Mini-WinFE

After developing the MistyPE project (see here) I was approached by Brett Shavers (author of various digital forensic publications including "The (Nearly) Perfect Forensic Boot CD", "Placing the Suspect Behind the Keyboard" and "X-Ways Forensics Practitioner's Guide") and asked to create a separate WinFE project.

Brett's brief for the project was to provide a simplified and user-friendly method for creating a Windows Forensic Environment. This build would be aimed primarily at imaging target systems to gather evidence. At Brett's request I have consequently removed a number of applications that are present in MistyPE as they are not required in the forensic work that Brett envisaged for this particular build. Mini-WinFE was born.

Mini-WinFE is a minimalist 32- or 64-bit Windows Forensic Environment (WinFE) with a GUI shell (BBLean - based on BlackBox for Windows). WinFE was originally developed as a DOS replacement - for system deployment, backup, restore and recovery (see here for an overview).

The Mini-WinFE project can be used to create WinFE (version 2.x/3.x/4.0/5.x/10.x) in a matter of minutes from Windows installation media - a DVD, local folder, network share or mounted disc image. Whilst there is also an option to collect the necessary file dependencies from the host operating system (or an offline operating system), a mounted .iso file is recommended. RTM versions of Windows are also recommended. The Windows Automated Installation Kit (WAIK) or Assessment and Deployment Kit (ADK) is not required; however, it is possible to use a WAIK/ADK build if optional components (packages) are required.

This project can be used to build Mini-WinFE from the following 32- and 64-bit installation media -

The above versions of Windows have been tested and confirmed to be working. It may also be possible to use Windows Server 2008\2012 sources.

The build process has been tested on the following operating systems -

There are also reports of the build process working on Windows XP and 2003.

Mini-WinFE has been designed as a modular system. Whilst it is theoretically possible to add any program that runs on a full version of Windows, all file dependencies and registry settings will need to be traced and manually added.

I have done my best to account for any errors that might occur during the build process and have scripted the project to provide information and warnings so that the end user can decide whether or not to continue - or to identify potential errors. I recommend that you use the majority of settings from the download initially (adding SysWoW64 support and changing keyboard/language as required) - providing that a valid source is selected the project should work.

Build times will vary depending on a range of factors including source files, hardware, and whether a cache with Windows files and programs already exists. In a recent test, using 64-bit Windows 10.0.14393 source files and the INJECT build method with an existing Cache, the project build time with all programs and SysWoW64 included in the build was under 3 minutes. 32-bit builds are significantly faster.

Document date - 27th April 2017