An easy quickstart guide to build your WinFE ISO...

1) Extract WinBuilder to the root of your C:/ drive

2) Run WinBuilder

3) Click 3 buttons and you are done.

If you want more features, such as additional programs, network support, audio, more drivers, customized wallpaper, create a bootable WinFE flashdrive, etc..., then you just need to push a few more buttons.  Download and read the write up (Users Guide to WinFE) for details on adding features.  It's just as easy as pushing the 3 buttons.

These screenshots show all that is needed.  Now, after looking at what is needed to create your WinFE, what is the reason you haven't started yet?.....





One of the biggest benefits (besides imaging storage media) of WinFE is the ability to create a customized triage system at virtually no cost.  Purchasing a pre-made system may not be an issue when only one or a few systems are needed, but when outfitting an entire unit or perhaps an entire police department, bulk purchases of software to be issued individually most likely may not happen.  Completing disregarding the ability to triage due to cost does not benefit the community or country.  Finding solutions does.

With a WinFE "triage system", the cost can be minimal due to the multitude of freely available software available.  Not to be confused with shareware, pirated software, or other questionable software, there are plenty available at no cost that are effective and easy to use (and did I mention the keyword "free"?).

So, when contemplating purchasing a pre-built system, consider that a customized system can be simply created that fits the needs and budget of your organization or your case.

There are several tools of worthy mention, but plenty more that are just as viable for triage and forensic quality software.

For law enforcement and military, there is the excellent (and free!) search tool "Field Search".  Field Search is a tool initially developed to run on a live machine to scan for images, internet history, and other items of evidential value.



Field Search can also run under a WinFE booted system, giving it the capability of being "forensic" in that instead of running on the suspect machine and altering the system, it can now be run without altering the system.   Field Search is an extremely quick and easy program to use for First Responders and those in combat zones.  The use of this program in a forensic environment just doubled its potential.

The only limits to the software that will run on WinFE are those that depend upon the dependent files.  As an example, the Microsoft .NET framework is needed to run ChromeAnalysis and FoxAnalysis.   .NET is installed in the WinFE with the check of a box when using WinBuilder to build a WinFE ISO.  With that,  both FoxAnalysis and ChromeAnalysis from www.forensic-software.co.uk run in the WinFE booted system giving more options in triage.  Both of these tools provide an intensive internet history capability in any forensic examination, and can be easily used in a triage/preview situation.  

Other types of forensic software can also be used to target specifically desired information.  RegRipper can be used to run against an entire drive and output specific results to a text file.  RegRipper (freely available!) can be modified in a multitude to ways to target what may be needed in a given scenario, either by using pre-made plugins or writing a unique plugin based on what is needed.

 

WinFE allows you to customize a triage booting system based on several factors other than just a budget.  As an example, a police department can have a WinFE customized for First Responders with a bare minimal selection of triage tools, Field Search being a prime example.   Investigators could have additional tools (with some additional training) that can go beyond the First Responders' needs.  With this type of system, by the time a forensic examiner is given evidence to examine, the evidence has been prioritized by the First Responder and case investigator to best determine how resources should be spent.  Compared to literally dumping multiple computers onto an examiner's desk and asking for "everything", triage can be conducted for more effective results and quicker turnaround.  This can be applied to non-LE work as well.

 

 

Since WinFE can boot virtually any intel based computer, (this also includes Macs and *nix machines), the majority of situations can be handled with it.   Forensic Linux boot discs can be used in the same fashion as WinFE, using Linux software, however, I would hazard a guess to opin that most computer users are using the Windows Operating System.  Giving an unfamiliar operating system to a First Responder may be creating a problem due to mistakes being made by not knowing 'which buttons to push' to find the evidence...Those with more experience with Linux should not have that problem.  Given the option to outfit a battalion of combat troops with this capability...I'd probably lean heavily toward a Windows based system...

Fairly soon, if not already in some jurisdictions, the days of giving the forensic examiner dozens of hard drives that have not been previewed or triaged in some fashion by someone, will be over.   A WinFE triage system can be configured to find basic information (user accounts, internet history, graphics, etc...) which can be used to prioritize, or even eliminate, media to be examined.  Some information that can be gleaned onsite during triage could substantially affect the outcome of the situation (combat arena?  searching for victims related to an electronic crime scene? or other scenarios where an extensive examination will yield results that may be useless months later?).

Using a triage system can save more hours than you may initially realize.  If just one computer hard drive is triaged, and determined not to be of importance (as compared to the other 10 in the investigation...), then it need not be imaged (saving hours) and need not be examined (saving days).   It's very easy to determine the ROI or manhours saved with one hard drive, extrapolate that to dozens or more hard drives.  How's that for cutting down the workload?

 

Giving more usability to WinFE, OSForensics has several features that I can see being beneficial in triage of a system with OSForensics.  OSForensics can be run on a live system (not the optimal decision in most cases), a mounted image, or in a forensically booted WinFE system.



The program's interface is simple and encompasses quite a bit of the basic forensic processes (searching, indexing, hashing, etc...).  Of particular interest is that some of these standard forensic processes can easily be used in a WinFE booted system for basic triage.

As an example, a scan of images of the suspect computer can be conducted with OSForensics.    This type of triage may certainly help determine which computer systems contain illicit images and need forensic analysis.

Another feature that can benefit cases is that of indexing.  OSForensics allows for indexing of files, including email (pst, mbox.msg,eml, and dbx), for keyword searches.    Searches can also be restricted by date ranges.

Although OSForensics doesn't appear to be as powerful as a tool such as X-Ways Forensics, I definitely foresee a place where it can used, particularly in a First Responder role.