Windows Forensic Environment

About


Windows Forensic Environment, also known as WinFE or Windows FE, was originally developed by Troy Larson, Senior Forensic Manager, Microsoft Corporation, by simply adding two registry keys to the Windows Vista Pre-installation Environment 2.0 (WinPE 2.0). These keys prevented the auto-mounting of some of the volumes at boot time, which then allowed the creation of a rudimentary Microsoft Windows based forensic boot CD/DVD or USB Device.

The original WinFE write-protect tool was written in 2012, and soon became the de facto tool that was included in the majority of WinFE builds. However, this tool was written in x86 assembly language (32-bit) and therefore, was not supported on 64-bit builds of WinFE. This also meant that systems that used the UEFI boot mechanism required the user to change the BIOS settings to enable legacy boot.

In 2018, the code was ported from x86 assembly language to C++ (essentially a complete re-write) to allow 32 and 64-bit binaries to be produced. A consequential bonus of this was that Visual Studio 2017 also allowed the building of ARM binaries.

The UI, where possible, has remained unchanged to allow existing users of the 2012 version of the write-protect tool to seamlessly use this new version.

There is no longer any need to dismount prior to changing the read-write status of disks.

Both 32 and 64-bit versions of the complete environment are now encompassed into a single build, the required architecture is user selected at boot time.

The UI of the write protect tool supports several languages, namely, English, French, German and Italian.

It has been tested on multiple versions of Microsoft Windows, Apple MacOS and Linux, and found to perform as expected.

Only one problematic system was encountered, a Dell XPS All-In-One, which utilised a CacheCade style Intel RAID controller. The SSD was not recognised and therefore, appeared to cause some damage that prevented the system subsequently booting. However, the state of the system was not known prior to forensically imaging.

Known bug: Referred to as 'Ghost Disk' - This has been fixed in the 16 Feb 2020 release. This was caused by a buffer not being zeroed when a memory card reader was detected on the target system. Instead of reporting 0 bytes, the size of the previously enumerated disk was reported.

I have now managed to obtain a new code signing certificate from Certum, which will now replace the depricated StartCom certificate. all releases from 16 Feb 2020 onward, will now be signed with this new certificate. Should anyone require a code signing certificate, I would highly recommend Certum.

The build process for this version of WinFE is much more complicated and requires more external dependencies than the previous version, however, detailed steps are provided on the build page.

As set out within the Terms and Conditions, this tool is provided free of charge and therefore, I expect all copies of this tool to also be provided free of charge (including training) within any onward distribution chains. A lot of time and effort has gone into producing this tool, and I make nothing from this, so I don't expect anyone to essentially freeload from my work.

If desired, I am willing to re-brand the write-protect tool to your organisation's logo. See the Contact page for more information.

The Windows Password Removal Tool is also included within the build. This is another tool that I have developed to allow the removal of Microsoft Windows login passwords from Windows 2000 until Windows 10, and also includes server versions. Passwords for local and Microsoft online accounts are supported. This tool is not forensically sound as the disks must be mounted and be write enabled. There is a small charge of £9.99 GBP (free for LE and Government) for each copy of WinFE that you produce, which will go towards the purchase of the code signing certificate and website running costs. This, however, is not a mandatory purchase. Please contact me for more information.

To get started, ensure that you download the correct package from the Download page before moving to the Build phase.


Authorised Paid-For Training Providers

Brett Shavers.

Contol-F (Kevin Mansell).

WinFE Credits

Troy Larson, Microsoft - For the original concept

Brett Shavers - For being the driving force behind WinFE, and pestering me to get this new version released!

Karl Morton - For pushing me, and helping me learn C++

Royal Meier - For assistance with WinBuilder scripting

Peter Schlang - German translation

Andreas Fitzner - Additional German Translations

Pascal Bimas - French Translation

Jacopo Lazzari - Italian Translation

And to anyone else whom has contributed that is not mentioned here