Suggestions for a WinFE Imaging Tool Based on Clonedisk?

An imaging tool (CloneDisk) development project for WinFE...very cool...keep up with the thread and give your suggestions at


579 Hits discussion | DMDE - Basic Disk Imaging Test (and results)

If you are interested in some behind-the-scenes efforts of developing WinFE, take a look at the forum threads.  And if you want to give input on what you would like WinFE to do...the forum would be a good place to submit a suggestion or lend a hand in development.

If for nothing but curiosity, you can follow along in watching the developers of the WinFE discuss how they are working toward making the lightest, fastest, full-featured, minimal builds, multi-boot, easy-to-use,  and cool forensic tool around.

I'll continue to post the latest links and download information on this blog, because I know that time is usually non-existent, deadlines are always minutes away, your laptop (while at the airport or onsite) has eight programs running while you are replying to ten emails, and you just need to know where to download that latest WinFE building information.  So, that will be here.  But for when you have time at the side of the pool, browse to watch these guys improve WinFE as it happens.

500 Hits

Mini-WinFE Updated

"Misty" has updated Mini-WinFE, the quick and easy build of the Windows Forensic Environment.  There are some pretty neat updates to the build (listed below).  So far, the best documentation I have seen on WinFE, specifically Mini-WinFE is here: This is the kind of stuff you want to read in order to really know as much about WinFE as possible.  Another really good source of info on mistype is at

Before I get any complaints about "WinFE is not perfect" or "WinFE can't do everything", let me that yes that is correct. It is not perfect and cannot do everything.  In the world of forensically booting evidence machines, some Linux bootable environments work very well too.  Some machines can't be booted forensically, that is true as well.  But for the marjority of systems that can be booted forensically, WinFE has its place.  For the average and above-average examiner needing to boot the evidence machine, there are few options available that make it super-easy to add drivers on the fly or use your Windows based apps from the office rather than Linux based you hardly (if ever) use.

If you haven't checked out WinFE, you should.  Everyone else is already on board :)

Some tidbits in the Mini-WinFE include:

  • DMDE (included)

  • Forensic Acquisition Utilities (downloaded automatically)

  • FTK Imager (copied from local install)

  • HWiNFO (included)

  • LinuxReader (downloaded automatically)

  • MW Snap (included)

  • NT Password Edit (included)

  • Opera (included)

  • Sumatra PDF Reader (included)

  • X-Ways Forensics (copied from local install)

  • Write Protect Tool (included)


[caption id="attachment_1177" align="aligncenter" width="806"]WINFE You gotta download the new version and check it out. It's plain cool.





* Added a number of additional options in the core script - 

  these are all enabled by default. The new options will 

  remove a number of unsupported options from the right-click 

  context menu. Thanks to forum member farda for

  these suggestions.

* Added "Open with" workaround for WinPE 4.0/5.0. See -

* WinFE settings are now separate to the Shell script - but are 

  still mandatory. They have been moved to a new script 


* Option to use either SANPolicy 3 or 4 (in new WinFE script) -

  SANPolicy 3 is automatically used with WinPE 2.*/3.* sources as

  SANPolicy 4 is only supported in WinPE 4.0/5.0.

* File dependencies (to be extracted from install.wim or

  copied from the host Operating System) are handled in one

  (hidden) script -  Core\required.files.script. This will 

  make it simpler to implement any future file dependencies. 

* Added a script to copy files and folders from a local 

  directory - allowing the easy addition of third party files. 

  A menu entry will open the directory these files were copied 


* Added Tools\Create USB script - it's now possible to 

  create a MistyPE bootable UFD during the build process.

  Use with caution - see documentation for more details. 

  Tested with Windows 7 (SP1) and Windows 8.1.

* Added ADK For Win 8 (and 8.1) scripts. Refer to documents.

  NOTE - this has only been tested using Windows 7 (SP1) 

  and Windows 8.1.

* Wallpaper support (.jpg) added for all builds - this 

  feature was not previously working with WinPE 4/5. See

  Programs\Wallpaper script.

* Wimlib-ImageX updated to version 1.6.2

* Added build 6.3.9600 (Windows 8.1 - Final) to the list  

  of tested/working sources.

* Added the following scripts -

	- WinHex


	- Opera - 64-bit support added.

	- Keyboardlayouts

* Included FAU in the download. This is redistributed

  with the permission of the author (GMG Systems Inc) -

  refer to the project documentation.

* Program scripts now contain menu entries - this should

  make it easier to add new program scripts. Previously 

  all menu entries were contained in the shell script - 

  resulting in multiple script edits for any new programs 


* Various tweaks in core script 

	- "FileDelete,"%Cache%\temp\*.*" has been added to

	  to ensure that cached batch files and .ini files 

	  are deleted earlier in the build process. Without  

	  this fix there are errors in some very limited 


	- Added verification check from registry files  

	  extracted from boot.wim - only used if the 

	  wimlib-imagex checks fail.

* Script structure has been changed for all Program scripts. 

  Hopefully results in better error checking for any missing 


* Browse for folder support is added by individual program 

  scripts even if this option is not selected in the Core 

  script. Resulting in a more modular approach (see 


  for the philosophy behind this approach).

* Documentation updated - added section on using the ADK 

  For Win 8.1. 


912 Hits

WinFE Success Story

I get a few stories of how WinFE saved the day and a few of these heroes let me retell their story. This is one of them. The ‘detective’ wishes to be unnamed, but for sake of argument, I know who he is…


 A detective from a California law enforcement agency that had attended the SEARCH “Network Investigation and Digital Triage” course contacted the instructors with assistance in building a WinFE based on Windows 8.1. The detective was given guidance and links to the various resources needed to create the WinFE8.1SE. The detective was further given assistance in adding in the utilities he would need and finally validating the build to insure that it was forensically sound.

 In a follow up call, the detective indicated that the he had obtained the duplicate images he needed, with one minor modification. He found that one of the target drives was mounted through an add-in card and was not initially recognized by WinFE8.1SE. Noting that Colin Ramsden’s write protect utility allowed for adding drivers to the system, the detective located the add-in card drivers and added them to the system. WinFE8.1SE and Colin’s WP utility then recognized the additional drive and allowed mounting it read only. The detective then successfully obtained duplicate images of both target drives.






As a side note, consider that WinFE started with Troy Larson typing out a 2-page Microsoft Word document on changing registry values in a winPe to get a winFe. That little idea is now taught at local, state, and federal agencies as well as public/private education and training courses. Basically, it’s is use by many.   This success story is neat because it shows how easy it is to add a driver on-the-fly. You don’t need much technical experience to use Colin’s app to add drivers or toggle hard drives. We beat it up pretty good to get it right; Colin is one of those extremely competent software writers and I am glad he helped out the WinFE project.

Got a success story? Send it to me and I’ll share the word.


413 Hits

WinFE (and of course, XWF)

Taking WinFE to even another level on a multiboot thumbdrive.  Very cool, but I spread this word to you because there are few things in life neater than a forensically bootable CD/USB with X-Ways Forensics.

From Hacking Exposed: Adding the WinFE Image to the Multiboot Thumbdrive Image (Video)

459 Hits

X-Ways Forensics and WinFE

winfeA faster WinFE build is available on that includes a script to add XWF to the build.  Of course, you have to have a license for XWF for the script to add it to the build.  As of now, it includes FTK Imager and dd tools, with more on the way to add.   The build method is a beta only because more apps are being added that need to be tested.  Other than that, it works great with FTK Imager, XWF, and a few other small apps.  The goal is to put several imaging options on it for user preference.

Have 10 minutes to spare? Then you can build a WinFE bootable USB or CD. Have 10 minutes to spare? Then you can build a WinFE bootable USB or CD with XWF installed on it.

There is no difference between the write protection in this faster build as it uses Colin Ramsden's write protection application, but the main difference is that you can build a WinFE ISO file in less than 5 minutes, start to finish.  You can burn it to a CD or make a bootable USB within 5 more minutes, giving you a WinFE in about 10 minutes time, starting from pushing the button and having a WinFE CD/DVD/USB in your hand.

Although this is meant to be the fastest method to build an acquisition boot OS, with X-Ways, you can still do a heck of a lot more than just imaging with WinFE.  And just because it only takes 10 minutes doesn't mean WinFE is a minor forensic tool.  With XWF, WinFE is way more than just something you can throw together to image.  It's really neat.

886 Hits

Triage Notes and WinFE

One of the biggest benefits (besides imaging storage media) of WinFE is the ability to create a customized triage system at virtually no cost.  Purchasing a pre-made system may not be an issue when only one or a few systems are needed, but when outfitting an entire unit or perhaps an entire police department, bulk purchases of software to be issued individually most likely may not happen.  Completing disregarding the ability to triage due to cost does not benefit the community or country.  Finding solutions does.

With a WinFE "triage system", the cost can be minimal due to the multitude of freely available software available.  Not to be confused with shareware, pirated software, or other questionable software, there are plenty available at no cost that are effective and easy to use (and did I mention the keyword "free"?).

So, when contemplating purchasing a pre-built system, consider that a customized system can be simply created that fits the needs and budget of your organization or your case.

There are several tools of worthy mention, but plenty more that are just as viable for triage and forensic quality software.

For law enforcement and military, there is the excellent (and free!) search tool "Field Search".  Field Search is a tool initially developed to run on a live machine to scan for images, internet history, and other items of evidential value.

Field Search can also run under a WinFE booted system, giving it the capability of being "forensic" in that instead of running on the suspect machine and altering the system, it can now be run without altering the system.   Field Search is an extremely quick and easy program to use for First Responders and those in combat zones.  The use of this program in a forensic environment just doubled its potential.

The only limits to the software that will run on WinFE are those that depend upon the dependent files.  As an example, the Microsoft .NET framework is needed to run ChromeAnalysis and FoxAnalysis.   .NET is installed in the WinFE with the check of a box when using WinBuilder to build a WinFE ISO.  With that,  both FoxAnalysis and ChromeAnalysis from run in the WinFE booted system giving more options in triage.  Both of these tools provide an intensive internet history capability in any forensic examination, and can be easily used in a triage/preview situation.  

Other types of forensic software can also be used to target specifically desired information.  RegRipper can be used to run against an entire drive and output specific results to a text file.  RegRipper (freely available!) can be modified in a multitude to ways to target what may be needed in a given scenario, either by using pre-made plugins or writing a unique plugin based on what is needed.


WinFE allows you to customize a triage booting system based on several factors other than just a budget.  As an example, a police department can have a WinFE customized for First Responders with a bare minimal selection of triage tools, Field Search being a prime example.   Investigators could have additional tools (with some additional training) that can go beyond the First Responders' needs.  With this type of system, by the time a forensic examiner is given evidence to examine, the evidence has been prioritized by the First Responder and case investigator to best determine how resources should be spent.  Compared to literally dumping multiple computers onto an examiner's desk and asking for "everything", triage can be conducted for more effective results and quicker turnaround.  This can be applied to non-LE work as well.



Since WinFE can boot virtually any intel based computer, (this also includes Macs and *nix machines), the majority of situations can be handled with it.   Forensic Linux boot discs can be used in the same fashion as WinFE, using Linux software, however, I would hazard a guess to opin that most computer users are using the Windows Operating System.  Giving an unfamiliar operating system to a First Responder may be creating a problem due to mistakes being made by not knowing 'which buttons to push' to find the evidence...Those with more experience with Linux should not have that problem.  Given the option to outfit a battalion of combat troops with this capability...I'd probably lean heavily toward a Windows based system...

Fairly soon, if not already in some jurisdictions, the days of giving the forensic examiner dozens of hard drives that have not been previewed or triaged in some fashion by someone, will be over.   A WinFE triage system can be configured to find basic information (user accounts, internet history, graphics, etc...) which can be used to prioritize, or even eliminate, media to be examined.  Some information that can be gleaned onsite during triage could substantially affect the outcome of the situation (combat arena?  searching for victims related to an electronic crime scene? or other scenarios where an extensive examination will yield results that may be useless months later?).

Using a triage system can save more hours than you may initially realize.  If just one computer hard drive is triaged, and determined not to be of importance (as compared to the other 10 in the investigation...), then it need not be imaged (saving hours) and need not be examined (saving days).   It's very easy to determine the ROI or manhours saved with one hard drive, extrapolate that to dozens or more hard drives.  How's that for cutting down the workload?


493 Hits

WinFE Demo Online

I'll be giving a demo of WinFE to on March 10 (online).  I'll be showing some neat developments in the work as well as discuss solving build problems.

There are a few spots left and you have to be a CTIN member to view the presentation.  But maybe it is something worthwhile to join anyway as most all the training is free to members.

405 Hits

But does it do Mac?

Just to clear up any questions on whether WinFE can 'do a Mac', can.  And Linux too.  And of course it can do Windows as well.   As long as the machine can be booted to a WinFE CD or USB, then you can image the hard drive.  Actually, you can do a whole lot more than just image can triage it, preview it, search it, or just copy files and folders from it.  If the drive is encrypted and you have the key, you can access the drive.  And what about VSS (Volume Shadow Service/Copies) can access those too, all through WinFE.

I can promise that as soon as you build a WinFE CD or bootable USB, you will regret not having done it months or years earlier (it's been around since 2008....).  And if building a forensic boot OS makes you hesitate at all, there is no need because if you use WinBuilder, it is as simple as pointing and clicking to fully customize your Windows FE CD or bootable USB.
512 Hits

It's time to build your WinFE!

You can now download the WinFE WinBuilder.  Thanks to everyone that helped support this effort, it was well worth it.

As to a guide on how to use WinFE, it probably isn't really needed since WinFE is simply a forensic boot disc.  So, you might not need any help in putting WinFE to good use.  However...there may be a few things you didn't know you could do with WinFE that could be of interest.   Since that might be the case, here is a quick guide on tips on using WinFE as well as tips for building with WinBuilder.

Users Guide to WinFE

For support on how to use WinBuilder (troubleshooting, advanced features), check out the WinBuilder website at

To reiterate some points about WinFE (and to hopefully prevent 'hate mail' coming to me from commercial products...), WinFE is an addition to your forensic toolkit. It doesn't replace any tools, only supplements what you are using anyway.   Commercial products that do the same thing that WinFE does work too, keep buying those if you want, you don't have to use WinFE.  And for the Linux lovers out there (Hey, I'm one of you guys too!), there is time and place for everything, sometimes WinFE is best, another time CAINE or DEFT or ???*nix may be best.

As far as anyone making a profit out of WinFE, no need to ask, because no one is;  it is a community project of customizing a Windows PE to fit your needs.

And yes, there are even some more neat things to be added to WinFE in the future...but as of now, you have access to a solid forensic environment.

For additional credits to this project;

This project uses the project Win7PE_SE as Base building, thank's to ChrisR for his great work ( Win7PE_SE  Also, thanks to theYahoouk , JFX, Altorian, Lancelot, and RuiPaz with the Win7PE project on which this WinFE WinBuilder is based.
2087 Hits

Portable Internet Evidence Finder and WinFE

Jad Saliba (of has released an update to his Internet Evidence Finder/IEF in a portable version.  Now this sounds really good to have the ability to plug in a USB drive into a running machine to gather the information that IEF does.   But, to take it a step further, I tried IEF within a booted WinFE system.   And the works perfectly!

To make sure you can get the full grasp of how neat this is, you can boot to WinFE and run IEF across the physical drive, without making any changes to the evidence.  This could be of real importance in an investigation such as a missing person case where internet/chat/webmail may be of immediate intelligence value.  Rather than imaging the hard drive to search for this data from the image, or booting the machine to its operating system and potentially overwriting pertinent data, you can boot to WinFE and run IEF on the write protected drive.   Of course, in a missing person case where chat is involved, it may also be most important to capture the volatile data FIRST before turning off the computer.

In civil case matters, this can be a fairly quick method of obtaining data relevant to the case matter onsite if imaging the hard drive is not allowed.

Although IEF doesn't run on Mac or Linux....if you boot a Mac or Linux machine with WinFE, IEF will run against that Mac or Linux hard drive ;)

463 Hits

Updated video and other things

If you haven't seen Marc Remmert's video on creating a WinFE ISO, here is his video.  Although the WinBuilder method greatly simplifies what Marc shows in his video, it certainly recommended to see what is actually happening to a Win"P"E to make it into a Win"F"E, no matter the process used, at least understand the changes being made, the reason for the changes, and the validation of the changes.  And for those that insist that WinFE is not WinFE and that it is WinPE...well, you are sorta correct.  WinFE is the 'forensic' modification of a WinPE, so it really is something different.


On the WinBuilder topic, a great group of beta testers have started to put WinBuilder through its paces.  Again, although the end result is that you will be able to create a WinFE ISO with a few clicks, it is best to know what is happening behind the scenes and Marc's video gives you that insight.

394 Hits

Do you wanna be a beta tester for WinFE?

Just before the latest WinBuilder WinFE gets released, would you like to take it on a test run first before the rest of the world gets it?  There are some neat features (Bitlocker support, DiskPart batch file, plus others), but the main concern is testing to see if anything needs to be fixed, corrected, added, or taken away from the build.

If you have the time to make a build or two and run it against your computer, send me an email and I'll send you the build (not the ISO, you have to build that, but you get the Winbuilder app to build it).  I'd appreciate any comments, good-bad-or indifferent.   I'll cut off the number of beta testers as soon as a decent number can reply to this request by email to; This email address is being protected from spambots. You need JavaScript enabled to view it..  So give me your email to get your beta!

496 Hits

WinBuilder Revisited

A big thanks to Royal Meier for providing  a script to modify the registry with a WinBuilder Win7PE build.   What I thought would be a difficult task of using WinBuilder to build a WinFE ISO, is turning out to be quite simple, at least for Royal Meier (he makes it look simple anyway).

I am planning that "the" WinFE WinBuilder will be available before Christmas, for Christmas.  So far, it works wonderfully, but there are a few tweaks to be added to make it really able to create the Super WinFE ISO without having to spend any time running batch files or typing in commands in a DOS shell.

There are a few other things to be added after the New Year, like Colin Ramsden's work, but that is coming up as well.  So, if you have procrastinated all this time to build a WinFE CD/USB, the wait is nearly over.

How cool is it to build your own custom forensically sound boot CD (in a Windows OS...) with a few clicks?  It is just plain cool.   This is quick and easy, quite super actually.
392 Hits


Here is a neat and FREE app to test your Live CDs.  Not sure how I missed this one, but instead of creating an entire virtual machine to boot a ISO for testing, you can just run the ISO with MobaLiveCD (  QEMU opens a virtual machine window that much faster on your screen.

This may just cut down the number of cup mats I usually make when burning CDs...

411 Hits

WinFE and Triage

On the subject of triage, I have some thoughts which some companies may not like to hear (at least companies selling triage software or 'triage computer systems'...).

Here are some problems I see with several triage systems available;

-Any triage tool that is marketed that anyone can plug it in and capture all responsive data and even create a forensic image, without having any knowledge of computers is a tool I would keep at a safe distance from custodians of data...Plug n' Play to capture evidence or triage a system?  How many problems? Let me count the ways...

-Any triage tool that is restricted to run on a specific computer is one that has just limited itself out of the market.  Since when do you want a tool that can only run on a specific computer you must buy?  Sorta useless if something happens to that computer.

-Any triage tool that professes to magically find all relevant data, even in the hands of untrained    Are you sure its finding what you need?

Why not triage a computer like everyone did in the old days.  Boot to a forensic OS (pick your flavor of OS) and use a tool you always use to find what you need to find.  Every case is different, so every triage is bound to be different.   On one computer, you may need to see the registry, whereas on another, you need to see the images.

And untrained persons triaging machines?  Good luck.  Emergency rooms don't use non-medical staff to triage patients, why would anyone use non-computer trained persons to triage computers?

As for a pretty good system for triage, build a WinFE disc (it's free, you don't need to buy anything other than a CD) and put your favorite forensic tools on it, the ones you use all the time.  Now you have a triage system.   No, more than that, you have a complete Windows Forensic Environment to look for exactly the things you need to look for.   Done right the first time.

So the next time you see a "Triage System" that is plug n'play simple, that decides what data you need to be collected, and that you just sit back and let it work, think about it a little more.  As for me, I want to push the buttons and triage based on what I need and what I see when I am looking at the data.

437 Hits

What makes WinFE better/different than other forensic boot discs?

I've been asked on occasion, "What makes WinFE better or different than any other boot disc?".

WinFE is Windows based, not Linux.  For someone not experienced in Linux, the Windows environment may be easier to use due to familiarity with Windows.

Additionally, WinFE allows you to use your Windows based forensic applications in a forensically booted environment.  Rather than using a Linux CD and image with Linen, you can use a Windows CD and image with the full version of Encase or FTK Imager or X-Ways Forensics or other Windows based tool.

If your lab is Linux based, then WinFE may not be as comfortable as using a Linux based tool, but still may be an option to keep on hand (the opposite still remains true, if you focus on using Windows based tools, have some Linux options on hand as well).

Lastly, WinFE is updated by YOU, when YOU need it updated.  There is no need to wait for a distro to be upgraded every 6 months or longer before you can download it.  Current Linux ISO's available online still may have older versions of software that are outdated.  With WinFE, if any tool is updated/upgraded, you can do it immediately and always have the latest apps.

Other than that, its just user preference.
751 Hits

FTK Imager 3.0 in the Windows Forensic Environment

By now, most everyone involved with forensics knows about the latest release of FTK Imager 3.0.   In my opinion, this is perhaps the best release ever of FTK Imager and probably one of the top releases of software this  year because of one of the newest features and the price (FREE and MOUNTS IMAGES!).  Given other expensive software, or free software  that doesn't work as expected, or difficult to manage manual procedures to mount images, to now have FTK Imager 3.0 quickly and neatly mount an image is a nice addition to my Start Menu.

So the bigger deal with FTK Imager runs in WinFE.  With FTK Imager 3.0, you can mount images in WinFE and conduct analysis in the Windows Forensic Environment with any other tool that runs in WinFE, such as X-Ways Forensics, ProDiscover, or Encase.

Now I know what you are probably thinking.  FTK Imager "Lite" 2.9 will run in WinFE and that version doesn't support image mounting.  FTK Imager 3.0 needs to be installed, which is problematic in WinFE.  Well, right and wrong. FTK Imager 3.0 only needs to be installed on any system, then copy the program folder onto WinFE  to run as if it were installed.  Voila!  No need for the Lite version when you can have the full meal deal.

Now how's that for having a completely self-contained Windows Forensic Environment, running minimal processes on just about any system...technically, this is called, "Niiiccceee...."

738 Hits

WinFE as a Student Training Aid

And yet another use for WinFE.

This year, at the University of Washington's Digital Forensics Certificate Program, I am having each student create their own Windows Forensic Environment with as many forensic applications as we can fit on a USB drive.   This fulfills several objectives that any school or training program can incorporate at virtually no cost.

Students in forensic programs can learn to create a forensically sound bootable media and validate it through testing (how's that for a takehome assignment?).  Since WinFE can be used as a forensic platform on almost any computer (for those students without a 'forensic machine' at home), this bootable media may be more than enough to practice and do homework assignments on their home computer (...they can image...they can run forensic tools against an image or hard drive...they can do quite a bit).  Forensic software developers...consider making your applications run in a portable mode and VOILA, you just reached a second use (and market) for your application/s.  Anything that runs on WinFE is a tool I want and so far, only X-Ways Forensics fits that bill as a full fledged, portable forensic suite.

And yes, a Linux forensic environment can do many of these things as well, so why not do both?  The cost of a Linux CD...same as WinFE :)

441 Hits

WinBuilder-What a neat way to make a WinFE CD

I came across WinBuilder today (, which provides downloads to a GUI based, Windows Live CD builder.  I'm willing to try anything, so I gave it a whirl and was happy I did.

With WinBuilder, many of the functions of Windows that are not in the basic WinFE builds are included.   This includes the Windows"Start" button, computer management tools, and even network access.

Running WinBuilder is not complicated and scriptable.  The one thing it does not do (at this time) is make your CD forensically safe with the 2 registry changes.  However, this is easy enough to do manually or by writing a script to be used during the build.

I'm not sure how I missed this before, but I may have now found my primary method of making a WinFE disc, using WinBuilder instead of a batch file.  Oh yeah, you don't need WAIK either.

684 Hits