WinFE Batch File Building Method

And building WinFE is the same as before, no changes there either.  If you use the batch file method, you can write your own or you can download pre-made batch files using the Box.net widget on this site to the right.   Several to choose and modify to suit your preferences.

The location of the batch files on this blog looks like the below screenshot, so if you don’t see it, you may need to have Java enabled in your browser.

All the batch files are in this zip file.

WinFE WinBuilder Building Method

If you are using WinBuilder (www.reboot.pro), there have been a continual update of the WinFE scripts by RoyM.  The reboot.pro site is also the best place for forum support directly with the script writers if you have problems building your WinFE.  RoyM (and others) has taken a great lead in the WinFE WinBuilder development.  My hat is off to all the contributors.

Other Forensic Boot Systems

The “other” forensic boot systems have had a few updates, some major.  I would highly recommend checking out Raptor, CAINE, and DEFT!  A major difference between WinFE and several of the Linux forensic boot systems is that many of the Linux systems are pre-made forensic OS’s, with freeware/open source tools already installed.  WinFE requires you to add the apps you want to use, which may be freeware, open source, or commercial.    A more complete forensic G0-Bag Kit has all of them….just in case….

Sorry for the news on no news, but WinFE still works as it is, you just need to use the command line to toggle drives on/offline.

As simple as it is to use, it has become even easier to build using WinBuilder.  Probably the most significant difference when using WinBuilder rather than building via WAIK and the command line is the numerous options that can be automatically added, particularly in that of supporting more software able to run on WinFE.

Many examiners have already tried to build and use WinFE, but I know there are a few of you out there that just haven’t sat down to give it a whirl.   If you can speak to anyone that uses WinFE, they will each tell you that it is well worth it!

The next coolest thing to be added to WinFE is Colin Ramsden’s GUI currently being finalized.   Say goodbye to the DiskPart command line!

You can’t rely upon someone else’s work, you can’t even rely upon the label of a box of something you buy.  You just have to spend the time to test it personally.

If you’ve not tested a tool that you used and later find that there was a problem with it, how long will you worry about one of those times you relied upon it to come back to haunt you in a past case?

Better that you tested it (“I know it works because I tested it“) rather than rely on someone else to test it (“But the company/website/brochure said it worked...”). 

1) Extract WinBuilder to the root of your C:/ drive

2) Run WinBuilder

3) Click 3 buttons and you are done.

If you want more features, such as additional programs, network support, audio, more drivers, customized wallpaper, create a bootable WinFE flashdrive, etc…, then you just need to push a few more buttons.  Download and read the write up (Users Guide to WinFE) for details on adding features.  It’s just as easy as pushing the 3 buttons.

These screenshots show all that is needed.  Now, after looking at what is needed to create your WinFE, what is the reason you haven’t started yet?…..



With a WinFE “triage system”, the cost can be minimal due to the multitude of freely available software available.  Not to be confused with shareware, pirated software, or other questionable software, there are plenty available at no cost that are effective and easy to use (and did I mention the keyword “free“?).

So, when contemplating purchasing a pre-built system, consider that a customized system can be simply created that fits the needs and budget of your organization or your case.

There are several tools of worthy mention, but plenty more that are just as viable for triage and forensic quality software.

For law enforcement and military, there is the excellent (and free!) search tool “Field Search“.  Field Search is a tool initially developed to run on a live machine to scan for images, internet history, and other items of evidential value.

Field Search can also run under a WinFE booted system, giving it the capability of being “forensic” in that instead of running on the suspect machine and altering the system, it can now be run without altering the system.   Field Search is an extremely quick and easy program to use for First Responders and those in combat zones.  The use of this program in a forensic environment just doubled its potential.

The only limits to the software that will run on WinFE are those that depend upon the dependent files.  As an example, the Microsoft .NET framework is needed to run ChromeAnalysis and FoxAnalysis.   .NET is installed in the WinFE with the check of a box when using WinBuilder to build a WinFE ISO.  With that,  both FoxAnalysis and ChromeAnalysis from www.forensic-software.co.uk run in the WinFE booted system giving more options in triage.  Both of these tools provide an intensive internet history capability in any forensic examination, and can be easily used in a triage/preview situation.  

Other types of forensic software can also be used to target specifically desired information.  RegRipper can be used to run against an entire drive and output specific results to a text file.  RegRipper (freely available!) can be modified in a multitude to ways to target what may be needed in a given scenario, either by using pre-made plugins or writing a unique plugin based on what is needed.

WinFE allows you to customize a triage booting system based on several factors other than just a budget.  As an example, a police department can have a WinFE customized for First Responders with a bare minimal selection of triage tools, Field Search being a prime example.   Investigators could have additional tools (with some additional training) that can go beyond the First Responders’ needs.  With this type of system, by the time a forensic examiner is given evidence to examine, the evidence has been prioritized by the First Responder and case investigator to best determine how resources should be spent.  Compared to literally dumping multiple computers onto an examiner’s desk and asking for “everything”, triage can be conducted for more effective results and quicker turnaround.  This can be applied to non-LE work as well.

Since WinFE can boot virtually any intel based computer, (this also includes Macs and *nix machines), the majority of situations can be handled with it.   Forensic Linux boot discs can be used in the same fashion as WinFE, using Linux software, however, I would hazard a guess to opin that most computer users are using the Windows Operating System.  Giving an unfamiliar operating system to a First Responder may be creating a problem due to mistakes being made by not knowing ‘which buttons to push’ to find the evidence…Those with more experience with Linux should not have that problem.  Given the option to outfit a battalion of combat troops with this capability…I’d probably lean heavily toward a Windows based system…

Fairly soon, if not already in some jurisdictions, the days of giving the forensic examiner dozens of hard drives that have not been previewed or triaged in some fashion by someone, will be over.   A WinFE triage system can be configured to find basic information (user accounts, internet history, graphics, etc…) which can be used to prioritize, or even eliminate, media to be examined.  Some information that can be gleaned onsite during triage could substantially affect the outcome of the situation (combat arena?  searching for victims related to an electronic crime scene? or other scenarios where an extensive examination will yield results that may be useless months later?).

Using a triage system can save more hours than you may initially realize.  If just one computer hard drive is triaged, and determined not to be of importance (as compared to the other 10 in the investigation…), then it need not be imaged (saving hours) and need not be examined (saving days).   It’s very easy to determine the ROI or manhours saved with one hard drive, extrapolate that to dozens or more hard drives.  How’s that for cutting down the workload?

The program’s interface is simple and encompasses quite a bit of the basic forensic processes (searching, indexing, hashing, etc…).  Of particular interest is that some of these standard forensic processes can easily be used in a WinFE booted system for basic triage.

As an example, a scan of images of the suspect computer can be conducted with OSForensics.    This type of triage may certainly help determine which computer systems contain illicit images and need forensic analysis.

Another feature that can benefit cases is that of indexing.  OSForensics allows for indexing of files, including email (pst, mbox.msg,eml, and dbx), for keyword searches.    Searches can also be restricted by date ranges.

Although OSForensics doesn’t appear to be as powerful as a tool such as X-Ways Forensics, I definitely foresee a place where it can used, particularly in a First Responder role.

There are a few spots left and you have to be a CTIN member to view the presentation.  But maybe it is something worthwhile to join anyway as most all the training is free to members.

Just to clear up any questions on whether WinFE can ‘do a Mac’, well…it can.  And Linux too.  And of course it can do Windows as well.   As long as the machine can be booted to a WinFE CD or USB, then you can image the hard drive.  Actually, you can do a whole lot more than just image it…you can triage it, preview it, search it, or just copy files and folders from it.  If the drive is encrypted and you have the key, you can access the drive.  And what about VSS (Volume Shadow Service/Copies)….you can access those too, all through WinFE.

I can promise that as soon as you build a WinFE CD or bootable USB, you will regret not having done it months or years earlier (it’s been around since 2008….).  And if building a forensic boot OS makes you hesitate at all, there is no need because if you use WinBuilder, it is as simple as pointing and clicking to fully customize your Windows FE CD or bootable USB.

Before you put this off any longer, download the WinFE WinBuilder and try out the Windows Forensic Environment.  As to a guide on how to use WinFE, it probably isn’t really needed since WinFE is simply a forensic boot disc.  So, you might not need any help in putting WinFE to good use.  However…there may be a few things you didn’t know you could do with WinFE that could be of interest.   Since that might be the case, here is a quick guide on tips on using WinFE as well as tips for building with WinBuilder.

Users Guide to WinFE

For support on how to use WinBuilder (troubleshooting, advanced features), check out the WinBuilder website at http://reboot.pro.

To reiterate some points about WinFE (and to hopefully prevent ‘hate mail’ coming to me from commercial products…), WinFE is an addition to your forensic toolkit. It doesn’t replace any tools, only supplements what you are using anyway.   Commercial products that do the same thing that WinFE does work too, keep buying those if you want, you don’t have to use WinFE.  And for the Linux lovers out there (Hey, I’m one of you guys too!), there is time and place for everything, sometimes WinFE is best, another time CAINE or DEFT or ???*nix may be best.

As far as anyone making a profit out of WinFE, no need to ask, because no one is;  it is a community project of customizing a Windows PE to fit your needs.

And yes, there are even some more neat things to be added to WinFE in the future…but as of now, you have access to a solid forensic environment.

For additional credits to this project;