Since Windows FE (Windows Forensic Environment, WinFE) is simply a Windows PE that doesn’t automount hard drives, anything built into a WinFE beyond that is purely for customization and specific needs. Those needs can include adding specific drivers, programs, supporting files, BitLocker support, network capability, and even making it pretty with a custom wallpaper.
Building a WinFE can be done in one of several ways:
1) Command line (or batch files via a command line),
2) Any GUI made to create a WinPE (such as WinBuilder),
3) Or the method developed by Colin Ramsden.
My notes on each method:
1) Command line – builds a WinFE the quickest, using only the registry settings created by Troy Larson. A very minimal build, great for older computers with little RAM. Pre-made batch files can be downloaded from the “Box” to your right on this page.
2) GUI interfaces – I’ve tried several different programs and have selected WinBuilder as the easiest. Many scripts (additional features/programs) can easily be added to the build, to the point of creating a near full-fledged Windows OS on a CD/DVD/USB. It is also fairly easy to get many programs (FTK Imager, EnCase, X-Ways, etc.) running in full mode.
BUT, the more features, programs, and scripts you add, the more RAM is needed in the evidence machine, the more errors you will have during the build from scripts that may not be compatible with other scripts, and the more testing is needed to ensure the build works as a forensic application.
3) Colin Ramsden’s method – The best of both worlds. A little more manual effort to build, but runs well on older machines and is a solid build. More details at http://www.ramsdens.org.uk/