

WinFE in 2023.


#1 bshavers


    Frequent Member

  • Developer
  • 139 posts
    United States

Posted 27 June 2023 - 03:04 PM


WinFE is still relevant in 2023. In some instances, it is the most relevant of any data collection tool because some devices can only be accessed with a bootable OS (even some of these can only be accessed by WinFE!).

The WinFE guide has been updated, at least as much as it can be, as WinFE hasn’t really changed much since the first edition of the guide.

The free download will be open for about two weeks, thereafter only via Amazon or included in an on-demand training.

Download here: https://t.co/06E708i9np

As a personal side note, the only reason I have a printed version of the PDF online at Amazon is that I order print copies to give out when I have in-person WinFE training.

The Full Monty:

Last month, a WinFE user emailed me a story of him having to testify to his use of WinFE. In short, he properly used WinFE, but had hiccups in testifying about it and describing his choice in using it. He did nothing wrong in its use but could only testify to his knowledge coming from YouTube, not remembering anything about the instructor or channel. This week, I gave a class to his unit on all-things-WinFE.

Everyone who touches WinFE in a case needs to have this training.

The importance of this story is that WinFE’s main objective is to acquire electronic evidence. If you don’t use it appropriately, the weight and validity of the evidence you collect may decrease, or not even be admitted. You have one shot at first collection to grab it (live or deadbox). Everything afterward is analyzing the copy of the original.

For that reason, your collection of evidence is the first target to be attacked to have your work discredited, thereby making the evidence inadmissible or less credible.

With that, I revamped the WinFE guide. Took out some outdated material, updated other material, and added a few new things.


I am having a live training class on July 10, 2023 and this class has already filled up. But, I am giving access to the on-demand version of the class, plus all reference materials afterward. Right now, there is an 80% discount on the course through July 7, 2023 ($30 instead of $145).


WinFE in 2023

It’s been 15 years since Troy Larson introduced me to WinFE. Since that time, I’ve used WinFE when appropriate in casework, tested it, beat it up to try to break it, guided the development through various build apps, and taught its use to thousands of examiners worldwide.

Fewer systems today compared to 2008 are fit for WinFE’s use, but the systems that WinFE can boot are the very systems on which practically nothing else will work. For that reason alone, WinFE should be in your DFIR toolbox.
