Brett's Ramblings
"Based upon the test results it is possible to run all versions of WinPE on a system with only 128 MB of system RAM"
Take a gander at Misty's latest tests of WinFE/PE regarding RAM requirements and imaging speed...very nicely done with some impressive numbers.
http://mistype.reboot.pro/documents/WinPE.RAM/winpe.ram.usage.htm
On a different topic, some discussion on distribution licenses of WinFE has been going on at forensicfocus.com. One of the takeaway points of the discussion is that you shouldn't be giving away or selling WinFE (or PE) ISO files....that will violate the Microsoft EULA. Since WinFE is most typically used in legal cases, using a tool that you violated the EULA could cause serious issues with the evidence you collected. So if you didn't build it, don't use it. That is the very bad news.
The very good news is that you can make your own WinFE, free, in just a few minutes, without violating the EULA.
http://www.forensicfocus.com/Forums/viewtopic/t=11704/
I assume that one of the reasons Microsoft has such a restrictive EULA prohibiting distribution is so that the core files of WinPE (and FE) remain solid. Downloading or using any 3rd party tool or something "a friend" sends you could contain anything hidden inside, like malware. By using Microsoft's files, the odds are much lower that this will happen, meaning that when you build a WinFE, it is most malware free that can be expected.
After that discussion on forensicfocus slowed down, I had emails about WinFE regarding how to build it. Not that I created the thing...but I will make a fairly detailed and easy to follow video on building a WinFE and everything you should know about it. After all, if ever asked about your data collection tool, it's better to look like you know what you doing rather than say, "I downloaded this ISO file, booted the system and imaged with it, and don't really know much else about it." Perhaps better to say, "I personally built and tested the imaging environment using industry best practices. I used core files from the Microsoft company as allowed by its licensing agreement."
When the tutorial video is finished, I'll post the link.
About the author
Comments 2
A few things came up...but getting it finalized now. It's actually more than a video. I'm putting together an entire course with multiple narrated videos of different build methods, how to use WinFE in different situations, customizing the build, testing and validating, and a about a half dozen other subjects. Basically, it will be everything you will ever need to know about WinFE, from inception to courtroom.
By accepting you will be accessing a service provided by a third-party external to https://www.brettshavers.com/
DFIR Training
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
© 2023 Brett Shavers