
Brett Shavers | Ramblings

Brett's Ramblings


It's time to build your WinFE!

Digital Forensics
Brett Shavers
Saturday, 15 January 2011

You can now download the WinFE WinBuilder.  Thanks to everyone that helped support this effort, it was well worth it.



As for a guide on how to use WinFE, one probably isn't really needed, since WinFE is simply a forensic boot disc. So, you might not need any help in putting WinFE to good use. However...there may be a few things you didn't know you could do with WinFE that could be of interest. Since that might be the case, here is a quick guide with tips on using WinFE as well as tips for building with WinBuilder.

Users Guide to WinFE

For support on how to use WinBuilder (troubleshooting, advanced features), check out the WinBuilder website at http://reboot.pro.

To reiterate some points about WinFE (and to hopefully prevent 'hate mail' coming to me from commercial products...), WinFE is an addition to your forensic toolkit. It doesn't replace any tools; it only supplements what you are using anyway. Commercial products that do the same thing that WinFE does work too. Keep buying those if you want; you don't have to use WinFE. And for the Linux lovers out there (Hey, I'm one of you guys too!), there is a time and place for everything: sometimes WinFE is best, another time CAINE or DEFT or ???*nix may be best.

As far as anyone making a profit out of WinFE, no need to ask, because no one is;  it is a community project of customizing a Windows PE to fit your needs.

And yes, there are even some more neat things to be added to WinFE in the future...but as of now, you have access to a solid forensic environment.

Additional credits for this project:

This project uses the Win7PE_SE project as its base build, thanks to ChrisR for his great work (Win7PE_SE: http://reboot.pro/12427/). Also, thanks to Yahoouk, JFX, Altorian, Lancelot, and RuiPaz of the Win7PE project, on which this WinFE WinBuilder is based.
Tags:
winfe

Comments 14

Guest - Lancelot on Sunday, 16 January 2011 01:44

Taking any tool or codes and using it for some other purposes is okay to the contributors of open-source free world.

Even no credits are required at all

At least above is my thoughts.

But I agree with ChrisR,
http://reboot.pro/13622/page__view__findpost__p__119415
it is truly a shame and very un-gentleman not giving any credits by only adding 1 script to "Win7PE SE" project ( http://reboot.pro/12427/ ) many people (Yahoouk, JFX, Altorian, ChrisR, RuiPaz.... including me) worked hard with many many contributors, and announcing it like a new project.

Guest - Brett Shavers on Sunday, 16 January 2011 10:14

Credit to all who I know that contributed to both WinFE and the WinBuilder WinFE project (if I've missed anyone, I'm happy to add to the list):

Troy Larson, Senior Forensic Examiner of Microsoft, created the Windows Forensic Environment (WinFE) by making two subtle, yet significant, changes in the Windows Pre-installed Environment (WinPE) registry. Nuno Brito for developing the WinBuilder application for WinPE building. Chris Roules for developing the Win7PE build for WinBuilder (along with several older administrators and Yahoouk JFX). And Royal Meirer for writing the script that implements Troy Larson’s registry modifications. A combination of outstanding individuals contributing to a superb method of building a WinFE.

WinFE existed with just the WinPE registry mods by Troy as a standalone utility and not built using WinBuilder; WinBuilder existed without anything related to WinFE as a standalone application; Win7PE existed because of WinBuilder as a project; all I did was ask if WinBuilder could build a WinFE....and Royal wrote a script that put all of the above together into a simple way to build a WinFE.

Please send me the names as they wish to be seen in credit for Win7PE so I can credit them in a posting, I'm not here to take away the spotlight from anyone, just trying to get a job done.

Guest - ChrisR on Sunday, 16 January 2011 20:11

I agree with Lancelot.
Thank you for the credit and for clarifying things.

I think it's good to add Lancelot. He really provided a lot of hard work on different versions of Win7PE_SE since the beginning of this project.

Guest - David Kovar on Sunday, 27 February 2011 07:15

I downloaded the WinFE Builder from the link provided, but the contents appear to be a standard WinPE builder. In particular, there is no option for installing FTK Imager and "WinFE" isn't mentioned anywhere.

-David

Guest - Brett Shavers on Sunday, 27 February 2011 08:31

It is a standard WinPE builder (Win7PE) but has an additional script in the "tweaks" section that has the FTK imager option to select or deselect. There is no option to not choose the WinFE registry modification as that is hard coded in the script to prevent creating a Win"P"E when you wanted a Win"F"E. There is a coming update with some additional scripts to include a GUI for DiskPart and installation of other forensic programs during the build.

Practically, anyone can copy the WinFE script from this build and use it on a different build, but this particular WinBuilder was chosen and tested specifically with WinFE in mind, so for use in any other build, it will require more work and testing to make sure it works in different builds.

Guest - David Kovar on Sunday, 27 February 2011 09:00

Please disregard my last message. I found the FE elements, it just didn't match the screenshots.

Guest - Brett Shavers on Monday, 28 February 2011 11:54

The FE script will be changing as things are added, but should always be in the 'tweaks' section. Colin Ramsden's DiskPart GUI will be the next addition along with a few other goodies.

Guest - peet on Wednesday, 20 July 2011 06:58

when will that happen? we now got july ;)

Guest - Brett Shavers on Wednesday, 20 July 2011 07:16

Here is the issue...in all polite fairness to Microsoft, we (myself and the writers of Colin's app) asked for the blessing to freely release the app to the public. Although Colin's app does not make any persistent changes to the WinP/FE, nor violates the EULA, we think best to have Microsoft attorneys also agree to prevent any problems with its use in criminal/civil cases. Rather than be considered a 'hack' to WinFE, we believe it best to ensure that Colin's app, as an option to DiskPart, is not considered anything other than a GUI to DiskPart.

So, with that, we are waiting and gently prodding, for an answer from Microsoft. The second after hearing that they either don't care one way or the other, or that they have no issues with releasing it, the script will be made available for immediate use. Perhaps we should send Microsoft a bouquet of roses and a bottle of wine??

The app works well. Push button control of all drives and USB devices. Plus some other neat little addons too.

Guest - wesleyhe on Friday, 27 July 2012 10:18

why not just provide the script for winFE tools. I have added so much to my PE disk and would like to just add that script in. can you provide this?

Guest - Brett Shavers on Friday, 27 July 2012 14:58

The script can be downloaded from Colin's site (address in the post) or from this blog from the Box.com widget (WP.script). You have to be aware that there are scripts that can access the hard drive even with the WinFE script, such as the MMC script.

Guest - Jason on Wednesday, 08 August 2012 05:47

Brett - tried to access the WinFE Builder at http://winbuilder.net/downloads/WinFE_Builder.zip but get a 404 non-existent link message. Did the builder location change recently, or am I just missing something obvious? Thanks.

Guest - Brett Shavers on Wednesday, 08 August 2012 06:08

I just removed that link as it was for an older winbuilder. Since Winbuilder is updated faster than I can keep up, it is better to download Winbuilder from http://www.reboot.pro and add the write protect script to your download. That ensures you get the latest build. So, no, you weren't missing anything, just a dead link (thanks!).

Guest - Lancelot on Wednesday, 08 August 2012 23:24

Hi Jason,

WinFE you refer is Win7PESE + Forensic plugin
You can download Win7PESE from its HomePage
http://w7pese.cwcodes.net/Compressed/
+
Add "Forensic plugin" from
http://www.ramsdens.org.uk/download.html
(at the bottom)

Here you can also find "WinFE Lite" which builds from waik source by using cmd batches.

@Brett Shavers:
Dropbox links I clicked on mainpage http://winfe.wordpress.com are also dead..
And yes, since wb updated without backward compatibilities and causing dead links and projects... nothing new ;)
That is one of the reasons we have solid links and forum elsewhere with project-compatible wb version inside zip distributions.
