RIP Windows Forensic Environment (WinFE)?
DFIR Training (Brett Shavers)
Not only is WinFE not dead or dying, it is being improved.
I won't get into the new features being developed now, as I am but a mere beta tester for the cool things coming to WinFE. The expected timeline for release is in 2025.
With that, I am closing the current WinFE training and will be updating the program for the new and improved WinFE. As of today, thousands have taken the WinFE training I've provided over the past 10 years or so. That's a lot of WinFE users!
Today (October 31) is the last day to register for the WinFE courses and access all WinFE goodies. The updated WinFE will be near the same, but with a few extra functions. It will still be able to acquire ARM devices (did you not know that?), and boot Intel-based Macs. And still run from an external device. But it will be even easier to build!
I've used WinFE in real cases and seen it used in real cases. I've not seen or heard of any evidence acquired with WinFE being disallowed because of WinFE use. Troy Larson's simple, but ingenious, creation of modifying a WinPE has become a solid DFIR tool today.
WinFE can be built with one PowerShell script command, from start to finish, in minutes. The new WinFE will be even easier to build.
Since WinFE has no tech support (it will in 2025), is technically free to build and use, and acquires devices that most other tools cannot (like an MS Surface Pro), every DFIR practitioner who acquires evidence should have it. If not WinFE, then keep a Windows To Go or another Windows-based acquisition tool (there are plenty of commercial tools you can buy).
The one thing that free and/or open source tools lack is formal training. I mean training other than a YouTube video. YouTube videos are educational, they can tell you how to do something, but if you want something with weight to put on a CV or testify with, a piece of paper that documented time-in-a-seat being presented instruction, then take a course in addition to self-learning.
So, if you have never taken a WinFE class (and I mean other than a breakout session at a conference), consider taking this class. You'll get access to the updated training next year, included. If you already took a WinFE course from me, I'll grant you access to the new course in 2025, so do not sign up.
If you want training in the Colin Ramsden WinFE build, this is the only authorized and recognized training.
For a few reasons, I'm making it $25 for all of the below (reduced from ~$300). First, it will be months before I update the training with the new WinFE. Two, I'd give it away for free, but in my opinion, "free" usually means one doesn't take it seriously or might not start or finish training because there is no personal investment in learning. But $25 is low enough to eliminate the "that's too expensive" but high enough so that "I better get my money's worth" for the training.
Here's something to consider: I know many practitioners use WinFE and probably mastered it but never had formal, documented training. I have seen a trial where a self-learned witness was embarrassed by the opposing witness because the opposing witness was also self-learned but had documented training to verify the self-learning. This is just a thought, not just for WinFE but for everything DFIR.
You can get this today at $25 or wait until 2025 and pay ~10x more (not a threat, but a reality). I'd rather you get it now AND get 2025's version included free :)
The package: WinFE Cert Course, WinFE Train-the-Trainer Course, WinFE ebook, WinFE PowerShell builder script, WinFE QuickStart Guide, WinFE resources and references.
Register here: ALL THINGS WINFE