For those that have been using WinFE and wanting to know about recent updates, I have only a little news to mention.    WinFE is still just as good today as when Troy Larson first created it, so not much in the update area there.  WinFE still boots the same computer systems and you can do the same forensic work as before, not much has changed since then.   DiskPart is still the primary (only) method to toggle drives on/offline, which isn't difficult to do.  Still command line, but easy commands to use.

WinFE Batch File Building Method

And building WinFE is the same as before, no changes there either.  If you use the batch file method, you can write your own or you can download pre-made batch files using the Box.net widget on this site to the right.   Several to choose and modify to suit your preferences.

The location of the batch files on this blog looks like the below screenshot, so if you don't see it, you may need to have Java enabled in your browser.

WinFE WinBuilder Building Method

If you are using WinBuilder (www.reboot.pro), there have been a continual update of the WinFE scripts by RoyM.  The reboot.pro site is also the best place for forum support directly with the script writers if you have problems building your WinFE.  RoyM (and others) has taken a great lead in the WinFE WinBuilder development.  My hat is off to all the contributors.

Other Forensic Boot Systems

The "other" forensic boot systems have had a few updates, some major.  I would highly recommend checking out Raptor, CAINE, and DEFT!  A major difference between WinFE and several of the Linux forensic boot systems is that many of the Linux systems are pre-made forensic OS's, with freeware/open source tools already installed.  WinFE requires you to add the apps you want to use, which may be freeware, open source, or commercial.    A more complete forensic G0-Bag Kit has all of them....just in case....

 

It's been awhile, a long while, since there has been anything added to the WinFE project, and the bad news is that nothing is new other than Microsoft not quite accepting of Colin Ramsden's write protect tool.   As that is not good news, both Troy and Colin are working toward an effort that may meet Microsoft's needs for an acceptable (to Microsoft...) write protect application other than DiskPart.

Sorry for the news on no news, but WinFE still works as it is, you just need to use the command line to toggle drives on/offline.

There have been numerous presentations showing how to build and use a WinFE boot disc around the world.  Most recently I see that IACIS has given a demo this year along with several HTCIA Chapters and a DOD conference as well.  A write up of Imaging a MacBook by Sean Morrissey shows just how easy WinFE is to use on a MacBook based on one demo at IACIS.

As simple as it is to use, it has become even easier to build using WinBuilder.  Probably the most significant difference when using WinBuilder rather than building via WAIK and the command line is the numerous options that can be automatically added, particularly in that of supporting more software able to run on WinFE.



Many examiners have already tried to build and use WinFE, but I know there are a few of you out there that just haven't sat down to give it a whirl.   If you can speak to anyone that uses WinFE, they will each tell you that it is well worth it!

The next coolest thing to be added to WinFE is Colin Ramsden's GUI currently being finalized.   Say goodbye to the DiskPart command line!