Not to get into the long history of WinFE, but rather focus on the course I created about 2 years ago…it’s time for an update to the course. Almost 5,000 people have signed up for the online WinFE course since 2014. WinFE has been taught everywhere since its inception, from colleges to federal forensic courses to everything in between.
Technology changes, and with it WinFE needs to be updated, along with a second, related topic to be included in the course. In the next few weeks, I am updating the WinFE course and adding Linux distros to the mix (only the most current Linux forensic distros, not the outdated and non-maintained systems). The new course is tentatively titled,
"Bootable Forensic Operating Systems"
or something to that effect, covering both Windows and Linux forensic boot systems.
The intention of this new course is the same as the previous course: Give forensic analysts additional options in collection, preview/triage, and analysis.
On a side note, I have had about a dozen or so emails about WinFE telling me that:
You have to use a write-blocker
You can’t trust bootable media to be forensically sound
No one does it this way anymore
Today’s computers don’t allow booting to external media
Each time, I have said, “You’re right. Feel free to use what you want.” I really don’t see a need to argue with anyone set in his or her ways in the DFIR field. My opinion is simply that if something works, use it. If something doesn’t work, don’t use it. This applies to WinFE, a Linux forensic boot disc, or a write blocker as much as it applies to X-Ways, EnCase, or FTK.
Seriously, if WinFE works for you in a given situation, and you have a choice, feel free to use it. It’s been battle-proven more than enough. Same with the Linux distros. If you like it, and it works, and it fits your needs, why not use it?
With that, I still believe forensically sound bootable media has its place in the forensic world. The upcoming course will talk all about it, including building a WinFE and perhaps even putting together your own Linux distro.