Windows Forensic Environment

The Windows Forensic Environment (a.k.a. WinFE) is a Windows-based boot disk that can be used as a platform for digital forensic analysis. Because it is Windows-based, it lets users run a number of Windows programs that they may already be familiar with. It is an alternative or addition to a number of forensically focused Linux distributions.

WinFE is a software write blocker used to prevent writes to storage devices. Usage may include gathering evidence on systems where hardware cannot be removed, triage investigations, or as an alternative to potentially expensive hardware write blockers.

Troy Larson, Senior Forensic Examiner at Microsoft, is credited with creating the Windows Forensic Environment. WinFE does not appear to be available as a commercial product from Microsoft. It is, however, relatively easy to create WinFE for personal use from freely available tools. WinFE is in essence a Windows Preinstallation Environment (WinPE) with two minor registry edits that are applied to ensure that hard disks are not automatically mounted during the WinPE/WinFE boot process - minimising the risk of contaminating data/evidence. WinFE is a lightweight version of Windows that can be used for many tasks - it is a complete, standalone operating system and works independently of any other operating system already installed.
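The two registry edits referred to above, applied to an offline WinPE image, as an added example that is not part of the original page or of any Microsoft/WinFE documentation. The values set are the NoAutoMount and SanPolicy settings WinFE builds are known to use; the WIM path, mount directory and temporary hive name are assumed placeholders, and the script expects an elevated prompt on a machine with the Windows ADK deployment tools installed.

```powershell
# Added example: apply the two WinFE registry edits to an offline WinPE boot.wim.
# $WimPath and $MountDir are assumed placeholders; adjust them to your own build tree.
$WimPath  = 'C:\WinPE_amd64\media\sources\boot.wim'   # assumed path
$MountDir = 'C:\WinPE_amd64\mount'                     # assumed path
$HiveName = 'WinFE_SYSTEM'                             # temporary name for the loaded hive

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    # Run an external tool and stop on the first failure instead of silently continuing.
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Force -Path $MountDir | Out-Null

# 1. Mount the WinPE image so its offline registry hives become plain files.
Invoke-Checked dism.exe @('/Mount-Image', "/ImageFile:$WimPath", '/Index:1', "/MountDir:$MountDir")

try {
    # 2. Load the offline SYSTEM hive under HKLM so reg.exe can edit it.
    #    ControlSet001 is used because CurrentControlSet only exists on a running system.
    $SystemHive = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
    Invoke-Checked reg.exe @('load', "HKLM\$HiveName", $SystemHive)
    try {
        # Edit 1: stop the Mount Manager from assigning drive letters and mounting volumes on its own.
        Invoke-Checked reg.exe @('add', "HKLM\$HiveName\ControlSet001\Services\MountMgr",
            '/v', 'NoAutoMount', '/t', 'REG_DWORD', '/d', '1', '/f')
        # Edit 2: SAN policy 3 (OfflineAll) keeps newly discovered disks offline until an examiner brings them online.
        Invoke-Checked reg.exe @('add', "HKLM\$HiveName\ControlSet001\Services\partmgr\Parameters",
            '/v', 'SanPolicy', '/t', 'REG_DWORD', '/d', '3', '/f')
        # Read both values back before unloading so a failed write cannot go unnoticed.
        Invoke-Checked reg.exe @('query', "HKLM\$HiveName\ControlSet001\Services\MountMgr", '/v', 'NoAutoMount')
        Invoke-Checked reg.exe @('query', "HKLM\$HiveName\ControlSet001\Services\partmgr\Parameters", '/v', 'SanPolicy')
    } finally {
        Invoke-Checked reg.exe @('unload', "HKLM\$HiveName")
    }
    # 3. Commit the edited hive back into boot.wim.
    Invoke-Checked dism.exe @('/Unmount-Image', "/MountDir:$MountDir", '/Commit')
} catch {
    # Discard the mount on any failure so the image is never left half-edited.
    dism.exe /Unmount-Image /MountDir:$MountDir /Discard | Out-Null
    throw
}
```

Once the resulting media is booted, `diskpart` reports the active policy with `san` and lists the evidence disks as offline in `list disk`; marking a disk read-only with `attributes disk set readonly` before bringing it online preserves the write-blocking these edits provide.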

Document date - 18th June 2022