Misty has updated Mini-WinFE. There are a few very neat updates, like UEFI support! It's also possible to create a BIOS or UEFI bootable ISO - or BIOS and UEFI bootable.
- Keyboard layouts
- Included FAU in the download. This is redistributed with the permission of the author (GMG Systems Inc) - refer to the project.
Mini-WinFE is a minimalist 32 or 64-bit Windows Forensic Environment (WinFE). (or an offline operating system) a mounted .iso file is recommended. RTM versions of Windows are also recommended. The Windows Automated Installation Kit. I recommend that you use the majority of settings from the download initially (adding SysWoW64 support.
Windows Forensics Environment (WinFE) is a bootable operating system environment that can be used for forensic examinations. It provides a live boot environment that allows you to examine a suspect computer in a forensically sound way. Autopsy 3 works out of the box in WinFE Lite, which is a build of WinFE.
Due to some dependencies in Autopsy that aren’t available in the WinFE Lite environment, not all functionality exists. Specifically, you will be unable to view videos or open zip files.
Here are the instructions for installing and running Autopsy 3 in WinFE Lite:
- Install Autopsy 3 onto your forensics machine running Windows.
- Download the WinFE Lite build and put it in its own folder on your forensics machine. We’ll call this folder {WINFE}.
- Copy the Autopsy 3 folder (in C:\Program Files (x86)\Autopsy by default) from your forensics machine into the '{WINFE}\X\Program Files' directory.
- Double click to run “{WINFE}\MakeFELite.bat”. An ISO will be created and put in the “{WINFE}\ISO” folder.
- Use the ISO to create a bootable disk or USB drive that will run the WinFE Lite environment with Autopsy 3 now included. The WinFE Lite page has information on how to turn the ISO image into a bootable USB device.
- To test, reboot your Windows machine and select the option to boot from USB/CD/DVD instead of your hard drive and normal Windows installation.
- To open Autopsy 3 in WinFE Lite, open task manager from the settings menu in the toolbar.
- Under the applications tab, press the new task button and type “explorer” to open it as a new task.
- Navigate to X:\Program Files\autopsy\bin and double click to run autopsy.exe.
- Autopsy 3 will now run and you can operate as normal by selecting the disk for analysis in the Case Creation Wizard.
- When Autopsy opens, select a non-write protected area to store your cases in. This can be on the USB device you are using to boot from or an additional USB device that you mount read-write.
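The staging and build steps above can be scripted on the forensics machine. The following PowerShell is an added example, not part of the original wiki page or the WinFE Lite project: the `C:\WinFE` default for {WINFE} is a hypothetical location, the staged folder is named `autopsy` to match the path used in the navigation step, and the file-count check and SHA-256 of the resulting ISO are additions for your case notes.

```powershell
param(
    [string]$WinFE      = 'C:\WinFE',                        # hypothetical location of {WINFE}
    [string]$AutopsySrc = 'C:\Program Files (x86)\Autopsy'   # default install path given above
)
$ErrorActionPreference = 'Stop'

$progFiles = Join-Path $WinFE 'X\Program Files'
$dest      = Join-Path $progFiles 'autopsy'
$bat       = Join-Path $WinFE 'MakeFELite.bat'
$isoDir    = Join-Path $WinFE 'ISO'

foreach ($p in $AutopsySrc, $bat) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing: $p" }
}
# Copying onto an existing folder would nest the tree one level too deep
# (autopsy\Autopsy\bin), so refuse instead of silently building a bad image.
if (Test-Path -LiteralPath $dest) { throw "Already staged, remove first: $dest" }

New-Item -ItemType Directory -Path $progFiles -Force | Out-Null
Copy-Item -LiteralPath $AutopsySrc -Destination $dest -Recurse

# Verify the copy before spending time on the ISO build.
$srcCount = @(Get-ChildItem -LiteralPath $AutopsySrc -Recurse -File).Count
$dstCount = @(Get-ChildItem -LiteralPath $dest -Recurse -File).Count
if ($srcCount -ne $dstCount) { throw "Copy incomplete: $dstCount of $srcCount files" }

# This becomes X:\Program Files\autopsy\bin\autopsy.exe once booted.
$exe = Join-Path $dest 'bin\autopsy.exe'
if (-not (Test-Path -LiteralPath $exe)) { throw "autopsy.exe not found at $exe" }

# Run the build script from its own folder and wait for it to finish.
$started = Get-Date
Start-Process -FilePath $bat -WorkingDirectory $WinFE -Wait

# Report only ISOs written by this run, with a hash to record in case notes.
$isos = @(Get-ChildItem -LiteralPath $isoDir -Filter '*.iso' |
          Where-Object { $_.LastWriteTime -ge $started })
if ($isos.Count -eq 0) { throw "No new ISO found in $isoDir" }

$isos | ForEach-Object {
    $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
    [pscustomobject]@{ Iso = $_.FullName; Bytes = $_.Length; SHA256 = $h.Hash }
}
```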
If you find workarounds to get the video player and ZIP extractor working, please let us know and update this page.
Retrieved from 'https://wiki.sleuthkit.org/index.php?title=Autopsy_3_WinFE&oldid=5311'