
When we want to perform a computer analysis, we need tools that can be run from any device. One of them is Wintaylor, which is part of the CAINE (Computer Aided INvestigative Environment) distribution.
What is CAINE?
CAINE is a Linux distribution to perform computer forensic analysis.
What is Wintaylor?
Wintaylor is a set of portable tools, and the programs it groups are free software. It is widely used to extract software and hardware information from a computer running the Windows operating system.
We can use Wintaylor separately without having to install CAINE; to do so, we download it:
DOWNLOAD WINTAYLOR
Once we have downloaded it, we decompress it and can run it from the hard disk or from a USB flash drive.
Next we will see a set of buttons, each of which belongs to a tool; in this tutorial each tool will be described along with how to use it.
1. System Info - System Information
This System Information X tool allows you to inspect the configuration of the computer and collect information about the hardware and software components, and we can also generate reports.
When we start the application, two options appear, the first is that the tool searches event logs and directories and the other option is to search or read a log file that we will indicate. For this tutorial we will select the first option.
Once the computer has been thoroughly analyzed, an extensive list of all its components is obtained, together with the model, manufacturer and other relevant details of each one.
For each item we can explore data such as:
- The processor, trade name, architecture, number of cores, frequency.
- We can obtain information about RAM, motherboard, monitor, video card, printers, sound card, USB devices or network adapters.
- We can also export a report in XML for later use. Within the File > Summary Report option, we will have the option to see all the profiles we have created for several computers.
2. WinAudit - Computer audit
This tool, which we saw in the tutorial Computer Audit with WinAudit, is a very useful application that shows extensive information about the operating system, peripherals, and BIOS error logs. WinAudit is a small tool for thoroughly understanding the system: hardware and software, registry and operating system events, security, and users.
For example, in the User Privileges item we can see what permissions a user has, when they last logged in and how many times they have logged in in total.
3. DriveManager - Manage storage devices
This tool is used to manage storage devices. Drive Manager is a free and portable disk management tool for viewing information about hard drives, removable devices such as CD/DVD drives and flash memories, and even card readers and drives available over the network.
You can show and hide or lock and unlock drives, access tools such as disk checking, create substitute drive letters for files and folders, search drives, and measure disk speed.
Drive Manager shows the size of the disk, the space used, the available space and the percentage of free space, with automatic refresh every 10 seconds, as well as the volume serial number and product identification.
4. TestDisk - Data recovery
This tool is what we saw in the tutorial Recover Hard Disk with TestDisk and Rstudio tools. TestDisk is cross-platform and is used for recovering lost data on partitions and boot disks, USB hard disks, flash memories and memory cards. TestDisk supports partitions in ext2/ext3/ext4, HFS+, HFSX, FAT16, FAT32, FAT and NTFS format.
5. FTK Imager - Disk Image Capture Tools
The Forensic Toolkit (FTK Imager) is a set of tools that allows you to manage and capture images of hard disks, external storage devices and RAM for investigation purposes.
FTK Imager can store disk images as files in dd format. This tool is what we saw in the tutorial Analyze disk image with FTK Imager.
6. PC ON / OFF - Computer Power On and Off Log
This tool allows us to know on which days a computer was turned on, when it was turned off and how many hours it was in operation; it is used to determine when the computer was on, off or in standby mode. This can be used to check that a computer is not used at inappropriate times, for example in a company or when external technicians or administrators are given access.
You can also perform this check for a computer on the network. The free version lets you see the last 3 weeks; the paid version has no limits.
7. WHOIS - Domain Information
WhoisThisDomain is a domain registration search tool that allows us to obtain information about a registered domain.
It automatically connects to the WHOIS database server and through the domain name, retrieves data from the domain's WHOIS record. It is compatible with both generic domains and country code domains. We can create a list of domains to check all together and have them updated.
8. LANSCAN - Network Scan Tool
The application is called PortScan and works as a network scanner that can quickly check an IP range and report information about the computers on that network. It is very useful if we want to check the information of the network equipment. It is very simple, but you need to know about networks to interpret the information shown.
The network scan is performed by assigning the IP range, for example 192.168.0.0 to 192.168.0.255, and the application will search for all the computers in that network. PortScan analyzes all available ports and shows details such as MAC address, host name, open ports and HTTP servers for each connected machine.
In addition, you can also ping an IP address or host name. The most recent version also incorporates a network speed test tool to determine the download and upload speed of the network connection. We can use PortScan to obtain information about HTTP, FTP, SMTP and SMB services.
The application is portable, so we can also download it independently in a more recent version with more options.
9. HexEdit - Hexadecimal editor and RAM capture
This tool is a hexadecimal editor that lets you see what is happening in RAM and in the BIOS live, that is, with the computer on and running; it also serves to capture images of memory and disks.
When we start the program from the File menu, we can choose a storage device or a block of RAM or BIOS.
Once we have selected where we will obtain the data, HEXEDIT will show us the content that we can explore. If we have enough knowledge we can edit information directly in memory.
10. PhotoRec - Data recovery from devices and disk images
PhotoRec is a multiplatform data recovery and archiving tool for hard drives, USB flash drives, and digital cameras.
It recovers various image formats, audio files, Office document formats and many other file formats, including ZIP.
PhotoRec does not attempt to write to the damaged media from which the user is about to recover data. The recovered files are instead written to a directory selected by the user from which PhotoRec is run. It can be used for data recovery when forensic analysis is performed, including on disk images or RAM memory. PhotoRec is a perfect complement to TestDisk.
In the Analyze disk image with FTK Imager tutorial, I showed how to use PhotoRec with a dd image of a flash memory. You can also see a good article that offers free programs to recover deleted files, where PhotoRec is mentioned.
11. RAM Dump - Capture RAM in Windows
This section contains a set of tools to capture RAM. The tools are Winen and MDD; they are command-line programs that will allow us to capture RAM from a USB stick without having administrator privileges.
The command is very simple; for example, for mdd we specify the -o option followed by the file name in which to save the image:
mdd -o dump.dd
In this case, in 53 seconds we were able to make an image of a Windows 7 system with 2 GB of RAM.
12. Recuva - Data recovery tool
Recuva is a file recovery tool, we can also find it in the article Free programs to recover deleted files.
This tool can recover files that have been deleted from the computer, from a hard drive, a USB drive, an MP3 player or even a memory card from a photo camera.
Recuva has a recovery wizard to specify what type of file to look for and thus make recovery faster. To do this we start the wizard and then select the type of file we want to recover, such as documents, photos, videos or emails, among other options.
13. USB Write Protector - Protect USB storage devices
It provides write protection for USB devices to control the writing and transfer of data; this tool will prevent, for example, that we delete or write to a flash drive by accident. USB WriteProtector allows you to both enable and disable write protection. In addition, it can be run from its interface or from the command line.
We must bear in mind that once we have set the USB Write ON or OFF option, any USB flash drive we connect will automatically adopt the selected setting.
14. USB Devices - List of usb devices
USBDeview is a tool that shows all the USB devices currently connected to the computer, as well as all the USB devices that were used previously. For each USB device, very detailed information is displayed: device name, description, device type, serial number, the date and time the device was added, and other system, manufacturer and vendor information.
It also allows you to manage and uninstall the USB devices that were previously used, or keep them as history, and it supports enabling and disabling any of the USB devices. It can also be used to manage the USB devices of a remote computer over the network, as long as you have system administrator and network permissions.
15. Windows File Analyzer - Analysis and Decoding of hidden files
This tool analyzes and decodes some files for forensic analysis. The Thumbs.db file is created by Windows when the thumbnail view is used; it is a hidden file not seen by users. Because the image preview data is stored in this file, that data can be obtained even if the image itself has been deleted.
Shortcuts (links) to files that have been handled are also a source of information, since they create a historical record.
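As an added example (not part of the original tutorial or of Windows File Analyzer), this Python script decodes the fixed 76-byte ShellLinkHeader of a Windows shortcut (.lnk) file, which is where the target's creation, access and write timestamps, size and attributes are recorded. The sample header is constructed inline; the layout and constants follow the public MS-SHLLINK specification.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed layout of the 76-byte ShellLinkHeader (MS-SHLLINK section 2.1).
HEADER_FMT = "<I16sIIQQQIiIHHII"
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
              0x10: "DIRECTORY", 0x20: "ARCHIVE"}

def filetime_to_dt(ft):
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means "not set".
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    # Integer arithmetic: the tick count exceeds exact float range.
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_lnk_header(data):
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated: shorter than ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file (bad HeaderSize or LinkCLSID)")
    return {
        "flags": [n for b, n in LINK_FLAGS.items() if flags & b],
        "attributes": [n for b, n in FILE_ATTRS.items() if attrs & b],
        "creation_time": filetime_to_dt(ctime),
        "access_time": filetime_to_dt(atime),
        "write_time": filetime_to_dt(wtime),
        "target_size": fsize,
        "show_command": show,
    }

# Constructed sample header (not from a real system): a shortcut to a 4 KiB
# archive-flagged document last written on 2020-03-15, opened the next day.
SAMPLE_LNK = struct.pack(
    HEADER_FMT, HEADER_SIZE, LINK_CLSID, 0x01 | 0x02 | 0x08 | 0x80, 0x20,
    dt_to_filetime(datetime(2019, 12, 1, 9, 30, tzinfo=timezone.utc)),
    dt_to_filetime(datetime(2020, 3, 16, 8, 0, tzinfo=timezone.utc)),
    dt_to_filetime(datetime(2020, 3, 15, 17, 45, tzinfo=timezone.utc)),
    4096, 0, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    for key, value in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{key:>14}: {value}")
```

To read a real shortcut, pass the first 76 bytes of the .lnk file to parse_lnk_header; the variable-length structures that follow the header (target ID list, link info, string data) are not decoded here.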
There is also another section called More Tools, which contains multiple applications to run in portable mode, some of them being:
- SkypeLogView: to view saved Skype conversations
- SniffPass: to spy on a specific IP to which we have access
- MyLastSearch: to determine what the last searches were and from which browser
- Windows Registry Recovery: to recover and retrieve information from the Windows registry
We also have the Windows system tools to use from the command line such as netstat, systeminfo, ipconfig and many more.
To conclude, we leave a couple of links to tutorials related to audits:
- CentOS 7 audit system
- Linux audit with Lynis