Natural Progression for New Users of WinFE

A new user to WinFE can be a new forensic analyst or a forensic analyst new to WinFE.  Either way, this short post will be helpful to everyone who has not yet taken the time to try WinFE.  To save you frustration, time, and questions, try this natural progression to start using WinFE:

1) Start with Mini-WinFE

2) Move onto bigger builds (WinFE Lite or Winbuilder)  and/or stay with Mini-WinFE.

Here’s some reasons to try this route.

Mini-WinFE only needs about 10 minutes, start to finish and needs zero knowledge of coding.  You get a fully operational, forensically bootable Windows operating system.  It’s fairly minimal, but pretty.  It is also fast and easy to build and use with the lowest chance of having any build errors.   You actually should have zero errors when the app builds WinFE for you.

*  The bigger (full blown WinBuilder) builds take more time and effort.  You will also experience build errors no matter how much effort you put into it.  It just happens and you have to start over each time.  The build process also takes longer.  Basically, these build methods (not so much with WinFE Lite) take longer as you have more options to choose and have the ability to customize just about everything with the build to personalize it, add programs, and add features/options.  You will try this eventually just because it is so cool and practical to have in your Go-bag.

I promise that after building and using Mini-WinFE, you will eventually make a bigger build that can run more forensic apps.

4 thoughts on “Natural Progression for New Users of WinFE

  1. Brett – WinFE is great, but can you post more (or direct us to more) info on this statement: “be able to ship a bootable CD/USB drive with an external drive to a custodian anywhere in the world. The custodian can boot to the forensic OS, plug in the external drive, and automatically be connected to you remotely via any remote desktop app you configure.” The two problems I have faced here are 1) support for various remote control apps such as Teamviewer, LogMeIn, etc.; and 2) support for wired/wireless networking so that a connection can be made once booted into the WinFe environment. The Macbook Air seems particularly difficult since it does not have a wired LAN port native on the device. Not sure whether one plugged in through the Thunderbolt or USB port would work or not, but even if it works, it is not the most desirable thing to have to ship adapters with your encrypted drives. The drives always come back because the clients want you to work on the captured data, but adapters…not so much. They are easy to lose, and call me a cynic, but I think they sometimes look mighty good to custodians who figure no one will miss an adapter. In any event, have you worked on wireless networking support and remote control app support? Thanks – J

    • I wouldn’t necessarily recommend a wireless connection because of the hassles in setting up the connection (logins, passwords, etc…). I also wouldn’t ship to a custodian’s home if the machine is a personally owned computer. There is too many moving parts where local IT staff may be needed as a custodian may not understand how to boot to the CD/USB.

      Taking the example I mentioned, I shipped 23 external hard drives, 26 WinFE CDs, and 15 WinFE USBs to a business (my client’s client), with overnight delivery (morning arrival), on a Saturday. I walked an IT employee on the phone with the process and booted each machine to either a CD or USB, depending on the machine. The IT employee plugged in an external drive to each computer after booting to WinFE. You can configure Teamviewer to automatically connect, or connect with minimal work on the custodian end (basically, provide a password). Start the imaging on the first machine, move the next.

      I also used WinAudit on each machine, took screen captures of what I was doing, and kept the logfiles. The IT employee made a list of the company’s internal tag numbers to match my records.

      I would expect that shipping this to a custodian at home, using wireless, will only cause some serious issues that won’t make you look very good. I’d rather have that computer shipped than ship WinFE, or acquire on site. For the machines, like a Macbook Air, which might not be able to connect remotely, can be shipped with the hard drives. The cost will still be 1/20th of what flying across country and sitting around imaging a floor of machines would cost.

      Of course, being onsite is better, but more expensive and slower. I suggest this method when it is either getting nothing (due to cost of being onsite) or getting everything (because of low cost of working remotely). Lost adapters means a line item on an invoice..

  2. Well, with all due respect, if you physically give someone else (or provide a download for) an already built PE, you are effectively breaking the non-redistribution provision of the MS Eula.
    That is the actual reason why a builder is used in first instance, otherwise it would make much more sense to provide downloads for already built and tested WinFE’s, avoiding the building issue that a newbie may meet.

    jaclaz

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s