Tips and Tricks

Booting to USB: When using WinFE on a bootable USB flashdrive, place a WinFE bootable CD in the CD tray as a backup boot device.  Even with ensuring the BIOS is set to boot to the USB drive, in the chance it does not, it may boot to the CD before the hard drive boots.  Just a small safeguard that may save you problems later.  And if you use a bootable WinFE USB, you can fit a whole lot more programs than on a CD.

Command line: WinFE requires the command line to be used.  To save time, create a text file on WinFE with all the commands you could ever use. In this manner, you’ll always have the commands at your fingertips each time you use WinFE.

Live Side: Portable applications (forensic and non-forensic) can be copied onto a WinFE CD/USB and used much like various Linux boot disksFTK Imager, X-Ways Forensics, WinAudit, and other programs can be run on a live (running) machine when the situation calls for it, such as for live imaging or RAM collection.

The WinFE ISO: Rely upon the batch file to create your WinFE ISO.  The commands in AIK are easy, copying files onto the mounted .wim is easy, but it is also easy to make an error by forgetting a tool you need or modifying the registry to ensure a forensic boot ability.  The batch file also makes it easy to update your WinFE by updating your folders containing your software and not changing the batch file.

Work Files

You can also copy templates to forms used in your normal course of forensic work on the WinFE CD (such as evidence control forms, report forms, etc…), which can be saved onto your external drive with the image of that evidence drive. If done, this should be only on the bootable side of WinFE as running unnecessary programs on the live side will unnecessarily alter the evidence drive.