Is WinFE still being used?

Yep!  Not only is WinFE still a viable project, it is being taught in more places, more often, to more people.  For example:

The FAA: FAA78100041, (78100041) Creating a Windows FE DVD

Search at the Child Abuse and Family Summit in Oregon.

HTCIA at a training session in Washington (state).

Another HTCIA here (with instructions to build a WinFE).

And a few conferences too.

This does not include the varied assortment of in-service WinFE training for which a few US Federal government agencies and about a dozen local/state agencies have asked me to help review or create training programs, just during the past year.

There are also more instructions available online for creating a WinFE, like:

http://4nzx.blogspot.com/2012/11/creating-winfe-boot-disc.html

http://megadeus.com/?p=91

and

https://www.youtube.com/watch?v=Dy27R34MDkE

So is WinFE a viable addition to your forensic toolbox?  Sure is.  Just ask anyone that uses it.  One thing to consider about WinFE is that the development of WinFE isn’t in “new” features or capability.  It is only a boot disc.  The key factor, one that no other boot disc can compare with, is that it boots to Windows…and it boots forensically.  The fact that you (or anyone you train) can use Windows, forensically, to triage or preview potential evidence is something amazing.

Linux is good too.  But when your entire department (or agency or group) works in Windows every day, as they have for the past decade or longer, you don’t have to teach a new (to them) operating system.  You only have to teach how to boot to a CD, DVD, or USB.

Because of that, virtually anyone can boot a suspect’s machine (even a terrorist’s computer!) and find the low-hanging fruit of evidence in MINUTES without having years of digital forensics training.  Like I’ve said before, Troy Larson’s simple registry modification was ingeniously simple.  Creating an automated process with WinBuilder took it a step further to get it in the hands of more people. And Colin Ramsden’s write protection GUI app made it easy for anyone.  What more could you ask for?

 

 


Starting the last chapter!

Be sure to keep up on the progress of my second book (X-Ways Forensics Practitioner’s Guide) at https://xwaysforensics.wordpress.com/.  Eric Zimmerman and I are on the last chapter!

After the book is done, I have a few new things to test and post about WinFE to update the old, bring in the new.


WinFE and UEFI Secure Boot!

Don’t get excited, there isn’t a solution to Windows RT or Secure Boot and WinFE (yet!).  But for those working on it, here are two links of interest that help explain a few of the technical details.

 http://www.uefi.org/learning_center/

The UEFI secure boot specification is owned by the UEFI consortium, not Microsoft, so the consortium documentation and specification set out the real rules of the road for working with UEFI.

http://noggin.intel.com/content/the-flow-of-booting-an-intel-architecture-system

This information was sent to me by the Yoda of WinFE.


Placing the Suspect Behind the Keyboard – NEW BOOK!

Gotta plug my book, especially since WinFE is in the book too.  It was nearly a year in research and writing, with my sincere gratitude to those that helped tech edit, review, and get the book printed (each has been credited in the book, all have given me kind words and I am humbled by it).

Although the title contains the word “suspect”, it is written to make good cases on anyone behind a keyboard in a criminal, civil, or internal investigation where electronic data is concerned, like computers, smart phones, videos, and the like.


http://store.elsevier.com/product.jsp?isbn=9781597499859&pagename=search


CTIN 2013 Presentation

The WinFE presentation was given to a packed room in Seattle, Washington.  For those that couldn’t make it, here is my PowerPoint.  Great conference, great people, great time!

CTIN 2013 Digital Forensics Conference WinFE Presentation: WinFE CTIN


WinFE Presentation in Seattle

For those in the Seattle area, I will be giving a presentation on Windows FE at the CTIN Digital Forensics Conference, March 13-15, 2013 (http://www.ctinconference.org).  Lots of famous people there, like the guy that came up with WinFE (Troy Larson), who will be presenting on Windows 8 Forensics.

I’ll be bringing the latest and greatest info on Windows FE, including building with Windows 8.  Hope to see you there.


2012 in review

The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

4,329 films were submitted to the 2012 Cannes Film Festival. This blog had 41,000 views in 2012. If each view were a film, this blog would power 9 Film Festivals
