Windows Forensic Environment

Several years ago I completed a number of tests to try to establish whether any accidental disk writes occur when using WinFE. The information in this section contains a summary of my findings - for the full document please see here.

The Windows Forensic Environment (a.k.a. WinFE) is a Windows-based boot disk that can be used as a platform for computer forensic analysis. Because it is Windows-based, it lets examiners run Windows programs they are already familiar with. It is an alternative, or a complement, to the various forensically focused Linux distributions.

WinFE is not, as far as I am aware, available as a commercial product from Microsoft. It is, however, relatively easy to create a WinFE for personal use from freely available tools.

Troy Larson, Senior Forensic Examiner at Microsoft, is credited with creating the Windows Forensic Environment. A Guide to Basic Computer Forensics is available here and is worth reading for those new to the subject.

WinFE is in essence a Windows Preinstallation Environment (WinPE) with two small registry edits that stop the boot process from automatically bringing attached disks online and mounting their volumes: NoAutoMount set to 1 under the MountMgr service key, so that the mount manager does not assign drive letters to volumes it discovers, and SanPolicy set to 3 (OfflineAll) under the partmgr\Parameters key, so that newly discovered disks are left offline. This minimises, but does not eliminate, the risk of contaminating data/evidence, because the protection can still be overridden by whoever is at the keyboard. WinPE itself is a lightweight version of Windows that can be used for many tasks; it is a complete, standalone operating system and runs independently of any operating systems already installed on the machine.
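The following script applies those two registry edits to an offline boot.wim. It is an added example, not the build procedure from this page or from any of the WinFE guides it cites; the C:\WinFE paths, the temporary hive name and the choice of image index 1 (the Windows PE image in a boot.wim taken from installation media; index 2 is Windows Setup) are assumptions. Run it from an elevated PowerShell prompt on a machine that has Dism.exe and reg.exe.

```powershell
# Added example: apply the WinFE registry edits (NoAutoMount=1, SanPolicy=3) to an
# offline boot.wim. Paths below are assumptions; adjust them to your environment.
$WimFile  = 'C:\WinFE\boot.wim'   # assumed: copied from <install media>\sources\boot.wim
$MountDir = 'C:\WinFE\mount'      # assumed: empty directory used as the DISM mount point
$HiveKey  = 'HKLM\WinFE_SYSTEM'   # temporary key name for the offline SYSTEM hive

function Invoke-Checked {
    # Run an external command and stop on a non-zero exit code, so a failed step
    # cannot leave the image half-edited and silently committed.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# 1. Mount image index 1 (Windows PE) of boot.wim read/write.
Invoke-Checked 'Dism.exe' @('/Mount-Wim', "/WimFile:$WimFile", '/Index:1', "/MountDir:$MountDir")

try {
    # 2. Load the image's SYSTEM hive. An offline hive has no CurrentControlSet
    #    link, so the edits go under ControlSet001.
    Invoke-Checked 'reg.exe' @('load', $HiveKey, "$MountDir\Windows\System32\config\SYSTEM")

    # 3a. NoAutoMount = 1: the mount manager does not assign drive letters or
    #     mount volumes on discovery.
    Invoke-Checked 'reg.exe' @('add', "$HiveKey\ControlSet001\Services\MountMgr",
        '/v', 'NoAutoMount', '/t', 'REG_DWORD', '/d', '1', '/f')

    # 3b. SanPolicy = 3 (OfflineAll): partmgr leaves every newly discovered disk
    #     offline. This is the value the page recommends for WinPE 4.0/5.0 builds.
    Invoke-Checked 'reg.exe' @('add', "$HiveKey\ControlSet001\Services\partmgr\Parameters",
        '/v', 'SanPolicy', '/t', 'REG_DWORD', '/d', '3', '/f')

    # 4. Read both values back while the hive is still loaded, so a typo is
    #    caught now rather than discovered on an evidence machine.
    & reg.exe query "$HiveKey\ControlSet001\Services\MountMgr" /v NoAutoMount
    & reg.exe query "$HiveKey\ControlSet001\Services\partmgr\Parameters" /v SanPolicy
}
finally {
    # 5. Always unload the hive; this flushes it back into the mounted image and
    #    releases the handles that would otherwise make the unmount fail.
    & reg.exe unload $HiveKey | Out-Null
}

# 6. Commit the edited image into boot.wim (use /Discard instead to abandon it).
Invoke-Checked 'Dism.exe' @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
```

The edited boot.wim is then placed on the boot medium in the usual way. Note that the script only changes the two values the page describes; it does not make the resulting WinFE safe by itself, and the resulting image still needs the validation the page calls for below, on the hardware and disk types you will actually encounter.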

For more detailed information about WinFE, please refer to "The (Nearly) Perfect Forensic Boot CD" by Brett Shavers (available here).

Conclusion

Following the experiments I carried out I'd personally recommend using a WinFE based on WinPE 4.0 or 5.0 with the SanPolicy set to 3. Based on my results this appears to provide robust protection from any writes to the disk(s) being carried out. It is however possible with all versions of WinFE to manually override protection so care should be taken. Please note that I have not had the opportunity to repeat my experiments using WinPE 5.1 / 10.x builds - based on initial tests these builds appear to function similarly to WinPE 5.0 based builds, however this needs validating.

If you must use a WinFE based on earlier versions of WinPE (2.*/3.*) then I'd personally recommend running a 32-bit version and using the Write Protect Tool to ensure that all internal disks are set as read-only before any further action is carried out - just be aware that a disk signature will be written if one is not already present on the disk.

I would strongly advise against using WinFE 2.*/3.* without the Write Protect Tool as the simple act of browsing a mounted disk appears to perform a write action - as evidenced by the MD5 checks I carried out before and after booting WinFE. It was not possible to use DiskPart to set a disk as READONLY despite documentation elsewhere stating that this command works.

In something as critical as a forensic examination, WinFE needs validation and testing to ensure that no writes are performed on any evidence disk(s), or at least to make clear under what circumstances writes might be performed. The tests that I carried out were limited to 32-bit Windows Forensic Environments - other versions may behave differently.
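Two checks that follow from the above, written here as an added example rather than taken from the page's own test procedure. The first runs inside the booted WinFE and confirms what the running kernel actually applied, before any disk is touched; it assumes the image includes the WinPE-PowerShell optional package, but reg.exe and diskpart.exe are present in every WinPE build, so the same two commands can be typed at the command prompt if it does not. The second runs on the host of a virtual-machine test and repeats the before/after hash comparison the page describes, against the virtual disk file (the path and the use of SHA-256 in place of MD5 are assumptions).

```powershell
# Added example, not the page's own code.

# Check A (inside the booted WinFE): report the effective policy values and the
# per-disk Online/Offline state without changing anything.
function Test-WinFEProtection {
    # At run time the CurrentControlSet link exists, so query it rather than ControlSet001.
    $sanLine = reg.exe query 'HKLM\SYSTEM\CurrentControlSet\Services\partmgr\Parameters' /v SanPolicy 2>$null |
               Select-String 'SanPolicy\s+REG_DWORD\s+0x([0-9a-fA-F]+)'
    $namLine = reg.exe query 'HKLM\SYSTEM\CurrentControlSet\Services\MountMgr' /v NoAutoMount 2>$null |
               Select-String 'NoAutoMount\s+REG_DWORD\s+0x([0-9a-fA-F]+)'
    # A missing value is reported as $null, never silently treated as "set".
    $san = if ($sanLine) { [int]('0x' + $sanLine.Matches[0].Groups[1].Value) } else { $null }
    $nam = if ($namLine) { [int]('0x' + $namLine.Matches[0].Groups[1].Value) } else { $null }

    # diskpart "list disk" is read-only; it shows which disks came up Online.
    # The boot medium itself (a USB stick) is expected to be Online; every other
    # disk should read Offline. The examiner reads this list, the script does not
    # decide which disk is the boot medium.
    $scriptPath = Join-Path $env:TEMP 'winfe-listdisk.txt'   # assumed: WinPE's RAM drive is writable
    Set-Content -Path $scriptPath -Value 'list disk'
    $disks = diskpart.exe /s $scriptPath | Where-Object { $_ -match '^\s*Disk \d+' }

    [pscustomobject]@{
        SanPolicy        = $san
        NoAutoMount      = $nam
        PolicyAsExpected = ($san -eq 3) -and ($nam -eq 1)
        DiskStates       = $disks
    }
}

# Check B (on the host, VM powered off): hash the virtual disk file before the
# WinFE boot, then again afterwards. First call records the baseline next to
# the image; later calls compare against it.
function Compare-DiskImageHash {
    param(
        [Parameter(Mandatory)][string]$ImagePath,        # assumed: e.g. C:\VMs\evidence.vhd
        [string]$BaselineFile = "$ImagePath.sha256",
        [string]$Algorithm = 'SHA256'                    # the page used MD5; either works for change detection
    )
    $current = (Get-FileHash -Path $ImagePath -Algorithm $Algorithm).Hash
    if (-not (Test-Path $BaselineFile)) {
        Set-Content -Path $BaselineFile -Value $current
        return [pscustomobject]@{ Image = $ImagePath; Baseline = $current; Current = $current
                                  Unchanged = $true; Note = 'baseline recorded' }
    }
    $baseline = (Get-Content -Path $BaselineFile -Raw).Trim()
    [pscustomobject]@{
        Image     = $ImagePath
        Baseline  = $baseline
        Current   = $current
        Unchanged = ($baseline -eq $current)
        Note      = if ($baseline -eq $current) { 'no change' } else { 'DISK IMAGE WAS MODIFIED' }
    }
}

# Usage (Check A inside WinFE, Check B on the host before and after the boot):
#   Test-WinFEProtection | Format-List
#   Compare-DiskImageHash -ImagePath 'C:\VMs\evidence.vhd'   # before boot: records baseline
#   Compare-DiskImageHash -ImagePath 'C:\VMs\evidence.vhd'   # after boot: compares
```

A changed hash tells you that something wrote to the image, not what wrote it or where; before blaming WinFE, compare the two copies at the sector level and rule out the hypervisor updating the image file's own metadata. Check A passing is also no substitute for Check B: the page's own finding for WinPE 2.*/3.* builds was that browsing a mounted disk wrote to it even though the registry values were in place.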

Warning

The tests I performed were limited to a virtual environment and I cannot guarantee that WinFE will function in the same way on actual hardware.

There are a number of variables that need to be taken into consideration before using WinFE - unfortunately I do not have the time or the means to test them all. The WinFEs that I used during testing were modified boot.wim files from Windows installation media - they were not created using the Windows Automated Installation Kit (WAIK) or the Windows Assessment and Deployment Kit (ADK). WAIK or ADK builds of WinFE can contain different combinations of optional "Packages" which might affect usage.

There are reports that dynamic disks are automatically mounted and writable with some builds of WinFE (see here and here).

Document date - 27th April 2017