WinFE

From Forensics Wiki
Revision as of 00:08, 30 July 2010 by Bshavers


Windows Forensic Environment is a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis.


Windows Forensic Environment ("WinFE")


WinFE was developed and researched in 2008 by Troy Larson, Senior Forensic Examiner and Researcher at Microsoft. WinFE is based on the Windows Preinstallation Environment (WinPE), modified so that attached media are treated as read only by default, similar to Linux forensic boot CDs that are configured not to mount media at boot. Unlike Linux boot CDs, however, a booted WinFE disk can run Windows-based software, including various forensic tools and general portable utilities. WinFE can also be configured to boot from a USB device if the evidence computer is able to boot from USB.

WinFE can be customized to the examiner's needs through batch files using the Windows Automated Installation Kit (WAIK). Examples of Windows-based forensic utilities that can run in the Windows Forensic Environment include X-Ways Forensics, FTK Imager, EnCase, ProDiscover, and RegRipper.
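As an added example (not part of this wiki page or of the WinFE project's own build scripts), the following WAIK-style batch file shows the kind of customization described above: it mounts a stock WinPE image and applies the two offline-registry changes that make media read only by default. The image and mount paths are assumptions from a typical copype.cmd layout; the MountMgr NoAutoMount and partmgr SanPolicy values are documented Windows settings that WinFE's original build notes change, not values quoted on this page.

```batch
@echo off
REM Added example: turn a stock WinPE image into a WinFE-style image.
REM Assumed paths from a WAIK "copype.cmd x86 C:\winpe_x86" layout.
set WIM=C:\winpe_x86\winpe.wim
set MNT=C:\winpe_x86\mount

REM 1. Mount the WinPE image read-write (WAIK imagex).
imagex /mountrw "%WIM%" 1 "%MNT%" || goto :fail

REM 2. Load the image's offline SYSTEM hive under a temporary key.
reg load HKLM\WinFE_SYS "%MNT%\Windows\System32\config\SYSTEM" || goto :unmount_fail

REM 3. Do not auto-assign drive letters or mount volumes at boot.
reg add HKLM\WinFE_SYS\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f

REM 4. SAN policy 3 = OfflineAll: newly detected disks stay offline
REM    (and so are not written to) until an examiner brings them online.
reg add HKLM\WinFE_SYS\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 3 /f

REM 5. Unload the hive so the changes are flushed into the image file.
reg unload HKLM\WinFE_SYS

REM 6. Commit the modified files back into the WIM.
imagex /unmount /commit "%MNT%"
echo WinFE registry changes applied to %WIM%.
goto :eof

:unmount_fail
imagex /unmount "%MNT%"
:fail
echo Build failed; image left unchanged.
exit /b 1
```

After booting the resulting image, run diskpart and check that `san` reports the policy as Offline All and that `list disk` shows the evidence disks as Offline before imaging. This protection is a software policy rather than a hardware write blocker, so any disk the examiner brings online manually becomes writable.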

Resources:
Windows Forensic Environment blog: [1]
WinPE Technical Reference: [2]
Windows Automated Installation Kit: [3]
X-Ways Forensics: [4]
EnCase: [5]
FTK Imager: [6]
ProDiscover: [7]
RegRipper: [8]