WTE Manual

2014

Windows Triage Environment Pedro Gilberto

[WTE MANUAL] Windows Triage Environment Manual (Lang. English)

System Startup - WTE 2013 Pag. 1

Windows Triage Environment (WTE)

SYSTEM STARTUP .................................................................................................................................................................. 6

HTTP://WWW.RAMSDENS.ORG.UK/ (MOUNTING DISKS WRITE PROTECTED) ........................................................................................... 6

1 In order to avoid mistakes disconnect any external USB drive from target system: Mount and examine it later. .......... 6

2 Access system target BIOS and change boot options as needed (see document BIOS settings for USB booting.pdf ... 6

3 Boot the computer using WTE system from USB STICK or CD .......................................................................................... 6

4 Chose one of the options: ................................................................................................................................................. 6

5 An alert message will be presented after startup ............................................................................................................ 6

6 WinFE Write Protect Tool Management Console will be displayed ................................................................................. 6

7 Mount evidence disks write protected (Read Only) ......................................................................................................... 7

8 Mount WTE USB Stick allowing writing (Read/Write) ..................................................................................................... 8

9 Disk and WTE USB Stick ready to be properly mounted ................................................................................................... 9

10 Initial screen locked waiting for password ..................................................................................................................... 9

11 WTE system desktop .................................................................................................................................................... 10

12 WTE System Main Menu Start .................................................................................................................................. 10

13 For main procedures click Help ................................................................................................................................. 12

SYNCHRONIZE LETTERS ........................................................................................................................................................ 13

(LETTERSWAP) ............................................................................................................................................................................. 13

1 Synchronize volume letters based on registry from target computers Windows O.S. .................................................. 13

2 Click 1 Letter Swap ................................................................................................................................................... 13

3 Browse for WINDOWS folder and click twice to open WINDOWS folder ................................................................ 13

4 Click OK .......................................................................................................................................................................... 13

5 Refresh explorer [ F5 ] and verify if letters assignment changed and are now corrected .............................................. 13

SYSTEM REPORT .................................................................................................................................................................. 14

HTTP://WWW.GAIJIN.AT/EN/DLREGREPORT.PHP (REGISTRY REPORT) ................................................................................................ 14

1 From target Operating System copy the registry files ................................................................................................... 14

2 Save them to WTE USB Stick (by default Y:) into Evidence\Registry folder................................................................... 14

3 Copy files regarding relevant Users ............................................................................................................................... 15

4 Save it into the same folder Evidence\Registry at WTE USB Stick ................................................................................. 15

5 Click File > Open registry files [Ctrl+D] .......................................................................................................................... 17

6 Click Import from folder ................................................................................................................................................ 18

7 Select Evidence\Registry folder (or optionally original folder) ...................................................................................... 18

8 As preferential option you should select the folders of the original evidence files ........................................................ 20

9 After all files properly selected click OK ......................................................................................................................... 21

10 The application appearance with all files selected ...................................................................................................... 21

11 Click File > Create report [Ctrl+R] ................................................................................................................................ 21

12 After report generation is finished click File > Save as [Ctrl+S] ................................................................................... 22

13 Click File > Exit [Ctrl+X] ................................................................................................................................................ 23

14 In order to facilitate the whole process was created a script that will run by clicking the link on the desktop ........... 24

A brief analysis to the generated report ............................................................................................................................ 26

SEARCH 1 ............................................................................................................................................................................. 29

HTTP://WWW.GLARYSOFT.COM/QUICK-SEARCH (QUICKSEARCH) ....................................................................................................... 29

1 This application will be started automatically during WTE startup and at screens bottom will be displayed a small

search box ............................................................................................................................................................................ 29

2 As you type the term to search the results will be displayed in real time ...................................................................... 29

3 Click on columns header to sort results .......................................................................................................................... 29



4 Click on the left tab to filter results by file type.............................................................................................................. 30

5 Double clicking a result will open file location on an explorer window.......................................................................... 30

6 Right clicking a result will display several options ......................................................................................................... 30

7 You can open the file with an associated program ........................................................................................................ 30

8 How to configure file type filters .................................................................................................................................... 31

8 Check if the application is working properly typing just a character (e.g.: a) at the search box you should see

immediate results ................................................................................................................................................................ 32

9 If the application is not working use search 2 or 3. ....................................................................................................... 32

SEARCH 2 ............................................................................................................................................................................. 33

HTTP://LOCATE32.COGIT.NET/ (LOCATE 32) ................................................................................................................................. 33

1 This application will be started automatically during WTE startup and will update a database named WTE .............. 33

2 Locate32 saves to a database the names of all files on your hard drives ...................................................................... 33

3 Once the file indexing has occurred, you can locate files quickly by using the application's search form ..................... 33

4 If the application is not working or displays this messages go to Advance Configuration on this document ............... 33

5 Search configuration ................................................................................................................................................... 34

6 Use pre-configured searches. ......................................................................................................................................... 38

7 Click twice on a column header to sort results. .............................................................................................................. 39

8 Click View at main menu and select how to view the results. ....................................................................................... 39

9 In order to export search results to a file click File > Save Results [Ctrl S]:.................................................................... 40

10 Correcting database ERRORS. ...................................................................................................................................... 44

11 Configure Presets ......................................................................................................................................................... 46

12 Restore application with its default configurations including preconfigured searches (Presets). ............................... 47

13 Click ? at Advanced tab for help. ................................................................................................................................. 48

14 Click Help > Help Topics on main menu bar for help. .................................................................................................. 48

SEARCH 3 ............................................................................................................................................................................. 49

HTTP://WWW.MYTHICSOFT.COM/AGENTRANSACK (AGENT RANSACK) ................................................................................................ 49

1 Application start screen. ................................................................................................................................................ 49

2 Search configuration ................................................................................................................................................... 49

3 Starting to search ........................................................................................................................................................ 53

4 Using preconfigured searches ..................................................................................................................................... 53

5 Sort search results ....................................................................................................................................................... 54

6 Select the relevant results .............................................................................................................................................. 55

7 Save the results ........................................................................................................................................................... 55

IMAGE VIEWER .................................................................................................................................................................... 57

HTTP://WWW.XNVIEW.COM (XNVIEW) ........................................................................................................................................ 57

1 Start screen .................................................................................................................................................................... 57

2 Click File > Open browse and select the image you want to open. ................................................................................ 57

3 On Tools > Search [ Ctrl + F ] or click de icon, to search images. ................................................................................... 57

4 Will open a new windows for Search configuration, you can configure: ....................................................................... 57

5 Results will be displayed and you can see them as thumbnails ..................................................................................... 60

6 Select relevant images and click Create > Web Page or the button ........................................................................... 61

7 Will open a new windows displaying Report configuration ........................................................................................... 61

8 If configuration is ready just click Create ....................................................................................................................... 62

9 Will be created three folders named Images, Thumbnails and nav and an html file named thumb.html, all making

part of the report, clicking on thumb.html you could see the report on the browser. ........................................................ 62

IMAGE VIEWER (ALTERNATIVE) ........................................................................................................................................... 64



HTTP://WWW.IRFANVIEW.COM (IRFAN VIEW) ............................................................................................................................... 64

1 Start screen .................................................................................................................................................................... 64

2 Click File > Open browse and select the image you want to open. ................................................................................ 64

3 On File > Thumbnails [ T ] a box will open and fill with thumbnails of the images in the directory. ............................. 64

4 Click File > Search Files [ Ctrl + F ] for searching images and a dialog with search options opens. ............................... 65

5 Click Start search. .......................................................................................................................................................... 67

6 If you think you have enough results Stop the search any time and check them. ......................................................... 68

7 You can Sort files clicking the proper button. ................................................................................................................ 68

8 Click Show in Thumbnail [ T ] to view and select the relevant images .......................................................................... 69

9 Clicking twice the thumbnail will open the image full size. ............................................................................................ 69

10 Select relevant results to export. .................................................................................................................................. 71

11 In order to export the results chose. ............................................................................................................................ 71

12 Create HTML report configuration . ............................................................................................................................ 72

13 Generated report location............................................................................................................................................ 73

14 Exported files location .................................................................................................................................................. 73

15 HTML Report example .................................................................................................................................................. 74

LINUX VOLUMES MOUNT .................................................................................................................................................... 75

HTTP://WWW.EXT2FSD.COM (EXT2MGR) ..................................................................................................................................... 75

1 In WTE main menu click All Programs > Linux & Mac > Linux Volumes Mount. ............................................................ 75

2 Ext2 Volume Manager will display all disks and partitions, mounted or not. ................................................................ 75

3 Select the partition to mount, right click and chose Change Drive Letter [ F4 ]. ........................................................... 75

4 Click Add select a drive letter, a way to mount, click OK and Done. .......................................................................... 76

SEARCH LINUX & MAC ......................................................................................................................................................... 77

HTTP://WWW.DISKINTERNALS.COM/LINUX-READER/ (LINUXREADER) ................................................................................................. 77

1 In WTE main menu click All Programs > Linux & Mac > Search Linux & Mac. .............................................................. 77

2 Double click or right click on the volume and select Open partition to browse its content. .......................................... 77

3 In top menu click View to change the appearance, by default will be displayed the full path to the selected file and a

preview. ............................................................................................................................................................................... 78

4 To search chose Commands > Search [ Ctrl F ] or click the proper icon ......................................................................... 78

5 On the left panel configure your searches then click Search. ........................................................................................ 78

6 Clicking a hit automatically will show the full path and a quick preview on the bottom of right panel. ....................... 79

7 You can change the appearance of the results clicking the proper icon ........................................................................ 80

8 Selecting a hit automatically will be showed the full path and a quick preview on Preview Panel. ............................. 80

9 Right click on Preview Panel and chose how to preview. .............................................................................................. 80

10 At Details in left panel, click on the preview to open a Large Preview. ....................................................................... 81

11 Searching for files containing the typed text inside, and previewing file content........................................................ 81

12 You can click Cancel and stop the search job any time to check the results. ............................................................... 82

13 To open Folders Panel and browse folders chose View > Folder Tree or click the proper icon ................................... 82

14 To export evidence files select the relevant ones right click and chose Save. .............................................................. 82

15 Click Next and Browse for destination folder, preferably chose Y:\Evidence\Relevant Files. .................................... 83

MAIL VIEWER ...................................................................................................................................................................... 85

HTTP://WWW.MITEC.CZ/MAILVIEW.HTML (MITEC MAIL VIEWER) ..................................................................................................... 85

1 In WTE main menu click All Programs > Mail > Mail Viewer. ....................................................................................... 85

2 Just select the type of mail file to view browse to its location and click OK. ................................................................. 85

OST VIEWER ........................................................................................................................................................................ 86

HTTP://WWW.NUCLEUSTECHNOLOGIES.COM/OST-VIEWER.HTML (KERNEL OST VIEWER) ....................................................................... 86



1 In WTE main menu click All Programs > Mail > OST Viewer. ........................................................................................ 86

2 Search or Browse and select the Source OST File and click OK. ..................................................................................... 86

3 Once opened the OST you can navigate in a similar manner as MS Outlook: ............................................................... 86

PST VIEWER ......................................................................................................................................................................... 87

HTTP://WWW.NUCLEUSTECHNOLOGIES.COM/PST-VIEWER.HTML (KERNEL OUTLOOK PST VIEWER) .......................................................... 87

1 In WTE main menu click All Programs > Mail > PST Viewer. ......................................................................................... 87

2 Search or Browse and select the Source PST File and click OK . .................................................................................... 87

3 Once the PST opened you can navigate in a similar manner as MS Outlook. ................................................................ 87

NETWORK MOUNT (WTE MAXI ONLY) ................................................................................................................................. 88

HTTP:// HOLGER.WINBUILDER.NET (PE NETWORK MANAGER) .......................................................................................................... 88

1 In WTE main menu click All Programs > Net > Network Mount. .................................................................................. 88

2 Network Manager will scan for devices. ........................................................................................................................ 88

3 Select the Network Adapter to use. ............................................................................................................................... 88

4 If the Network Adapter you want to use is missing you must install drivers for LAN or WLAN. .................................... 89

5 Type an IP address or obtain it automatically. ............................................................................................................... 89

6 For a WIFI connection select the proper Network Adapter and click on the WIFI tab. .................................................. 90

7 Double click on one of the available connection and insert the wireless key if needed. ................................................ 90

REMOTE OVER INTERNET (WTE MAXI ONLY) ....................................................................................................................... 91

HTTP://WWW.AMMYY.COM/EN/ADMIN_FEATURES.HTML (AMMYY ADMIN) ....................................................................................... 91

1 In WTE main menu click All Programs > Net > Remote over Internet. ......................................................................... 91

2 If you are acting as Client inform your ID to the Operator who intent to connect to you. ............................................ 91

3 If you are acting as Operator type the Client ID and click Connect. .............................................................................. 91

4 The Client have to Accept [A] the connection. ............................................................................................................... 91

5 If both connected to the same network or using static IPs use IP instead of ID ............................................................ 91

REMOTE (WTE MAXI ONLY) ................................................................................................................................................. 92

HTTP://BLOG.X-ROW.NET/?CAT=4 (TRUEREMOTE) ........................................................................................................................ 92

1 In WTE main menu click All Programs > Net > Remote. ................................................................................................ 92

2 For this connection Server must be using static IP or in the same network as Client. ................................................... 92

3 If you are acting in ServerMode inform your IP to who is intent to connect to you and click OK . ................................ 92

4 If you are acting in ClientMode type the IP from the server you want and click OK. .................................................... 92

WTE OFFICE ......................................................................................................................................................................... 94

(OFFICE TOOLS) ........................................................................................................................................................................... 94

1 A regular MS Windows Calculator. ................................................................................................................................ 94

2 The well-known Internet Explorer. ................................................................................................................................ 94

3 Notepad2 in substitution of the traditional Notepad. ................................................................................................... 94

4 With Open Office read and create office files (including MS Office) . ........................................................................... 95

5 With PDF Reader (Foxit Reader) read and create PDF file types. .................................................................................. 95

6 The old MS Wordpad to read and create plain text or RTF files. ................................................................................... 96

P2P (WTE MAXI ONLY) ......................................................................................................................................................... 97

(P2P TOOLS) ............................................................................................................................................................................... 97

1 View and export the content of eMule known.met files. .............................................................................................. 97

WTE SUPPORT ..................................................................................................................................................................... 99

(WTE SUPPORT TOOLS) ................................................................................................................................................................ 99



1 CD Burning Tool (ImgBurn). ........................................................................................................................................... 99

2 Compressed Files (7-Zip). ............................................................................................................................................... 99

3 Files Hash (HashMyFiles). ............................................................................................................................................. 100

4 Mount Virtual Disks. ..................................................................................................................................................... 102

5 Screen Capture. ............................................................................................................................................................ 105

6 Drivers. ......................................................................................................................................................................... 105

Chose Driver to install ................................................................................................................................................ 105

Install all DriverPacks ................................................................................................................................................. 106

Use Drivers from Host OS ........................................................................................................................................... 107

7 System. ......................................................................................................................................................................... 107

Command Prompt ...................................................................................................................................................... 107

Keyboard Switch ........................................................................................................................................................ 107

Letter Swap ................................................................................................................................................................ 108

System Lock ................................................................................................................................................................ 109

Windows Disk Management ...................................................................................................................................... 109

8 Tools. ............................................................................................................................................................................ 109

Disk Mount ................................................................................................................................................................. 109

Image Viewer (IrfanView) .......................................................................................................................................... 110

Open Other Files......................................................................................................................................................... 110

System Report (Registry Report) ................................................................................................................................ 111

Video Frames ............................................................................................................................................................. 111

Video Viewer (VLC) ..................................................................................................................................................... 117

WTE USB STICK .................................................................................................................................................................. 118

(USB STICK CONTENT) ................................................................................................................................................................. 118

1 Standard WTE USB Stick content ................................................................................................................................. 118



SYSTEM STARTUP

http://www.ramsdens.org.uk/ (Mounting disks write protected)

1 In order to avoid mistakes disconnect any external USB drive from target system: Mount and examine it later.

2 Access system target BIOS and change boot options as needed (see document BIOS settings for USB booting.pdf

3 Boot the computer using WTE system from USB STICK or CD

4 Chose one of the options:

WTE Standard (default)

WTE Mini (if standard option dont boot properly try this one)

WTE Maxi (support for: Network; MSI Installer; MS Visual C ++; Volume Shadow Copy Service; USB 3.0)

5 An alert message will be presented after startup

6 WinFE Write Protect Tool Management Console will be displayed



7 Mount evidence disks write protected (Read Only)

Select disk

Click Detail Disk to check

which disk it is

Check that evidence disks are in

Read-Only before mounting it.

If not click Read Only

Click Mount In order to mount the

disk



8 Mount WTE USB Stick allowing writing (Read/Write)

Check that you selected the

WTE USB Stick.

With the WTE USB Stick selected click

Read/Write

Click Mountin order to mount

evidence disk.

An alert message will appear indicating

that the volume will be mounted

allowing writing.



9 Disk and WTE USB Stick ready to be properly mounted

10 Initial screen locked waiting for password

Click Continue to start-up system with mounted disks

If using this application later, you can use it after

system started up in order to mount other evidence

disks, click Close



11 WTE system desktop

12 WTE System Main Menu Start

If you see this warning it means

that the WTE USB Stick is not

mounted.

Mount WTE USB Stick with

writing permission.



13 For main procedures click Help

Synchronizer Letters - WTE 2013 Pag. 13


SYNCHRONIZE LETTERS

(LetterSwap)

1 Synchronize volume letters based on registry from target computers Windows O.S.

The letter X will automatically be assigned to boot virtual volume.

The letter Y will be assigned to the USB Stick (CdUsb.Y marker file will be searched on WTE sticks root).

If the volumes werent mounted with correct letters assigned:

You can run this application manually and try to force letters reassignment (letters abxyz are ignored).

2 Click 1 Letter Swap

3 Browse for WINDOWS folder and click twice to open WINDOWS folder

4 Click OK

5 Refresh explorer [ F5 ] and verify if letters assignment changed and are now corrected

Sometimes, depending on how disk are partitioned and the location of the active partition and were OS is installed,

this reassignemt wont succeed.

System Report (Registry Report) - WTE 2013 Pag. 14


SYSTEM REPORT

http://www.gaijin.at/en/dlregreport.php (Registry Report)

1 From target Operating System copy the registry files

C:\WINDOWS\system32\config\software

C:\WINDOWS\system32\config\system

C:\WINDOWS\system32\config\SAM

2 Save them to WTE USB Stick (by default Y:) into Evidence\Registry folder



3 Copy files regarding relevant Users

C:\Documents and Settings\USERNAME\NTUSER.DAT (for Windows XP Operating System)

C:\Users\USERNAME\NTUSER.DAT (for Windows 8 / 7 / Vista Operating Systems)

4 Save it into the same folder Evidence\Registry at WTE USB Stick

If several relevant users, for each one, create a subfolder at Evidence\Registry\[username] and copy

respective NTUSER.DAT into it.



Use username to name the folder according to NTUSER.DAT



On RegistryReport:

Applications initial screen

5 Click File > Open registry files [Ctrl+D]



6 Click Import from folder

7 Select Evidence\Registry folder (or optionally original folder)



Existing more than one relevant user select the individual path for each one of the NTUSER.DAT files.



8 As preferential option you should select the folders of the original evidence files

Click Import from folder

Select C:\WINDOWS\system32\config folder

Browse for each of the NTUSER.DAT files

C:\Users\USERNAME\NTUSER.DAT (Win 8 / 7 / Vista)

C:\Documents and Settings\USERNAME\NTUSER.DAT (Win XP)



9 After all files properly selected click OK

10 The application appearance with all files selected

Using this option the original location of the evidence files will be displayed on the report, allowing to identifying

immediately which user is the report related.

11 Click File > Create report [Ctrl+R]

Selecting the files saved at

Evidence/Registry from WTE USB Stick

or

Selecting original files from target OS



Applications screen displaying the generated report

Case more than one relevant user you should elaborate a report for each one, and could use first 3 files

just for a first complete report.

For other reports you could use only the NTUSER.DAT regarding each user.

12 After report generation is finished click File > Save as [Ctrl+S]



Save it at Evidence\Registry:

Inside the folder named with the corresponding username:

13 Click File > Exit [Ctrl+X]



14 In order to facilitate the whole process was created a script that will run by clicking the link on the desktop

Clicking System Report on start menu or portable menu you will not have access to this

facility, that way you should run the whole process manually as explained above.

While the script is running will be displayed a small icon at the task bar

Automatically it will be displayed an explorer window opened at users folder.

Select the NTUSER.DAT file regarding the relevant user and click Open to continue.

The script will search for the other necessary system files.



The application RegistryReport will automatically start and generate the report, but you will need to save it

manually.

Before saving the report make sure it was correctly generated, checking in its beginning the location of the

system files used and if were chosen the correct ones.

Do not forget to save the report in the folder concerning each user clicking File > Save as [Ctrl+S].

You will be asked if you want to generate a new report regarding another user, if so you must close

RegistryReport before choosing a new NTUSER.DAT file.

(If you didnt close the application the report generation will not be started automatically, but as the files are

already selected just click File > Create report [Ctrl+R] and proceed)

All the needed system files will be saved automatically into Evidence\Registry at the ending stage so do

not be surprised with some delay until the appearance of the finishing message.



A brief analysis to the generated report

Important points to consider:

Operating System settings

Name of registration of OS

Install date of OS

Date and time of OS last shutdown



Applications or services starting automatically with Operating System startup.

Installed software.

Last user actions recorded by Operating System



Devices connected o Operating System

USB devices (External disks, Pendrives, Photo Cameras, Video cameras, Mobile phones )

Search 1 (QuickSearch) - WTE 2013 Pag. 29


SEARCH 1

http://www.glarysoft.com/quick-search (QuickSearch)

1 This application will be started automatically during WTE startup and at screens bottom will be displayed a small search box

2 As you type the term to search the results will be displayed in real time

Will be displayed files or folder containing the typed word, regardless its position, on the name;

You can only search for a term at a time.

3 Click on columns header to sort results



4 Click on the left tab to filter results by file type

5 Double clicking a result will open file location on an explorer window

6 Right clicking a result will display several options

7 You can open the file with an associated program



8 How to configure file type filters

Click small white arrow at the search box.

Chose Options.

At Category tab select the one to modify and at File Extensions field add, modify or remove any file extension.

You can also Remove or Add a new category



8 Check if the application is working properly typing just a character (e.g.: a) at the search box you should see immediate results

9 If the application is not working use search 2 or 3.

The quick exhibition of the results is possible because the application indexes all files and folder names making use

of MFT form NTFS file system.

Remember that the application will not work on volumes formatted with other file systems then NTFS:

FAT (Flash Cards, Pen Drives, old Disks) EXT2, EXT3, Reiser, (Linux)

HFS(Mac)

If for any reason the application is already running when you mount a disk you will have to close it (click on the

small white arrow and chose Exit) and start it up again so that the application indexes this also that disk.

Search 2 (Locate 32) - WTE 2013 Pag. 33


SEARCH 2

http://locate32.cogit.net/ (Locate 32)

1 This application will be started automatically during WTE startup and will update a database named WTE

Will be displayed a small box at the right bottom of the screen showing database indexation progression:

2 Locate32 saves to a database the names of all files on your hard drives

By default non fixed disks and volumes assigned with letters Y: and X: (used by WTE System) will not be indexed.

3 Once the file indexing has occurred, you can locate files quickly by using the application's search form

Type the terms to search and the results will be displayed in real time:

Check if the application is working tiping just a character (eg: a) at Named field:

4 If the application is not working or displays this messages go to Advance Configuration on this document



SEARCHING

5 Search configuration

Name & Location tab:

a) Named: type the name of the file to search for.

b) Extensions: you can specify extensions; only files with those extensions will be searched.

You can also specify several searching terms separated by [space].

To search files witch name has [,] [;] or [space] use apostrophes [])

You could use logical operations + and -.

You can search a file which name does not contain a term using - (eg: -tmp -log).

You can use * (any character)

c) Look in: specify directories to search for files.



d) Browse You can use this button to specify a directory for "Look in:".

Size and Date tab:

a) Minimum / Maximum file size: delimit the size of the files to look for.



b) Files newer / older then: delimit dates to search:

c) Select which type of date to considerer.

Modified

Created

Last accessed

Click and browse the

calendar

Select dates



Advanced tab (even more options to restrict the searches):

a) Type of file: you can specify type of files to search for (grouped by extension).

a) File containing text: check and use this field to find texts inside of files.

b) Match case: check to specify whether the text to search for is case sensitive or no.

c) Find Now: click to start advanced search.



6 Use pre-configured searches.

Relevant fields will be filed

automatically

Immediately results will be displayed

Will be shown the number of files and

directories found

Click Presets

Select one of the sets



VIEW RESULTS

7 Click twice on a column header to sort results.

8 Click View at main menu and select how to view the results.



SAVE SEARCH RESULTAS

9 In order to export search results to a file click File > Save Results [Ctrl S]:

Save the report at Y:\Evidence\Relevant Searches:

a) At File name field: type the name of the file to save (eg: Searches_[user] or: create a subfolder).



b) At Save as type: select txt or html:

c) For HTML file select a template at Template (HTML only):

WTE Images: for a report with relevant images thumbnails, and some simple information.

WTE List: just a list from relevant files with simple information about each one.



d) At Include: Select what to include on header report:

summary: the number of files and folders found

date: search date

column labels: column header

database info: database name and location (full path)

e) You can check Description and type some text to include as description on header report.

f) At Include results: select what results to export to the report list:

All results: include all search results

Only selected: include only the selected ones (dont forget to select the significant results from

the list)

g) At Details: select what information, related to each result, to include at the report, by default:

Full Path

Date Modified

MD5 checksum: (it could take quite a long time if there are too many results to export)

if you want to display more information in the listing change the choices



WTE- Images html Report Sample:



ADVANCED CONFIGURATION

10 Correcting database ERRORS.

Check that WTE USB Stick as letter Y assigned:

If not

a) Click File > Database info:

Check if the path to database is Y:\Programs\Locate32\Database\files.dbs

b) Click Tools > Settings

Chose Databases tab.

a) Select WTE database, click Edit.



b) At File field change Y for the letter assigned to WTE USB Stick.

c) Click File > Update Databases [F9] in order to update the database and allow searches on that

disk.

If you want to search other volumes then

the local ones check Custom

Then check the other volumes to index

This is an essential procedure if you mount

any disk after this application is already

running (e.g.,: searching external disks or

USB Pen drives).



11 Configure Presets

Define all the options in order to perform your searches as you want and:

a) Click Presets > Save Preset

b) Save it over an old name or give it a new name.



12 Restore application with its default configurations including preconfigured searches (Presets).

Close the application clicking File > Exit:

Run Restore Locate32.exe at WTE Stick Utilities folder or Restore Search 2 (Locate32) at Utility on

Portable Menu:

At Utilities folder from WTE run:

Restore Locate32.exe

or

At Utilities from WTE Portable Menu run:

Restore Search 2 (Locate32)



MORE HELP

13 Click ? at Advanced tab for help.

14 Click Help > Help Topics on main menu bar for help.

Search 3 (Agent Ransack) - WTE 2013 Pag. 49


SEARCH 3

http://www.mythicsoft.com/agentransack (Agent Ransack)

1 Application start screen.

SEARCHING

2 Search configuration

Main tab:

a) File name: Type searching terms on file names or extensions.

You can search multiple terms at once separating them with a ; (semicolon).



b) Not: If checked the file name criteria specifies files to EXCLUDE from the search.

c) Containing text: Specifies the contents to find in the files for a content search.

d) Match Case: Click Aa to change state, if on the file name matching should be case-sensitive.

e) Look in: specifies a single or multiple locations to search.

f) You can specify multiple locations to search separating them by; (semicolon).



g) Subfolders: if unchecked will be searched only files located in the Look in folder; if checked,

subfolders will be searched to.

h) Browse for multiple folders button provides a great mechanism to select the folders to search.

Select the desired folder and click Add

i) Size (kb): You can delimit the size of files to search

j) Modified (After/Before): search by file modified date

k) To activate the date criteria click on the Calendar and select date/time

1. You can chose among recent folders

2. Enter each folder on a separate line

3. Browse for selecting a folder to search



Options tab:

a) File name: Changes the way to search using the expression typed on the field with the same name

at Main tab:

Regular Expression (If checked the file name should be treated as a regular expression)

Match Case (If checked the file name matching should be case-sensitive)

Specifies NOT expression (If checked the file name criteria specifies files to EXCLUDE from the

search)

b) Contents:

Regular Expression

Match Case

c) Enhanced Document Search:

Additional functionality for enhanced text extraction on PDF and Office files

With regular expression check if using a normal DOS expression at Main/File name (e.g.: *.doc; *.jpg)

will be displayed an error message:

Using regular expressions for the same criteria you should use \.(doc|jpg)$



Dates tab: You can search for other date criteria:

a) Modified (After/Before)

b) Created (After/Before)

c) Last Accessed (After/Before)

3 Starting to search

a) Start [F5]: When all configurations are as needed just click to start.

b) Stop [Ctrl+F5]: You can stop when you need.

4 Using preconfigured searches

a) Click File > Open Criteria [Ctrl + O]:



b) Browse to the folder Y:/Utilities/Search Criteria and double click on the .srf file you wish to use.

c) Just click Start.

VIEWING THE RESULTS

5 Sort search results

a) Click View > Sort by:

File name

Location

Size

Type

Date



b) Click column headers to sort results.

SAVE SEARCH RESULTS

6 Select the relevant results

7 Save the results

a) Right click on the selected results and chose Export Results.



b) Or on main menu click File > Export Results.

c) Or click the icon Export results.

d) Export search report into folder Evidence\Relevant Searches.

Check Selected files in order to export just the selected results for the report.

Image Viewer (XnView) - WTE 2013 Pag. 57


IMAGE VIEWER

http://www.xnview.com (XnView)

1 Start screen

2 Click File > Open browse and select the image you want to open.

Most image files are associated so that clicking on the file at Windows Explorer this application

will open it automatically.

3 On Tools > Search [ Ctrl + F ] or click de icon, to search images.

4 Will open a new windows for Search configuration, you can configure:

a) Filename

Insert Filename (or part of it) or leave it blank



b) Look in

c) Include subfolders.

d) Wole word only

e) More Options to restrict the searches

Insert where to Look in or click the button and browse

to the Folder

You can delimit file to search by Size

You can delimit file to search by:

Date modified

File Format



f) By default will search Volume C for

All image files

with more than 10 Kb size

g) Just click Search to start

You can delimit file to search by:

Width and Height

Configure All fields; Comment; Description

You can search at IPTC and EXIF fields



h) You could Stop any time

i) Click Browse to continues

5 Results will be displayed and you can see them as thumbnails



6 Select relevant images and click Create > Web Page or the button

7 Will open a new windows displaying Report configuration

Dont change Template Folder location and Template.

Insert Title and Header as you like.

The other options proved to create a nice report so its

advised to keep it as they are

By default Report will be saved at

..\..\Evidence\Relevant Images

If more than one Report save it under a

subfolder



8 If configuration is ready just click Create

9 Will be created three folders named Images, Thumbnails and nav and an html file named thumb.html, all making part of the report, clicking on thumb.html you could see the report on the browser.

Image Viewer Alternative (Irfan View) - WTE 2013 Pag. 64


IMAGE VIEWER (ALTERNATIVE)

http://www.irfanview.com (Irfan View)

1 Start screen

2 Click File > Open browse and select the image you want to open.

Most image files are associated so that clicking on the file at Windows Explorer this application

will open it automatically.

3 On File > Thumbnails [ T ] a box will open and fill with thumbnails of the images in the directory.



SEARCHING

4 Click File > Search Files [ Ctrl + F ] for searching images and a dialog with search options opens.

j) Filename pattern: Type the name or extension of the files to look for.

Is only allowed one term at a time (e.g.:)

* or *.* Search all files, all extensions

*.jpg Find only for files with the JPG extension

123*.jpg Find only JPG type files with 123 at name begin

*123.jpg Find only JPG type files with 123 anywhere in the name

Image Find only files which contain text image in the name



k) Search in: Specify the location where to search.

l) Browse: Browse for the volume or folder where to search.

m) Search subfolders: Check in order to search also subfolders from specified volumes or folders.



n) Date between: Check and specify dates to search.

o) Find text: Insert text to look for on files metadata.

p) Look in: Check the data type you want to search for the text.

IPTC data

EXIF data

Comment data

5 Click Start search.

If you just want to check the existence of EXIF and/or

IPTC and/or Comment data in a file, write as text a

single * character.



6 If you think you have enough results Stop the search any time and check them.

VIEW THE RESULTS

7 You can Sort files clicking the proper button.



8 Click Show in Thumbnail [ T ] to view and select the relevant images

a) With mouse over the thumbnail will be displayed image basic information:

9 Clicking twice the thumbnail will open the image full size.



a) Click icon i to obtain complete image information.

b) * indicates existing information.

You can find and view:

Exif metadata

IPTC metadata

Comment



SAVE SEARCH RESULTS

10 Select relevant results to export.

a) Right click over one of the

selected thumbnails

11 In order to export the results chose.

Save selected thumbs as HTML file...



12 Create HTML report configuration .

a) Most of the fields are already preconfigured:

Report file name do ficheiro: dont forguet the

extension.html

Destination folder: Y:\Evidence\Relevant Images

Thumbnails subfolder: Thumbnails

Images subfolder: Images

Create thumbs without frame/border: Checked

HTML templates location: Dont change

Copy original images: Recommended

Report Title

Number of columns with thumbnails: recommended

2 (if not dont forget to change)

Information to display in the report bellow thumbnail

for to each image.

Info text alignment for each image.

Click Help to see available placeholders for

file/image properties to include as information.



13 Generated report location

14 Exported files location

a) Exported original images: Y:\Evidence\Relevant Images\Images

b) Exported images thumbnails to be used in the report: Y:\Evidence\Relevant Images\Thumbnails



15 HTML Report example

a) You could right click on the report and edit the html file with MS Word:

b) At MS Word you could select the table and copy it into another Word document (e.g..: a more

elaborated report)

Search Linux & Mac (Linux Reader) - WTE 2013 Pag. 75


LINUX VOLUMES MOUNT

http://www.ext2fsd.com (Ext2Mgr)

1 In WTE main menu click All Programs > Linux & Mac > Linux Volumes Mount.

2 Ext2 Volume Manager will display all disks and partitions, mounted or not.

3 Select the partition to mount, right click and chose Change Drive Letter [ F4 ].



4 Click Add select a drive letter, a way to mount, click OK and Done.

The volume will be mounted and the Explorer will now displayed a new volume with the selected letter assigned.



SEARCH LINUX & MAC

http://www.diskinternals.com/linux-reader/ (LinuxReader)

1 In WTE main menu click All Programs > Linux & Mac > Search Linux & Mac.

Linux Reader will display all volumes, and physical drives, mounted or not:

2 Double click or right click on the volume and select Open partition to browse its content.



3 In top menu click View to change the appearance, by default will be displayed the full path to the selected file and a preview.

4 To search chose Commands > Search [ Ctrl F ] or click the proper icon

5 On the left panel configure your searches then click Search.

Click to expand

Preview Full Path



6 Clicking a hit automatically will show the full path and a quick preview on the bottom of right panel.

Type part of the name,

For a type of file use: *.ext

Multiple searches is not allowed

Text inside a file

Chose where to Look in

Select Date Modified

Select File Size

What to search



7 You can change the appearance of the results clicking the proper icon

8 Selecting a hit automatically will be showed the full path and a quick preview on Preview Panel.

9 Right click on Preview Panel and chose how to preview.



10 At Details in left panel, click on the preview to open a Large Preview.

11 Searching for files containing the typed text inside, and previewing file content.



12 You can click Cancel and stop the search job any time to check the results.

13 To open Folders Panel and browse folders chose View > Folder Tree or click the proper icon

14 To export evidence files select the relevant ones right click and chose Save.



15 Click Next and Browse for destination folder, preferably chose Y:\Evidence\Relevant Files.

a) Click Next:



b) Confirm the files to save and click Next:

c) Just click Finish:

Mail Viewer (Mitec Mail Viewer) - WTE 2013 Pag. 85


MAIL VIEWER

http://www.mitec.cz/mailview.html (Mitec Mail Viewer)

1 In WTE main menu click All Programs > Mail > Mail Viewer.

DBX, EML, MSG files are associated so that clicking on the file at

Windows Explorer this application will open it automatically.

2 Just select the type of mail file to view browse to its location and click OK.

OST Viewer (Kernel OST Viewer) - WTE 2013 Pag. 86


OST VIEWER

http://www.nucleustechnologies.com/ost-viewer.html (Kernel OST Viewer)

1 In WTE main menu click All Programs > Mail > OST Viewer.

OST files are associated so that clicking on the file at Windows

Explorer this application will open it automatically.

2 Search or Browse and select the Source OST File and click OK.

3 Once opened the OST you can navigate in a similar manner as MS Outlook:

The content of HTML messages probably wont be properly showed

PST Viewer (Kernel Outlook PST Viewer) - WTE 2013 Pag. 87


PST VIEWER

http://www.nucleustechnologies.com/pst-viewer.html (Kernel Outlook PST Viewer)

1 In WTE main menu click All Programs > Mail > PST Viewer.

PST files are associated so that clicking on the file at Windows


2 Search or Browse and select the Source PST File and click OK .

3 Once the PST opened you can navigate in a similar manner as MS Outlook.

The content of HTML messages probably wont be properly showed

Network Mount (PE Network Manager) - WTE 2013 Pag. 88


NETWORK MOUNT (WTE Maxi only)

http:// holger.winbuilder.net (PE Network Manager)

1 In WTE main menu click All Programs > Net > Network Mount.

2 Network Manager will scan for devices.

3 Select the Network Adapter to use.



4 If the Network Adapter you want to use is missing you must install drivers for LAN or WLAN.

(See WTE Support Chap. 6: how to install Drivers)

After force scanning for new devices and click the icon to refresh adapters list:

5 Type an IP address or obtain it automatically.



6 For a WIFI connection select the proper Network Adapter and click on the WIFI tab.

7 Double click on one of the available connection and insert the wireless key if needed.

8 A task bar icon will appear and you will be able to control the connection state.

Remote over Internet (Ammyy Admin) - WTE 2013 Pag. 91


REMOTE OVER INTERNET (WTE Maxi only)

http://www.ammyy.com/en/admin_features.html (Ammyy Admin)

1 In WTE main menu click All Programs > Net > Remote over Internet.

2 If you are acting as Client inform your ID to the Operator who intent to connect to you.

3 If you are acting as Operator type the Client ID and click Connect.

4 The Client have to Accept [A] the connection.

Wont be necessary any other configurations the operator can now control your system over internet

5 If both connected to the same network or using static IPs use IP instead of ID .

Remote (TrueRemote) - WTE 2013 Pag. 92


REMOTE (WTE Maxi only)

http://blog.x-row.net/?cat=4 (TrueRemote)

1 In WTE main menu click All Programs > Net > Remote.

2 For this connection Server must be using static IP or in the same network as Client.

3 If you are acting in ServerMode inform your IP to who is intent to connect to you and click OK .

4 If you are acting in ClientMode type the IP from the server you want and click OK.

Remote (TrueRemote) - WTE 2013 Pag. 93


If you need an encrypted connection or sound capture use Brynhildr in a similar way.

http://blog.x-row.net/?cat=9

5 Shouldnt be necessary any other configurations and the Client can access and control the Server system.

Office - WTE 2013 Pag. 94


WTE OFFICE

(Office Tools)

1 A regular MS Windows Calculator.

2 The well-known Internet Explorer.

HTM and HTML files are associated so that

clicking on the file at Windows Explorer this

application will open it automatically.

3 Notepad2 in substitution of the traditional Notepad. www.flos.freeware.ch

TXT files are associated so that clicking on the

file at Windows Explorer this application will

open it automatically.



4 With Open Office read and create office files (including MS Office) .

www.openoffice.org

CAUTION if you open a file and considerer it evidence DO NOT Save

it or Save As to your WTE Evidence Folder it will change file

Metadata

Rader you should open an explorer window and copy the file directly

to your Evidence Folder.

Most office file types are associated

so that clicking on the file at Windows

Explorer this application will open it

automatically.

5 With PDF Reader (Foxit Reader) read and create PDF file types.

www.openoffice.org

PDF files are associated so that clicking on the file at




6 The old MS Wordpad to read and create plain text or RTF files. RTF files are associated so that clicking on the file at Windows


P2P (eMule Met Viewer) - WTE 2013 Pag. 97


P2P (WTE Maxi only)

(P2P Tools)

1 View and export the content of eMule known.met files.

www.gaijint.at

Known.Met files are associated so that clicking on the file at


Click Open on the menu and select the known.met file:

You can use Search 1 to easily find known.met files:

On Search 1 results window Right click on the file and chose Open:

Or on explorer window select the file and click open (or double click):

P2P (eMule Met Viewer) - WTE 2013 Pag. 98


You can see all about the files that have been downloaded and shared by the eMule client:

Select relevant results and export them clicking the icon, or File > Export selected [Ctrl + Shift + E] on menu:

You can also export all items:

WTE Support (WTE Support Tools) - WTE 2013 Pag. 99


WTE SUPPORT

(WTE Support Tools)

1 CD Burning Tool (ImgBurn).

www.imgburn.com

2 Compressed Files (7-Zip).

www.7-zip.org

Most compressed files are associated so that clicking on the file at Windows




3 Files Hash (HashMyFiles).

www.nirsoft.net

Add the files or folders to calculate hashes:

Select File > Add Files [F2] or File > Add Folder [F3] on menu;

Clicking icons

Or simply by drag and drop



Automatically the application will calculate the hashes:

On menu chose View > Chose Columns to select the ones to make visible:

To export results chose View > HTML Report All Items on menu.

Or select the relevant ones and on menu chose View > HTML Report Selected Items:



Or choosing File > Save Selected Items [Ctrl + S] on menu you can save the results as plain text file:

4 Mount Virtual Disks.

http://www.ltr-data.se

Most Virtual DiIsk files are associated so that clicking on the

file at Windows Explorer this application will open it

automatically.



Click Mount new or chose File > Mount new virtual disk [Alt + N] on menu.

Browse for the image file to mount:

Or without opening the application in explorer window you can double click on the image file:



With image file selected click OK.

The virtual volume will be mounted:

To unmount virtual disk just select it:

And click Unmount.



5 Screen Capture.

http://www.faststone.org

6 Drivers.

Chose Driver to install

Browse and select the folder with Drivers to install At WTE USB stick: Y:/DriverPaks/ example installing Wlan Drivers:



With the folder selected click GO Click Next to start installing Click Finish to complete installation

Install all DriverPacks

Automatically will install all Drivers at WTE USB stick: Y:/DriverPaks/



Use Drivers from Host OS

Click: OK to automatically search and install Drivers from Host OS

7 System.

Command Prompt

Keyboard Switch

With [Ctrl +Tab] or clicking the icon on taskbar you can scroll through the available keyboards and select another one to use.

Right click on taskbar Icon, chose Preference and you can add more keyboards



Use [Left Alt +Shift + Letter] to change for another input language:

Letter Swap

(See SYNCHRONIZE LETTERS Topic)



System Lock

(See SYSTEM STARTUP Topic - Chap. 7: screen locked )

Windows Disk Management

Do not change anything you could be writing on evidence disks.

Use it just to take a screenshot for easier disks and partitions visualization

8 Tools.

Disk Mount

(See SYSTEM STARTUP Topic Chap. 3: WinFE Write Protect Tool )



FTK Imager

Image Viewer (IrfanView)

(See IMAGE VIEWER Topic)

Open Other Files

If you dont know how to open a file try using this application.

CAUTION if you open a file and considerer it evidence DO NOT use Save or Save As to your WTE Evidence

Folder cause it will change file Metadata

Rader you should open an explorer window and copy the file directly to your Evidence Folder.



System Report (Registry Report)

(See SYSTEM REPORT Topic)

Video Frames

Select the action to take:

- Extract frames from a single video;

- Extract frames from all videos in a folder,

You could include the ones in subfolders;

- Just Generate a Report from,

all video in folder WTE-Video_Report;

a single video;

In both cases you should have some

images in the folder.

After clicking single video button

you will be asked to select a file to process:



After clicking all videos in a folder button you will be asked to select a folder to process:

- Select the extraction mode:

A number of frames for each video file

An interval to extract each frame

- Insert Thumbnails width

- Option to copy original files

- After extraction mode configured click Next.

If the first option was the one selected and the video duration is unknown you will be prompted to insert an interval in seconds to extract frames.

During extraction will be shown a progress bar.



- Report Configuration:

Insert a Title

Insert a Sub-Title

Insert column number (default: 3)

Insert Thumbs width (default: 300px)

Chose information to include from video file: - MD5 Hash - SHA1 Hash - Last Modified Date - Created Date - Last Accessed Date

- Click Generate Report

- Before report generation you can visuali verify and chose the frames to include in the report.

An explorer windows will open at extracted_frames folder

Browse for video frames and delete the one you

dont want to include in the report.

For better visualization you could use:

[Ctrl+F1] to collapse the ribbon

[Shift+Ctrl+1] to show very big thumbnails

Then click Generate Report



If you just want to generate a report from images already extracted, select generate report from:

- All frames existent at WTE-Video_Report

or

- Frames extracted from a unique video

(the last option will prompt you to select the folder with the extracted frames to include in the report)

Then click Generate Report button.

Then you will be redirected to Report Configuration window.

You can stop any time cliquing Exit button or just clicking [Esc]

You will be prompted to confirm:

This tool will create a folder named WTE-Video_Reportcontaining:

- One sub-folder with the name of the video, if is a repeated name then date/time will be added.

Inside each video folder:

extracted_frames folder with the images from de videos

nav folder with support files,

original_files.info with the name and location of the processed file, hashes and dates

Report.html showing the frames extracted form the videos

Original video file if that option was checked



original_files.info sample:

Report.html sample:



You can also use IMAGE VIEWER (Irfan View) to select and create a quick HTML report with the extracted frames

Open Image Viewer, click Thumbnails an navigate into the corresponding frames folder

Chose the relevant frames right click on one of them and chose Create HTML Report

Give a name to the HTML file

Indicate Destination Folder

Give a page Title

Select Columns quantity

Deselect Write file info text

Click Start



Quickly configure Create HTML report for video frames report clicking Utilities > Restore VideoFrames Report for IrfanView at Portable Start Menu(this should be done with IrfanView closed)

Quickly restore Create HTML report configuration for images report clicking Utilities > Restore Images Report for IrfanView at Portable Start Menu (this should be done with IrfanView closed)

Video Viewer (VLC)

Drag and Drop supported.

Most video files are associated so that clicking on the file at




WTE USB STICK

(USB stick content)

1 Standard WTE USB Stick content

c

WTE Manual

Documents

Transcript of WTE Manual