ogmini - Exploration of DFIR

14 May 2025

WinFE Training - Brett Shavers

by ogmini

Currently taking the WinFE training from Brett Shavers. Today (5/14/2025) is the last day to take advantage of his great offer for free training: https://winfe.wordpress.com/2025/05/12/holy-smokes-free-winfe-training/. I haven’t completed the training yet, but I wanted to post some quick thoughts.

I really like the emphasis placed on testing, testimony, and decision making. The ability to create the WinFE tool can be distilled down to clicking buttons. Answering questions in court is the key and one that requires confidence and understanding. The course dives into this constantly.

I’m going to be dating myself with this next section. WinFE is WinPE with some changes to prevent disk writes. WinPE has a long history, having existed since 2002, and you can find more information about it at https://en.wikipedia.org/wiki/Windows_Preinstallation_Environment. Initially, WinPE was NOT free and was only available to large OEMs and corporations. I believe it was made available to the public at large with version 2.0.

I remember using a tool called BartPE/PE Builder back in 2003 to build a free alternative to WinPE. In those years, I was using BartPE/PE Builder to make bootable CDs to troubleshoot computers at college as a ResNet IT technician. It became a very popular tool, as most of our calls revolved around virus/trojan remediation and helping students connect their computers to the network. BartPE allowed us to verify that their hardware and network cards worked and could connect to the network. We would do a courtesy virus scan using tools such as McAfee Stinger and others I can no longer recall. Anything beyond that required them to visit the computer store for more assistance. It saved so much time, because their operating systems were often so riddled with infections and would run so slowly that any troubleshooting was impossible.

One funny anecdote: Brett mentions the temptation to add EVERYTHING to WinFE once you get comfortable. I did the same thing with BartPE! Adding full-on instant messengers, file transfer programs, media players, etc. It was fun but added nothing to the actual utility of the tool for the job it needed to do. Listen to Brett, only add what you need!

I wonder if, in an alternate universe where Microsoft hadn’t made WinPE free, we’d be using something like BartFE instead.

Hopefully, I can finish the rest of the lessons tomorrow and take the test.

References

http://outwardtruth.com/tools/bartpe.htm - Some history about BartPE
https://en.wikipedia.org/wiki/BartPE - Wikipedia Page on BartPE
https://web.archive.org/web/20030806112028/http://www.nu2.nu/pebuilder/ - Internet Archive of the old BartPE page

tags: training - WinFE