Tuesday, July 25, 2023

WinFE Course Review

Yesterday, I completed the WinFE course I mentioned in my last post. I wanted to do a review of the course because I found a lot of value in it.

First, what is the Windows Forensic Environment (WinFE)? In short, it is a slightly modified portable Windows distribution with software based write-blocking capability for the acquisition of digital media.It is based on the Windows Pre-Installation Environment and was initially created by Troy Larson at Microsoft. It can be made by anyone free of charge for personal use. It is not a commercial product and there is no support. You are your own technical support, so it's absolutely necessary to understand what you're working with and how it works (to some degree).

The WinFE course is available on the DFIR.Training site. The course, as well as the site are the product of Brett Shavers, a well known instructor/practitioner/author in the digital forensics field. He is the author of the X-Ways Forensics Practitioner's Guide/2E and several other publications including WinFE: Windows

WinFE Book

Forensic Environment
. Brett has been instrumental in the continued development of Windows FE and has offered training on it in the past.

The course is divided into 18 lessons, followed by a pre-test, test and then a resources section. The lessons start out by covering some basics, such as what WinFE is (and what it isn't), as well as the topic of write-blocking.

Brett talks a lot in the course about when WinFE might be a good choice and when it isn't. I appreciated that he didn't sell this as the "all you need" solution to all your forensic problems. He discusses keeping it simple (my words, not his) as far as what you include in a WinFE build. WinFE is not meant to be a full forensic suite and indeed it is not. While you can add various tools (X-Ways Forensics, FTK Imager, etc) to your build, you need to decide what you really need and what is just extra stuff that doesn't need to be there, such as an office suite, zip file extractor and so on.

Once you get to the point of actually building your own WinFE, two different methods are taught for doing so. One is the "Mini WinFE" built with tools you can obtain from https://github.com/MistyFromReboot/Mini-WinFE . The second method requires a few more steps to get started, but it isn't terribly difficult to get ready. In fact, both methods are pretty easy to do. Once you have the initial steps done, you can build your own WinFE from either method in just a short time.

Brett also covers topics like dealing with Bitlocker, troubleshooting and hashing. He provides casework  examples as well. One of my favorite parts of the class however is the lesson on testing and validation. The need to test and validate WinFE (and all your software tools) is explained and I was very happy about that. It's easy to make a WinFE boot disk and use it to acquire a drive, but do you know that everything worked right? Do you know if any changes were accidentally introduced to the subject media? I'm so glad this topic was covered because it's just so easy to skip testing and assume all is well.

Something else I really appreciated was the lesson on report writing and testifying. I enjoy writing reports (I'm weird like that) because it present the opportunity to tell a story. I've testified in court related to forensic cases I've worked as well. With both of those things, I'm always happy to hear tips on doing them better, even though I'm not in a position where I'm likely to be testifying in court these days.

Possibly the best part of the course is that you actually have to show your work. You can't just blow through the videos, take a little test and get a certificate. You actually have to build both versions of WinFE to get past the pre-test before you can take the final.

The pre-test consists of answering a few questions followed by providing photographic evidence that you did the WinFE builds (photo of screen booted to each version). You also have to submit a PDF of your validation documentation for either one of the two versions you made. I love that these things were required before the student is allowed to take the final test. I think it lends a lot of credibility to the course certificate you earn when you can say that you actually did something other than watch a few videos to get it. Kudos to Brett for making this part of the course.

After completing the pre-test requirements, you are eligible to take the final test. The 17 question final covered various aspects of the training material. A score of 90% is required to pass. I passed and received my certificate. My next goal is to take the WinFE Instructor training course.

As you can tell, I was very pleased with this class. The instruction from Brett was top-notch. He provided the information based on his own developing and usage experience. He does an outstanding job covering each topic. I didn't come away from any of the lessons feeling like he left anything out. If you have the interest, I highly encourage you to take this course.


  1. Thank you. Your words mean a lot and I am glad that you enjoyed it.

  2. How do I take this course? Which URL should I visit?

    1. Hi Joseph. You can purchase the course at https://courses.dfir.training/offers/zF2Cgb4B/checkout