Brett's Ramblings
2 minutes reading time
(351 words)
Current and Future Development of Windows FE
The WinFE journey…
From Troy Larson’s first vision of the Windows Forensic Environment to the improvements currently being made, WinFE is set to become one of the best forensic boot disks/USBs available.
The ease to which it can be created has been simplified greatly by Björn Ganster’s automated batch files (my initial batch files were elementary compared to Björn’s improvements). Colin Ramsden is working some aspects of WinFE that really are impressive, such as GUI’s for WinFE, installing hasps drivers, mapping network drives, Apple HFS+ drivers, other program installations help, etc… Jad Saliba of JadSoftware has plans to work on making IEF run in the WinFE environment. Add these to Matt Churchhill’s version “WindowsRipper” modified from Harlan Carvey’s “RegRipper” and you are set to add such a triage functionality to WinFE, that given 20 minutes in front of a computer, you may be able to get everything you need from the machine. You can either determine if the computer is worth seizing at all, or in the case of a (legal!) snatch and grab op, grab only the data of importance from a host computer without the (criminal/terrorist) user ever knowing their computer was touched.
It is incredible what a group of contributors can have on a project that benefits the community. If you haven't gotten access to the shared folder, you can use this link to sign up for DropBox and I'll share the folder with you. If you have already gotten a DropBox account, send me an email so I can share the folder with your current login. I'd make the folder public, but would rather have at least one step to get to it rather than it open to the world so easily. The neat thing about the shared folder, is that when someone puts in an updated batch file, you have access to it immediately.
For anyone waiting for WinFE to be available for one single and complete download...it won't happen. There are some MS licensing issues that prevent that, so sit down for a bit, take a look at how to make one, and get started! You won't regret it.
From Troy Larson’s first vision of the Windows Forensic Environment to the improvements currently being made, WinFE is set to become one of the best forensic boot disks/USBs available.
The ease to which it can be created has been simplified greatly by Björn Ganster’s automated batch files (my initial batch files were elementary compared to Björn’s improvements). Colin Ramsden is working some aspects of WinFE that really are impressive, such as GUI’s for WinFE, installing hasps drivers, mapping network drives, Apple HFS+ drivers, other program installations help, etc… Jad Saliba of JadSoftware has plans to work on making IEF run in the WinFE environment. Add these to Matt Churchhill’s version “WindowsRipper” modified from Harlan Carvey’s “RegRipper” and you are set to add such a triage functionality to WinFE, that given 20 minutes in front of a computer, you may be able to get everything you need from the machine. You can either determine if the computer is worth seizing at all, or in the case of a (legal!) snatch and grab op, grab only the data of importance from a host computer without the (criminal/terrorist) user ever knowing their computer was touched.
It is incredible what a group of contributors can have on a project that benefits the community. If you haven't gotten access to the shared folder, you can use this link to sign up for DropBox and I'll share the folder with you. If you have already gotten a DropBox account, send me an email so I can share the folder with your current login. I'd make the folder public, but would rather have at least one step to get to it rather than it open to the world so easily. The neat thing about the shared folder, is that when someone puts in an updated batch file, you have access to it immediately.
For anyone waiting for WinFE to be available for one single and complete download...it won't happen. There are some MS licensing issues that prevent that, so sit down for a bit, take a look at how to make one, and get started! You won't regret it.
About the author
Comments 2
Guest - Rob
on Monday, 14 June 2010 00:18
Guest - ihuntcrows
on Thursday, 16 December 2010 18:47
Posts List
Tag Cloud
Hacker
Volume Shadow Copy
training
email
gmail
investigations
dfir
book
Virtualization
phishing
windows fe
presentations
Windows Forensic Environment
case studies
wiretap
Jimmy Weg
4cast
University of Washington
bitcoin forensics
Placing the Suspect Behind the Keyboard
forensics
Bitcoin Forensics
RegRipper
imaging
winfe
windows forensic environment
tor browser
Registry Forensics
X-Ways Forensics Practitioner's Guide
Hiding Behind the Keyboard
surveillance
investigation
bitcoin
X-Ways Forensics
North korea
privacy
writing
Search Blog
DFIR Training
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
Even better, support DFIR Training at Patreon and get access to multiple online courses in digital forensics with included ebooks!
© 2019 Brett Shavers