Follow up: Windows FE and Live Forensic Triage

For anyone that missed this WinFE webinar-""...I did view it today.  The WinFE discussion started about 30 minutes into the webinar, and only lasted for about 10 minutes.   Fortunately, there was a question/answer after the presentation for about 10 minutes.   However, the only information given on building your own WinFE was to contact Microsoft and an article in Hackin9 magazine (there was no reference to this WinFE site as a resource to build your own WinFE…even after submitting the web address information…).

Given some interest, I’d gladly host a webinar on WinFE, (more than 10 minutes worth, showing how to build your own, and not based on selling you some software…).
378 Hits

WinFE Wish List

Troy Larson and Colin Ramsden are working on making some changes and adding features of interest to Windows FE. If you have any ideas as to what you'd like to see, please post them in the forum.

Some of the features of interest are Bitlocker support and VSS support. Feel free to shoot your requests here since you have the best hands on WinFE looking for ideas to implement, and a rare opportunity to 'develop' WinFE as a WinFE user.

477 Hits

Create your own WinFE ISO, for free, in just a few minutes

The below video shows how simply and quickly you can create a WinFE ISO. As you'll see in the video, all you need to do is...
1) Install Windows AIK
2) Download the WinFE batch files
3) Run "createfolders.bat"
4) Copy your forensic tools into a folder
5) Run "createwinfe.bat"
6) Burn your CD with the created ISO


2909 Hits

Gargoyle and Windows Forensic Environment

It is great to see that the Windows Forensic Environment is being used as an accepted forensic platform by software manufactures, such as F-Response (blogged about running F-Response on WinFE) and WetStone.   WetStone has a version of their malware software available  on the WinFE system (although WetStone calls it the Windows Forensic Edition rather than Environment,  I believe they mean the same thing).

469 Hits

WinFE Teaser Screenshots

Colin Ramsden has been working feverishly on some modifications to WinFE that will appeal to everyone.    For some teaser screenshots, take a look here.   Bitlocker support, installing drivers while already booted to WinFE, clean shutdown that ejects the CD, and an easy to use Disk Management Console.  Believe it or not, Colin has even more to add.

Given the ability to make your own WinFE ISO with Colin's work, you surely will have one of the best forensic boot environments to date.

545 Hits

New Site and Updates

As you can see, the WinFE site has been migrated to WordPress.  This format allows me a little more freedom than Blogger as well as less time maintaining a website.  This site and work is patient ;)

You can now find the batch files accessed through direct downloads.  I am more than happy to put up additional work or corrections/improvements to what is posted.  At this point, Colin Ramsden is working on his code in creating something I call the "SuperDuper Version" of Windows FE.  I'll let him describe the details when he is finished, but I promise, from what I've seen so far, it is really cool.

565 Hits

More Windows FE and triage notes (WindowsRipper?)

Matt Churchhill ( has been doing some work to supercharge RegRipper.  Take a look at his video and while watching, consider how this can affect your method to triage a computer when booted to WinFE...


526 Hits

Windows FE and Triage webinar

This should be a neat webinar on Windows FE and Triage.

Check the "Using WinFE" page for tips on using WinFE for not only triage/preview, but other ways to use the tool.  Until I hear otherwise, I have found that X-Ways Forensics is the most complete forensic tool that can run on the Windows Forensic Environment without having to install dongles or hasps, dependent files, or other installation hassles.  Simply copying the X-Ways Forensic folder runs the program.  Take a look at the Triage/Preview link on this site for some things XWF can do in this sort of scenario.

528 Hits