By now, most everyone involved with forensics knows about the latest release of FTK Imager 3.0.   In my opinion, this is perhaps the best release ever of FTK Imager and probably one of the top releases of software this  year because of one of the newest features and the price (FREE and MOUNTS IMAGES!).  Given other expensive software, or free software  that doesn't work as expected, or difficult to manage manual procedures to mount images, to now have FTK Imager 3.0 quickly and neatly mount an image is a nice addition to my Start Menu.



So the bigger deal with FTK Imager 3.0....it runs in WinFE.  With FTK Imager 3.0, you can mount images in WinFE and conduct analysis in the Windows Forensic Environment with any other tool that runs in WinFE, such as X-Ways Forensics, ProDiscover, or Encase.



Now I know what you are probably thinking.  FTK Imager "Lite" 2.9 will run in WinFE and that version doesn't support image mounting.  FTK Imager 3.0 needs to be installed, which is problematic in WinFE.  Well, right and wrong. FTK Imager 3.0 only needs to be installed on any system, then copy the program folder onto WinFE  to run as if it were installed.  Voila!  No need for the Lite version when you can have the full meal deal.

Now how's that for having a completely self-contained Windows Forensic Environment, running minimal processes on just about any system...technically, this is called, "Niiiccceee...."

And yet another use for WinFE.

This year, at the University of Washington's Digital Forensics Certificate Program, I am having each student create their own Windows Forensic Environment with as many forensic applications as we can fit on a USB drive.   This fulfills several objectives that any school or training program can incorporate at virtually no cost.

Students in forensic programs can learn to create a forensically sound bootable media and validate it through testing (how's that for a takehome assignment?).  Since WinFE can be used as a forensic platform on almost any computer (for those students without a 'forensic machine' at home), this bootable media may be more than enough to practice and do homework assignments on their home computer (...they can image...they can run forensic tools against an image or hard drive...they can do quite a bit).  Forensic software developers...consider making your applications run in a portable mode and VOILA, you just reached a second use (and market) for your application/s.  Anything that runs on WinFE is a tool I want and so far, only X-Ways Forensics fits that bill as a full fledged, portable forensic suite.

And yes, a Linux forensic environment can do many of these things as well, so why not do both?  The cost of a Linux CD...same as WinFE :)

I came across WinBuilder today (http://www.boot-land.net/), which provides downloads to a GUI based, Windows Live CD builder.  I'm willing to try anything, so I gave it a whirl and was happy I did.

With WinBuilder, many of the functions of Windows that are not in the basic WinFE builds are included.   This includes the Windows"Start" button, computer management tools, and even network access.

Running WinBuilder is not complicated and scriptable.  The one thing it does not do (at this time) is make your CD forensically safe with the 2 registry changes.  However, this is easy enough to do manually or by writing a script to be used during the build.

I'm not sure how I missed this before, but I may have now found my primary method of making a WinFE disc, using WinBuilder instead of a batch file.  Oh yeah, you don't need WAIK either.