Brett's Blog

Just some ramblings.

Another Discount on the XWF Guide at $37.96

Amazon reduced the price, grab it while you can before it goes up (again).


320 Hits

C4All X-tension update

Update November 14, 2014

Download link to version 3.6.2.d
This update changes the way the video stills are treated when extracting movies.
-now video stills are extracted if the parent movie is extracted, regardless of whehter
the video still has been type verified.





That is for version 3.6.2.d that fixes a few issues with C4All not handling some characters.


Continue reading
589 Hits

Barely any updates to WinFE :(

winfeUnfortunately there are so few updates nowadays to WinFE, that this blog is woefully neglected...on a positive note, since WinFE practically needs no updates, there is hardly a need to keep up on WinFE once you have mastered building it.

The best and most current source of all-things-WinFE is from a free online course at so other than taking the course, this blog will not have additional information building WinFE.

The course includes downloads and links to downloads to build every publicly known version and build type of WinFE, from the basic WinFE, WinFE Lite, WTE WinFE, Mini-WinFE, and WinBuilder WinFE.

The WinFE wordpress blog will be used only for sporadic WinFE updates and related information since WinFE has practically reached the best it can be at current software standards (Windows 8).  The only posts that may be original from here on out would be case examples, but that quickly grows old (I booted a machine to WinFE and imaged it...).  A few instances are very neat, like imaging a Surface Pro, and for those interesting cases, I'll post them as I come across them or am sent information about them.

At its foundation, WinFE is a strong forensic OS platform, built on the latest Windows operating system, which can run most types of forensic software.  That's about it.  Simple, but amazingly effective at a forensic boot platform.  Since it is so very simple, the updates to the WinFE blog become less and less.  Therefore, the free webinar course covers everything you need to learn about WinFE along with every download needed, plus tips on building, using, and testifying to the use of WinFE.

After you view the course and build a few WinFEs, you'll see that WinFE is only a forensic boot OS.  But you will also see that because it is a Windows boot OS, you can do so many things with it that you can not do with a Linux forensic OS or with a hardware writeblocker.  That is the beauty of WinFE.  Simple. Ingenious. Hard to improve upon (at this point...).

You have my permission to use the WinFE course and its materials in a manner that benefits WinFE at no cost.  That means you can use information from the course to teach WinFE at conferences or any training session.  WinFE is free (technically, you need a Windows OS license...but otherwise its free), and I've made the course free as well.  When teaching or writing about WinFE related to the source and you choose to attribute to the source, that's nice of you, but not necessary if you don't want.

Take a run at the WinFE course.  Watch all the videos or only the videos of interest. They are broken down by build types and how-to videos.  The most important benefit you can get out of the course (other than learning how to build/use WInFE) is getting some formalized training in front of you about WinFE.  It's one thing to spend hours (days?) figuring out something but quite another when you can get the meat-and-potatoes of what you need to know in the shortest period of time.  I'd reckon that even if you attend a presentation on WinFE, you will get so much more out of the online course that you won't regret the time spent.

I've also said a few times, that once you build and use a WinFE, you will regret not having done so years earlier.  Don't forget, WinFE has been around since works even better now than back then.


850 Hits

Updates to X-tension and Hash File Manipultator

Hashbrown program 64 bit version only updated October 10 2014

-New Version that handles many duplicates and many unsorted more efficiently posted.







Continue reading
536 Hits

Image a Surface Pro using bootable UEFI WinFE

surfaceproCool WInFE work done by Jeffrey A. Cunningham, Sr Digital Forensic Examiner, US Army (ChiefCham), on imaging a Surface Pro using a bootable UEFI WinFE.  It is certainly neat to see this type of testing and research done on ANY forensic tool where the results can be shared with everyone.

Thanks ChiefCham!

Image a Surface Pro using bootable UEFI WINFE

2350 Hits

Workarounds to Workarounds (and some hints & reminders)

Every now and then, I get email from readers who have difficulties, and some areas come up more often.  I also learn a few things as time goes by, and I gain some valuable pointers from colleagues who share my interests.  Therefore, I want to update or amend a few procedures as well as review some of the more basic steps that folks may overlook.

1. Building and booting EUFI/GPT systems and remembering the registry edit 

A little while back, I posted on building VMs from UEFI/GPT systems, found most often in Windows 8.  Since then, I’ve seen more of these outfits arrive in my shop, as the use of Windows 8 and large disk grows.  If you document your target system before an exam, which requires accessing the setup in most cases, you’re sure to recognize that the setup doesn’t resemble the BIOS of old.  There’s a sample screenshot in the above post.  Even if you dive straight away into your exam, you’ll find a clue when you study the partitioning of your target image file:

GPT Disk

X-Ways Forensics users will receive the answer to the clue without having to guess.  The GPT partitioning style with the four partitions, including the MS reserved partition, mean that you have a UEFI system.  The FAT32 partition likely holds your EFI boot data:


Continue reading
138 Hits

USB Malware and WinFE

The recent release of USB malware, in which any USB device is suspect of being infected after plugging into an unknown-if-clean machine, makes a problem for bootable USB devices in forensic collection.  Some of the very scary claims to the USB malware are (

  • Alter files from thumb drives

  • Redirect Internet traffic

  • Tap and spy on USB-enabled smartphones

  • Hijack keyboards to type commands

  • Potentially inject malicious elements as files are being transferred

  • badusb


That is bad stuff for a forensic bootable USB device.   I've seen a few suggested solutions to the USB infection issue, but the fastest solution with WinFE is to burn to a CD/DVD instead of making a USB bootable.  Problem solved.

Building a WinFE is still very very very very easy.  Using the Mini-WinFE build, I just timed creating a WinFE DVD is less than 6 minutes.  That was a few minutes with Winbuilder and a few minutes burning the ISO to DVD, while taking my time in the short process.  If you haven't yet built a WinFE, the process is almost completely automated.  Just point Winbuilder to your Windows 7/8 source and press go.  Less than 5 minutes later, you have a forensically sound, bootable ISO/CD/DVD/or USB.

Granted, creating a WinFE CD/DVD in less than 10 minutes is not going to save you time compared to imaging a removed hard drive using a hardware imaging device.  But...if you have LOTS of machines to image, booting the machines to be seized to WinFE most likely will be faster than removing hard drives and sharing hardware imaging devices.  And for those pesky drives that won't come out, WinFE may be a good solution than fighting with an ultralight, can't-find-the-screws-to-remove-the-darn-hard-drive machines.

1201 Hits

New version of X-Tension

New version of X-Tension
-adds the functionality to create a picture/video library.
-adds the ability to extract pictures or movies that are type status of 'not confirmed'
(this was added as there are so many variations of avi formats, that even some valid working movies were not 'confirmed')
If the user does not want these files, they can be filtered out and the X-Tension run excluding filtered or excluded files

582 Hits

XWF II and III...

...are a little late coming out due to an emergency...but will be published soon.  sorry for the delay.

703 Hits

Forensic Training with WinFE. Cool.


Although, the WinFE module is like, last in the course...But, it's there!


494 Hits