Menu
  • Home
  • My Books
  • Courses
  • About Me
  • Contact
  • Home
  • My Books
  • Courses
  • About Me
  • Contact

Brett Shavers | Ramblings

Brett's Ramblings

Subscribe to blog
Unsubscribe from blog
Settings
Sign In
If you are new here, Register
  • Forget Username
  • Reset Password
Font size: + –
Subscribe to this blog post Unsubscribe
Report
Print
1 minute reading time (245 words)

Portable Internet Evidence Finder and WinFE

Digital Forensics
Brett Shavers
Saturday, 15 January 2011
1729 Hits
2 Comments

Jad Saliba (of JadSoftware.com) has released an update to his Internet Evidence Finder/IEF in a portable version.  Now this sounds really good to have the ability to plug in a USB drive into a running machine to gather the information that IEF does.   But, to take it a step further, I tried IEF within a booted WinFE system.   And the result....it works perfectly!

To make sure you can get the full grasp of how neat this is, you can boot to WinFE and run IEF across the physical drive, without making any changes to the evidence.  This could be of real importance in an investigation such as a missing person case where internet/chat/webmail may be of immediate intelligence value.  Rather than imaging the hard drive to search for this data from the image, or booting the machine to its operating system and potentially overwriting pertinent data, you can boot to WinFE and run IEF on the write protected drive.   Of course, in a missing person case where chat is involved, it may also be most important to capture the volatile data FIRST before turning off the computer.

In civil case matters, this can be a fairly quick method of obtaining data relevant to the case matter onsite if imaging the hard drive is not allowed.

Although IEF doesn't run on Mac or Linux....if you boot a Mac or Linux machine with WinFE, IEF will run against that Mac or Linux hard drive ;)

Tweet
Share on Pinterest
0
Tags:
winfe
It's time to build your WinFE!
Updated video and other things

About the author

Brett Shavers

Brett Shavers

 

Comments 2

Guest
Guest - Nily on Sunday, 27 March 2011 16:39

I am currently using a mac right now and was just wondering if i could get some info on how to boot a mac with WinFE.

i am currently a college student and have lost some relevant information in my previous email service.

thank you very much.

0 Cancel Reply
I am currently using a mac right now and was just wondering if i could get some info on how to boot a mac with WinFE. i am currently a college student and have lost some relevant information in my previous email service. thank you very much.
Cancel Update Comment
Guest
Guest - Brett Shavers on Monday, 28 March 2011 01:47

Just boot the Mac to a WinFE CD. As long as it an intel Mac, it'll boot to WinFE.

0 Cancel Reply
Just boot the Mac to a WinFE CD. As long as it an intel Mac, it'll boot to WinFE.
Cancel Update Comment
Guest
Friday, 04 December 2020

Captcha Image

By accepting you will be accessing a service provided by a third-party external to https://brettshavers.com/

direct link

Brett's blog

Posts List

Tag Cloud

case studies windows fe forensics X-Ways Forensics investigations Windows Forensic Environment X-Ways Forensics Practitioner's Guide University of Washington North korea investigation bitcoin Registry Forensics Placing the Suspect Behind the Keyboard phishing wiretap windows forensic environment imaging Bitcoin Forensics expert RegRipper Hiding Behind the Keyboard Hacker 4cast email surveillance Jimmy Weg book winfe Virtualization dfir writing presentations training tor browser Volume Shadow Copy bitcoin forensics gmail privacy

Search Blog

DFIR Training

Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.

Even better, support DFIR Training by subscribing at https://www.dfir.training/subscriptions and get access to multiple online courses in digital forensics with included ebooks!

© 2020 Brett Shavers