The “Windows Forensic Environment” (aka WinFE or Windows FE) is the creation of Troy Larson (Microsoft), further developed by a few others in the forensic community. It is an operating system environment based on the Microsoft PE (Preinstalled Environment), modified for forensic use.

WinFE forensically boots computers much like the various Linux forensics disks. However, WinFE is “Windows”, not Linux, which allows the examiner to use Windows-based forensic applications to image or examine suspect/custodian machines in a forensically sound environment.

For a detailed history of WinFE and instructions for every build method, check out the Ultimate DFIR Cheats! Windows Forensic Environment: https://www.amazon.com/Ultimate-Cheats-Windows-Forensic-Environment/dp/1790322782

Brett Shavers