Windows FE is a forensic edition of Windows PE boot CD. It is forensic because it is not supposed to mount anything automatically. This post will not detail how to create a Windows FE disc because this can be found at the MS LE Portal however I want to discuss some elements of why one would use it and also help to get over one or two gremlins.

I have been asked Is it another Helix disc? The answer is - it is similar but it offers some advantages in certain situations. The main advantage is being able to inject drivers into the ISO prior to burning. This allows you to add drivers for the latest SAS raid controller or Dell SATA drive controller for example which is not always possible in Linux (working on the principle that there are generally more Windows drivers than Linux ones).

You can also add your own forensic tools. I have been able to successfully add a full working copy of Encase 6.11 (including Dongle drivers). Strangely I have not been able to get FTK Imager to work (subsequently I have - see newer post). I imaged a 149GB hard disk in an Apple MacBook Pro to a 500gb external usb hdd in 2 hours 6 minutes.

I was thinking about this after I posted this.  One thing that worries me is that Windows is closed source.  It also has way too many parts that are completely undocumented.   How can we ever be certain that some registry value we didn't consider won't allow an evidence drive to be formatted or that scandisk won't automatically kick in.   With Nix, we can at least look at the source code and reasonable say that no, we can't write to the drive if this flag is set.