WTE Manual

2014
Windows Triage
Environment
Pedro Gilberto
[WTE MANUAL]
Windows Triage Environment Manual (Lang. English)
Windows Triage Environment (WTE)
SYSTEM STARTUP .................................................................................................................................................................. 6

HTTP://WWW.RAMSDENS.ORG.UK/
(MOUNTING DISKS WRITE PROTECTED) ........................................................................................... 6

1 In order to avoid mistakes disconnect any external USB drive from target system: Mount and examine it later. .......... 6
2 Access system target BIOS and change boot options as needed (see document BIOS settings for USB booting.pdf ... 6
3 Boot the computer using WTE system from USB STICK or CD .......................................................................................... 6
4 Chose one of the options: ................................................................................................................................................. 6
5 An alert message will be presented after startup ............................................................................................................ 6
6 WinFE Write Protect Tool Management Console will be displayed ................................................................................. 6
7 Mount evidence disks write protected (Read Only) ......................................................................................................... 7
8 Mount WTE USB Stick allowing writing (Read/Write) ..................................................................................................... 8
9 Disk and WTE USB Stick ready to be properly mounted ................................................................................................... 9
10 Initial screen locked waiting for password ..................................................................................................................... 9
11 WTE system desktop .................................................................................................................................................... 10
12 WTE System Main Menu Start .................................................................................................................................. 10
13 For main procedures click Help ................................................................................................................................. 12
SYNCHRONIZE LETTERS ........................................................................................................................................................ 13

(LETTERSWAP) ............................................................................................................................................................................. 13
1 Synchronize volume letters based on registry from target computers Windows O.S. .................................................. 13
2 Click 1 Letter Swap ................................................................................................................................................... 13
3 Browse for WINDOWS folder and click twice to open WINDOWS folder ................................................................ 13
4 Click OK .......................................................................................................................................................................... 13
5 Refresh explorer [ F5 ] and verify if letters assignment changed and are now corrected .............................................. 13
SYSTEM REPORT .................................................................................................................................................................. 14
HTTP://WWW.GAIJIN.AT/EN/DLREGREPORT.PHP
(REGISTRY REPORT) ................................................................................................ 14

1 From target Operating System copy the registry files ................................................................................................... 14
2 Save them to WTE USB Stick (by default Y:) into Evidence\Registry folder................................................................... 14
3 Copy files regarding relevant Users ............................................................................................................................... 15
4 Save it into the same folder Evidence\Registry at WTE USB Stick................................................................................. 15
5 Click File > Open registry files [Ctrl+D] .......................................................................................................................... 17
6 Click Import from folder ................................................................................................................................................ 18
7 Select Evidence\Registry folder (or optionally original folder) ...................................................................................... 18
8 As preferential option you should select the folders of the original evidence files ........................................................ 20
9 After all files properly selected click OK ......................................................................................................................... 21
10 The application appearance with all files selected ...................................................................................................... 21
11 Click File > Create report [Ctrl+R] ................................................................................................................................ 21
12 After report generation is finished click File > Save as [Ctrl+S] ................................................................................... 22
13 Click File > Exit [Ctrl+X] ................................................................................................................................................ 23
14 In order to facilitate the whole process was created a script that will run by clicking the link on the desktop ........... 24
A brief analysis to the generated report ............................................................................................................................ 26
SEARCH 1 ............................................................................................................................................................................. 29
HTTP://WWW.GLARYSOFT.COM/QUICK-SEARCH
(QUICKSEARCH) ....................................................................................................... 29
1 This application will be started automatically during WTE startup and at screens bottom will be displayed a small
search box ............................................................................................................................................................................ 29
2 As you type the term to search the results will be displayed in real time ...................................................................... 29
3 Click on columns header to sort results .......................................................................................................................... 29
System Startup - WTE 2013
Pag. 1

4 Click on the left tab to filter results by file type.............................................................................................................. 30
5 Double clicking a result will open file location on an explorer window.......................................................................... 30
6 Right clicking a result will display several options ......................................................................................................... 30
7 You can open the file with an associated program ........................................................................................................ 30
8 How to configure file type filters .................................................................................................................................... 31
8 Check if the application is working properly typing just a character (e.g.: a) at the search box you should see
immediate results ................................................................................................................................................................ 32
9 If the application is not working use search 2 or 3. ....................................................................................................... 32
SEARCH 2 ............................................................................................................................................................................. 33
HTTP://LOCATE32.COGIT.NET/
(LOCATE 32) ................................................................................................................................. 33

1 This application will be started automatically during WTE startup and will update a database named WTE .............. 33
2 Locate32 saves to a database the names of all files on your hard drives ...................................................................... 33
3 Once the file indexing has occurred, you can locate files quickly by using the application's search form ..................... 33
4 If the application is not working or displays this messages go to Advance Configuration on this document ............... 33
5 Search configuration ................................................................................................................................................... 34
6 Use pre-configured searches. ......................................................................................................................................... 38
7 Click twice on a column header to sort results. .............................................................................................................. 39
8 Click View at main menu and select how to view the results. ....................................................................................... 39
9 In order to export search results to a file click File > Save Results [Ctrl S]:.................................................................... 40
10 Correcting database ERRORS. ...................................................................................................................................... 44
11 Configure Presets ......................................................................................................................................................... 46
12 Restore application with its default configurations including preconfigured searches (Presets). ............................... 47
13 Click ? at Advanced tab for help. ................................................................................................................................. 48
14 Click Help > Help Topics on main menu bar for help. .................................................................................................. 48
SEARCH 3 ............................................................................................................................................................................. 49
HTTP://WWW.MYTHICSOFT.COM/AGENTRANSACK
(AGENT RANSACK) ................................................................................................ 49

1 Application start screen. ................................................................................................................................................ 49
2 Search configuration ................................................................................................................................................... 49
3 Starting to search ........................................................................................................................................................ 53
4 Using preconfigured searches ..................................................................................................................................... 53
5 Sort search results ....................................................................................................................................................... 54
6 Select the relevant results .............................................................................................................................................. 55
7 Save the results ........................................................................................................................................................... 55
IMAGE VIEWER .................................................................................................................................................................... 57

HTTP://WWW.XNVIEW.COM
(XNVIEW) ........................................................................................................................................ 57
1 Start screen .................................................................................................................................................................... 57
2 Click File > Open browse and select the image you want to open. ................................................................................ 57
3 On Tools > Search [ Ctrl + F ] or click de icon, to search images. ................................................................................... 57
4 Will open a new windows for Search configuration, you can configure: ....................................................................... 57
5 Results will be displayed and you can see them as thumbnails ..................................................................................... 60
6 Select relevant images and click Create > Web Page or the button ........................................................................... 61
7 Will open a new windows displaying Report configuration ........................................................................................... 61
8 If configuration is ready just click Create ....................................................................................................................... 62
9 Will be created three folders named Images, Thumbnails and nav and an html file named thumb.html, all making
part of the report, clicking on thumb.html you could see the report on the browser. ........................................................ 62
IMAGE VIEWER (ALTERNATIVE) ........................................................................................................................................... 64

Pag. 2

HTTP://WWW.IRFANVIEW.COM
(IRFAN VIEW) ............................................................................................................................... 64

1 Start screen .................................................................................................................................................................... 64
2 Click File > Open browse and select the image you want to open. ................................................................................ 64
3 On File > Thumbnails [ T ] a box will open and fill with thumbnails of the images in the directory. ............................. 64
4 Click File > Search Files [ Ctrl + F ] for searching images and a dialog with search options opens. ............................... 65
5 Click Start search. .......................................................................................................................................................... 67
6 If you think you have enough results Stop the search any time and check them. ......................................................... 68
7 You can Sort files clicking the proper button. ................................................................................................................ 68
8 Click Show in Thumbnail [ T ] to view and select the relevant images .......................................................................... 69
9 Clicking twice the thumbnail will open the image full size. ............................................................................................ 69
10 Select relevant results to export. .................................................................................................................................. 71
11 In order to export the results chose. ............................................................................................................................ 71
12 Create HTML report configuration . ............................................................................................................................ 72
13 Generated report location............................................................................................................................................ 73
14 Exported files location .................................................................................................................................................. 73
15 HTML Report example.................................................................................................................................................. 74
LINUX VOLUMES MOUNT .................................................................................................................................................... 75

HTTP://WWW.EXT2FSD.COM
(EXT2MGR)..................................................................................................................................... 75
1 In WTE main menu click All Programs > Linux & Mac > Linux Volumes Mount. ............................................................ 75
2 Ext2 Volume Manager will display all disks and partitions, mounted or not. ................................................................ 75
3 Select the partition to mount, right click and chose Change Drive Letter [ F4 ]. ........................................................... 75
4 Click Add select a drive letter, a way to mount, click OK and Done. .......................................................................... 76
SEARCH LINUX & MAC ......................................................................................................................................................... 77

HTTP://WWW.DISKINTERNALS.COM/LINUX-READER/
(LINUXREADER) ................................................................................................. 77
1 In WTE main menu click All Programs > Linux & Mac > Search Linux & Mac. .............................................................. 77
2 Double click or right click on the volume and select Open partition to browse its content. .......................................... 77
3 In top menu click View to change the appearance, by default will be displayed the full path to the selected file and a
preview. ............................................................................................................................................................................... 78
4 To search chose Commands > Search [ Ctrl F ] or click the proper icon......................................................................... 78
5 On the left panel configure your searches then click Search. ........................................................................................ 78
6 Clicking a hit automatically will show the full path and a quick preview on the bottom of right panel. ....................... 79
7 You can change the appearance of the results clicking the proper icon ........................................................................ 80
8 Selecting a hit automatically will be showed the full path and a quick preview on Preview Panel. ............................. 80
9 Right click on Preview Panel and chose how to preview. .............................................................................................. 80
10 At Details in left panel, click on the preview to open a Large Preview........................................................................ 81
11 Searching for files containing the typed text inside, and previewing file content........................................................ 81
12 You can click Cancel and stop the search job any time to check the results. ............................................................... 82
13 To open Folders Panel and browse folders chose View > Folder Tree or click the proper icon ................................... 82
14 To export evidence files select the relevant ones right click and chose Save. .............................................................. 82
15 Click Next and Browse for destination folder, preferably chose Y:\Evidence\Relevant Files. .................................... 83
MAIL VIEWER ...................................................................................................................................................................... 85

HTTP://WWW.MITEC.CZ/MAILVIEW.HTML
(MITEC MAIL VIEWER) ..................................................................................................... 85

1 In WTE main menu click All Programs > Mail > Mail Viewer. ....................................................................................... 85
2 Just select the type of mail file to view browse to its location and click OK. ................................................................. 85
OST VIEWER ........................................................................................................................................................................ 86

HTTP://WWW.NUCLEUSTECHNOLOGIES.COM/OST-VIEWER.HTML
(KERNEL OST VIEWER) ....................................................................... 86

Pag. 3

1 In WTE main menu click All Programs > Mail > OST Viewer. ........................................................................................ 86
2 Search or Browse and select the Source OST File and click OK. ..................................................................................... 86
3 Once opened the OST you can navigate in a similar manner as MS Outlook: ............................................................... 86
PST VIEWER ......................................................................................................................................................................... 87
HTTP://WWW.NUCLEUSTECHNOLOGIES.COM/PST-VIEWER.HTML
(KERNEL OUTLOOK PST VIEWER).......................................................... 87

1 In WTE main menu click All Programs > Mail > PST Viewer.......................................................................................... 87
2 Search or Browse and select the Source PST File and click OK . .................................................................................... 87
3 Once the PST opened you can navigate in a similar manner as MS Outlook. ................................................................ 87
NETWORK MOUNT (WTE MAXI ONLY) ................................................................................................................................. 88

HTTP:// HOLGER.WINBUILDER.NET
(PE NETWORK MANAGER) .......................................................................................................... 88

1 In WTE main menu click All Programs > Net > Network Mount. .................................................................................. 88
2 Network Manager will scan for devices. ........................................................................................................................ 88
3 Select the Network Adapter to use. ............................................................................................................................... 88
4 If the Network Adapter you want to use is missing you must install drivers for LAN or WLAN. .................................... 89
5 Type an IP address or obtain it automatically. ............................................................................................................... 89
6 For a WIFI connection select the proper Network Adapter and click on the WIFI tab. .................................................. 90
7 Double click on one of the available connection and insert the wireless key if needed. ................................................ 90
REMOTE OVER INTERNET (WTE MAXI ONLY) ....................................................................................................................... 91

HTTP://WWW.AMMYY.COM/EN/ADMIN_FEATURES.HTML
(AMMYY ADMIN) ....................................................................................... 91

1 In WTE main menu click All Programs > Net > Remote over Internet. ......................................................................... 91
2 If you are acting as Client inform your ID to the Operator who intent to connect to you. ............................................ 91
3 If you are acting as Operator type the Client ID and click Connect. .............................................................................. 91
4 The Client have to Accept [A] the connection. ............................................................................................................... 91
5 If both connected to the same network or using static IPs use IP instead of ID ............................................................ 91
REMOTE (WTE MAXI ONLY) ................................................................................................................................................. 92

HTTP://BLOG.X-ROW.NET/?CAT=4
(TRUEREMOTE) ........................................................................................................................ 92
1 In WTE main menu click All Programs > Net > Remote. ................................................................................................ 92
2 For this connection Server must be using static IP or in the same network as Client. ................................................... 92
3 If you are acting in ServerMode inform your IP to who is intent to connect to you and click OK ................................. 92
4 If you are acting in ClientMode type the IP from the server you want and click OK. .................................................... 92
WTE OFFICE ......................................................................................................................................................................... 94

(OFFICE TOOLS) ........................................................................................................................................................................... 94
1 A regular MS Windows Calculator. ................................................................................................................................ 94
2 The well-known Internet Explorer. ................................................................................................................................ 94
3 Notepad2 in substitution of the traditional Notepad. ................................................................................................... 94
4 With Open Office read and create office files (including MS Office) . ........................................................................... 95
5 With PDF Reader (Foxit Reader) read and create PDF file types. .................................................................................. 95
6 The old MS Wordpad to read and create plain text or RTF files. ................................................................................... 96
P2P (WTE MAXI ONLY) ......................................................................................................................................................... 97
(P2P TOOLS) ............................................................................................................................................................................... 97
1 View and export the content of eMule known.met files. .............................................................................................. 97
WTE SUPPORT ..................................................................................................................................................................... 99
(WTE SUPPORT TOOLS) ................................................................................................................................................................ 99
Pag. 4

1 CD Burning Tool (ImgBurn). ........................................................................................................................................... 99
2 Compressed Files (7-Zip). ............................................................................................................................................... 99
3 Files Hash (HashMyFiles).............................................................................................................................................. 100
4 Mount Virtual Disks...................................................................................................................................................... 102
5 Screen Capture. ............................................................................................................................................................ 105
6 Drivers. ......................................................................................................................................................................... 105
Chose Driver to install ................................................................................................................................................ 105
Install all DriverPacks ................................................................................................................................................. 106
Use Drivers from Host OS ........................................................................................................................................... 107
7 System. ......................................................................................................................................................................... 107
Command Prompt ...................................................................................................................................................... 107
Keyboard Switch ........................................................................................................................................................ 107
Letter Swap ................................................................................................................................................................ 108
System Lock ................................................................................................................................................................ 109
Windows Disk Management ...................................................................................................................................... 109
8 Tools. ............................................................................................................................................................................ 109
Disk Mount ................................................................................................................................................................. 109
Image Viewer (IrfanView) .......................................................................................................................................... 110
Open Other Files......................................................................................................................................................... 110
System Report (Registry Report) ................................................................................................................................ 111
Video Frames ............................................................................................................................................................. 111
Video Viewer (VLC) ..................................................................................................................................................... 117
WTE USB STICK .................................................................................................................................................................. 118
(USB STICK CONTENT) ................................................................................................................................................................. 118
1 Standard WTE USB Stick content ................................................................................................................................. 118
Pag. 5
http://www.ramsdens.org.uk/
SYSTEM STARTUP
(Mounting disks write protected)
1 In order to avoid mistakes disconnect any external USB drive from target system: Mount and examine it later.
2 Access system target BIOS and change boot options as needed (see document BIOS settings for USB
booting.pdf
3 Boot the computer using WTE system from USB STICK or CD
4 Chose one of the options:
WTE Standard (default)
WTE Mini (if standard option dont boot properly try this one)
WTE Maxi (support for: Network; MSI Installer; MS Visual C ++; Volume Shadow Copy Service; USB 3.0)
5 An alert message will be presented after startup
6 WinFE Write Protect Tool Management Console will be displayed
Pag. 6

7 Mount evidence disks write protected (Read Only)
Select disk
Click Detail Disk to check
which disk it is
Check that evidence disks are in

Read-Only before mounting it.
If not click Read Only
Click Mount In order to mount the
disk
Pag. 7

8 Mount WTE USB Stick allowing writing (Read/Write)
Check that you selected the

WTE USB Stick.
With the WTE USB Stick selected click

Read/Write
Click Mountin order to mount
evidence disk.
An alert message will appear indicating
that the volume will be mounted
allowing writing.
Pag. 8

9 Disk and WTE USB Stick ready to be properly mounted
Click Continue to start-up

system with mounted disks
If using this application later, you can use it after

system started up in order to mount other evidence
disks, click Close
10 Initial screen locked waiting for password
Pag. 9

11 WTE system desktop
If you see this warning it means

that the WTE USB Stick is not
mounted.
Mount WTE USB Stick with
writing permission.
12 WTE System Main Menu Start
Pag. 10
Pag. 11

13 For main procedures click Help
Pag. 12
SYNCHRONIZE LETTERS
(LetterSwap)
1 Synchronize volume letters based on registry from target computers Windows O.S.
The letter X will automatically be assigned to boot virtual volume.

The letter Y will be assigned to the USB Stick (CdUsb.Y marker file will be searched on WTE sticks root).
If the volumes werent mounted with correct letters assigned:
You can run this application manually and try to force letters reassignment (letters abxyz are ignored).
2 Click 1 Letter Swap
3 Browse for WINDOWS folder and click twice to open WINDOWS folder
4 Click OK
5 Refresh explorer [ F5 ] and verify if letters assignment changed and are now corrected
Sometimes, depending on how disk are partitioned and the location of the active partition and were OS is installed,
this reassignemt wont succeed.
Synchronizer Letters - WTE 2013
Pag. 13
http://www.gaijin.at/en/dlregreport.php
SYSTEM REPORT
(Registry Report)
1 From target Operating System copy the registry files
C:\WINDOWS\system32\config\software
C:\WINDOWS\system32\config\system
C:\WINDOWS\system32\config\SAM
2 Save them to WTE USB Stick (by default Y:) into Evidence\Registry folder
System Report (Registry Report) - WTE 2013
Pag. 14

3 Copy files regarding relevant Users
C:\Documents and Settings\USERNAME\NTUSER.DAT (for Windows XP Operating System)

C:\Users\USERNAME\NTUSER.DAT (for Windows 8 / 7 / Vista Operating Systems)
4 Save it into the same folder Evidence\Registry at WTE USB Stick
If several relevant users, for each one, create a subfolder at Evidence\Registry\[username] and copy
respective NTUSER.DAT into it.
Pag. 15
Use username to name the folder according to NTUSER.DAT
Pag. 16
On RegistryReport:
Applications initial screen
5 Click File > Open registry files [Ctrl+D]
Pag. 17

6 Click Import from folder
7 Select Evidence\Registry folder (or optionally original folder)
Pag. 18

Existing more than one relevant user select the individual path for each one of the NTUSER.DAT files.
Pag. 19
8 As preferential option you should select the folders of the original evidence files
Click Import from folder

Select C:\WINDOWS\system32\config folder
Browse for each of the NTUSER.DAT files
C:\Users\USERNAME\NTUSER.DAT (Win 8 / 7 / Vista)

C:\Documents and Settings\USERNAME\NTUSER.DAT (Win XP)
Pag. 20

9 After all files properly selected click OK
10 The application appearance with all files selected
Selecting the files saved at

Evidence/Registry from WTE USB Stick
or
Selecting original files from target OS
Using this option the original location of the evidence files will be displayed on the report, allowing to identifying
immediately which user is the report related.
11 Click File > Create report [Ctrl+R]
Pag. 21
Applications screen displaying the generated report
Case more than one relevant user you should elaborate a report for each one, and could use first 3 files
just for a first complete report.
For other reports you could use only the NTUSER.DAT regarding each user.
12 After report generation is finished click File > Save as [Ctrl+S]
Pag. 22
Save it at Evidence\Registry:
Inside the folder named with the corresponding username:
13 Click File > Exit [Ctrl+X]
Pag. 23

14 In order to facilitate the whole process was created a script that will run by clicking the link on the desktop
Clicking System Report on start menu or portable menu you will not have access to this
facility, that way you should run the whole process manually as explained above.
While the script is running will be displayed a small icon at the task bar
Automatically it will be displayed an explorer window opened at users folder.
Select the NTUSER.DAT file regarding the relevant user and click Open to continue.
The script will search for the other necessary system files.
Pag. 24
The application RegistryReport will automatically start and generate the report, but you will need to save it
manually.
Before saving the report make sure it was correctly generated, checking in its beginning the location of the
system files used and if were chosen the correct ones.
Do not forget to save the report in the folder concerning each user clicking File > Save as [Ctrl+S].
You will be asked if you want to generate a new report regarding another user, if so you must close
RegistryReport before choosing a new NTUSER.DAT file.
(If you didnt close the application the report generation will not be started automatically, but as the files are
already selected just click File > Create report [Ctrl+R] and proceed)
All the needed system files will be saved automatically into Evidence\Registry at the ending stage so do
not be surprised with some delay until the appearance of the finishing message.
Pag. 25
A brief analysis to the generated report
Important points to consider:
Operating System settings
Name of registration of OS
Install date of OS
Date and time of OS last shutdown
Pag. 26
Applications or services starting automatically with Operating System startup.
Installed software.
Last user actions recorded by Operating System
Pag. 27
Devices connected o Operating System
USB devices (External disks, Pendrives, Photo Cameras, Video cameras, Mobile phones )
Pag. 28
http://www.glarysoft.com/quick-search
SEARCH 1
(QuickSearch)
1 This application will be started automatically during WTE startup and at screens bottom will be displayed a
small search box
2 As you type the term to search the results will be displayed in real time
Will be displayed files or folder containing the typed word, regardless its position, on the name;
You can only search for a term at a time.
3 Click on columns header to sort results
Search 1 (QuickSearch) - WTE 2013
Pag. 29

4 Click on the left tab to filter results by file type
5 Double clicking a result will open file location on an explorer window

6 Right clicking a result will display several options
7 You can open the file with an associated program
Pag. 30

8 How to configure file type filters
Click small white arrow at the search box.
Chose Options.
At Category tab select the one to modify and at File Extensions field add, modify or remove any file
extension.
You can also Remove or Add a new category
Pag. 31

8 Check if the application is working properly typing just a character (e.g.: a) at the search box you should see
immediate results
9 If the application is not working use search 2 or 3.

The quick exhibition of the results is possible because the application indexes all files and folder names making use
of MFT form NTFS file system.
Remember that the application will not work on volumes formatted with other file systems then NTFS:
FAT (Flash Cards, Pen Drives, old Disks)

EXT2, EXT3, Reiser, (Linux)
HFS(Mac)
If for any reason the application is already running when you mount a disk you will have to close it (click on the
small white arrow and chose Exit) and start it up again so that the application indexes this also that disk.
Pag. 32
http://locate32.cogit.net/
SEARCH 2
(Locate 32)
1 This application will be started automatically during WTE startup and will update a database named WTE
Will be displayed a small box at the right bottom of the screen showing database indexation progression:
2 Locate32 saves to a database the names of all files on your hard drives
By default non fixed disks and volumes assigned with letters Y: and X: (used by WTE System) will not be
indexed.
3 Once the file indexing has occurred, you can locate files quickly by using the application's search form
Type the terms to search and the results will be displayed in real time:
Check if the application is working tiping just a character (eg: a) at Named field:
4 If the application is not working or displays this messages go to Advance Configuration on this document
Search 2 (Locate 32) - WTE 2013
Pag. 33
SEARCHING
5 Search configuration
Name & Location tab:

a)
Named: type the name of the file to search for.
b)
Extensions: you can specify extensions; only files with those extensions will be searched.
c)
You can also specify several searching terms separated by [space].
To search files witch name has [,] [;] or [space] use apostrophes [])
You could use logical operations + and -.
You can search a file which name does not contain a term using - (eg: -tmp -log).
You can use * (any character)
Look in: specify directories to search for files.
Pag. 34
d)
Browse You can use this button to specify a directory for "Look in:".
Size and Date tab:

a)
Minimum / Maximum file size: delimit the size of the files to look for.
Pag. 35

b)
Files newer / older then: delimit dates to search:
Click and browse the

calendar
Select dates
c)
Select which type of date to considerer.
Modified
Created
Last accessed
Pag. 36
Advanced tab (even more options to restrict the searches):

a)
Type of file: you can specify type of files to search for (grouped by extension).
a)
File containing text: check and use this field to find texts inside of files.
b)
Match case: check to specify whether the text to search for is case sensitive or no.
c)
Find Now: click to start advanced search.
Pag. 37

6 Use pre-configured searches.
Click Presets
Select one of the sets
Relevant fields will be filed

automatically
Immediately results will be displayed
Will be shown the number of files and
directories found
Pag. 38
VIEW RESULTS
7 Click twice on a column header to sort results.
8 Click View at main menu and select how to view the results.
Pag. 39
SAVE SEARCH RESULTAS

9 In order to export search results to a file click File > Save Results [Ctrl S]:
Save the report at Y:\Evidence\Relevant Searches:
a)
At File name field: type the name of the file to save (eg: Searches_[user] or: create a subfolder).
Pag. 40

b)
At Save as type: select txt or html:
c)
For HTML file select a template at Template (HTML only):
WTE Images: for a report with relevant images thumbnails, and some simple information.
WTE List: just a list from relevant files with simple information about each one.
Pag. 41
d)
At Include: Select what to include on header report:
summary: the number of files and folders found

date: search date
column labels: column header
database info: database name and location (full path)
e)
You can check Description and type some text to include as description on header report.
f)
At Include results: select what results to export to the report list:
g)
All results: include all search results

Only selected: include only the selected ones (dont forget to select the significant results from
the list)
At Details: select what information, related to each result, to include at the report, by default:
Full Path
Date Modified
MD5 checksum: (it could take quite a long time if there are too many results to export)
if you want to display more information in the listing change the choices
Pag. 42

WTE- Images html Report Sample:
Pag. 43
ADVANCED CONFIGURATION
10 Correcting database ERRORS.
Check that WTE USB Stick as letter Y assigned:
a)
Click File > Database info:
b)
If not
Check if the path to database is Y:\Programs\Locate32\Database\files.dbs
Click Tools > Settings
Chose Databases tab.
a)
Select WTE database, click Edit.
Pag. 44
b)
At File field change Y for the letter assigned to WTE USB Stick.
If you want to search other volumes then

the local ones check Custom
Then check the other volumes to index
This is an essential procedure if you mount

any disk after this application is already
running (e.g.,: searching external disks or
USB Pen drives).
c)
Click File > Update Databases [F9] in order to update the database and allow searches on that
disk.
Pag. 45

11 Configure Presets
Define all the options in order to perform your searches as you want and:
a)
Click Presets > Save Preset
b)
Save it over an old name or give it a new name.
Pag. 46

12 Restore application with its default configurations including preconfigured searches (Presets).
Close the application clicking File > Exit:

Run Restore Locate32.exe at WTE Stick Utilities folder or Restore Search 2 (Locate32) at Utility on
Portable Menu:
At Utilities folder from WTE run:

Restore Locate32.exe
or
At Utilities from WTE Portable Menu run:
Restore Search 2 (Locate32)
Pag. 47
MORE HELP
13 Click ? at Advanced tab for help.
14 Click Help > Help Topics on main menu bar for help.
Pag. 48
http://www.mythicsoft.com/agentransack
SEARCH 3
(Agent Ransack)
1 Application start screen.
SEARCHING
2 Search configuration
Main tab:
a)
File name: Type searching terms on file names or extensions.
You can search multiple terms at once separating them with a ; (semicolon).
Search 3 (Agent Ransack) - WTE 2013
Pag. 49

b)
Not: If checked the file name criteria specifies files to EXCLUDE from the search.
c)
Containing text: Specifies the contents to find in the files for a content search.
d)
Match Case: Click Aa to change state, if on the file name matching should be case-sensitive.
e)
Look in: specifies a single or multiple locations to search.
f)
You can specify multiple locations to search separating them by; (semicolon).
Pag. 50

g)
Subfolders: if unchecked will be searched only files located in the Look in folder; if checked,
subfolders will be searched to.
h)
Browse for multiple folders button provides a great mechanism to select the folders to search.
Select the desired folder and click Add
1. You can chose among recent folders

2. Enter each folder on a separate line
3. Browse for selecting a folder to search
i)
Size (kb): You can delimit the size of files to search
j)
Modified (After/Before): search by file modified date
k)
To activate the date criteria click on the Calendar and select date/time
Pag. 51
Options tab:
a)
File name: Changes the way to search using the expression typed on the field with the same name
at Main tab:
Regular Expression (If checked the file name should be treated as a regular expression)
Match Case (If checked the file name matching should be case-sensitive)
Specifies NOT expression (If checked the file name criteria specifies files to EXCLUDE from the
search)
b)
Contents:
Regular Expression
Match Case
c)
Enhanced Document Search:

Additional functionality for enhanced text extraction on PDF and Office files
With regular expression check if using a normal DOS expression at Main/File name (e.g.: *.doc; *.jpg)
will be displayed an error message:
Using regular expressions for the same criteria you should use \.(doc|jpg)$
Pag. 52
Dates tab: You can search for other date criteria:

a)
b)
c)
Modified (After/Before)
Created (After/Before)
Last Accessed (After/Before)
3 Starting to search
a)
Start [F5]: When all configurations are as needed just click to start.
b)
Stop [Ctrl+F5]: You can stop when you need.
4 Using preconfigured searches

a)
Click File > Open Criteria [Ctrl + O]:
Pag. 53

b)
Browse to the folder Y:/Utilities/Search Criteria and double click on the .srf file you wish to use.
c)
Just click Start.
VIEWING THE RESULTS

5 Sort search results
a)
Click View > Sort by:
File name
Location
Size
Type
Date
Pag. 54

b)
Click column headers to sort results.
SAVE SEARCH RESULTS

6 Select the relevant results
7 Save the results

a)
Right click on the selected results and chose Export Results.
Pag. 55

b)
Or on main menu click File > Export Results.
c)
Or click the icon Export results.
d)
Export search report into folder Evidence\Relevant Searches.
Check Selected files in order to export just the selected results for the report.
Pag. 56
IMAGE VIEWER
(XnView)
http://www.xnview.com
1 Start screen
2 Click File > Open browse and select the image you want to open.
Most image files are associated so that clicking on the file at Windows Explorer this application
will open it automatically.
3 On Tools > Search [ Ctrl + F ] or click de icon, to search images.
4 Will open a new windows for Search configuration, you can configure:
a)
Filename
Insert Filename (or part of it) or leave it blank
Image Viewer (XnView) - WTE 2013
Pag. 57
b)
Look in
c)
Include subfolders.
d)
Wole word only
e)
More Options to restrict the searches
Insert where to Look in or click the button and browse

to the Folder
You can delimit file to search by Size
You can delimit file to search by:

Date modified
File Format
Pag. 58
You can delimit file to search by:

Width and Height
Configure All fields; Comment; Description
You can search at IPTC and EXIF fields
f)
g)
By default will search Volume C for
All image files
with more than 10 Kb size
Just click Search to start
Pag. 59
h)
You could Stop any time
i)
Click Browse to continues
5 Results will be displayed and you can see them as thumbnails
Pag. 60
6 Select relevant images and click Create > Web Page or the button
7 Will open a new windows displaying Report configuration

Dont change Template Folder location and Template.
Insert Title and Header as you like.

The other options proved to create a nice report so its
advised to keep it as they are
By default Report will be saved at

..\..\Evidence\Relevant Images
If more than one Report save it under a
subfolder
Pag. 61
8 If configuration is ready just click Create
9 Will be created three folders named Images, Thumbnails and nav and an html file named thumb.html, all
making part of the report, clicking on thumb.html you could see the report on the browser.
Pag. 62
Pag. 63
http://www.irfanview.com
IMAGE VIEWER (ALTERNATIVE)

(Irfan View)
1 Start screen
2 Click File > Open browse and select the image you want to open.
Most image files are associated so that clicking on the file at Windows Explorer this application
will open it automatically.
3 On File > Thumbnails [ T ] a box will open and fill with thumbnails of the images in the directory.
Image Viewer Alternative (Irfan View) - WTE 2013
Pag. 64
SEARCHING
4 Click File > Search Files [ Ctrl + F ] for searching images and a dialog with search options opens.
j)
Filename pattern: Type the name or extension of the files to look for.
Is only allowed one term at a time (e.g.:)

* or *.*
Search all files, all extensions
*.jpg
Find only for files with the JPG extension
123*.jpg
Find only JPG type files with 123 at name begin
*123.jpg
Find only JPG type files with 123 anywhere in the name
Image
Find only files which contain text image in the name
Pag. 65
k)
Search in: Specify the location where to search.
l)
Browse: Browse for the volume or folder where to search.
m) Search subfolders: Check in order to search also subfolders from specified volumes or folders.
Pag. 66
n)
Date between: Check and specify dates to search.
o)
Find text: Insert text to look for on files metadata.
p)
Look in: Check the data type you want to search for the text.
IPTC data
EXIF data
Comment data
If you just want to check the existence of EXIF and/or

IPTC and/or Comment data in a file, write as text a
single * character.
5 Click Start search.
Pag. 67

6 If you think you have enough results Stop the search any time and check them.
VIEW THE RESULTS

7 You can Sort files clicking the proper button.
Pag. 68

8 Click Show in Thumbnail [ T ] to view and select the relevant images
a)
With mouse over the thumbnail will be displayed image basic information:
9 Clicking twice the thumbnail will open the image full size.
Pag. 69

a)
Click icon i to obtain complete image information.
b)
* indicates existing information.
You can find and view:

Exif metadata
IPTC metadata
Comment
Pag. 70
SAVE SEARCH RESULTS

10 Select relevant results to export.
a)
Right click over one of the

selected thumbnails
11 In order to export the results chose.

Save selected thumbs as HTML file...
Pag. 71

12 Create HTML report configuration .
a)
Most of the fields are already preconfigured:

Report file name do ficheiro: dont forguet the
extension.html
Destination folder: Y:\Evidence\Relevant Images
Thumbnails subfolder: Thumbnails
Images subfolder: Images
Create thumbs without frame/border: Checked
HTML templates location: Dont change
Copy original images: Recommended
Report Title
Number of columns with thumbnails: recommended
2 (if not dont forget to change)
Information to display in the report bellow thumbnail

for to each image.
Info text alignment for each image.
Click Help to see available placeholders for
file/image properties to include as information.
Pag. 72

13 Generated report location
14 Exported files location

a)
Exported original images: Y:\Evidence\Relevant Images\Images
b)
Exported images thumbnails to be used in the report: Y:\Evidence\Relevant Images\Thumbnails
Pag. 73

15 HTML Report example
a)
You could right click on the report and edit the html file with MS Word:
b)
At MS Word you could select the table and copy it into another Word document (e.g..: a more
elaborated report)
Pag. 74
http://www.ext2fsd.com
LINUX VOLUMES MOUNT

(Ext2Mgr)
1 In WTE main menu click All Programs > Linux & Mac > Linux Volumes Mount.
2 Ext2 Volume Manager will display all disks and partitions, mounted or not.
3 Select the partition to mount, right click and chose Change Drive Letter [ F4 ].
Search Linux & Mac (Linux Reader) - WTE 2013
Pag. 75

4 Click Add select a drive letter, a way to mount, click OK and Done.
The volume will be mounted and the Explorer will now displayed a new volume with the selected letter assigned.
Pag. 76
http://www.diskinternals.com/linux-reader/
SEARCH LINUX & MAC

(LinuxReader)
1 In WTE main menu click All Programs > Linux & Mac > Search Linux & Mac.
Linux Reader will display all volumes, and physical drives, mounted or not:
2 Double click or right click on the volume and select Open partition to browse its content.
Pag. 77

3 In top menu click View to change the appearance, by default will be displayed the full path to the selected file
and a preview.
Preview
Full Path
4 To search chose Commands > Search [ Ctrl F ] or click the proper icon
5 On the left panel configure your searches then click Search.
Click to expand
Pag. 78
Type part of the name,

For a type of file use: *.ext
Multiple searches is not allowed
Text inside a file
Chose where to Look in
Select Date Modified
Select File Size
What to search
6 Clicking a hit automatically will show the full path and a quick preview on the bottom of right panel.
Pag. 79

7 You can change the appearance of the results clicking the proper icon
8 Selecting a hit automatically will be showed the full path and a quick preview on Preview Panel.
9 Right click on Preview Panel and chose how to preview.
Pag. 80

10 At Details in left panel, click on the preview to open a Large Preview.
11 Searching for files containing the typed text inside, and previewing file content.
Pag. 81

12 You can click Cancel and stop the search job any time to check the results.
13 To open Folders Panel and browse folders chose View > Folder Tree or click the proper icon
14 To export evidence files select the relevant ones right click and chose Save.
Pag. 82

15 Click Next and Browse for destination folder, preferably chose Y:\Evidence\Relevant Files.
a)
Click Next:
Pag. 83

b)
Confirm the files to save and click Next:
c)
Just click Finish:
Pag. 84
http://www.mitec.cz/mailview.html
MAIL VIEWER
(Mitec Mail Viewer)
1 In WTE main menu click All Programs > Mail > Mail Viewer.
DBX, EML, MSG files are associated so that clicking on the file at
Windows Explorer this application will open it automatically.
2 Just select the type of mail file to view browse to its location and click OK.
Mail Viewer (Mitec Mail Viewer) - WTE 2013
Pag. 85
http://www.nucleustechnologies.com/ost-viewer.html
OST VIEWER
(Kernel OST Viewer)
1 In WTE main menu click All Programs > Mail > OST Viewer.
OST files are associated so that clicking on the file at Windows

Explorer this application will open it automatically.
2 Search or Browse and select the Source OST File and click OK.
3 Once opened the OST you can navigate in a similar manner as MS Outlook:
The content of HTML messages probably wont be properly showed
OST Viewer (Kernel OST Viewer) - WTE 2013
Pag. 86
PST VIEWER
http://www.nucleustechnologies.com/pst-viewer.html (Kernel Outlook PST Viewer)
1 In WTE main menu click All Programs > Mail > PST Viewer.
PST files are associated so that clicking on the file at Windows

2 Search or Browse and select the Source PST File and click OK .
3 Once the PST opened you can navigate in a similar manner as MS Outlook.
The content of HTML messages probably wont be properly showed
PST Viewer (Kernel Outlook PST Viewer) - WTE 2013
Pag. 87
http:// holger.winbuilder.net
NETWORK MOUNT (WTE Maxi only)

(PE Network Manager)
1 In WTE main menu click All Programs > Net > Network Mount.
2 Network Manager will scan for devices.
3 Select the Network Adapter to use.
Network Mount (PE Network Manager) - WTE 2013
Pag. 88

4 If the Network Adapter you want to use is missing you must install drivers for LAN or WLAN.
(See WTE Support Chap. 6: how to install Drivers)
After force scanning for new devices and click the icon to refresh adapters list:
5 Type an IP address or obtain it automatically.
Pag. 89

6 For a WIFI connection select the proper Network Adapter and click on the WIFI tab.
7 Double click on one of the available connection and insert the wireless key if needed.
8 A task bar icon will appear and you will be able to control the connection state.
Pag. 90
REMOTE OVER INTERNET (WTE Maxi only)

http://www.ammyy.com/en/admin_features.html
(Ammyy Admin)
1 In WTE main menu click All Programs > Net > Remote over Internet.
2 If you are acting as Client inform your ID to the Operator who intent to connect to you.
3 If you are acting as Operator type the Client ID and click Connect.
4 The Client have to Accept [A] the connection.
Wont be necessary any other configurations
the operator can now control your system over internet
5 If both connected to the same network or using static IPs

use IP instead of ID .
Remote over Internet (Ammyy Admin) - WTE 2013
Pag. 91
http://blog.x-row.net/?cat=4
REMOTE (WTE Maxi only)

(TrueRemote)
1 In WTE main menu click All Programs > Net > Remote.
2 For this connection Server must be using static IP or in the same network as Client.
3 If you are acting in ServerMode inform your IP to who is intent to connect to you and click OK .
4 If you are acting in ClientMode type the IP from the server you want and click OK.
Remote (TrueRemote) - WTE 2013
Pag. 92
If you need an encrypted connection or sound capture use Brynhildr in a similar way.
http://blog.x-row.net/?cat=9
5 Shouldnt be necessary any other configurations and the Client can access and control the Server system.
Remote (TrueRemote) - WTE 2013
Pag. 93
WTE OFFICE
(Office Tools)
1 A regular MS Windows Calculator.
2 The well-known Internet Explorer.
HTM and HTML files are associated so that

clicking on the file at Windows Explorer this
application will open it automatically.
3 Notepad2 in substitution of the traditional Notepad.
www.flos.freeware.ch
TXT files are associated so that clicking on the

file at Windows Explorer this application will
open it automatically.
Office - WTE 2013
Pag. 94

4 With Open Office read and create office files (including MS Office) .
www.openoffice.org
CAUTION if you open a file and considerer it evidence DO NOT Save

it or Save As to your WTE Evidence Folder it will change file
Metadata
Rader you should open an explorer window and copy the file directly
to your Evidence Folder.
Most office file types are associated

so that clicking on the file at Windows
Explorer this application will open it
automatically.
5 With PDF Reader (Foxit Reader) read and create PDF file types.
www.openoffice.org
PDF files are associated so that clicking on the file at

Office - WTE 2013
Pag. 95
6 The old MS Wordpad to read and create plain text or RTF files.
RTF files are associated so that clicking on the file at Windows

Office - WTE 2013
Pag. 96
P2P (WTE Maxi only)

(P2P Tools)
1 View and export the content of eMule known.met files.
www.gaijint.at
Known.Met files are associated so that clicking on the file at

Click Open on the menu and select the known.met file:
You can use Search 1 to easily find known.met files:
On Search 1 results window Right click on the file and chose Open:
Or on explorer window select the file and click open (or double click):
P2P (eMule Met Viewer) - WTE 2013
Pag. 97

You can see all about the files that have been downloaded and shared by the eMule client:
Select relevant results and export them clicking the icon, or File > Export selected [Ctrl + Shift + E] on menu:
You can also export all items:
P2P (eMule Met Viewer) - WTE 2013
Pag. 98
WTE SUPPORT
(WTE Support Tools)
1 CD Burning Tool (ImgBurn).
www.imgburn.com
2 Compressed Files (7-Zip).
www.7-zip.org
Most compressed files are associated so that clicking on the file at Windows
WTE Support (WTE Support Tools) - WTE 2013
Pag. 99
3 Files Hash (HashMyFiles).
www.nirsoft.net
Add the files or folders to calculate hashes:

Select File > Add Files [F2] or File > Add Folder [F3] on menu;
Clicking icons
Or simply by drag and drop
Pag. 100

Automatically the application will calculate the hashes:
On menu chose View > Chose Columns to select the ones to make visible:
To export results chose View > HTML Report All Items on menu.
Or select the relevant ones and on menu chose View > HTML Report Selected Items:
Pag. 101

Or choosing File > Save Selected Items [Ctrl + S] on menu you can save the results as plain text file:
4 Mount Virtual Disks.
http://www.ltr-data.se
Most Virtual DiIsk files are associated so that clicking on the

file at Windows Explorer this application will open it
automatically.
Pag. 102

Click Mount new or chose File > Mount new virtual disk [Alt + N] on menu.
Browse for the image file to mount:
Or without opening the application

in explorer window you can double click
on the image file:
Pag. 103

With image file selected click OK.
The virtual volume will be mounted:
To unmount virtual disk just select it:
And click Unmount.
Pag. 104

5 Screen Capture.
http://www.faststone.org
6 Drivers.
Chose Driver to install
Browse and select the folder with Drivers to install

At WTE USB stick: Y:/DriverPaks/
example installing Wlan Drivers:
Pag. 105

With the folder selected click GO
Click Next to start installing
Click Finish to complete installation
Install all DriverPacks
Automatically will install all Drivers at WTE USB stick: Y:/DriverPaks/
Pag. 106
Use Drivers from Host OS
Click: OK to automatically search and install Drivers from Host OS
7 System.
Command Prompt
Keyboard Switch
With [Ctrl +Tab] or clicking the icon on taskbar you can scroll through the available keyboards and select another
one to use.
Right click on taskbar Icon, chose Preference and you can add more keyboards
Pag. 107
Use [Left Alt +Shift + Letter] to change for another input language:
Letter Swap
(See SYNCHRONIZE LETTERS Topic)
Pag. 108
System Lock
(See SYSTEM STARTUP Topic - Chap. 7: screen locked )
Windows Disk Management
Do not change anything you could be writing on evidence disks.

Use it just to take a screenshot for easier disks and partitions
visualization
8 Tools.
Disk Mount
(See SYSTEM STARTUP Topic Chap. 3: WinFE Write Protect Tool )
Pag. 109
FTK Imager
Image Viewer (IrfanView)

(See IMAGE VIEWER Topic)
Open Other Files
If you dont know how to open a file try using this application.
CAUTION if you open a file and considerer it evidence DO NOT use Save or Save As to your WTE Evidence
Folder cause it will change file Metadata
Rader you should open an explorer window and copy the file directly to your Evidence Folder.
Pag. 110
System Report (Registry Report)
(See SYSTEM REPORT Topic)
Video Frames
Select the action to take:

- Extract frames from a single video;
- Extract frames from all videos in a folder,
You could include the ones in subfolders;
- Just Generate a Report from,

all video in folder WTE-Video_Report;
a single video;
In both cases you should have some
images in the folder.
After clicking single video button

you will be asked to select a file to process:
Pag. 111

After clicking all videos in a folder button you will be asked to select a folder to process:
- Select the extraction mode:

A number of frames for each video file
An interval to extract each frame
- Insert Thumbnails width
- Option to copy original files
- After extraction mode configured click Next.

If the first option was the one selected and the
video duration is unknown you will be prompted
to insert an interval in seconds to extract frames.
During extraction will be shown a progress bar.

Pag. 112
- Report Configuration:
Insert a Title
Insert a Sub-Title
Insert column number (default: 3)
Insert Thumbs width (default: 300px)
Chose information to include from video file:
- MD5 Hash
- SHA1 Hash
- Last Modified Date
- Created Date
- Last Accessed Date
- Click Generate Report
- Before report generation you can visuali verify and

chose the frames to include in the report.
An explorer windows will open at extracted_frames folder
Browse for video frames and delete the one you

dont want to include in the report.
For better visualization you could use:
[Ctrl+F1] to collapse the ribbon
[Shift+Ctrl+1] to show very big thumbnails
Then click Generate Report
Pag. 113

If you just want to generate a report from images
already extracted, select generate report from:
- All frames existent at WTE-Video_Report
or
- Frames extracted from a unique video
(the last option will prompt you to select the folder
with the extracted frames to include in the report)
Then click Generate Report button.
Then you will be redirected to Report Configuration window.
You can stop any time cliquing Exit button

or just clicking [Esc]
You will be prompted to confirm:
This tool will create a folder named WTE-Video_Reportcontaining:

- One sub-folder with the name of the video, if is a repeated name then date/time will be added.
Inside each video folder:
extracted_frames folder with the images from de videos
nav folder with support files,
original_files.info with the name and location of the processed file, hashes and dates
Report.html showing the frames extracted form the videos
Original video file if that option was checked
Pag. 114
original_files.info sample:
Report.html sample:
Pag. 115

You can also use IMAGE VIEWER (Irfan View) to select and create a quick HTML report with the extracted frames
Open Image Viewer, click Thumbnails an navigate into the corresponding frames folder
Chose the relevant frames right click on one of them and chose Create HTML Report
Give a name to the HTML file

Indicate Destination Folder
Give a page Title
Select Columns quantity
Deselect Write file info text
Click Start
Pag. 116

Quickly configure Create HTML report for video frames report clicking Utilities > Restore VideoFrames Report
for IrfanView at Portable Start Menu(this should be done with IrfanView closed)
Quickly restore Create HTML report configuration for images report clicking Utilities > Restore Images Report
for IrfanView at Portable Start Menu (this should be done with IrfanView closed)
Video Viewer (VLC)
Drag and Drop supported.

Most video files are associated so that clicking on the file at
Pag. 117
WTE USB STICK

(USB stick content)
1 Standard WTE USB Stick content
Pag. 118

WTE Manual

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

WTE Manual

Uploaded by

Copyright:

Available Formats

2014

Windows Triage Environment (WTE)

SYSTEM STARTUP .................................................................................................................................................................. 6

(MOUNTING DISKS WRITE PROTECTED) ........................................................................................... 6

SYNCHRONIZE LETTERS ........................................................................................................................................................ 13

(REGISTRY REPORT) ................................................................................................ 14

System Startup - WTE 2013

Windows Triage Environment (WTE)

(LOCATE 32) ................................................................................................................................. 33

(AGENT RANSACK) ................................................................................................ 49

IMAGE VIEWER .................................................................................................................................................................... 57

IMAGE VIEWER (ALTERNATIVE) ........................................................................................................................................... 64

Windows Triage Environment (WTE)

(IRFAN VIEW) ............................................................................................................................... 64

LINUX VOLUMES MOUNT .................................................................................................................................................... 75

SEARCH LINUX & MAC ......................................................................................................................................................... 77

MAIL VIEWER ...................................................................................................................................................................... 85

(MITEC MAIL VIEWER) ..................................................................................................... 85

OST VIEWER ........................................................................................................................................................................ 86

System Startup - WTE 2013

(KERNEL OST VIEWER) ....................................................................... 86

Windows Triage Environment (WTE)

(KERNEL OUTLOOK PST VIEWER).......................................................... 87

NETWORK MOUNT (WTE MAXI ONLY) ................................................................................................................................. 88

(PE NETWORK MANAGER) .......................................................................................................... 88

REMOTE OVER INTERNET (WTE MAXI ONLY) ....................................................................................................................... 91

(AMMYY ADMIN) ....................................................................................... 91

REMOTE (WTE MAXI ONLY) ................................................................................................................................................. 92

WTE OFFICE ......................................................................................................................................................................... 94

Windows Triage Environment (WTE)

System Startup - WTE 2013

Windows Triage Environment (WTE)

5 An alert message will be presented after startup

6 WinFE Write Protect Tool Management Console will be displayed

System Startup - WTE 2013

Windows Triage Environment (WTE)

Check that evidence disks are in

System Startup - WTE 2013

Windows Triage Environment (WTE)

Check that you selected the

With the WTE USB Stick selected click

System Startup - WTE 2013

Windows Triage Environment (WTE)

Click Continue to start-up

If using this application later, you can use it after

10 Initial screen locked waiting for password

System Startup - WTE 2013

Windows Triage Environment (WTE)

If you see this warning it means

12 WTE System Main Menu Start

System Startup - WTE 2013

Windows Triage Environment (WTE)

System Startup - WTE 2013

Windows Triage Environment (WTE)

System Startup - WTE 2013

Windows Triage Environment (WTE)

The letter X will automatically be assigned to boot virtual volume.

2 Click 1 Letter Swap

Synchronizer Letters - WTE 2013

Windows Triage Environment (WTE)

1 From target Operating System copy the registry files

System Report (Registry Report) - WTE 2013

Windows Triage Environment (WTE)

C:\Documents and Settings\USERNAME\NTUSER.DAT (for Windows XP Operating System)