In 2008, Troy Larson gave me the build instructions for WinFE (Windows Forensic Environment). Troy figured out how to make a Windows PE (WinPE) boot in a forensically sound manner through registry changes, so that the boot environment does not mount or write to attached disks. At the time, the concept of a Windows-based forensic boot environment was groundbreaking—an alternative to the Linux-based forensic boot disks that had dominated for years.
Now, you might not see this as that exciting, so I’ll give you a few minutes…
I used WinFE for two years and by 2010, I had started writing about WinFE. From then on, I haven’t stopped bugging Troy about WinFE, writing about it, teaching it, and advocating for such a useful DFIR tool.
I beat up WinFE as much as possible, testing different build methods and software that could run in it without turning it into a full-fledged Windows OS (Windows To Go is everything that WinFE is not).
Now, 17 years later, with technological advancements, secure boot limitations, and the rise of cloud-based forensic workflows, many might assume that WinFE has lost its relevance. But here’s the thing—it’s still a critical tool in certain investigative situations where nothing else works.
The Evolution (and Limitations) of Forensic Booting
When I first got into forensic booting, we used floppy disks (yes, floppy disks!) before moving to CD/DVDs and eventually USB-based forensic environments. WinFE gave us an incredible advantage—it was a Windows-based forensic boot disk, meaning investigators could work with the same OS environment they were analyzing without modifying the evidence drive.
However, as hardware security evolved, booting into any forensic OS (Windows or Linux) became increasingly difficult. Secure Boot, BitLocker, T2 and M-series chips, and other system-level protections have all made forensic booting more restrictive. Even Windows To Go is limited.
Yet, in some situations, WinFE is still the only way to access a system forensically. A big plus of WinFE is that you can boot ARM devices with WinFE 😊.
The Future
A new WinFE build is being developed by Colin Ramsden, and it is my preferred and recommended build method. Colin has spent more time improving WinFE than I can imagine. Then again, I totally can. I’ll get into Colin’s new build later this year after it is released.
Until then: Enter Arsenal Recon
Mark Spencer and his team at Arsenal Recon developed a useful tool, Arsenal Image Mounter (AIM). AIM allows you to launch virtual machines from disk images, and it has some cool features you can check out on the AIM page. Some days, like right now, I feel old… I remember booting images the hard way… and by “hard,” I mean that it didn’t always work, always had some issues, and was a pain to do. Now it is “virtually” push-button easy.
Here is what Mark and his team came up with:
1. Boot the evidence computer to WinFE.
2. Remotely connect to that WinFE-booted computer from your forensic workstation.
3. From your workstation, boot the WinFE-booted computer to a virtual machine.
4. Now you can not only access the data on the WinFE-booted machine, but also see the virtually booted OS on your workstation.
Now, you might not see this as that exciting, so I’ll give you a few minutes…
Arsenal Image Mounter (AIM) now allows investigators to boot a forensically sound machine into a virtualized OS remotely—essentially turning a deadbox into a virtual live system. This is super cool because it combines the strengths of WinFE with the remote-access flexibility of a tool like F-Response. In my opinion, your toolbox is more capable when it holds both F-Response and WinFE+AIM: you can access both live machines and deadboxes remotely.
Final Thoughts
Seventeen years ago, I didn’t expect to still be talking about WinFE today—but here we are. While its use cases have changed, it still fills an essential gap in forensic investigations. As technology continues to evolve, I suspect we haven’t seen the last of WinFE’s contributions to forensic workflows. I know this for sure… since the next version is coming soon…
After Colin’s next build is tested (I plan on beating it like a drum to help ensure it is solid), I’ll have an updated WinFE training course. Bonus: if you have ever taken a WinFE class from me, email me the cert and I will waive you into the new class (wait until I get the class posted, though!).