Everyone is hitting on an initial purpose of this forum topic, in that testing your tools is necessary, no matter which tool you use as well as having tools validated (accepted) in the community. Luckily in this field, you can test in real world environments and virtual environments to get the same results as if you were working on a case (in other words, you can practice forensics on a real hard drive whereas a doctor doesn't have the same luxury of practicing on a living person). And by 'real world', I'm not implying to test tools on real cases, only that you can recreate a real case for tests.
Therefore…I'm running tests on the Windows FE boot CD and hoping others do so as well. At 2GB+ a minute with FTK Imager (and that's through USB, not eSATA), I think it is a worthwhile boot CD to have in the forensic toolbox. I seem to recall a number of posts some time ago regarding a free Linux boot CD, where problems were identified and the CD was improved. I think that is the way it is supposed to work…
As far as being an expert witness, even if you didn't plan on being one, if you've done this job long enough (and doing a good job), more than likely, you'll be qualified an expert on the stand because certainly, you'll have way more knowledge, experience, training, and education in forensics than anyone else in the courtroom (except maybe for the opposing expert).
If you are not familiar with loading local hives on Windows, you may find the following helpful when setting up a WinFE ISO for the first time…
To modify the registry of the WinPE "wim" mounted image that will become your ISO
Run regedit
In the left pane, click on either the HKEY_USERS or HKEY_LOCAL_MACHINE keys
From the File menu, select "Load Hive"
you will see the current hive pointing to c\Windows\System32
you will want to load the hive pointing to c\WinFE\mount\Windows\System32\config\SYSTEM
you will be prompted to for the name of a key under which this hive should be loaded, use WinFE
Make the following two changes
HKEY_LOCAL_MACHINE\WinFE\ControlSet001\services\mountmgr
NoAutoMountDWORD = 1
HKEY_LOCAL_MACHINE\WinFE\ControlSet001\services\partmgr\Parameters
change Sans Policy DWORD value to 3
In the left pane, click on HKEY_LOCAL_MACHINE\WinFE and from the File menu select "Unload Hive"
You will observe that the mounted hive, WinFE, is no longer present.
close regedit
for more details, see
http//
http//
http//
Nice write-up!
Although it is always a bit strange to find a topic chewed over that has already been published for a while I really appreciate that there were some details and hints added.
At least my findings regarding the forensic soundness seem to be confirmed.
best regards
Marc Remmert
Really interested to test this out )
Even with the talk of Windows Forensic Environment (blogs, write ups, etc…), it really hasn't taken off as I think it would have. I admit, I had read instructions on making a WinFE a few years ago and neglected even trying for fear of how much time it would take when I could just download a Linux CD (downloading a Linux CD takes longer than making a WinFE CD…). Now I wish I had tried it earlier as it wasn't difficult at all.
I've gotten several (numerous) emails about WinFE, so in order to compile the questions into a place of answers, I have a simple website at http//winfe.wordpress.com
Access to a detailed batch file, tips of using WinFE for triage/preview, software that runs on WinFE, and such information can be found at the site. I am glad to see that people are starting to use WinFE. The best part…its free.
And it seems to be even more information being generated, such as this webinar (https://
Thanks for all your Help Brett, I am sure you just want to crawl away and hide now that you are being inundated with so many questions..
I appreciate the emails, this is more of a community project anyway. Since this tool set is freely available and personally configurable, its not only a hobby to play around with, but also something that can save you quite a bit of time in the real job.
Thanks kaplan!
I have been sat here trying to load a hive for about 10 minutes, and all I didn't do was click on an entry on the left.
I think I need more coffee! P
There have been some new batch files and information submitted on Windows FE at http//winfe.wordpress.com, available for download. Some additional addons are also being written that will greatly enhance the use of WinFE for not only imaging, but triage and analysis.