Targeted Collections

At times, forensic imaging may not be necessary or allowed, and only certain files or folders are to be collected. On a live system, collecting data risks altering the files as they are copied. Additionally, the system files on the suspect's or custodian's machine will be altered, and running your tools under the evidence machine's own OS introduces other unknowns.

However, booting to the WinFE environment gives you access to the files for collection in several formats, using a forensically sound OS (WinFE). These collections can be logical collections (EnCase or FTK), native collections (any copying tool such as Robocopy or the PinPointLabs tools), or compressed collections (WinRAR). Files can be chosen by location, using specific folders, or by file type across an entire drive.
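A native collection of the kind described above, as an added example (not from the original page or any of the tools it names). It assumes the WinFE build includes PowerShell, that the evidence volume has been brought online read-only and is mounted as E:, and that a sanitized collection drive is F:; the case number and file types are placeholders.

```powershell
# Added example (not part of the original page): targeted native collection from WinFE.
# Assumptions: evidence volume mounted read-only as E:, sanitized collection drive is F:,
# and PowerShell is available in this WinFE build.
param(
    [string]$Source    = 'E:\Users',
    [string]$Dest      = 'F:\Collection\CASE-0001\Users',     # placeholder case number
    [string[]]$FileTypes = @('*.docx', '*.xlsx', '*.pdf', '*.pst') # empty array = every file
)

$caseDir = Split-Path -Parent $Dest
New-Item -ItemType Directory -Force -Path $Dest | Out-Null
$log = Join-Path $caseDir 'robocopy.log'

# Robocopy switches used for the collection:
#   /E         recurse, keeping empty folders so the original structure is preserved
#   /COPY:DAT  copy data, attributes and timestamps; /DCOPY:T keeps folder timestamps
#   /XJ        do not follow junction points (avoids loops and out-of-scope data)
#   /R:0 /W:0  never retry or wait on an unreadable file, just record it in the log
#   /TS /FP /BYTES  timestamps, full paths and exact sizes in the log for the record
$rcArgs = @($Source, $Dest) + $FileTypes +
          @('/E', '/COPY:DAT', '/DCOPY:T', '/XJ', '/R:0', '/W:0', '/NP',
            '/TS', '/FP', '/BYTES', "/LOG+:$log")
& robocopy @rcArgs
$rc = $LASTEXITCODE   # Robocopy exit codes 0-7 are success; 8 and above mean some files failed
if ($rc -ge 8) { Write-Warning "Robocopy reported failures (exit code $rc); review $log" }

# Hash manifest of the collected files, for chain of custody and later verification
Get-ChildItem -Path $Dest -Recurse -File | ForEach-Object {
    $rel = $_.FullName.Substring($Dest.Length).TrimStart('\')
    [pscustomobject]@{
        RelativePath = $rel
        SizeBytes    = $_.Length
        LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
        SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        # Source is read-only, so hashing it does not alter the evidence
        SourceMatch  = ((Get-FileHash -Path (Join-Path $Source $rel) -Algorithm SHA256).Hash -eq
                        (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash)
    }
} | Export-Csv -Path (Join-Path $caseDir 'manifest.csv') -NoTypeInformation

"Collection finished with Robocopy exit code $rc; manifest written to $caseDir\manifest.csv"
```

Any row in manifest.csv with SourceMatch false, or a Robocopy exit code of 8 or higher, means the collection needs to be reviewed before the evidence drive is detached.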

On a computer that can be booted to WinFE, there really isn't a reason to copy files from a running computer. Even with a BitLocker-encrypted computer, given the key, forensic access to the files will always produce the best collection, because the files remain unaltered compared with collecting them from a running machine.