It's been awhile, a long while, since there has been anything added to the WinFE project, and the bad news is that nothing is new other than Microsoft not quite accepting of Colin Ramsden's write protect tool.   As that is not good news, both Troy and Colin are working toward an effort that may meet Microsoft's needs for an acceptable (to Microsoft...) write protect application other than DiskPart.

Sorry for the news on no news, but WinFE still works as it is, you just need to use the command line to toggle drives on/offline.

There have been numerous presentations showing how to build and use a WinFE boot disc around the world.  Most recently I see that IACIS has given a demo this year along with several HTCIA Chapters and a DOD conference as well.  A write up of Imaging a MacBook by Sean Morrissey shows just how easy WinFE is to use on a MacBook based on one demo at IACIS.

As simple as it is to use, it has become even easier to build using WinBuilder.  Probably the most significant difference when using WinBuilder rather than building via WAIK and the command line is the numerous options that can be automatically added, particularly in that of supporting more software able to run on WinFE.



Many examiners have already tried to build and use WinFE, but I know there are a few of you out there that just haven't sat down to give it a whirl.   If you can speak to anyone that uses WinFE, they will each tell you that it is well worth it!

The next coolest thing to be added to WinFE is Colin Ramsden's GUI currently being finalized.   Say goodbye to the DiskPart command line!

Always test your tools (this includes WinFE).  Considering that NIST recently discovered that some Ubuntu based forensic boot discs could make modifications to a booted suspect drive (modifies the $logfile upon booting....),  these sort of news breaks are a friendly reminder to test your tools.  Additionally, when 'bugs' are found in forensic tools, it may help to review any cases that may be affected by a past use of a tool.  Even Guidance Software just released a firmware update to a hardware physical write blocker in which writes to the evidence drive were not protected.  How's that for reassurance with hardware write blockers being known as the absolute write protection tool?

You can't rely upon someone else's work, you can't even rely upon the label of a box of something you buy.  You just have to spend the time to test it personally.

If you've not tested a tool that you used and later find that there was a problem with it, how long will you worry about one of those times you relied upon it to come back to haunt you in a past case?

Better that you tested it ("I know it works because I tested it") rather than rely on someone else to test it ("But the company/website/brochure said it worked...").