One of the common requests we get for Magnet OUTRIDER is for it to be on a bootable device, so that with powered off machines, you can boot into a secure environment to run the tool (and other tools like Magnet ACQUIRE). Because OUTRIDER is a Windows-based tool, we can’t prepackage it for you on a USB drive that has a free Linux OS on it and is bootable, but there is a way you can do this yourself with just a few steps using something called Windows-To-Go.
What You’ll Need
- Your OUTRIDER dongle and/or a high-speed USB3 external drive (ideally an SSD)
- Please note: For this method to work well, Windows-To-Go needs to be installed to a high-speed device. The OUTRIDER dongle you receive from Magnet Forensics is a high speed USB3 flash drive, but flash drives generally won’t be suitable for this environment. If you want to have everything on one drive (recommended), you’ll need to purchase the software-only license for OUTRIDER and license it to your own high-speed USB/SSD drive.
- Rufus (free and open source USB tool)
- A Windows 10 ISO file (if you don’t have one, this can help: https://www.microsoft.com/en-ca/software-download/windows10)
You should also have the proper Microsoft licensing in place at your organization for you to do this.
Before we get started, it’s important to talk a bit about Windows-To-Go. What is it? This page provides a full overview, direct from Microsoft.
Essentially, Windows-To-Go is a Windows workspace that can be booted from a USB drive and because of that, it is very portable. It’s important to note as a disclaimer that Windows-To-Go is no longer supported by Microsoft as of version 2004 of Windows 10. You can continue to use Rufus to make Windows-To-Go but it won’t be an officially supported feature. Some may find this discomforting, but if you think about how many folks still use WinPE/WinFE out there and the far greater limitations of those environments, this feels like a much more modern and recent option to utilize.
Let’s Get Started!
- First step is to backup all the files on your OUTRIDER dongle to a folder on your computer (can just be anywhere, e.g. a folder on your desktop) – copy all the files and folders from the dongle to that folder.
- Next, download Rufus (https://rufus.ie/) if you haven’t already. You’ll also need to make sure you have the Windows 10 ISO file handy for the next steps.
- Run Rufus and configure the following options:
  - Device: Make sure this is pointing at your OUTRIDER dongle/high-speed external drive
  - Boot selection: Disk or ISO image
    - Click the SELECT button next to this option and browse to your Windows 10 ISO file
  - Image option: Windows To Go
  - Volume label: Win2Go (or something that will make it clear this is the Windows To Go USB)
  - Everything else can be left on the defaults, unless you’re an advanced Rufus user and want to customize anything. Your Rufus window should look something like this:
- Click START and let Rufus do its thing. If you get a pop-up asking you to select the version of Windows you want to install, Windows 10 Pro is probably your best option.
(This part can take a while, so now would be a good time to grab a coffee or tea.)
- Once Rufus has successfully completed, open up Windows Explorer and browse to the drive you selected. You should see a file structure similar to this:
- Let’s create a folder in the root of the drive called “Tools”.
- If you used the OUTRIDER dongle to create the Win2Go drive, then within this folder, create a folder called “OUTRIDER” and copy all the files & folders you copied from the OUTRIDER dongle in step 1 into this folder. This is where you will run OUTRIDER from when in the booted environment. Otherwise, skip to 6b – you will run OUTRIDER from your OUTRIDER dongle.
- Feel free to put other tools like Magnet ACQUIRE here as well! The great thing is, if they require installation (i.e. are not portable), you can install them like you normally would when we do our initialization boot in step 8 and then they’ll be good to go for future boots.
- An important step is a quick registry edit to ensure that internal drives are not brought online automatically. This keeps internal drives offline and inaccessible until they are brought online manually, which can be done in a read-only manner. You’ll want to run the below commands, replacing “X” with the drive letter of your Windows-To-Go drive.
reg load HKLM\WINTOGO_SYSTEM X:\Windows\System32\Config\SYSTEM
reg add HKLM\WINTOGO_SYSTEM\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 4 /f
reg unload HKLM\WINTOGO_SYSTEM
Note: Read more about the SanPolicy key here. You can change the above “/d 4” to “/d 3” if you want everything kept offline by default, but if you need to plug in a second USB drive (like the OUTRIDER dongle if you didn’t use it to create the Windows-To-Go USB), it won’t mount automatically, so you’ll need to bring it online manually using the Windows diskpart utility.
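The three reg commands above do the job, but they assume ControlSet001 is the control set the USB will boot with and give you no confirmation that the value was written. The following PowerShell script is an added example (not a Magnet Forensics script): it loads the SYSTEM hive from the Windows-To-Go drive, reads the hive’s own Select\Current value to find the active ControlSet00N, writes SanPolicy, reads it back, and then unloads the hive even if something fails. It assumes an elevated PowerShell session and that $WinToGoDrive is the letter Rufus assigned to the USB drive.

```powershell
# Added example: set SanPolicy on the offline Windows-To-Go SYSTEM hive and verify it.
# Run from an elevated PowerShell prompt on the machine where Rufus created the drive.
param(
    [Parameter(Mandatory = $true)][string]$WinToGoDrive,   # assumption: e.g. "E" (no colon)
    [ValidateSet(3, 4)][int]$SanPolicy = 4                 # 4 = OfflineInternal, 3 = OfflineAll
)

$hiveFile = "$($WinToGoDrive):\Windows\System32\Config\SYSTEM"
if (-not (Test-Path $hiveFile)) { throw "SYSTEM hive not found at $hiveFile" }

# Mount the offline hive under a temporary key name (same as the reg load step above).
& reg.exe load HKLM\WINTOGO_SYSTEM $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # Select\Current in the hive root says which ControlSet00N is active at boot,
    # so edit that one instead of assuming ControlSet001.
    $current    = (Get-ItemProperty -Path 'HKLM:\WINTOGO_SYSTEM\Select' -Name Current).Current
    $paramsPath = 'HKLM:\WINTOGO_SYSTEM\ControlSet{0:D3}\Services\partmgr\Parameters' -f $current

    if (-not (Test-Path $paramsPath)) { New-Item -Path $paramsPath -Force | Out-Null }
    Set-ItemProperty -Path $paramsPath -Name SanPolicy -Value $SanPolicy -Type DWord

    # Read the value back and fail loudly if it did not stick.
    $readBack = (Get-ItemProperty -Path $paramsPath -Name SanPolicy).SanPolicy
    if ($readBack -ne $SanPolicy) { throw "SanPolicy read back as $readBack, expected $SanPolicy" }
    Write-Host "SanPolicy = $readBack written to $paramsPath"
}
finally {
    # PowerShell keeps handles to keys it touched; release them or reg unload reports access denied.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload HKLM\WINTOGO_SYSTEM | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; reboot or retry before ejecting the drive" }
}
```

Save it as, for example, Set-WinToGoSanPolicy.ps1 and run it as .\Set-WinToGoSanPolicy.ps1 -WinToGoDrive E (add -SanPolicy 3 for the keep-everything-offline variant). The finally block matters: a hive left loaded keeps the file open on the USB drive, and ejecting it in that state can corrupt the SYSTEM hive you just edited.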
Next, let’s safely eject the USB and take it to a computer where we can do an initialization boot. This process completes the installation of Windows-To-Go on the USB drive and allows us to set up any software we want to have available in that environment. Since OUTRIDER does not require installation, it will be ready to go on the first boot.
Depending on the version of Windows 10 you had on the ISO used with Rufus, the setup screens will differ slightly – it will look similar to what you see when you do a fresh install of Windows on a computer.
Once you’re done working through that, you’ll be logged in and can start to use Windows as you normally would, running and/or installing applications (which will persist for your subsequent startups using the Windows-To-Go USB). Note that your Windows-To-Go USB will be your “C:\” drive, and with no other external drives connected, you won’t see any other drives. Any internal drives will be set to “offline”, which means they can’t be accessed, and the volumes within those drives won’t be mounted. Note: It’s important that drives are marked “read-only” before making them “online” using a tool like the Windows diskpart utility, so that the volumes on the drive that auto-mount are, as a result, also mounted with read-only access only.
That’s it! You now have a USB drive that you can boot from and run OUTRIDER or other tools from when you run into a powered-down computer.
Scanning Drives with OUTRIDER in a Windows-To-Go Environment
When you launch OUTRIDER in a Windows-To-Go environment, it will detect that it is running in that environment and provide a simple Drive Manager to assist in bringing drives online in a read-only state. When you get to the below screen, you’ll see a “Drive Manager” button appear that isn’t normally visible:
Clicking that button will display the Drive Manager window:
Any drives other than the one OUTRIDER is running from will show up in this window, with their online/offline and read-only/writable status. Selecting a drive and clicking the “Mount Selected Drive (Read-Only)” button will run the Windows diskpart tool to make the drive online, ensuring it gets mounted as read-only. If the mounting is successful, you’ll see a message like this:
Click OK and close the Drive Manager window to see the mounted volumes – from there select the volumes you want to scan and continue with configuring your OUTRIDER scan as you normally would.
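Both the read-only note in the initialization-boot section and the Drive Manager description above come down to the same diskpart sequence: set the read-only attribute while the disk is still offline, then bring it online, then confirm the state before trusting it. The function below is an added example (not OUTRIDER’s Drive Manager code) of doing that by hand for one disk, with checks a practitioner would want: it refuses to touch the boot/system disk (the Win2Go USB), skips disks that are already online, and fails if the disk does not come back online and read-only. It assumes an elevated PowerShell session on the booted Windows-To-Go environment and the Storage module that ships with Windows 10.

```powershell
# Added example: bring one internal disk online read-only via diskpart and verify it with Get-Disk.
function Mount-DiskReadOnly {
    param([Parameter(Mandatory = $true)][int]$DiskNumber)

    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber is the boot/system disk (the Windows-To-Go drive); refusing to change it."
    }
    if (-not $disk.IsOffline) {
        Write-Warning "Disk $DiskNumber is already online (ReadOnly=$($disk.IsReadOnly)); leaving it alone."
        return $disk
    }

    # Read-only attribute first, while the disk is offline, then online: this is what makes the
    # volumes auto-mount read-only instead of writable.
    $diskpartScript = @"
select disk $DiskNumber
attributes disk set readonly
online disk
"@
    $scriptFile = Join-Path $env:TEMP "ro-online-disk$DiskNumber.txt"   # assumption: temp file path
    Set-Content -Path $scriptFile -Value $diskpartScript -Encoding ASCII
    try {
        & diskpart.exe /s $scriptFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "diskpart exited with $LASTEXITCODE for disk $DiskNumber" }
    }
    finally {
        Remove-Item -Path $scriptFile -ErrorAction SilentlyContinue
    }

    # Re-read the disk and refuse to report success unless it is both online and read-only.
    $after = Get-Disk -Number $DiskNumber
    if ($after.IsOffline -or -not $after.IsReadOnly) {
        throw "Disk $DiskNumber after diskpart: Offline=$($after.IsOffline) ReadOnly=$($after.IsReadOnly)"
    }
    Write-Host ("Disk {0} ({1}) is online and read-only" -f $DiskNumber, $after.FriendlyName)
    return $after
}

# List the candidate disks (everything except the Win2Go boot drive) with their current state.
Get-Disk | Where-Object { -not ($_.IsBoot -or $_.IsSystem) } |
    Select-Object Number, FriendlyName, Size, IsOffline, IsReadOnly
```

Run the listing first, pick the disk number, then call Mount-DiskReadOnly -DiskNumber 1 (or whichever number it showed). After it returns, Get-Volume shows the volumes that auto-mounted, and Get-Disk -Number 1 | Select-Object IsReadOnly is the quick check that the attribute is still in place before you point OUTRIDER at them.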
Technical Advice Disclaimer
Magnet Forensics is dedicated to engaging with the DFIR community through our blogs and whitepapers. However, properly addressing technological issues often includes numerous variables that require independent assessment and strategies designed for each specific circumstance. Since Magnet Forensics cannot have complete insight into all variables involved in a specific situation, this blog/whitepaper is for informational purposes and should not be read as professional advice recommending techniques or technologies to address your specific situation. We do not accept responsibility for any omission, error, or inaccuracy in this blog/whitepaper or any action taken in reliance thereon.