You can now download the WinFE WinBuilder.  Thanks to everyone that helped support this effort, it was well worth it.



As to a guide on how to use WinFE, it probably isn't really needed since WinFE is simply a forensic boot disc.  So, you might not need any help in putting WinFE to good use.  However...there may be a few things you didn't know you could do with WinFE that could be of interest.   Since that might be the case, here is a quick guide on tips on using WinFE as well as tips for building with WinBuilder.

Users Guide to WinFE

For support on how to use WinBuilder (troubleshooting, advanced features), check out the WinBuilder website at http://reboot.pro.

To reiterate some points about WinFE (and to hopefully prevent 'hate mail' coming to me from commercial products...), WinFE is an addition to your forensic toolkit. It doesn't replace any tools, only supplements what you are using anyway.   Commercial products that do the same thing that WinFE does work too, keep buying those if you want, you don't have to use WinFE.  And for the Linux lovers out there (Hey, I'm one of you guys too!), there is time and place for everything, sometimes WinFE is best, another time CAINE or DEFT or ???*nix may be best.

As far as anyone making a profit out of WinFE, no need to ask, because no one is;  it is a community project of customizing a Windows PE to fit your needs.

And yes, there are even some more neat things to be added to WinFE in the future...but as of now, you have access to a solid forensic environment.

For additional credits to this project;

Jad Saliba (of JadSoftware.com) has released an update to his Internet Evidence Finder/IEF in a portable version.  Now this sounds really good to have the ability to plug in a USB drive into a running machine to gather the information that IEF does.   But, to take it a step further, I tried IEF within a booted WinFE system.   And the result....it works perfectly!

To make sure you can get the full grasp of how neat this is, you can boot to WinFE and run IEF across the physical drive, without making any changes to the evidence.  This could be of real importance in an investigation such as a missing person case where internet/chat/webmail may be of immediate intelligence value.  Rather than imaging the hard drive to search for this data from the image, or booting the machine to its operating system and potentially overwriting pertinent data, you can boot to WinFE and run IEF on the write protected drive.   Of course, in a missing person case where chat is involved, it may also be most important to capture the volatile data FIRST before turning off the computer.

In civil case matters, this can be a fairly quick method of obtaining data relevant to the case matter onsite if imaging the hard drive is not allowed.

Although IEF doesn't run on Mac or Linux....if you boot a Mac or Linux machine with WinFE, IEF will run against that Mac or Linux hard drive ;)

If you haven't seen Marc Remmert's video on creating a WinFE ISO, here is his video.  Although the WinBuilder method greatly simplifies what Marc shows in his video, it certainly recommended to see what is actually happening to a Win"P"E to make it into a Win"F"E, no matter the process used, at least understand the changes being made, the reason for the changes, and the validation of the changes.  And for those that insist that WinFE is not WinFE and that it is WinPE...well, you are sorta correct.  WinFE is the 'forensic' modification of a WinPE, so it really is something different.

[youtube=http://www.youtube.com/watch?v=J3T5wnPiObI]

On the WinBuilder topic, a great group of beta testers have started to put WinBuilder through its paces.  Again, although the end result is that you will be able to create a WinFE ISO with a few clicks, it is best to know what is happening behind the scenes and Marc's video gives you that insight.