Menu
  • Home
  • My Books
  • Courses
  • About Me
  • Contact
  • Home
  • My Books
  • Courses
  • About Me
  • Contact

Brett Shavers | Ramblings

Brett's Ramblings

Subscribe to blog
Unsubscribe from blog
Settings
Sign In
If you are new here, Register
  • Forget Username
  • Reset Password
Font size: + –
Subscribe to this blog post Unsubscribe
Report
Print
1 minute reading time (245 words)

Portable Internet Evidence Finder and WinFE

Digital Forensics
Brett Shavers
Saturday, 15 January 2011
1504 Hits
2 Comments

Jad Saliba (of JadSoftware.com) has released an update to his Internet Evidence Finder/IEF in a portable version.  Now this sounds really good to have the ability to plug in a USB drive into a running machine to gather the information that IEF does.   But, to take it a step further, I tried IEF within a booted WinFE system.   And the result....it works perfectly!

To make sure you can get the full grasp of how neat this is, you can boot to WinFE and run IEF across the physical drive, without making any changes to the evidence.  This could be of real importance in an investigation such as a missing person case where internet/chat/webmail may be of immediate intelligence value.  Rather than imaging the hard drive to search for this data from the image, or booting the machine to its operating system and potentially overwriting pertinent data, you can boot to WinFE and run IEF on the write protected drive.   Of course, in a missing person case where chat is involved, it may also be most important to capture the volatile data FIRST before turning off the computer.

In civil case matters, this can be a fairly quick method of obtaining data relevant to the case matter onsite if imaging the hard drive is not allowed.

Although IEF doesn't run on Mac or Linux....if you boot a Mac or Linux machine with WinFE, IEF will run against that Mac or Linux hard drive ;)

Tweet
Share on Pinterest
0
Tags:
winfe
It's time to build your WinFE!
Updated video and other things

About the author

Brett Shavers

Brett Shavers

 

Comments 2

Guest
Guest - Nily on Sunday, 27 March 2011 16:39

I am currently using a mac right now and was just wondering if i could get some info on how to boot a mac with WinFE.

i am currently a college student and have lost some relevant information in my previous email service.

thank you very much.

0 Cancel Reply
I am currently using a mac right now and was just wondering if i could get some info on how to boot a mac with WinFE. i am currently a college student and have lost some relevant information in my previous email service. thank you very much.
Cancel Update Comment
Guest
Guest - Brett Shavers on Monday, 28 March 2011 01:47

Just boot the Mac to a WinFE CD. As long as it an intel Mac, it'll boot to WinFE.

0 Cancel Reply
Just boot the Mac to a WinFE CD. As long as it an intel Mac, it'll boot to WinFE.
Cancel Update Comment
Already Registered? Login Here
Guest
Saturday, 30 May 2020
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

By accepting you will be accessing a service provided by a third-party external to https://brettshavers.com/

direct link

Brett's blog

Posts List

Tag Cloud

windows forensic environment University of Washington phishing North korea bitcoin Hiding Behind the Keyboard tor browser Hacker gmail surveillance winfe X-Ways Forensics Practitioner's Guide training privacy investigations Registry Forensics book Windows Forensic Environment forensics imaging writing Bitcoin Forensics RegRipper Jimmy Weg Volume Shadow Copy email Placing the Suspect Behind the Keyboard investigation dfir Virtualization 4cast X-Ways Forensics windows fe wiretap case studies presentations bitcoin forensics

Search Blog

DFIR Training

Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.

Even better, support DFIR Training at Patreon and get access to multiple online courses in digital forensics with included ebooks!

http://www.patreon.com/DFIRTraining 

© 2020 Brett Shavers