Current and Future Development of Windows FE

The WinFE journey…

From Troy Larson’s first vision of the Windows Forensic Environment to the improvements currently being made, WinFE is set to become one of the best forensic boot disks/USBs available.

The ease to which it can be created has been simplified greatly by Björn Ganster’s automated batch files (my initial batch files were elementary compared to Björn’s improvements).  Colin Ramsden is working some aspects of WinFE that really are impressive, such as GUI’s for WinFE, installing hasps drivers, mapping network drives, Apple HFS+ drivers, other program installations help, etc…   Jad Saliba of JadSoftware has plans to work on making IEF run in the WinFE environment.  Add these to Matt Churchhill’s version “WindowsRipper” modified from Harlan Carvey’s  “RegRipper” and you are set to add such a triage functionality to WinFE, that given 20 minutes in front of a computer, you may be able to get everything you need from the machine.  You can either determine if the computer is worth seizing at all, or in the case of a (legal!) snatch and grab op, grab only the data of importance from a host computer without the (criminal/terrorist) user ever knowing their computer was touched.

It is incredible what a group of contributors can have on a project that benefits the community. If you haven't gotten access to the shared folder, you can use this link to sign up for DropBox and I'll share the folder with you.  If you have already gotten a DropBox account, send me an email so I can share the folder with your current login.  I'd make the folder public, but would rather have at least one step to get to it rather than it open to the world so easily.  The neat thing about the shared folder, is that when someone puts in an updated batch file, you have access to it immediately.

For anyone waiting for WinFE to be available for one single and complete won't happen.  There are some MS licensing issues that prevent that, so sit down for a bit, take a look at how to make one, and get started!  You won't regret it.
402 Hits

Internet Evidence Finder (IEF): interview with Jad Saliba of

Jad Saliba, developer of the Internet Evidence Finder (IEF) and other neat software was interviewed recently and mentioned that he has plans to make IEF run portable on WinFE.  If you haven't purchased a copy of IEF (free to LE), take a look at it.  This would be a fantastic triage type application on WinFE as it searches for chat, email fragments (including Gmail!), Facebook snippets and fragments, Limewire, and more.

The day IEF is able to run on WinFE is the day I add it to mine ;)
420 Hits

More Windows FE and triage notes (WindowsRipper?)

Matt Churchhill ( has been doing some work to supercharge RegRipper.  Take a look at his video and while watching, consider how this can affect your method to triage a computer when booted to WinFE...


551 Hits

Windows FE and Triage webinar

This should be a neat webinar on Windows FE and Triage.

Check the "Using WinFE" page for tips on using WinFE for not only triage/preview, but other ways to use the tool.  Until I hear otherwise, I have found that X-Ways Forensics is the most complete forensic tool that can run on the Windows Forensic Environment without having to install dongles or hasps, dependent files, or other installation hassles.  Simply copying the X-Ways Forensic folder runs the program.  Take a look at the Triage/Preview link on this site for some things XWF can do in this sort of scenario.

547 Hits