Archive for 27. December 2011

Working with WinFE

This is a continuation from Editing Existing WinFE.

***ENSURE BIOS BOOTS FROM CD/DVD***

1.  Attach a storage device to the target system; this is where your forensic image will be written.

2.  I attached a 100GB hard drive to take a 60GB operating system hard drive.

3. Set the BIOS to boot from CD/DVD.

4. Start WinFE. Since we configured diskpart_steps.txt to load automatically, it should already be open.

5. Arrange the windows so that you can still see the command list in the text file behind the command prompt.

6. Issue the commands listed in the document.  We are locking the target device down to read-only.

diskpart

list disk

list vol

7.  The target volumes on my system are Volume 1 and Volume 2.  Volume 1 is the System Reserved partition from Win7; Volume 2 is the OS partition.

8.  Time to make your storage drive active.

list disk

sel disk 1

list disk

9. If your storage drive is already formatted, then you should see a partition.

det disk

10. Ensure the storage disk is selected. Select the partition. Set it online and assign a drive letter.

sel disk 1

sel part 1

onl vol

assign letter z

11.  You should now see your evidence drive.

list vol

12. Minimize the notepad++ window.

13. Select Forensic folder on PStart and start FTK Imager.

14. You should be able to image the device from here if you're familiar with FTK Imager.
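As an added example (not from the original post), here is the diskpart sequence from steps 6 to 11 as a cmd batch script that drives diskpart /s non-interactively and verifies that the target disk really is read-only before the evidence volume is brought online. The disk numbers 0 (target) and 1 (evidence) are assumptions taken from this walkthrough and must be confirmed with list disk on your own box, and the read-only lock uses the standard diskpart command attributes disk set readonly, since the post's diskpart_steps.txt itself is not reproduced above.

```batch
@echo off
rem Added example, not from the original post: replays steps 6-11 with "diskpart /s"
rem and refuses to continue unless the target disk reports Read-only : Yes.
rem Disk numbers are assumptions (target=0, evidence=1 as in this walkthrough);
rem pass your own after checking "list disk": winfe_lock.cmd <target> <evidence>
setlocal
set TARGET=%1
set EVID=%2
if "%TARGET%"=="" set TARGET=0
if "%EVID%"=="" set EVID=1
if "%TARGET%"=="%EVID%" (
  echo Target and evidence disk numbers must differ.
  exit /b 1
)
set SCRIPT=%TEMP%\winfe_lock.txt
set LOG=%TEMP%\winfe_lock.log

rem 1) Lock the target disk (step 6): set the read-only attribute, then dump details.
(
  echo select disk %TARGET%
  echo attributes disk set readonly
  echo detail disk
) > "%SCRIPT%"
diskpart /s "%SCRIPT%" > "%LOG%"

rem "detail disk" prints a "Read-only  : Yes" line once the attribute is set;
rem findstr returns errorlevel 1 if no such line is present.
findstr /i /c:"Read-only" "%LOG%" | findstr /i "Yes" > nul
if errorlevel 1 (
  echo Target disk %TARGET% is NOT read-only. Stop and re-check "list disk" before imaging.
  type "%LOG%"
  exit /b 1
)
echo Target disk %TARGET% is read-only.

rem 2) Bring the evidence volume online and give it a letter (steps 10-11).
(
  echo select disk %EVID%
  echo select partition 1
  echo online volume
  echo assign letter=Z
  echo list volume
) > "%SCRIPT%"
diskpart /s "%SCRIPT%"
endlocal
```

Run it from the WinFE command prompt; the final list volume output should show the evidence drive as Z, as in step 11.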

15.  Additional programs to consider installing on WinFE.  It's your WinFE, so justify what you need.  ***THE MORE YOU ADD, IN MY EXPERIENCE, THE LONGER IT TAKES TO BOOT***

Explorer++ Portable

WinRAR Portable

IrfanView Portable

VLC Portable

Mozilla Firefox Portable

Filezilla Portable

Putty Portable

OpenOffice Portable

SumatraPDF Portable

GOOD LUCK.