fire” response with it. Could be limited to specific storage devices. I’ve got some homework to do on this one. I’ve been doing a lot of Win PE building so I am curious in particular with Windows FE behaviour as it is based on Windows PE, but with two registry tweaks: Windows FE – Details Teased out of the Web – http://grandstreamdreams.blogspot.com/2009/02/windows-fe-details-teased-out-of-web.html

John Sawyer posted a followup article to the Windows FE one you linked to posing that very question:

Tool Validation: Trust, But Verify – http://darkreading.com/blog/archives/2009/02/tool_validation.html

Anyway, great blog and I am enjoying your perspective on things.

Cheers.

–Claus V.