Next week, the WinFE course will start, first with a live course (which is full), followed up by an ondemand version of the live course.
At first, this training was meant to be a refresher and a brief introduction to WinFE, but with a ton of emails, turned into a full-fledged-everything-you-need-to-know about WinFE course.
For anyone who thinks the usefulness of WinFE has waned, let me be the first to confirm that you are correct. In the beginning years of WinFE, it booted just about anything you encountered. Then, as expected, technology changed (and continues to change).
The number of machines that it can boot has decreased substantially. Live acquisitions are more common than ever before. Targeted collections (not full disk images) are also more common than before.
BUT! There are some machines that can only be accessed with a WinFE. There are also some situations where WinFE is a better choice than anything else.
If you are good at what you do or want to be better, you keep plenty of tools in your DFIR toolbox just in case you need them. Some, you may never need. Some you always use. But when you come across something where you could have had a tool but didn’t, and you can’t do your job, that is when you will have regrets.
WinFE is such a small-use tool that it makes 100% sense to have it available and zero sense to not have it. You don’t need a subscription, annual license, or extensive knowledge in how to use it. With all of that, if you don’t have a WinFE and you needed it, you will regret it and your case could suffer.
The one thing lacking about most free/open source forensic tools is training that you can bring to the stand if ever needed. Training saves you days of figuring out for yourself how to use a tool. Training also prevents you from self-learning the wrong way because you might think you figured out the right way.
Ergo, this course.
And the follow-up course of WinFE Instructor-Trainer is a good follow-up with several personal and professional benefits. For one, being able to teach WinFE is near absolute proof that you know it well enough to use it effectively. Second, you can help others use WinFE effectively. This helps the community as the improper use of any tool can result in bad case decisions that affect all of us.
A piece of paper
If you complete every lesson (including building WinFE), and pass every exam (there is more than one..), you will have earned a certificate of completion. Do the same with the Instructor-Trainer course and you get an additional certificate of completion to teach this course.
WinFE is simple but it wasn’t easy
Troy Larson’s ingenious modification of winpe into a winFe cannot be understated. A simple modification, but substantial in the idea and usefulness!
From Troy’s creation came hundreds of hours of further development in finding developers and examiners, coordinating various build methods, testing and validation, and improving WinFE to a point where knowing how to use WinFE is not only resume cred, but job posting preferences.
Free WinFE guide
Tomorrow is the last day to download the WinFE guide for free. As of today, there have been 2,653 downloads!
From next week, the guide will be available on Amazon if you want a hard copy of the PDF. I am sure that the PDF will be on the Internet somewhere, but be careful ‘where’ you get it.
If you haven’t registered for the WinFE course ($145), here is your chance:
If you register by tomorrow, the Instructor-Trainer course is an added (FREE instead of $125!) bonus course.
View the full article