For those who still haven't tried WinFE...

For anyone who has not downloaded WinBuilder, added Colin's script, selected the features in WinBuilder, and created an ISO...

...you can download a pre-configured WinBuilder, with Colin's Write Protect Tool incorporated and all basic selections already made, ready to go. The heavy lifting is done. All you need is a source (a Windows 7 DVD) and the Windows AIK (free from Microsoft).

The download link:  WinFE.zip

If you still haven't decided to download it and try it, here is a QuickStart Guide that shows only what you need to get going.

Posted in Uncategorized | 1 Comment

WinFE Script Updated

Colin's Write Protect Script (wp.script) is available, but it is still considered beta (and, as with any forensic utility: test, test, test). You can download today's version here: wp.script. To make sure you get the most recent version after today, download it from the Box.net widget on this website. Troy Larson's registry modifications are included in Colin Ramsden's WinBuilder script. That's all you need.

If anyone would like to formally have their test results posted on this site, feel free to send the results to me.

I would reckon that for anyone who has not yet taken the time to build their own WinFE, there aren't any excuses left now. And like everyone else who waited, you'll wonder why you waited so long.


Colin’s Write Protect Application

Here it is, Colin Ramsden’s WinFE write protect application!

Although a long time coming, it is finally here. Colin worked diligently on making this work without making Microsoft unhappy. Documentation on the use of his application is forthcoming, but as you can see, it is really easy to figure out how to manage your disks.

Other little features may be coming in the future, but for now, say so long to DiskPart.

You can download the WinBuilder script from the Box.net widget on this site (to the right of the page), and it will also be made available on the www.reboot.pro website. The file "wp.script" needs to be placed in the "tweaks" folder of the WinBuilder folder structure.

For support on creating a WinFE ISO using WinBuilder, consult the forums at www.reboot.pro.


Building your WinFE Update

For those who have been using WinFE and want to know about recent updates, I have only a little news to mention. WinFE is still just as good today as when Troy Larson first created it, so there is not much to report in the update area. WinFE still boots the same computer systems and you can do the same forensic work as before; not much has changed since then. DiskPart is still the primary (only) method to toggle drives on/offline, which isn't difficult to do. It is still command line, but the commands are easy to use.
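As an added example (not code from the blog), here is the DiskPart on/offline toggling described above, wrapped in a small batch file so the read-only attribute is set before a disk is brought online and the resulting state is printed for verification; the script name, argument names and the use of %TEMP% for the DiskPart script file are my assumptions.

```batch
@echo off
rem Added example (not from the blog): DiskPart on/offline toggling from inside WinFE.
rem Usage: wfdisk.cmd <disk number from "list disk"> online|offline|status
setlocal
if "%~2"=="" (echo usage: %~nx0 disknumber online^|offline^|status & exit /b 1)
set SCRIPT=%TEMP%\wfdisk.txt
rem DiskPart reads one command per line from a script file (diskpart /s)
> "%SCRIPT%" echo select disk %~1
if /i "%~2"=="online" (
  rem set the read-only flag BEFORE the disk comes online, so its volumes are
  rem attached without the OS being able to write to them
  >> "%SCRIPT%" echo attributes disk set readonly
  >> "%SCRIPT%" echo online disk
) else if /i "%~2"=="offline" (
  >> "%SCRIPT%" echo offline disk
) else if /i not "%~2"=="status" (
  echo unknown action "%~2" & exit /b 1
)
rem "detail disk" prints the Read-only and Status lines: check them every time
rem rather than assuming the state from a previous run
>> "%SCRIPT%" echo detail disk
diskpart /s "%SCRIPT%"
set RC=%ERRORLEVEL%
del "%SCRIPT%" >nul 2>&1
endlocal & exit /b %RC%
```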

WinFE Batch File Building Method

And building WinFE is the same as before; no changes there either. If you use the batch file method, you can write your own or download pre-made batch files using the Box.net widget on this site, to the right. There are several to choose from and modify to suit your preferences.

The location of the batch files on this blog looks like the screenshot below, so if you don't see it, you may need to have Java enabled in your browser.

All the batch files are in this zip file.
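As an added illustration of the batch file method (this is not one of the batch files from the Box.net widget, and the working folder and architecture are assumptions), here is a minimal WAIK build script. The two registry values are the ones commonly documented for WinFE to stop WinPE from mounting or onlining attached disks; that they match the Troy Larson modifications referred to on this blog is my assumption.

```batch
@echo off
rem Added example of the WAIK batch-file build, not one of the blog's batch files.
rem Assumes the Windows AIK is installed and this runs from the
rem "Deployment Tools Command Prompt" (so copype, imagex and oscdimg are on PATH).
setlocal
set ARCH=x86
set WORK=C:\WinFE

rem 1. Create the WinPE working folders: %WORK%\ISO, %WORK%\mount, %WORK%\winpe.wim
if exist "%WORK%" (echo %WORK% already exists, remove it first & exit /b 1)
call copype.cmd %ARCH% "%WORK%" || exit /b 1

rem 2. Mount the boot image read/write so its offline SYSTEM hive can be edited
imagex /mountrw "%WORK%\winpe.wim" 1 "%WORK%\mount" || exit /b 1

rem 3. Load the offline hive. An offline hive has no CurrentControlSet link,
rem    so the values go under ControlSet001, which becomes current at boot.
reg load HKLM\WinFE "%WORK%\mount\Windows\System32\config\SYSTEM" || goto :fail
rem    NoAutoMount=1 : Mount Manager does not assign letters / mount volumes
reg add HKLM\WinFE\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f
rem    SanPolicy=3   : Partition Manager brings every disk up OFFLINE (OfflineAll)
reg add HKLM\WinFE\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 3 /f
rem    Verify before unloading; a typo here silently defeats the whole purpose
reg query HKLM\WinFE\ControlSet001\Services\MountMgr /v NoAutoMount | find "0x1" >nul || goto :fail
reg query HKLM\WinFE\ControlSet001\Services\partmgr\Parameters /v SanPolicy | find "0x3" >nul || goto :fail
reg unload HKLM\WinFE

rem 4. Commit the changes and build the bootable ISO
imagex /unmount /commit "%WORK%\mount" || exit /b 1
copy /y "%WORK%\winpe.wim" "%WORK%\ISO\sources\boot.wim" >nul
oscdimg -n -b"%WORK%\etfsboot.com" "%WORK%\ISO" "%WORK%\winfe.iso"
echo Built %WORK%\winfe.iso - boot it on a test machine and confirm with
echo "list disk" in DiskPart that every disk shows Offline before trusting it.
endlocal
exit /b 0

:fail
reg unload HKLM\WinFE >nul 2>&1
imagex /unmount "%WORK%\mount" >nul 2>&1
echo Registry modification failed; the image was unmounted without committing.
exit /b 1
```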

WinFE WinBuilder Building Method

If you are using WinBuilder (www.reboot.pro), there has been a continual stream of updates to the WinFE scripts by RoyM. The reboot.pro site is also the best place for forum support directly from the script writers if you have problems building your WinFE. RoyM (and others) have taken a great lead in WinFE WinBuilder development. My hat is off to all the contributors.

Other Forensic Boot Systems

The "other" forensic boot systems have had a few updates, some major. I would highly recommend checking out Raptor, CAINE, and DEFT! A major difference between WinFE and several of the Linux forensic boot systems is that many of the Linux systems are pre-made forensic OSes, with freeware/open source tools already installed. WinFE requires you to add the apps you want to use, which may be freeware, open source, or commercial. A more complete forensic Go-Bag kit has all of them... just in case...


An update to a long awaited project

It's been a while, a long while, since anything has been added to the WinFE project, and the bad news is that nothing is new other than Microsoft not quite accepting Colin Ramsden's write protect tool. As that is not good news, both Troy and Colin are working toward an effort that may meet Microsoft's needs for an acceptable (to Microsoft...) write protect application other than DiskPart.

Sorry for the news of no news, but WinFE still works as it is; you just need to use the command line to toggle drives on/offline.


Sharing the love with WinFE

There have been numerous presentations around the world showing how to build and use a WinFE boot disc. Most recently I see that IACIS has given a demo this year, along with several HTCIA chapters and a DOD conference as well. A write-up on imaging a MacBook by Sean Morrissey shows just how easy WinFE is to use on a MacBook, based on one demo at IACIS.

As simple as it is to use, it has become even easier to build using WinBuilder. Probably the most significant difference between using WinBuilder and building via the WAIK and the command line is the numerous options that can be added automatically, particularly in supporting more software able to run on WinFE.

Many examiners have already tried to build and use WinFE, but I know there are a few of you out there who just haven't sat down to give it a whirl. If you can speak to anyone who uses WinFE, they will each tell you that it is well worth it!

The next coolest thing to be added to WinFE is Colin Ramsden's GUI, currently being finalized. Say goodbye to the DiskPart command line!


Friendly reminders are always nice

Always test your tools (this includes WinFE). Considering that NIST recently discovered that some Ubuntu-based forensic boot discs could make modifications to a booted suspect drive (modifying the NTFS $LogFile upon booting...), news like this is a friendly reminder to test your tools. Additionally, when 'bugs' are found in forensic tools, it may help to review any cases that may be affected by past use of the tool. Even Guidance Software just released a firmware update for a hardware physical write blocker in which writes to the evidence drive were not being blocked. How's that for reassurance, with hardware write blockers being known as the absolute write protection tool?

You can't rely upon someone else's work; you can't even rely upon the label on a box of something you buy. You just have to spend the time to test it personally.

If you've not tested a tool that you used and later find that there was a problem with it, how long will you worry about one of those times you relied upon it coming back to haunt you in a past case?

Better that you tested it ("I know it works because I tested it") than rely on someone else to test it ("But the company/website/brochure said it worked...").