Giving more usability to WinFE, OSForensics has several features that I can see being beneficial in triage of a system with OSForensics.  OSForensics can be run on a live system (not the optimal decision in most cases), a mounted image, or in a forensically booted WinFE system.



The program's interface is simple and encompasses quite a bit of the basic forensic processes (searching, indexing, hashing, etc...).  Of particular interest is that some of these standard forensic processes can easily be used in a WinFE booted system for basic triage.

As an example, a scan of images of the suspect computer can be conducted with OSForensics.    This type of triage may certainly help determine which computer systems contain illicit images and need forensic analysis.

Another feature that can benefit cases is that of indexing.  OSForensics allows for indexing of files, including email (pst, mbox.msg,eml, and dbx), for keyword searches.    Searches can also be restricted by date ranges.

Although OSForensics doesn't appear to be as powerful as a tool such as X-Ways Forensics, I definitely foresee a place where it can used, particularly in a First Responder role.

I'll be giving a demo of WinFE to www.ctin.org on March 10 (online).  I'll be showing some neat developments in the work as well as discuss solving build problems.



There are a few spots left and you have to be a CTIN member to view the presentation.  But maybe it is something worthwhile to join anyway as most all the training is free to members.

Just to clear up any questions on whether WinFE can 'do a Mac', well...it can.  And Linux too.  And of course it can do Windows as well.   As long as the machine can be booted to a WinFE CD or USB, then you can image the hard drive.  Actually, you can do a whole lot more than just image it...you can triage it, preview it, search it, or just copy files and folders from it.  If the drive is encrypted and you have the key, you can access the drive.  And what about VSS (Volume Shadow Service/Copies)....you can access those too, all through WinFE.

I can promise that as soon as you build a WinFE CD or bootable USB, you will regret not having done it months or years earlier (it's been around since 2008....).  And if building a forensic boot OS makes you hesitate at all, there is no need because if you use WinBuilder, it is as simple as pointing and clicking to fully customize your Windows FE CD or bootable USB.