Forensic Operating Systems

Everything you need to know about booting a computer system into a forensically sound operating system with a focus on the Windows Forensic Environment.

About this course

The need to forensically boot computers still exists, regardless of how much technology has advanced over the years.  Traditionally, booting a computer to a modified floppy disc for imaging was the most commonly accepted practice.  Today, forensic analysts have options in identifying, collecting, and preserving data from evidence computers.  One of these options is still booting the machine to a forensic operating system.  

In this course:

  • Download and build a Mini-WinFE
  • Compare various operating systems in forensically sound, bootable environments (Windows, Mac, Linux)
  • Learn the many ways to use a forensically sound, external media bootable operating system

This course (updated in 2018) is the first course specific to all aspects of WinFE (good, bad, and indifferent) taught by a main developer of the forensic WinFE tool, used alongside alternative booting systems such as Linux and Mac. Much of the information taught in today's training programs about WinFE (such as SEARCH, FLETC, NW3C, and other providers) has originated from the presenter's research and assistance in creating law enforcement-only courses in WinFE, which is the same information you will see in this course.

Total hours: 5

Downloads: Included

Course access: 3 months (24/7)

This course also introduces the latest Mini-WinFE build project. This build is the quickest, easiest, and most error-free building method created to date.

Although a heavy focus is on the Windows Forensic Environment (WinFE), both Linux and Mac operating systems are introduced as solutions to forensic booting problems. If you have not built a WinFE or Win2Go yet, you will have the information to create your own build before the first half of this course is completed. If you have used forensic operating systems on external media before this course, and even if you use forensic bootable media regularly, you will learn new methods of use that can be helpful in your work.

Your presenter, Brett Shavers

I have been working in the digital forensics field since 2004 and have been a part of some amazing cases and forensic software developments. Visit my blog for more information about me at brettshavers.cc.  I have been involved in the development of WinFE since before its public release by Troy Larson of Microsoft in 2008.  As an evangelist for WinFE, I have coordinated WinFE's development with the assistance of software developers and experts world-wide, from selecting the builder application, write protection tool development, and beta testing, along with providing guidance in the development of law enforcement training courses that utilize WinFE as a triage tool of choice.  Since the initial release of WinFE to law enforcement and subsequent release to the public, WinFE has made its way into being taught in basic and advanced digital forensics programs such as the Federal Law Enforcement Training Center (FLETC), the International Association of Computer Investigative Specialists (IACIS), the National Consortium for Justice Information and Statistics (SEARCH), and universities world-wide.

Curriculum

  • Introduction to the Course
  • Introduction
  • 1. Forensic Booting of Evidence Computers
  • Write Protection
  • Creative Uses of Booting to a Forensic Operating System
  • Decision-Making Process. Should I boot to external media?
  • Bootable Media
  • Which Forensically-Sound, External Media, Forensic Operating System is the Best?
  • Concerning the potential of WinFE to write to the disk
  • 2. Windows Forensic OS
  • Overview of the Various Versions of WinFE
  • DiskPart Lecture
  • DiskPart Demo
  • WinFE Write Protection Tool
  • 3. Mini-WinFE
  • Prep to Build Mini-WinFE
  • WinBuilder and Mini-WinFE
  • Building Mini-WinFE
  • Mini-WinFE Project Downloads
  • 4. Building the Windows Forensic Environment
  • Basic WinFE notes
  • Building the Basic WinFE
  • 5. WinFE Lite
  • WinFE Lite Build Instructions and Downloads
  • Building WinFE Lite
  • 6. Windows Triage Environment
  • Windows Triage Environment (WTE)
  • 7. Windows To Go
  • Windows To Go (Win2Go)
  • 8. Mac Forensic OS
  • Mac/Apple Distros
  • 9. Linux Forensic OS
  • Linux Forensic OSs
  • Building Your Own Forensic Linux Distro
  • 10. Commercial Forensic OSs
  • Commercial Forensic OSs
  • 11. Methods of Use
  • Unique Devices
  • Bitlocked and Encrypted Drives
  • Make USB Devices Bootable
  • More Innovative Uses of Forensic Operating Systems
  • 12. Validation
  • Validating Bootable Forensic Operating Systems
  • Recommendations on Teaching Forensic Operating Systems
  • Teaching Forensic Operating Systems
  • 13. Wrapping Up
  • Wrapping up
  • 14. Downloads
  • Supporting Links
  • Exam
  • Forensic Operating System
