Wednesday, April 8, 2026

Creating a Fuji/WinFE external drive

This post walks through how to build a combined Fuji Cartridge and WinFE drive, giving you a single setup that can handle forensic imaging for both macOS and Windows systems. Having everything on one device makes it easier to switch between platforms without needing multiple drives or tools.

The focus here is on preparing the external drive, setting up the partitions, and getting the Fuji Cartridge and WinFE in place. By the end, you’ll have a flexible, portable solution that can be used across a variety of imaging scenarios.

Building the WinFE (Windows Forensic Environment) itself isn't covered in this post. If you need help with that piece, you can follow the instructions available at https://www.winfe.net/build.

Bill of Materials (BOM)

Fuji: Forensic Unattended Juicy Imaging
WinFE: Windows Forensic Environment
balenaEtcher

Preparing a Fuji Cartridge drive

Begin with an empty external drive; in this example, a 2 TB device is used.

An elevated Command Line Interface (CLI) session should be opened. From the prompt, run diskpart and press Enter.

Once the DiskPart utility launches, the prompt will appear as follows:

DISKPART>

Execute the following commands in sequence:

Type: List Disk <Enter>
Type: Select Disk X (X being your USB Hard Disk Drive) <Enter>
Type: Clean <Enter>
Type: Create Partition Primary Size = 256 <Enter>
Type: Exit <Enter>

At this stage, the disk layout should appear as follows:

Next, launch balenaEtcher and select Flash from file.

Browse to and select the FujiApp-1.2.0.dmg image file.

Next, Select target.

Choose the appropriate disk and confirm the selection.

Click Flash! to begin the imaging process.

When prompted, confirm by selecting Yes, I’m sure.

Upon successful completion, a confirmation screen will appear. Close the application.

The disk should now reflect the updated structure:

Preparing a WinFE bootable USB Hard Disk Drive

Open another elevated CLI session and launch DiskPart again:

DISKPART>

At the DISKPART> prompt, execute the following:

Type: List Disk <Enter>

Type: Select Disk X (X being your USB Hard Disk Drive) <Enter>

Create an additional partition:

Type: Create Partition Primary Size = 8000 <Enter>

Format the partition:

Type: Format FS=FAT32 Quick <Enter>

Assign a drive letter:

Type: Assign <Enter>

Create a final partition using the remaining space:

Type: Create Partition Primary <Enter>

Format this partition:

Type: Format FS=exFAT Quick <Enter>

Assign a drive letter:

Type: Assign <Enter>

Exit DiskPart:

Type: Exit <Enter>

The disk layout should now appear as follows:

Using File Explorer, right-click the FAT32 partition, select Properties, and assign the volume label WinFE, then click OK.

Next, right-click the exFAT partition, select Properties, and assign the volume label Fuji, then click OK.

The final disk configuration should resemble the following:

Navigate to the WinFE framework package. *Note: Building WinFE is outside the scope of this post.
F:\IntelWinFE\USB\x86-x64\

There should be a number of files and folders within this location (boot, efi, sources, ...).

Copy all of these files and folders to the root of your newly prepared WinFE volume.

Return to the CLI and run the following, replacing <FAT32 volume letter> with the drive letter of the FAT32 volume. Give only the letter followed by the colon; do not include any trailing character after it:

bootsect.exe /nt60 <FAT32 volume letter>: /force /mbr

The following is normal in the output:

Bootcode is only updated on MBR partitioned disks. A different partitioning scheme is used on this disk.
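To show the second DiskPart session as a script rather than typed commands, here is an added example in Python; it is not part of this post and not a Fuji or WinFE tool. It parses a constructed sample of DiskPart's list disk output, refuses to proceed unless exactly one disk matches the expected size (so a typo in Select Disk X cannot wipe the wrong drive), writes the equivalent of the commands above to a script for diskpart /s, and sets the WinFE and Fuji volume labels with format's label= option instead of File Explorer. The function names, the sample output and the dry-run default are assumptions of the example.

```python
"""Added example, not from the original post: build the second-stage DiskPart
script for the WinFE/Fuji layout and confirm the disk number against
'list disk' output first. Helper names and SAMPLE_LIST_DISK are assumptions."""
import re
import subprocess
import tempfile
from pathlib import Path

# Sizes and labels from the post: 8000 MB FAT32 "WinFE", remainder exFAT "Fuji".
WINFE_SIZE_MB = 8000

# Constructed sample of DiskPart 'list disk' output (not real output).
SAMPLE_LIST_DISK = """
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          476 GB      0 B        *
  Disk 1    Online         1863 GB  1862 GB        *
"""

_ROW = re.compile(
    r"^\s*Disk\s+(\d+)\s+(\w+)\s+(\d+)\s+(B|KB|MB|GB|TB)\s+(\d+)\s+(B|KB|MB|GB|TB)", re.M)
_TO_GB = {"B": 1 / 1024**3, "KB": 1 / 1024**2, "MB": 1 / 1024, "GB": 1.0, "TB": 1024.0}


def parse_list_disk(text):
    """Parse 'list disk' rows into dicts with sizes normalised to GB."""
    disks = []
    for m in _ROW.finditer(text):
        num, status, size, size_unit, free, free_unit = m.groups()
        disks.append({
            "num": int(num),
            "status": status,
            "size_gb": int(size) * _TO_GB[size_unit],
            "free_gb": int(free) * _TO_GB[free_unit],
        })
    return disks


def find_target_disk(disks, expected_gb, lo=0.85, hi=1.05):
    """Return the single disk number whose size matches expected_gb (a vendor
    '2 TB' drive reports about 1863 GB), or None when zero or several match."""
    matches = [d["num"] for d in disks
               if lo * expected_gb <= d["size_gb"] <= hi * expected_gb]
    return matches[0] if len(matches) == 1 else None


def build_script(disk_num):
    """DiskPart script equivalent to the post's second session; the labels are
    set with format's label= option instead of File Explorer."""
    return "\n".join([
        f"select disk {disk_num}",
        f"create partition primary size={WINFE_SIZE_MB}",
        "format fs=fat32 quick label=WinFE",
        "assign",
        "create partition primary",
        "format fs=exfat quick label=Fuji",
        "assign",
        "exit",
        "",
    ])


def run_script(script_text, dry_run=True):
    """Write the script to a temp file and hand it to 'diskpart /s'. With
    dry_run=True (the default) nothing is executed; the script path is returned."""
    path = Path(tempfile.gettempdir()) / "winfe_fuji_layout.txt"
    path.write_text(script_text)
    if not dry_run:
        # Needs an elevated session; destructive once this runs.
        subprocess.run(["diskpart", "/s", str(path)], check=True)
    return path


if __name__ == "__main__":
    disks = parse_list_disk(SAMPLE_LIST_DISK)
    target = find_target_disk(disks, expected_gb=2000)
    if target is None:
        raise SystemExit("could not identify exactly one ~2 TB disk; refusing to guess")
    print(build_script(target))
    print("script written to", run_script(build_script(target)))
```

Run it once in dry-run mode and compare the selected disk number with what List Disk shows in your elevated session; only then call run_script(..., dry_run=False) from that same elevated session.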

Optional Fuji Live

If the environment will be used with a live macOS system, copy the universal Fuji DMG file to the Fuji volume.

Friday, December 5, 2025

OneDrive Updates

OneDrive Evolution

OneDrive Evolution has been updated to OneDrive Version 25.228.1120.0001.

OneDrive Evolution

SyncEngineDatabase.db Schema Update

Schema version has been updated to 40. lastProcessedChange has been added to the od_ScopeInfo_Records table.

SyncEngineDatabase Schema v40

SafeDelete.db Schema Update

Schema version has been updated to 10. folderContainsIgnoredItems has been added to the items_moved_to_recycle_bin table.

SafeDelete Schema v10

Thursday, November 20, 2025

Let's Talk About Consent

User Account Control (UAC) is one of Windows' core security features, designed to prevent applications from silently gaining administrative privileges. Most users only see the familiar "Do you want to allow this app to make changes to your device?" prompt, but behind that dialog is a sequence of components working together. Understanding how a simple right-click -> Run as Administrator leads to a secure, isolated elevation flow requires looking at how Windows brokers the request, how it displays the UAC dialog, how it protects sensitive metadata, and how it ultimately launches elevated processes. The following sections break down this flow and introduce ConsentMonitor, a utility that makes the hidden parts of UAC visible.

How does UAC work?

When you run a program "as Administrator", Windows doesn't actually let the program you clicked, like cmd.exe, launch directly with higher privileges. Instead, Explorer hands the request off to a special service called AppInfo, which manages UAC. When AppInfo decides that a UAC prompt is needed, it launches consent.exe. AppInfo passes a structured data block into consent.exe that contains everything the UI needs to display, such as the program name, the requested executable path, the elevation type, and metadata used to draw the UAC dialog. This data is stored inside the AppInfo process and handed to consent.exe by giving it a pointer to a memory block within AppInfo's address space. Consent.exe reads that block directly to know what to show on screen. If you approve the prompt, AppInfo creates the elevated process. To make everything appear normal, Windows then assigns that new process a parent process ID pointing back to Explorer, even though Explorer didn't create it.

Credit: Pavel Yosifovich Parent Process vs. Creator Process

This "re-parenting" helps the elevated app inherit the right environment and preserves the illusion that Explorer launched it. The true creator is AppInfo and the details of the UAC request, including the data block read by consent.exe, aren't visible to normal monitoring tools once the process starts.

What this process looks like

Taking a look at process create events and process exit events, we'll go through what a typical elevation of powershell would look like when clicking "Run as Administrator".

  1. svchost launches consent.exe with the pid of svchost, the size of the data block, and the offset to the data block. consent.exe 9724 604 000001D5BC160390

  2. After UAC is successful, consent.exe exits with a status of 0x0.

  3. powershell is launched elevated with explorer as its parent.

What do we see if it is not successful? We'll do the same thing with cmd.exe, but this time we will close the UAC prompt instead of entering credentials.

  1. svchost launches consent.exe with the pid of svchost, the size of the data block, and the offset to the data block. consent.exe 9724 424 000001D5BC83E770

  2. UAC prompt is closed without entering credentials. consent.exe exits with a status code of 0x4C7

That's pretty much it. No information that cmd.exe was the program trying to be elevated.
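To make the two sequences above concrete from a detection point of view, here is an added example in Python (it is not part of this post and not ConsentMonitor). It pairs each consent.exe creation with its exit, parses the three command-line arguments (AppInfo's pid, the block size and the block address, exactly as in the events above), classifies the prompt as approved or cancelled from the exit status, checks that the parent really is the pid named on the command line, and, for approved prompts only, records the next process created as a heuristic guess at what was elevated. The record layout, helper names and the sample events are constructed assumptions; the consent.exe command lines and exit codes mirror the post.

```python
"""Added example, not from the original post: classify UAC prompts from
process create/exit events alone. Event layout and SAMPLE_EVENTS are constructed."""

ERROR_CANCELLED = 0x4C7  # consent.exe exit status when the prompt is dismissed
STATUS_SUCCESS = 0x0     # exit status after a successful elevation

# Constructed sample events (not real log output), in creation order, modelled
# on the fields that process-create/exit telemetry exposes.
SAMPLE_EVENTS = [
    {"kind": "create", "pid": 9724, "ppid": 800, "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Appinfo"},
    {"kind": "create", "pid": 5120, "ppid": 9724, "image": "consent.exe",
     "cmdline": "consent.exe 9724 604 000001D5BC160390"},
    {"kind": "exit", "pid": 5120, "image": "consent.exe", "status": STATUS_SUCCESS},
    # ppid 4488 stands for explorer.exe: the re-parenting described in the post
    {"kind": "create", "pid": 6212, "ppid": 4488, "image": "powershell.exe",
     "cmdline": "powershell.exe"},
    {"kind": "create", "pid": 5300, "ppid": 9724, "image": "consent.exe",
     "cmdline": "consent.exe 9724 424 000001D5BC83E770"},
    {"kind": "exit", "pid": 5300, "image": "consent.exe", "status": ERROR_CANCELLED},
]


def parse_consent_cmdline(cmdline):
    """'consent.exe <AppInfo pid> <block size> <block address>' -> (pid, size, addr).
    Note what is absent: nothing here identifies the program asking to elevate."""
    parts = cmdline.split()
    if len(parts) != 4 or parts[0].lower() != "consent.exe":
        raise ValueError(f"not a consent.exe command line: {cmdline!r}")
    return int(parts[1]), int(parts[2]), int(parts[3], 16)


def classify(status):
    """Map consent.exe's exit status to an outcome label."""
    if status == STATUS_SUCCESS:
        return "approved"
    if status == ERROR_CANCELLED:
        return "cancelled"
    return f"other (0x{status:X})"


def correlate(events):
    """One record per consent.exe instance: the AppInfo pid and data-block
    parameters from its command line, whether its real parent matches that pid,
    the outcome, and (heuristically) the first process created after an
    approved prompt, which is the only hint of what was elevated."""
    pending = {}        # consent.exe pid -> partially filled record
    records = []
    awaiting_child = None
    for ev in events:
        if ev["kind"] == "create" and ev["image"].lower() == "consent.exe":
            appinfo_pid, size, addr = parse_consent_cmdline(ev["cmdline"])
            pending[ev["pid"]] = {
                "consent_pid": ev["pid"], "appinfo_pid": appinfo_pid,
                "parent_matches": ev.get("ppid") == appinfo_pid,
                "block_size": size, "block_addr": addr,
                "outcome": None, "candidate_elevated": None,
            }
        elif ev["kind"] == "exit" and ev["pid"] in pending:
            rec = pending.pop(ev["pid"])
            rec["outcome"] = classify(ev["status"])
            records.append(rec)
            awaiting_child = rec if rec["outcome"] == "approved" else None
        elif ev["kind"] == "create" and awaiting_child is not None:
            # Heuristic only: the elevated process shows up right after approval,
            # re-parented to explorer. Capturing the data block (what ConsentMonitor
            # does) is the only way to know for certain which program asked.
            awaiting_child["candidate_elevated"] = ev["image"]
            awaiting_child = None
    return records


if __name__ == "__main__":
    for rec in correlate(SAMPLE_EVENTS):
        print(f"consent.exe {rec['consent_pid']}: {rec['outcome']}, "
              f"block {rec['block_size']} bytes at 0x{rec['block_addr']:X}, "
              f"candidate={rec['candidate_elevated']}")
```

The cancelled prompt ends up with no candidate at all, which is the gap the post describes: without the data block there is no trace that cmd.exe was the program trying to elevate.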

Enter ConsentMonitor

ConsentMonitor is a utility designed to monitor consent.exe and capture the memory block passed to it during a UAC prompt. ConsentMonitor captures the passed memory block to provide visibility into what process was attempting to elevate, making it easier to analyze UAC activity.

Let's look at the unsuccessful elevation again, but this time with ConsentMonitor running.

  1. svchost launches consent.exe with the pid of svchost, the size of the data block, and the offset to the data block. consent.exe 9724 424 000001D5BC83E770

  2. ConsentMonitor captures this data and shows all active sessions on the system.

  3. ConsentMonitor parses the data block and outputs it both in a hex-viewer style format and in an easier-to-read format. We can see that cmd.exe is the process that is trying to elevate.

  4. UAC prompt is closed without entering credentials. consent.exe exits with a status code of 0x4C7

ConsentMonitor can also be run so that the output goes to the console instead of a custom evtx log. I hope this shed a little light on UAC and some of its shortcomings when trying to investigate. So check out ConsentMonitor and let me know what you think.

Friday, November 7, 2025

OneDrive updates

What's new in OneDriveExplorer

OneDriveExplorer v2025.11.07 now includes a dedicated parser for Microsoft.FilesOnDemand.db. This new parser shows which files are available for editing in offline mode. Also of note, ListSync and FilesOnDemand CSVs can be loaded in the GUI.

OneDriveExplorer

OneDrive Evolution

OneDrive Evolution has been updated to OneDrive Version 25.216.1104.0001

OneDrive Evolution

SyncEngineDatabase.db Schema Update

Schema version has been updated to 39. scenarioName column has been added to the od_ServiceOperationHistory table.

SyncEngineDatabase Schema v39

Wednesday, October 8, 2025

OneDrive Quick Access

What is Quick access?

Quick access makes it simple to find your frequently used storage locations, including recently used shared libraries, channels, and folders. [1]

With offline mode enabled, it is possible to reconstruct this interface using locally stored data.

Microsoft.FileUsageSync.db

Microsoft.FileUsageSync.db contains the data used to populate the Quick Access interface. This file is located at:
%LOCALAPPDATA%\Microsoft\OneDrive\ListSync\Business<1-9>\settings.

Three tables within this database are of particular interest:

  • quick_access
  • quick_access_formatted
  • quick_access_metadata

Together, these tables store information such as pin states, site acronyms, and associated site icons.

quick_access table

The quick_access table provides foundational metadata for each entry in the Quick Access list. It contains the following fields:

  • ListId
  • WebId
  • SiteId
  • LastAccessDateTime
  • PinnedOrder

The purpose of the PinnedOrder value remains unclear, though it likely determines display order for pinned items.

quick_access_formatted table

The quick_access_formatted table holds the majority of the structured data required to rebuild the Quick Access interface. It includes:

  • ListId
  • WebId
  • SiteId
  • Format
    • QuickAccessRecent
    • PinnedItem
    • QuickAccessPinned
  • FormattedValue

Each Format type corresponds to a specific category of item behavior:

  • QuickAccessRecent - recently accessed items
  • PinnedItem - generated when an item is pinned
  • QuickAccessPinned - created or removed when the Quick Access endpoint is updated

The FormattedValue field contains a JSON structure that varies by format type. This structure includes key attributes such as access URLs, titles, colors, icons, and metadata necessary for UI reconstruction.

FormattedValue Header PinnedItem QuickAccessRecent QuickAccessPinned
accessUrl X X
containerTitle X X
contentClass X X
color X
favoritesOrder X
icon X
isDefaultDocumentLibrary X X
isDocLib X
isTeamsChannelSite X X
isTeamsConnectedSite X X
lastAccessDateTime X X
lastPolled X
listId X X X
listItemId X X
listUrl X
order X
operation X X
pinOrder X
siteAcronym X X
siteColor X X
siteIconUrl X
siteId X X X
siteTitle X
siteUrl X
spoId X X
title X X X
uniqueId X X
webId X X X
webTemplateConfiguration X
webUrl X X

quick_access_metadata table

The quick_access_metadata table tracks synchronization details that define the operational state of Quick Access. Its fields include:

  • SyncEndpoint
    • QuickAccessEndpoint
    • PinnedItemsEndpoint
  • InitialSyncComplete
  • ResyncRequired
  • SyncedVersion
  • LastSyncTime

*Note: If QuickAccessEndpoint is older than PinnedItemsEndpoint, QuickAccessPinned is out of sync. It takes roughly two minutes to sync after a pin state changes.

Reconstructing the Quick Access Interface

Below is an example 'FormattedValue' from the quick_access_formatted table:

{
  "title": "IT Security",
  "siteAcronym": "IS",
  "siteColor": "#1C4259",
  "siteIconUrl": "https://contoso.sharepoint.com/sites/IT%20Security/_layouts/15/images/siteicon.png",
  "siteUrl": "https://contoso.sharepoint.com/sites/IT%20Security",
  "accessUrl": "https://contoso.sharepoint.com/sites/IT%20Security/Shared%20Documents",
  "isDefaultDocumentLibrary": 1,
  "isTeamsConnectedSite": 1,
  "listId": "a51d76a5-7b26-4b33-8d55-4cfbc656038a",
  "webId": "c5e85660-c9b0-4268-ad8b-23e1f862dd1c",
  "siteId": "e34301fe-78ae-4a23-9984-bf7edfc744f7",
  "lastAccessDateTime": "2025-09-29T14:38:00Z"
}
JSON field and the UI element or behavior it drives:

  • title - Main display text on the card
  • siteAcronym - Initials displayed inside the colored tile
  • siteColor - Tile background color
  • siteIconUrl - Optional site icon (overrides acronym if present)
  • siteUrl - Base site link (used for hover or metadata)
  • accessUrl - Clickable target for user navigation
  • Format (table column) - Determines grouping (Recent, Pinned, etc.)
  • PinnedOrder (from quick_access) - Determines on-screen position

Visual Breakdown

SQL query to extract data from quick_access and quick_access_formatted

SELECT
    qf.Format,
    qa.PinnedOrder,
    json_extract(qf.FormattedValue, '$.pinOrder') AS pinOrder,
    json_extract(qf.FormattedValue, '$.order') AS "order",
    json_extract(qf.FormattedValue, '$.favoritesOrder') AS favoritesOrder,
    json_extract(qf.FormattedValue, '$.spoId') AS spoId,
    json_extract(qf.FormattedValue, '$.siteId') AS siteId,
    json_extract(qf.FormattedValue, '$.webId') AS webId,
    json_extract(qf.FormattedValue, '$.listId') AS listId,
    json_extract(qf.FormattedValue, '$.uniqueId') AS uniqueId,
    json_extract(qf.FormattedValue, '$.lastPolled') AS lastPolled,
    json_extract(qf.FormattedValue, '$.lastAccessDateTime') AS lastAccessDateTime,
    json_extract(qf.FormattedValue, '$.title') AS title,
    json_extract(qf.FormattedValue, '$.siteTitle') AS siteTitle,
    json_extract(qf.FormattedValue, '$.containerTitle') AS containerTitle,
    json_extract(qf.FormattedValue, '$.accessUrl') AS accessUrl,
    json_extract(qf.FormattedValue, '$.listUrl') AS listUrl,
    json_extract(qf.FormattedValue, '$.webUrl') AS webUrl,
    json_extract(qf.FormattedValue, '$.siteUrl') AS siteUrl,
    json_extract(qf.FormattedValue, '$.operation') AS operation,
    json_extract(qf.FormattedValue, '$.contentClass') AS contentClass,
    json_extract(qf.FormattedValue, '$.listItemId') AS listItemId,
    json_extract(qf.FormattedValue, '$.isDocLib') AS isDocLib,
    json_extract(qf.FormattedValue, '$.isDefaultDocumentLibrary') AS isDefaultDocumentLibrary,
    json_extract(qf.FormattedValue, '$.isTeamsConnectedSite') AS isTeamsConnectedSite,
    json_extract(qf.FormattedValue, '$.isTeamsChannelSite') AS isTeamsChannelSite,
    json_extract(qf.FormattedValue, '$.siteAcronym') AS siteAcronym,
    json_extract(qf.FormattedValue, '$.color') AS color,
    json_extract(qf.FormattedValue, '$.siteColor') AS siteColor,
    json_extract(qf.FormattedValue, '$.icon') AS icon,
    json_extract(qf.FormattedValue, '$.siteIconUrl') AS siteIconUrl,
    json_extract(qf.FormattedValue, '$.siteLogoUrl') AS siteLogoUrl,
    json_extract(qf.FormattedValue, '$.webTemplateConfiguration') AS webTemplateConfiguration
FROM quick_access AS qa
JOIN quick_access_formatted AS qf
    ON qa.ListId = qf.ListId
   AND qa.WebId = qf.WebId
   AND qa.SiteId = qf.SiteId;
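As an added example (not part of this post and not OneDriveExplorer's own code), the following Python rebuilds the Quick Access list from the three tables described above and applies the endpoint-sync note from the quick_access_metadata section. It creates an in-memory SQLite copy of the tables using the column names from the post, fills it with the post's example FormattedValue plus one constructed pinned entry, joins quick_access to quick_access_formatted on (ListId, WebId, SiteId) like the query above, decodes FormattedValue in Python instead of with json_extract, and orders the cards as the UI does: pinned items by PinnedOrder first, then recent items newest first. The helper names, the Project Alpha entry and the metadata rows are assumptions.

```python
"""Added example, not from the original post or OneDriveExplorer: rebuild the
Quick Access list from Microsoft.FileUsageSync.db's three tables. An in-memory
SQLite copy with constructed rows stands in for the real file."""
import json
import sqlite3

# FormattedValue from the post's example (QuickAccessRecent).
IT_SECURITY = {
    "title": "IT Security", "siteAcronym": "IS", "siteColor": "#1C4259",
    "siteIconUrl": "https://contoso.sharepoint.com/sites/IT%20Security/_layouts/15/images/siteicon.png",
    "siteUrl": "https://contoso.sharepoint.com/sites/IT%20Security",
    "accessUrl": "https://contoso.sharepoint.com/sites/IT%20Security/Shared%20Documents",
    "isDefaultDocumentLibrary": 1, "isTeamsConnectedSite": 1,
    "listId": "a51d76a5-7b26-4b33-8d55-4cfbc656038a",
    "webId": "c5e85660-c9b0-4268-ad8b-23e1f862dd1c",
    "siteId": "e34301fe-78ae-4a23-9984-bf7edfc744f7",
    "lastAccessDateTime": "2025-09-29T14:38:00Z",
}
# Constructed pinned entry (QuickAccessPinned); IDs and values are made up.
PROJECT_ALPHA = {
    "title": "Project Alpha", "siteAcronym": "PA", "siteColor": "#A4262C",
    "siteUrl": "https://contoso.sharepoint.com/sites/ProjectAlpha",
    "accessUrl": "https://contoso.sharepoint.com/sites/ProjectAlpha/Shared%20Documents",
    "listId": "11111111-1111-1111-1111-111111111111",
    "webId": "22222222-2222-2222-2222-222222222222",
    "siteId": "33333333-3333-3333-3333-333333333333",
    "pinOrder": 0,
}


def build_sample_db():
    """Create the three tables with the column names from the post and fill them."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE quick_access (ListId TEXT, WebId TEXT, SiteId TEXT,
                                   LastAccessDateTime TEXT, PinnedOrder INTEGER);
        CREATE TABLE quick_access_formatted (ListId TEXT, WebId TEXT, SiteId TEXT,
                                             Format TEXT, FormattedValue TEXT);
        CREATE TABLE quick_access_metadata (SyncEndpoint TEXT, InitialSyncComplete INTEGER,
                                            ResyncRequired INTEGER, SyncedVersion TEXT,
                                            LastSyncTime TEXT);
    """)
    for entry, fmt, pinned in ((IT_SECURITY, "QuickAccessRecent", None),
                               (PROJECT_ALPHA, "QuickAccessPinned", 0)):
        ids = (entry["listId"], entry["webId"], entry["siteId"])
        conn.execute("INSERT INTO quick_access VALUES (?,?,?,?,?)",
                     ids + (entry.get("lastAccessDateTime"), pinned))
        conn.execute("INSERT INTO quick_access_formatted VALUES (?,?,?,?,?)",
                     ids + (fmt, json.dumps(entry)))
    # Constructed sync state: QuickAccessEndpoint synced before PinnedItemsEndpoint.
    conn.executemany("INSERT INTO quick_access_metadata VALUES (?,?,?,?,?)", [
        ("QuickAccessEndpoint", 1, 0, "1", "2025-09-29T14:40:00Z"),
        ("PinnedItemsEndpoint", 1, 0, "1", "2025-09-29T14:45:00Z"),
    ])
    conn.commit()
    return conn


def reconstruct_quick_access(conn):
    """Join on (ListId, WebId, SiteId), decode FormattedValue, and return cards
    in UI order: pinned by position first, then recent by last access (newest first)."""
    rows = conn.execute("""
        SELECT qf.Format, qa.PinnedOrder, qa.LastAccessDateTime, qf.FormattedValue
        FROM quick_access AS qa
        JOIN quick_access_formatted AS qf
          ON qa.ListId = qf.ListId AND qa.WebId = qf.WebId AND qa.SiteId = qf.SiteId
        WHERE qf.Format IN ('QuickAccessPinned', 'QuickAccessRecent')
    """).fetchall()
    cards = []
    for fmt, pinned_order, last_access, raw in rows:
        v = json.loads(raw)
        cards.append({
            "group": "Pinned" if fmt == "QuickAccessPinned" else "Recent",
            "title": v.get("title"),
            "acronym": v.get("siteAcronym"),
            "color": v.get("siteColor"),
            "icon_url": v.get("siteIconUrl"),   # overrides the acronym tile when present
            "access_url": v.get("accessUrl"),
            "position": pinned_order if pinned_order is not None else v.get("pinOrder"),
            "last_access": last_access or v.get("lastAccessDateTime"),
        })
    pinned = sorted((c for c in cards if c["group"] == "Pinned"),
                    key=lambda c: c["position"] if c["position"] is not None else 0)
    recent = sorted((c for c in cards if c["group"] == "Recent"),
                    key=lambda c: c["last_access"] or "", reverse=True)
    return pinned + recent


def pinned_in_sync(conn):
    """The post's note: if QuickAccessEndpoint's LastSyncTime is older than
    PinnedItemsEndpoint's, the QuickAccessPinned rows lag a recent pin change."""
    times = dict(conn.execute("SELECT SyncEndpoint, LastSyncTime FROM quick_access_metadata"))
    return times["QuickAccessEndpoint"] >= times["PinnedItemsEndpoint"]


if __name__ == "__main__":
    db = build_sample_db()
    for card in reconstruct_quick_access(db):
        print(f"[{card['group']}] {card['title']} ({card['acronym']}, {card['color']}) -> {card['access_url']}")
    print("pinned view in sync:", pinned_in_sync(db))
```

Against a real Microsoft.FileUsageSync.db, replace build_sample_db() with sqlite3.connect() on a copy of the file; the reconstruction and the sync check work unchanged as long as the table and column names match those listed above.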

References

  1. https://support.microsoft.com/en-us/office/getting-started-with-quick-access-eb533c0a-7ee9-40d4-8d29-0a88cc9e0231

Monday, September 29, 2025

OneDrive. Let's take this offline

At the beginning of this year, I started adding data from the offline databases into OneDrive Explorer. This data enhanced other artifacts that were being parsed. One thing that was lacking is a dedicated parser for the offline database (Microsoft.ListSync.db). The latest version of OneDriveExplorer now allows for parsing this data, giving a better representation of OneDrive from an offline perspective.

OneDrive Offline Mode (Project Nucleus)

To get a better understanding of what offline mode is and how it works, let's take a step back to its origins, Project Nucleus.

What is Project Nucleus?

Project Nucleus was announced at Ignite 2020 as part of Microsoft 365 / SharePoint platform enhancements. [1] Project Nucleus is aimed at improving performance and usability of Microsoft's web apps, especially when interacting with large content/data sets and unreliable/slow network connections.

Key features include:

  • A local cache on the client device (using a component described sometimes as “Microsoft.SharePoint.exe”) to store data locally and sync with the cloud.
  • Support for offline work in web apps (e.g. Microsoft Lists) so users can interact with content even without network connectivity.
  • Faster operations like sorting, filtering, grouping in large lists, because many operations can be done against the local cache rather than round-tripping to the server each time.

Nucleus is effectively a foundational engine inside Microsoft 365 web apps, powering offline/resilient experiences like OneDrive Web Offline Mode and faster large-list operations.

OneDrive offline mode

Microsoft announced a new feature coming to OneDrive for Business called Offline Mode in April 2024. The feature allows you to continue to use the web version of OneDrive without an internet connection. It works by downloading your file metadata and running a web server (Microsoft.SharePoint.exe) located in Program Files\Microsoft OneDrive\<OneDrive_Version>\.

OneDriveExplorer Microsoft.ListSync.db parsing

By reconstructing the folders in Microsoft.ListSync.db, we can get a better view of what the user has access to when working offline. This data returns slightly different results when compared to what is synced on the endpoint. In this example we can see that SyncEngineDatabase.db (endpoint folders) contains 36458 file(s) - 189 deleted, 1418 folder(s), whereas Microsoft.ListSync.db (offline mode) contains 36662 file(s) - 0 deleted, 1452 folder(s). That's an additional 204 files and 34 folders that offline mode gives us.

Another interesting point of data we get with offline mode is that folders contain creation and modify dates. This is not present in the endpoint (SyncEngineDatabase.db) data.

Conclusion

Project Nucleus has come a long way to add offline mode to OneDrive. With the updates to OneDriveExplorer, we now have the ability to parse this artifact on its own instead of just enhancing other artifacts. Try out the new feature and be on the lookout for updates and improvements to offline mode artifacts. The latest version of OneDriveExplorer can be downloaded here.


  1. https://redmondmag.com/articles/2020/09/23/sharepoint-syntex-project-nucleus.aspx?utm_source=chatgpt.com

Friday, June 6, 2025

Weekly Update 6/6/2025

OneDrive Evolution

OneDrive Evolution has been updated to OneDrive version 25.106.0602.0001. Starting with version 25.102.0527.0001, there is a new folder under settings named .Dbfs.dbfs_bootstrap. It is not known at this time what the folder pertains to, but it does contain a database (dbfs.db). Below is a screenshot of the contents of the database.


SyncEngineDatabase.db Updates

Starting with version 25.105.0601.0001 of OneDrive, the SyncEngineDatabase.db schema has been updated to v38. A new table has been added to the database (od_ServiceOperationHistory).