The WinFE journey…
From Troy Larson’s first vision of the Windows Forensic Environment to the improvements currently being made, WinFE is set to become one of the best forensic boot disks/USBs available.
The ease to which it can be created has been simplified greatly by Björn Ganster’s automated batch files (my initial batch files were elementary compared to Björn’s improvements). Colin Ramsden is working some aspects of WinFE that really are impressive, such as GUI’s for WinFE, installing hasps drivers, mapping network drives, Apple HFS+ drivers, other program installations help, etc… Jad Saliba of
JadSoftware has plans to work on making IEF run in the WinFE environment. Add these to Matt Churchhill’s version “
WindowsRipper” modified from
Harlan Carvey’s “
RegRipper” and you are set to add such a triage functionality to WinFE, that given 20 minutes in front of a computer, you may be able to get everything you need from the machine. You can either determine if the computer is worth seizing at all, or in the case of a (legal!) snatch and grab op, grab only the data of importance from a host computer without the (criminal/terrorist) user ever knowing their computer was touched.
It is incredible what a group of contributors can have on a project that benefits the community. If you haven't gotten access to the shared folder, you can use
this link to sign up for DropBox and I'll share the folder with you. If you have already gotten a DropBox account, send me an email so I can share the folder with your current login. I'd make the folder public, but would rather have at least one step to get to it rather than it open to the world so easily. The neat thing about the shared folder, is that when someone puts in an updated batch file, you have access to it immediately.
For anyone waiting for WinFE to be available for one single and complete download...it won't happen. There are some MS licensing issues that prevent that, so sit down for a bit, take a look at how to make one, and get started! You won't regret it.