Translated by AI
How to Build a WinFE Environment for Digital Forensics
Overview
What is WinFE (Windows Forensic Environment)?
It is a Windows-based environment for forensic data acquisition.
When performing data acquisition, many people boot a forensic-focused Linux distribution such as C.A.I.N.E. from a USB drive and capture the disk. However, WinFE is useful when you want to collect evidence using Windows-based software such as FTK Imager.
It was originally conceived by Troy Larson, a senior forensic manager at Microsoft.
Environment
Windows 10 Pro x64, build version 1803 or later
Procedure
Basically, follow the steps outlined below:
You can create it using almost the same method for both x86 and x64, but this article focuses on x64.
Also, considering future ease of use, I will proceed with creating an ISO file.
0. Preparing the Drive
It is recommended to create the working folder directly under the root of a volume.
I created a VHDX using "Disk Management" and mounted it as the F drive. You should be able to proceed by simply following the wizard.

1. Copying Required Files
Download the files for WinFE from the x86/x64 USB/CD Framework. Since it is compressed in 7z format, you will need 7zip.
Copy the extracted files under F:\IntelWinFE, and it will have a structure like the one below.

Additionally, you can change the wallpaper of the final environment by placing an image file in F:\IntelWinFE\x64\wallpaper.jpg.
2. Installing Windows ADK
WinFE is based on WinPE (Windows Preinstallation Environment).
Therefore, let's prepare the ADK (Assessment and Deployment Kit) required to install it.
Access the page below and search for "ADK for Windows 10, version 1803".
Run the downloaded file to install it. This will take some time.
3. Installing Tools
Install FTK Imager version 4.7.1.
Since FTK Imager is designed to be self-contained in a single folder, after installing it you just need to copy the entire installation folder to the appropriate location.
Copy the folder to F:\IntelWinFE\USB\x86-x64\tools\x64, and it should look like this.

4. Creating the ISO
Open the Command Prompt as an administrator and execute the following commands:
> F:
> cd IntelWinFE
> MakeWinFEx64-x86.bat
Although the files themselves are created at this point, you then need to run the command to build the ISO.
> Makex64-x86-CD.bat
Once the execution finishes, the ISO will be created at the following path:
F:\IntelWinFE\ISO\WINFE_10x86-x64.iso
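Before the ISO is used for acquisition, it helps to record what was built so the same media can be re-checked later. The following PowerShell script is an added example, not part of the original article or of the WinFE framework. It writes SHA-256 hashes of the ISO and of every file under the tools folder to a manifest, and with -Verify it compares the current files against that manifest. The paths are the ones used in this article; the manifest file name is an assumption.

```powershell
# Added example: hash manifest for the WinFE build output (run on the build host).
# Default paths follow this article; the manifest file name is hypothetical.
param(
    [string]$IsoPath  = 'F:\IntelWinFE\ISO\WINFE_10x86-x64.iso',
    [string]$ToolsDir = 'F:\IntelWinFE\USB\x86-x64\tools\x64',
    [string]$Manifest = 'F:\IntelWinFE\ISO\WINFE_10x86-x64.manifest.csv',
    [switch]$Verify
)
$ErrorActionPreference = 'Stop'   # a missing ISO or tools folder aborts the run

function Get-BuildHashes {
    # The ISO itself plus every file copied into the tools folder (FTK Imager etc.)
    $files = @(Get-Item -LiteralPath $IsoPath) +
             @(Get-ChildItem -Path $ToolsDir -Recurse -File)
    foreach ($f in $files) {
        $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256
        [pscustomobject]@{ Path = $f.FullName; Length = $f.Length; SHA256 = $h.Hash }
    }
}

if (-not $Verify) {
    # Record mode: write the manifest right after Makex64-x86-CD.bat finishes
    Get-BuildHashes | Export-Csv -LiteralPath $Manifest -NoTypeInformation -Encoding UTF8
    Write-Host "Wrote $Manifest"
    return
}

# Verify mode: load the recorded hashes and compare them with the current files
$recorded = @{}
Import-Csv -LiteralPath $Manifest | ForEach-Object { $recorded[$_.Path] = $_.SHA256 }
$current = @{}
Get-BuildHashes | ForEach-Object { $current[$_.Path] = $_.SHA256 }

$problems = 0
foreach ($p in $recorded.Keys) {
    if (-not $current.ContainsKey($p))      { Write-Warning "MISSING  $p"; $problems++ }
    elseif ($current[$p] -ne $recorded[$p]) { Write-Warning "CHANGED  $p"; $problems++ }
}
foreach ($p in $current.Keys) {
    # Files that appeared after the manifest was written are reported as well
    if (-not $recorded.ContainsKey($p))     { Write-Warning "NEW      $p"; $problems++ }
}
if ($problems) { exit 1 } else { Write-Host 'All hashes match the manifest.' }
```

Keep a copy of the manifest somewhere other than the F: volume, so a change to the build folder cannot also change the record it is checked against.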
Verification of Boot
Let's try booting the ISO in VMware. You can choose between 32-bit and 64-bit during startup.

Once it boots, a tool for mounting disks and selecting Read/Write options will launch.
Perform any necessary mounting or R/W switching, then select Continue.

After booting, select Other Tools > File Explorer from the toolbar at the top to open the file explorer.

Since it is mounted as a DVD drive, navigate to and launch the FTK Imager that we copied when creating the ISO.

It launched successfully. You can now proceed with evidence acquisition as usual.

Conclusion
When using this environment, there are several legal and rights-related aspects to consider.
Regarding the limitations of Windows PE, which serves as the base, please note that it is not a general-purpose OS but is provided specifically for deployment and recovery purposes. For details, please refer to the official Microsoft documentation.
WinFE is provided free of charge, but a significant amount of time and effort has been invested in creating these tools.
If you use the included Windows Password Removal Tool, you are required to purchase a license for £9.99 for each copy of WinFE.
Additionally, as the usage of WinFE is not officially endorsed or guaranteed, Microsoft's policies may change in the future.
Use it at your own risk.
End