{"id":864,"date":"2012-09-23T20:49:58","date_gmt":"2012-09-23T17:49:58","guid":{"rendered":"http:\/\/saisa.eu\/blogs\/Guidance\/?p=864"},"modified":"2012-09-23T20:49:58","modified_gmt":"2012-09-23T17:49:58","slug":"wintaylor-forensics-tools-on-usb-stick","status":"publish","type":"post","link":"https:\/\/saisa.eu\/blogs\/Guidance\/?p=864","title":{"rendered":"WinTaylor, forensics tools on USB stick"},"content":{"rendered":"<p><a href=\"http:\/\/www.caine-live.net\/page2\/page2.html\">WinTaylor<\/a> is a collection of tools for analyzing or troubleshooting a PC. WinTaylor itself is a GUI launchboard for several other tools.<\/p>\n<p>Positive:<\/p>\n<ul>\n<li>No installation needed, just execute from USB<\/li>\n<li>Overall, a good collection (NirSoft, Sysinternals, etc.)<\/li>\n<li>Source code available<\/li>\n<\/ul>\n<p>Note that there are other free (and open source) tools and utilities in this area; what WinTaylor adds is a useful selection packaged in a convenient, portable form (USB).<\/p>\n<p><a href=\"http:\/\/saisa.eu\/blogs\/Guidance\/wp-content\/uploads\/2012\/09\/wintaylor.jpg\"><img loading=\"lazy\" alt=\"Wintaylor\" src=\"http:\/\/saisa.eu\/blogs\/Guidance\/wp-content\/uploads\/2012\/09\/wintaylor-small.jpg\" width=\"450\" height=\"331\" \/><\/a><\/p>\n<p>From the CAINE <a href=\"http:\/\/www.caine-live.net\/index.html\">site<\/a>:<\/p>\n<blockquote>\n<p><a href=\"http:\/\/www.caine-live.net\/index.html\">CAINE<\/a> (Computer Aided INvestigative Environment) is an Italian GNU\/Linux live distribution created as a project of Digital Forensics.<\/p>\n<p>The distro is open source, and the Windows side (WinTaylor) is open source.<\/p>\n<p><a href=\"http:\/\/www.caine-live.net\/page2\/page2.html\">WinTaylor<\/a> is the new forensic interface built for Windows and included in the CAINE Live CD.
It is written in Visual Basic 6 to maximize compatibility with older Windows systems, and provides an internal set of well-known forensic programs.<\/p>\n<p>WinTaylor proposes a simple and complete forensic software integration and inherits the design philosophy of CAINE.<\/p>\n<\/blockquote>\n<p><strong>Installation<\/strong><\/p>\n<p>WinTaylor is included in the <a href=\"http:\/\/www.caine-live.net\/page5\/page5.html\">NBCAINE<\/a> image (CAINE for NoteBook). The image can be written to a USB stick with the <a title=\"Win32 Disk Imager, Tool to write image into a bootable USB\" href=\"http:\/\/saisa.eu\/blogs\/Guidance\/?p=855\">Win32 Disk Imager<\/a> tool.<\/p>\n<p><strong>List of Tools<\/strong><\/p>\n<p>The table below lists the tools that can be launched from the GUI, together with the path of each executable on the stick.<\/p>\n<table border=\"0\">\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"18\" width=\"130\" align=\"left\">System Info<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" width=\"265\" align=\"left\">\\Programs\\tools\\msi.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"18\" align=\"left\">FTK Imager<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\imager\\ftkimager.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"18\" align=\"left\">Hex Editor<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\hexedit.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"18\" align=\"left\">USB Write
Blocker<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\usbwriteprotect.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"18\" align=\"left\">Hash Calculator<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\tools\\nirsoft\\HashMyFiles.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"17\" align=\"left\">WinAudit<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\winaudit.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"17\" align=\"left\">PC On\/Off<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\pctime\\pconofftime.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"17\" align=\"left\">Photorec<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\photorec_win.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"17\" align=\"left\">USB Devices<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\tools\\nirsoft\\usbdeview<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" 
height=\"17\" align=\"left\">Take a snapshot<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\MWSnap.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"17\" align=\"left\">DriveManager<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\tools\\Driveman.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"17\" align=\"left\">Whois<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\whoistd.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"17\" align=\"left\">RAM Dump<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\ram\\<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"17\" align=\"left\">File Analyzer<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\tools\\wfa.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"17\" align=\"left\">NirSoftMegaReport<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\tools\\nirsoft\\nmr.bat<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" 
height=\"17\" align=\"left\">Testdisk<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\testdisk_win.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"17\" align=\"left\">Lan Scanner<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\als\\PortScan.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"17\" align=\"left\">Recuva<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\tools\\cygwin\\recuva.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" height=\"17\" align=\"left\">More Tools<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">\\Programs\\tools<\/td>\n<\/tr>\n<\/table>\n<p>In addition, there are more utilities behind the &#8220;More Tools&#8221; button. 
Some of them are listed in the table below.<\/p>\n<table border=\"0\">\n<tr>\n<td height=\"18\" align=\"left\"><\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" align=\"left\">\\Programs\\tools\\Cygwin:<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">Date, dd, dos2unix, file, hexedit, hostname, less<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" align=\"left\"><\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" align=\"left\">\\Programs\\tools\\fau:<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">dd, volume_dump, wipe, netcat<\/td>\n<\/tr>\n<tr>\n<td height=\"34\" align=\"left\"><\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" align=\"left\">\\Programs\\tools\\nirsoft:<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">CurrPorts, DevManView, IECookiesView, IEHistoryView, InstalledCodec,<br \/>\nProcessActivityView, ProduKey, RecentFilesView, ServiWin<\/td>\n<\/tr>\n<tr>\n<td height=\"34\" align=\"left\"><\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" align=\"left\">\\Programs\\tools\\sysinternals:<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">Desktops, Process Explorer, Process Monitor, Pstools: pslist, psinfo \u2026,<br \/>\nRam map, Rootkitrevealer, TCPview, Vmmap<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" align=\"left\"><\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid\" 
align=\"left\">\\Programs\\tools\\unxutils:<\/td>\n<td style=\"BORDER-BOTTOM: #000000 1px solid; BORDER-TOP: #000000 1px solid; BORDER-RIGHT: #000000 1px solid\" align=\"left\">Bunzip2, grep, Wget<\/td>\n<\/tr>\n<\/table>\n<p><strong>Examples<\/strong><\/p>\n<p>NirSoftMegaReport produces an HTML report, which is easy to browse; see below:<\/p>\n<p><a href=\"http:\/\/saisa.eu\/blogs\/Guidance\/wp-content\/uploads\/2012\/09\/wintaylor-nirsoftmegareport.jpg\"><img loading=\"lazy\" alt=\"Wintaylor-nirsoftmegareport\" src=\"http:\/\/saisa.eu\/blogs\/Guidance\/wp-content\/uploads\/2012\/09\/wintaylor-nirsoftmegareport-small.jpg\" width=\"450\" height=\"818\" \/><\/a><\/p>\n<p>WinAudit screenshot:<\/p>\n<p><a href=\"http:\/\/saisa.eu\/blogs\/Guidance\/wp-content\/uploads\/2012\/09\/wintaylor-winaudit.jpg\"><img loading=\"lazy\" alt=\"Wintaylor-winaudit\" src=\"http:\/\/saisa.eu\/blogs\/Guidance\/wp-content\/uploads\/2012\/09\/wintaylor-winaudit-small.jpg\" width=\"450\" height=\"300\" \/><\/a><\/p>\n<p>Process Monitor screenshot:<\/p>\n<p><a href=\"http:\/\/saisa.eu\/blogs\/Guidance\/wp-content\/uploads\/2012\/09\/wintaylor-processmonitor.jpg\"><img loading=\"lazy\" alt=\"Wintaylor-processmonitor\" src=\"http:\/\/saisa.eu\/blogs\/Guidance\/wp-content\/uploads\/2012\/09\/wintaylor-processmonitor-small.jpg\" width=\"450\" height=\"181\" \/><\/a><\/p>\n<p>Note that the functionality of a WinTaylor-style launchboard could also be built with a GUI automation tool such as <a title=\"Autoit, Tool for automating GUI tasks\" href=\"http:\/\/saisa.eu\/blogs\/Guidance\/?p=33\">AutoIt<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WinTaylor is a collection of tools for analyzing or troubleshooting a PC. WinTaylor itself is a GUI launchboard for several other tools. Positive: No installation needed, just execute from USB Overall, a good collection (NirSoft, Sysinternals, etc.)
Source code available &hellip; <a href=\"https:\/\/saisa.eu\/blogs\/Guidance\/?p=864\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17,49],"tags":[],"_links":{"self":[{"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/posts\/864"}],"collection":[{"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=864"}],"version-history":[{"count":0,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/posts\/864\/revisions"}],"wp:attachment":[{"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=864"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=864"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=864"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}