Yep! Not only is WinFE still a viable project, it is being taught in more places, more often, to more people. For example:
The FAA: FAA78100041, (78100041) Creating a Windows FE DVD
Search at the Child Abuse and Family Summit in Oregon.
HTCIA at a training session in Washington (state).
Another HTCIA here (with instructions to build a WinFE).
And a few conferences too.
This does not include the varied assortment of in-service WinFE training programs that a few US Federal government agencies and about a dozen local/state agencies have asked me to help review or create, just during the past year.
There are also more instructions available online for creating a WinFE, like: http://4nzx.blogspot.com/2012/11/creating-winfe-boot-disc.html
and
https://www.youtube.com/watch?v=Dy27R34MDkE
So is WinFE a viable addition to your forensic toolbox? Sure is. Just ask anyone who uses it. One thing to consider about WinFE is that its development isn’t about “new” features or capability. It is only a boot disc. The key factor, which no other boot disc can match, is that it boots to Windows…and it boots forensically. The fact that you (or anyone you train) can use Windows, forensically, to triage or preview potential evidence is something amazing.
Linux is good too. But when your entire department (or agency or group) works in Windows every day, as they have for the past decade or longer, you don’t have to teach a new (to them) operating system. You only have to teach how to boot to a CD, DVD, or USB.
Because of that, virtually anyone can boot a suspect’s machine (even a terrorist’s computer!) and find the low-hanging fruit of evidence in MINUTES without having years of digital forensics training. Like I’ve said before, Troy Larson’s simple registry modification was ingeniously simple. Creating an automated process with WinBuilder took it a step further to get it in the hands of more people. And Colin Ramsden’s write protection GUI app made it easy for anyone. What more could you ask for?


http://www.ctinconference.org