Forensic Operating Systems
The time has come! The Windows Forensic Environment (aka Windows FE, aka WinFE) project and course has been updated.
Tweet from WinFE (@WindowsFE), March 22, 2018 (https://twitter.com/WindowsFE/status/976752682525315074): "The Forensic Operating System with Mini-WinFE may re-open early depending upon the numbers on the wait list. If you are interested, please send me an email or DM so that I can plan for increasing the allotted number of registrations." https://t.co/20jvXlHkV6 pic.twitter.com/2rj6SLop4B
The course is arranged so that you can skip over any topic and go right to what you need right now. So, if you need a WinFE build right now, go to that section first and get the information you are looking for. Complete the entire course for a certificate of completion to document your training hours (5 hours of documented training time).
But it’s 2018. Aren’t bootable forensic discs outdated?
We’ve come a long way from using bootable floppies to image drives with Safeback, but it seems the only thing that changed was the bootable media, not the method.
Booting any system to external media is not my first choice, until it is. Some systems can only be acquired, accessed, previewed, triaged, or touched by booting them to external media. Some situations are best approached by booting to external media.
The real benefits are being able to more quickly acquire data, acquire data forensically when you can’t otherwise, acquire data that you couldn’t acquire at all, find evidence faster, eliminate and prioritize forensic examinations, and make your work more productive.
Who uses WinFE?
· It is taught world-wide by training providers in government, universities, and private courses
· It has been used in criminal and civil cases, and internal corporate matters (and courts!)
· Over 3,500 users signed up and completed the first online WinFE course (now updated)
· Over 10,000 downloads of the WinFE projects in the past 5 years
I am certain that Troy Larson had no idea that giving me instructions to build a WinFE would eventually turn out like this…
With the new WinFE build, the total time from start to finish is less than ten minutes. That includes downloading the WinFE project, setting it up, creating the WinFE.iso, and finally creating a bootable CD/DVD/USB. This means that if you were to build a WinFE today, you’d have it in your DFIR toolbox ready to go anytime in minutes.
But Linux and Mac!
I go over Linux distros and Mac options in the online course, and credit the best of each for what they do best for different needs. I also go over the negative points of each. Working in this field requires walking into unknown environments all the time; therefore, be prepared with options before you end up in a situation where you find that you should have done this earlier.
What's the big deal?
It's another tool in your toolbox. I can't count the number of times I have been emailed by someone asking me to give them the 2-minute version of how they can build a WinFE, right now, while they are onsite dealing with something they were ill-prepared to deal with. Now is the best time to get your bootable forensic operating systems in order, because you will be in that spot one day. Hint: emailing me isn't going to make a WinFE disc magically appear... you have to build it on your own. The good news: you can do it in a few minutes and have a tool that might get you out of a jam in which you would otherwise be stuck. Your bootable media should also include Linux and Mac solutions, which are discussed in the course too.
The days of Safeback and floppies may be over, but we are seeing more systems than ever before that require a forensic OS boot, out of sheer necessity due to their hardware configurations.
Download the Mini-WinFE used in this course at: http://www.brettshavers.cc/index.php/mini-winfe-download