Mini-WinFE has been updated and upgraded. I post updates on WinFE developments (including the downloads for Mini-WinFE) at https://www.patreon.com/posts/34814255. The Mini-WinFE builder is a free download.
Depending on who you ask, forensic bootable OSs are either extremely valuable or of no practical use. The answer depends on your job, which is why WinFE works great for some and not at all for others. For traditional forensics on deadbox machines, WinFE has a place. In ediscovery matters for data collection, WinFE certainly has a place with custodian machines. For devices that can’t be imaged or accessed other than by booting the machine, WinFE has a solid place in the DFIR toolbox. If your job does not involve imaging machines in a forensically sound manner, then WinFE may not be useful to you. The value of WinFE depends solely on whether you can use it in your job.
WinFE (Windows Forensic Environment) is a forensically sound, bootable Windows operating system, created by Troy Larson and built using a string of command lines. In short, Troy turned WinPE into a WinFE.
Mini-WinFE is an easier method of building a WinFE that gives a ‘fuller’ version of WinPE. I selected WinBuilder, a project in use for years for customizing WinPEs, to be used as the WinFE building project. A smaller, lighter, quicker build (Mini-WinFE) became the de facto WinFE build because of ease of build and ease of use. Mini-WinFE has now evolved into using PE Bakery, with Misty updating the Mini-WinFE project and Colin Ramsden updating the Write Protect Tool.
WinFE 10 is the most substantial improvement to WinFE since its inception by Troy Larson. Colin Ramsden did an amazing job of completely updating the WinFE Write Protect tool in his build project and of enabling WinFE acquisition of ARM devices. The next phase of WinFE 10 was to implement Colin Ramsden’s upgraded write protect app into the WinBuilder build of Mini-WinFE. In this most recent improvement of Mini-WinFE, PE Bakery was chosen as an improved replacement for WinBuilder. Both Colin and Misty have now updated Mini-WinFE with Colin’s latest Write Protect tool.
The primary difference between Mini-WinFE and WinFE 10 is that the Mini-WinFE build, unfortunately, does not acquire ARM devices as Colin’s WinFE 10 build does. However, Mini-WinFE is easier and faster to build, which is great for anyone needing a WinFE but not needing an ARM WinFE (WinFE 10).
Using Colin Ramsden’s build of WinFE 10, you have the new capability to image ARM devices. He also completely updated his write protect tool, and his build method also includes a new forensic imaging tool that works in ARM. That is 100% cool.
For the build download of Colin’s new WinFE, check out Colin’s website, https://www.winfe.net/.
Ultimate Cheats! Windows Forensic Environment (https://www.amazon.com/Ultimate-Cheats-Windows-Forensic-Environment/dp/1790322782). Covers all things WinFE and is a good reference for building all versions of WinFE, from the first version to the current WinFE 10 version.
DFIR books: Multiple books have referenced WinFE, but few (if any) have any details on how to build a WinFE.
If you are in law enforcement (LE), there are a few sources of WinFE training:
For non-LE, there is even less training, but you may be able to find WinFE incorporated in some college-level forensic programs.
An online WinFE course that includes printable proof of completion is available as part of a Patreon subscription at https://www.patreon.com/DFIRtraining. The work-at-home/stay-at-home special of 60% off is ongoing and includes other courses too. The curriculum of the online course can be seen at: http://courses.dfironlinetraining.com/windows-forensic-environment-winfe.
Until/unless a day comes when devices cannot be booted forensically, WinFE will continue to be a useful tool in your DFIR toolbox. WinFE has been around for over a decade, has been used to acquire evidence in both civil and criminal cases worldwide, is taught everywhere, is noted as a community-accepted forensic tool in many DFIR books, and is awesome as an acquisition tool!
Hi Brett, Wondering if there is a way to add dot net framework to a Mini WinFE build?
There is, but it is not easy. I remember seeing a WinBuilder script at one point, but do not know if it worked.
Microsoft says it is possible (https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference), "WinPE-NetFX contains a subset of the .NET Framework 4.5 that is designed for client applications. Not all Windows binaries are present in Windows PE, and therefore not all Windows APIs are present or usable."
I had started to put together a build process, but the difficulty in making it easy to do did not seem possible or worthwhile (basically, too difficult to make an easy-to-build-WinFE-with-dot net). There are YouTube videos and blogs that describe putting dot net into a WinPE, which would be the same as WinFE.
Personally, the reason for Mini-WinFE is for it to be used as a lightweight, small footprint, fast forensic Windows boot OS. To go beyond Mini-WinFE dips into Windows to Go territory where you can have it all, but at a higher price of slow build time, fewer devices to boot from, and the licensing restrictions.
© 2023 Brett Shavers