The short story on the newest Mini-WinFE 10 (aka, the download link):Mini-WinFE 10
Are forensic bootable OSs still useful today?
Depending on who you ask, forensic bootable OSs are either extremely valuable or of no practical use. The answer is based on your job, which is why WinFE works great for some and not at all for others. For traditional forensics on deadbox machines, WinFE has a place. In ediscovery matters for data collection, WinFE certainly has a place with custodian machines. For devices that can’t be imaged or accessed other than booting the machine, WinFE has a solid place in the DFIR toolbox. If your job does not involving imaging machines in a forensically sound matter, then WinFE may not be useful to you. The value of WinFE is solely dependent on if you can use it in your job.
What is (Mini) WinFE?
WinFE (Windows forensic Environment) is a forensically sound, bootable Windows operation system, created by Troy Larson and built using a string of command lines. In short, Troy turned WinPe into a WinFe.
Mini-WinFE is easier method of building a WinFE that gives a more ‘fuller’ version of WinPE. I selected WinBuilder, a project in use for years for customizing WinPEs, to be used as the WinFE building project. A smaller, lighter, quicker build (Mini-WinFE) became the defacto WinFE build because of ease of build and ease of use. Mini-WinFE has now evolved into using PE Bakery with Misty updating the Mini-WinFE project and Colin Ramsden’s updating the Write Protect Tool.
WinFE 10 is the most substantial improvement to WinFE since its inception by Troy Larson. Colin Ramsden did an amazing job of completely updating the WinFE Write Protect tool in his build project and with the WinFE acquisition of ARM devices. The next phase of WinFE 10 was to implement Colin Ramsden’s upgraded write protect app into the WinBuilder build of Mini-WinFE. In this most recent improvement of Mini-WinFE, PE Bakery was chosen as an improved replacement for WinBuilder. Both Colin and Misty have now updated the Mini-WinFE with Colin’s latest Write Protect tool.
The primary difference between Mini-WinFE and WinFE 10 is that the Mini-WinFE build, unfortunately, does not acquire ARM devices as does Colin’s WinFE 10 build. However, Mini-WinFE is easier and faster to build which is great for anyone needing a WinFE but not needing an ARM WinFE (WinFE 10).
Using Colin Ramsden’s build of WinFE 10, you have the new capability to image ARM devices. He also completely updated his write protect tool, and his build method also includes a new forensic imaging tool that works in ARM. That is 100% cool.
For the build download of Colin’s new WinFE, check out Colin’s website, https://www.winfe.net/.
Ultimate Cheats! Windows Forensic Environment (https://www.amazon.com/Ultimate-Cheats-Windows-Forensic-Environment/dp/1790322782). Covers all-things-WinFE and is a good reference to building all versions of WinFE, from the first version to the current WinFE 10 version.
DFIR books: Multiple books have referenced WinFE, but few (if any) have any details on the how-to-build a WinFE.
If you are in law enforcement (LE), there are a few sources of WinFE training:
- SEARCH https://www.search.org/get-help/training/high-tech-crime-investigations/instructor-led-training/windows-forensic-environment/
- RCFL https://www.rcfl.gov/orange-county/training-schedule/secure-techniques-for-on-site-preview-stop-nw3c
- Others As part of FLETC, IACIS, short conference presentations, and others.
For non-LE, the training is even less, but you may be able to find WinFE incorporated in some college-level forensic programs.
An online WinFE course that includes printable proof of completion as part of a Patreon subscription at https://www.patreon.com/DFIRtraining. The work-at-home/stay-at-home special of 60% off is ongoing and includes other courses too. The curriculum of the online course can be seen at: http://courses.dfironlinetraining.com/windows-forensic-environment-winfe.
The future of WinFE
Until/unless a day comes when devices cannot be booted forensically, WinFE will continue to be a useful tool in your DFIR toolbox. WinFE has been around for over a decade, used to acquire evidence in both civil and criminal cases worldwide, taught everywhere, noted as a community accepted forensic tool in many DFIR books, and is awesome as an acquisition tool!
When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.