Bootable Windows environment for forensics - WinFE
- Published: 30 Jul 2024
Difficulty Level: Intermediate
Prerequisites: a basic understanding of digital forensics concepts and of the Windows command line.
In this video, we will look at the Windows Forensic Environment, otherwise known as WinFE. WinFE is a Microsoft Windows-based forensic boot CD/DVD/USB/HDD: a Windows PE image modified so that the disks it finds are kept offline and are not automounted, which is the write-protection property you expect from a forensic boot medium. It is another external boot tool for your tool belt, in addition to the usual Linux-based boot drives.
Video timeline
00:00 intro
01:10 downloading WinFE
02:47 downloading forensic software
04:48 building WinFE platform
05:49 building bootable ISO for Ventoy
06:22 building bootable USB
09:20 boot to WinFE USB
12:27 running WinFE
14:22 imaging with FTK Imager
🔨 Gear mentioned in this video:
For more info on WinFE: www.winfe.net
To download FTK Imager: www.accessdata.com/product-do...
See this website to find the boot menu key for your computer: www.disk-image.com/faq-bootmen...
Brett Shavers conducts WinFE training (brettshavers.com) and has a book, "Ultimate DFIR Cheats! Windows Forensic Environment", available on Amazon.
Icons made by freepik from @flaticon www.flaticon.com/authors/freepik
Icons made by Smashicons from @flaticon www.flaticon.com/authors/smash...
#DFIR #bootableUSB #bootableWindows
It is a well-known behavior that WinFE will write a 4-byte signature to any drive that doesn't already have a 4-byte Windows signature. So if you use WinFE on a Linux or Apple system, it might write that 4-byte signature on the drive. Again, it is a well-documented behavior and easy to explain in court.
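The signature the commenter refers to is the 4-byte MBR disk signature that Windows stores at offset 0x1B8 of sector 0 and fills in when it brings online a disk that has none there. The following is an added example, not from the video or the comment, of how to document the state of that field before and after a WinFE session: it parses sector 0 of a raw device or image, reports the signature, and diffs two captures of sector 0 so that any change can be pinned to the exact bytes. The sample MBR is constructed inside the script and is not from a real disk.

```python
"""Record the MBR disk signature of a drive before and after a WinFE session.

Added example; not from the video or the comment. Windows keeps a 4-byte
disk signature at offset 0x1B8 of sector 0 and writes one into a disk that
has none when it brings that disk online. Capturing sector 0 of the raw
device (\\.\PhysicalDriveN on Windows, /dev/sdX on Linux) before and after
booting WinFE shows whether that happened, and exactly which bytes changed.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
SIG_OFFSET = 0x1B8          # 4-byte disk signature, little-endian
PART_TABLE = 0x1BE          # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE     # 0x55AA marks a valid MBR
GPT_PROTECTIVE = 0xEE       # partition type used by a GPT protective MBR


@dataclass
class Sector0Info:
    valid_mbr: bool          # 0x55AA present
    disk_signature: int      # 0 means none; this is what Windows will fill in
    gpt_protective: bool     # first entry is type 0xEE (GPT-partitioned disk)
    sha256: str              # hash of the whole sector for the report


def parse_sector0(data: bytes) -> Sector0Info:
    """Extract the signature-relevant fields from the first 512 bytes."""
    if len(data) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    valid = data[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xaa"
    (sig,) = struct.unpack_from("<I", data, SIG_OFFSET)
    ptype = data[PART_TABLE + 4]           # partition type byte of entry 1
    return Sector0Info(valid, sig, valid and ptype == GPT_PROTECTIVE,
                       hashlib.sha256(data[:SECTOR]).hexdigest())


def read_sector0(path: str) -> bytes:
    """Read sector 0 from a raw device or a raw dd-style image file (not E01)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def diff_sector0(before: bytes, after: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where two sector-0 captures differ."""
    runs, start = [], None
    for i in range(SECTOR):
        if before[i] != after[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, SECTOR - start))
    return runs


def build_sample_mbr(disk_signature: int) -> bytes:
    """Constructed sector 0 (not from a real disk): one NTFS partition at LBA 2048."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, SIG_OFFSET, disk_signature)
    # entry 1: status 0x80 (active), CHS start/end zeroed, type 0x07, LBA 2048, 1 GiB
    struct.pack_into("<B3sB3sII", mbr, PART_TABLE, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2097152)
    mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    before = build_sample_mbr(0)                 # drive with no disk signature
    after = build_sample_mbr(0x1234ABCD)         # same drive after Windows wrote one
    for label, blob in (("before", before), ("after", after)):
        info = parse_sector0(blob)
        print(f"{label}: signature=0x{info.disk_signature:08X} sha256={info.sha256[:16]}...")
    print("changed runs (offset, length):", [(hex(o), n) for o, n in diff_sector0(before, after)])
```

For a real case, replace the constructed MBRs with `read_sector0()` on the device before and after the session and keep both captures with their hashes; a diff that reports only `(0x1b8, 4)` is exactly the change the comment describes, and anything outside that range needs a different explanation.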
Outstanding, thank you for chiming in.
Excellent and useful video, congratulations from Chile.
Hello Chile!🇨🇱. Thanks for watching and commenting!
I'm new to this but managed to build this bootable USB with Windows 10 Home 22H2 without any problems, except I had to use ".\MakeWinFEx64-x86" instead. I wonder if I can implement OSForensics by installing it and copying it just like we did with FTK Imager? Thanks in advance 👌
Thanks for the comment about the WinFE link being broken. It's now fixed. I'm not familiar with OSForensics on WinFE; let me know if you get it to work.
@BlueMonkey Is there a way to inject additional drivers into the WinFE build? Particularly a CAB file? I need it to see Dell drives that use their software RAID option, and it requires their RST driver to potentially work.
I believe that if you add the CAB file much like you would add forensic software before you build the platform, you should be good.
EXCELLENT
Thanks for the positive comment and thanks for watching
Hi, do you know why the mouse and keyboard don't work on a Mac? I created the bootable stick with WinFE; it starts, but I can't advance because the mouse and keyboard don't work...
Oh, that's a very good question. I believe that you will need to install the drivers. See this article here: support.apple.com/guide/bootcamp-assistant/install-windows-newer-mac-boot-camp-bcmp173b3bf2/6.1/mac/14.0
The version of WinFE I downloaded is missing the CAB files for x86, and it is crashing the script. Any idea where to get these files?
Most likely a Win 11 issue, as the ADK does not support x86 anymore.
Try checking with the author to see if he's working on Win 11 updates.
@BlueMonkey4n6 I'm currently too busy with work and other projects to do any further work on WinFE.
Bummer, thank you for what you did so far.
The WinFE site doesn't seem to be up, at least for me. Any other way to download this?
Try github.com/bshavers/Mini-WinFE
@BlueMonkey4n6 Seems to be blank with only a readme file; I managed to grab it off the Wayback Machine. Thanks for the help.
What if I only download one version of FTK Imager, the x64 one? Will the remaining steps be the same, or will I face errors?
FTK Imager should run fine, unless I am not understanding your question.
@BlueMonkey4n6 My question is: in the video, you downloaded two versions of FTK Imager, I think x64 and x86, and I haven't found the two versions you downloaded. So can I download only the x64 version?
Yes, most computers are 64-bit nowadays (instead of the old 32-bit), so the x64 version of FTK Imager should be fine.
Great video thank you. How do I install other programs on WinFE?
Basically, you will need to install that program onto the Windows computer that you are building WinFE on. Then drag the program folder from within C:\Program Files (x86)\ to where I had the WinFE framework that is being built (Download\WinFE\USB\x86-x64\tools\x86). Then, when you build WinFE, those programs will be part of your WinFE build. Refer to the 2:47 time mark of the video to watch this again.
@BlueMonkey4n6 Thank you. I take it from the video that I have to uninstall, for example, WinHex, install it again, and then copy and paste it into the WinFE USB tools folder.