Brett Shavers | forensics & things

Brett's Ramblings


Ye ol’ Windows FE

Digital Forensics
Brett Shavers
Monday, 31 October 2016

Not to get into the long history of WinFE, but rather focus on the course I created about 2 years ago…it’s time for an update to the course.  There have been almost 5,000 people that signed up for the online WinFE course since 2014.  WinFE has been taught everywhere since its inception, from colleges to federal forensic courses to everything in between.  

Technology changes and with that, WinFE needs to be updated along with a second related topic to be included in the course.  In the next few weeks, I am updating the WinFE course and adding Linux distros to the mix (only the most current Linux forensic distros, not the outdated and non-maintained systems).  The new course is tentatively titled,

"Bootable Forensic Operating Systems"

or something to that effect of having both Windows and Linux forensic boot systems.

The intention of this new course is the same as the previous course: Give forensic analysts additional options in collection, preview/triage, and analysis.

On a side note, I have had about a dozen or so emails about WinFE telling me that:

  1. You have to use a write-blocker

  2. You can’t trust bootable media to be forensically sound

  3. No one does it this way anymore

  4. Today’s computers don’t allow booting to external media

Each time, I have said, “You’re right.  Feel free to use what you want.”  I really don’t see a need to argue with anyone set in his or her ways in the DFIR field.  My opinion is simply that if something works, use it.  If something doesn’t work, don’t use it.  This applies to WinFE, a Linux forensic boot disc, or a write blocker as much as it applies to X-Ways, EnCase, or FTK.

Seriously, if WinFE works for you in a given situation, and you have a choice, feel free to use it.  It’s been battle-proven more than enough.  Same with the Linux distros. If you like it, and it works, and it fits your needs, why not use it?

With that, I still believe forensically sound bootable media has its place in the forensic world.  The upcoming course will talk all about it, including building a WinFE and perhaps even putting together your own Linux distro.

Tags:
winfe Windows Forensic Environment
© 2019 Brett Shavers