I’m a fan of WinFE. I’ve used it, written about it, helped develop it, taught it, and assisted others to teach it. The way that I talk about it, you’d think that WinFE is the best thing that ever came along, does everything you need in forensics, and nothing can out do what it does. Actually, WinFE doesn’t do much at all. But that for what it does, it does ingeniously.
The top 5 cool things
#5 Forensically boot a Windows, Mac, Linux machine to a Windows Forensic Environment
#4 Forensically Boot a Surface Pro to a Windows Forensic Environment
#3 Image storage drives (full, sparse, or targeted) with Windows tools
#2 Perform a triage or preview with Windows tools
#1 Do a complete exam with Windows tools on the evidence machine
There are even more things you can do as well that makes WinFE cool, but this is a good start. Being a free tool makes it cool too.
What’s the big deal?
WinFE forensically boots to Windows. That means you can use Windows-based forensic tools!
The numbers
3,447 * Years ago, I threw together a quick WinFE online class for free. Over 3,000 took the course before I eventually took it offline since WinFE has had several updates since the course was developed.
5,592 * I recently put on a longer Forensic Operating System course (that focused on WinFE more than other live CDs) and as of today, more than 5,500 have taken that course.
15,000 * That’s the number where I stopped counting the downloads of the WinFE script and various WinFE builders from over the years. That doesn’t mean 15,000 WinFE users, just that it is a lot of downloads of past and current WinFE build projects. That also does not include WinFE basic builds where Microsoft downloads are required (and not a WinFE project).
The point is that WinFE is a valid tool used by many, and since there is no marketing department for it, I'm marketing it because I use it and prefer that it remain relevant in the community...so I can keep using it :)
The latest WinFE course
I had been asked for a new course just on WinFE and not any of the other live CDs, so here it is. I included the multiple types of WinFE builds including Windows To Go in order to cover everything about a Windows-based, forensically sound, bootable operating system. This course is only for those who did not take the Forensic Operating System course, since the WinFE information is the same in both courses.
Of course there is a promotion
For any course I publish, you probably noticed that for a few days, I have a promotional discount. This course is no different. I ask that you share the promotion because invariably I get emails asking to extend the promotion (no extensions….sorry).
The new Windows Forensic Environment online course is open! Use promo code "miniwinfe" for 50% off through April 10 for the first 100 registrations.https://t.co/urGlmsKHLH #dfir #infosec pic.twitter.com/duU3fEYnHU
— WinFE (@WindowsFE) April 8, 2018
The Windows Forensic Environment social group
Since WinFE isn’t a commercial tool, with no developers or support staff, it has been pretty much living on its own, being pushed about by its community of users. Searching for WinFE gets you about a dozen websites, most of which is outdated information, without any sole collection point. Therefore, there is now a group for it.
I will be putting everything in the social group as it comes up in terms of updates to WinFE building, usage, powerpoints for training, and curriculum if you want to have a turn-key model to add it in a forensic course that you teach. Only those who have registered for either this new WinFE or Forensic Operating System course are invited. The social group is a repository for community support, related downloads, and updates to the WinFE projects; it is not a beginner’s class in what WinFE is.
The time to self-learn WinFE can take days. There is no help desk, tech support, help line, or single point of reference information for WinFE. If you don’t have patience to self-learn how to build it, you will give up. Even tho the Internet is full of instructional guidelines, the good is intermingled with the outdated. This course is the most current and up-to-date WinFE building and the WinFE social group will have all future updates for you to get it right the first time.
ps: Pass the quiz at the end of the course and receive a certificate of course completion (3 hours) in the instruction of building and using WinFE.
Article Link: http://www.brettshavers.cc/index.php/brettsblog/entry/5-cool-things-you-can-do-with-the-windows-forensic-environment-winfe