A new user to WinFE can be a new forensic analyst or a forensic analyst new to WinFE. Either way, this short post will be helpful to everyone who has not yet taken the time to try WinFE. To save you frustration, time, and questions, try this natural progression to start using WinFE:
1) Start with Mini-WinFE
Here are some reasons to try this route.
* Mini-WinFE only needs about 10 minutes, start to finish, and requires zero knowledge of coding. You get a fully operational, forensically bootable Windows operating system. It’s fairly minimal, but pretty. It is also fast and easy to build and use, with the lowest chance of any build errors. You actually should have zero errors when the app builds WinFE for you.
* The bigger (full-blown WinBuilder) builds take more time and effort. You will also experience build errors no matter how much effort you put into it. It just happens, and you have to start over each time. Basically, these build methods (not so much with WinFE Lite) take longer because you have more options to choose from and the ability to customize just about everything in the build to personalize it, add programs, and add features/options. You will try this eventually just because it is so cool and practical to have in your go-bag.
I promise that after building and using Mini-WinFE, you will eventually make a bigger build that can run more forensic apps. The bigger builds allow you to do really neat things like:
- Collect responsive data in electronic discovery case matters in the most forensically sound manner without having to remove hard drives
- Ship a bootable CD/USB drive with an external drive to a custodian anywhere in the world. The custodian can boot to the forensic OS, plug in the external drive, and automatically be connected to you remotely via any remote desktop app you configure. You can then (from your office) image the entire system or collect specific data (with a log file creation!) onto the external drive to be shipped right back to you. The images can be encrypted locally on the external drives. I have personally imaged almost two dozen machines in one day on one site with this method. The images were shipped back to me overnight.
So…what are you waiting for?