Jad Saliba (of JadSoftware.com) has released an update to his Internet Evidence Finder/IEF in a portable version.  Now this sounds really good to have the ability to plug in a USB drive into a running machine to gather the information that IEF does.   But, to take it a step further, I tried IEF within a booted WinFE system.   And the result....it works perfectly!

To make sure you can get the full grasp of how neat this is, you can boot to WinFE and run IEF across the physical drive, without making any changes to the evidence.  This could be of real importance in an investigation such as a missing person case where internet/chat/webmail may be of immediate intelligence value.  Rather than imaging the hard drive to search for this data from the image, or booting the machine to its operating system and potentially overwriting pertinent data, you can boot to WinFE and run IEF on the write protected drive.   Of course, in a missing person case where chat is involved, it may also be most important to capture the volatile data FIRST before turning off the computer.

In civil case matters, this can be a fairly quick method of obtaining data relevant to the case matter onsite if imaging the hard drive is not allowed.

Although IEF doesn't run on Mac or Linux....if you boot a Mac or Linux machine with WinFE, IEF will run against that Mac or Linux hard drive ;)

If you haven't seen Marc Remmert's video on creating a WinFE ISO, here is his video.  Although the WinBuilder method greatly simplifies what Marc shows in his video, it certainly recommended to see what is actually happening to a Win"P"E to make it into a Win"F"E, no matter the process used, at least understand the changes being made, the reason for the changes, and the validation of the changes.  And for those that insist that WinFE is not WinFE and that it is WinPE...well, you are sorta correct.  WinFE is the 'forensic' modification of a WinPE, so it really is something different.

[youtube=http://www.youtube.com/watch?v=J3T5wnPiObI]

On the WinBuilder topic, a great group of beta testers have started to put WinBuilder through its paces.  Again, although the end result is that you will be able to create a WinFE ISO with a few clicks, it is best to know what is happening behind the scenes and Marc's video gives you that insight.

Just before the latest WinBuilder WinFE gets released, would you like to take it on a test run first before the rest of the world gets it?  There are some neat features (Bitlocker support, DiskPart batch file, plus others), but the main concern is testing to see if anything needs to be fixed, corrected, added, or taken away from the build.



If you have the time to make a build or two and run it against your computer, send me an email and I'll send you the build (not the ISO, you have to build that, but you get the Winbuilder app to build it).  I'd appreciate any comments, good-bad-or indifferent.   I'll cut off the number of beta testers as soon as a decent number can reply to this request by email to; This email address is being protected from spambots. You need JavaScript enabled to view it..  So give me your email to get your beta!