The following sections of this page will
outline all of the information required to successfully
required components and build your very own custom WinFE Lite forensic
It is worthy of note that it is assumed all installation media and Microsoft Windows Operating Systems used are English versions (EN-XX).
The use of any other language media may produce undesirable results. I will attempt to address this in the future, but for now, it's English only.
2. System Preparation
3. Building WinFE Lite
There are several prerequisites that are required in order for the WinFE Lite boot media to be built; this section will detail these requirements.
The computer that is used to carry out the building of the WinFE Lite boot media must be installed with Microsoft Windows 7, either x86 (32-Bit) or x64 (64-Bit), and have approximately 20 Gigabytes of free disk space, ideally on a separate internal Hard Disk Drive (HDD). It may also be worthwhile to disable User Account Control (UAC), as enabled UAC may prevent certain build tools from executing.
The Microsoft Windows Automated Installation Kit (WAIK) is probably the most important of these requirements. This toolset can be downloaded from the Microsoft web site free of charge; the link for this package is below:
It should be noted that the required version is KB3AIK_EN.iso
Windows Automated Installation Kit
The WAIK is provided by Microsoft in the ISO DVD file format, which can either be burned to a blank DVD or mounted virtually using a tool such as SlySoft's Virtual CloneDrive, which can be located at the following web site:
Slysoft Virtual CloneDrive
You will also require either CDs/DVDs or ISOs of the following official Microsoft Windows Operating Systems, from which additional and/or optional binaries will be obtained:
Microsoft Windows 7 x86 Ultimate/Enterprise Without Service Pack (Mandatory).
Microsoft Windows XP Professional Edition x86 with integrated Service Pack 3 (Optional).
Whilst it is possible to produce an x64 build of WinFE, it is not recommended, as the x64 version will only work on machines with a 64-Bit architecture, whereas the x86 build will work on any Intel x86 computer, including the 2006 and onwards Apple Mac machines.
As the native Windows Pre-Installation Environment is not supplied with the Explorer framework, a third party substitute has to be used; several of these have been evaluated and the best one was found to be Explorer++. This fantastic replacement Explorer shell can be found here:
An archive utility will be required to obtain binaries from the Microsoft Windows Operating Systems that were detailed above; furthermore, this tool can also be used to extract drivers from executable files, which can subsequently be injected into the WinFE Lite build. The recommended archive tool is 7-Zip (Free).
This archive tool can be found at the link that is detailed below:
WinFE Lite is built using an MS-DOS batch file and it is highly likely that this will need to be edited to suit your individual needs; therefore, I would recommend downloading and installing the free Programmers Notepad from the following location:
Additionally, if support is required for Apple HFS+ volumes, the following package, which contains the HFS+ Boot Camp drivers, can be downloaded free from Apple Corporation. 7-Zip can be used to extract the drivers from the package. Full instructions for the deployment of these drivers can be found in the System Preparation section of this page.
2. System Preparation
As stated in the prerequisites section above, the computer that is intended to build WinFE Lite must be installed with any edition of Microsoft Windows 7, either x86 or x64; the Service Pack or patch level is not important.
If you intend to install the Windows Automated Installation Kit (WAIK) directly from the ISO file, Virtual CloneDrive should be installed first to facilitate this.
The WAIK should be installed to the default location, which is 'C:\Program Files\Windows AIK'.
7-Zip and Programmers Notepad can now be installed as these will be required shortly.
The next few steps involve extracting the Microsoft Windows 7 and XP binaries from the optical media or ISO files.
You will need to create several temporary folders where the Windows 7 and XP binaries will be deposited. For ease of explanation, I am using my F:\ volume, where I have created a folder called 'Repository'. Within this folder, I have created three further folders, which are entitled 'Windows7Files', 'WindowsXPFiles' and 'Drivers'.
Using 7-Zip, navigate to the location where either the Windows 7 x86 DVD or ISO file is located (7-Zip will open an ISO file).
A file structure should be visible from within the 7-Zip interface. Open the 'Sources' folder, then locate and double click on the 'Install.wim' file. You should now be presented with a screen similar to the one that is located below:
Select the folder that has the largest unpacked data size (in my example, 5 (Ultimate)), then click the 'Extract' button in 7-Zip. When prompted, choose the folder location that will accept the exported Windows 7 files (8.5 Gigabytes required). The extraction process may take several minutes to complete.
If required, the optional components can be exported from within the Microsoft Windows XP Professional CD or ISO file.
Using 7-Zip, navigate to the location where either the Windows XP Professional CD or ISO file is located.
A file structure should be visible from within the 7-Zip interface similar to the one depicted below:
Open the 'I386' folder then locate and double click each one of the following files:
The above listed files are compressed cabinet files; therefore, 7-Zip will inflate the cabinet file when it is double clicked, exposing the true file. These inflated files should then be extracted to the Windows XP repository location.
Finally, the optional Apple HFS+ drivers will now be extracted from the deployment package that was downloaded earlier.
Once again, using 7-Zip, navigate to the 'Apple BootCamp_3.3.exe' installation package, and this time, right click on the item and select the 'Open Inside' option as detailed on the image below:
7-Zip should now recurse through to the next section of the installer package.
Repeat the right click, open inside method for the following items:
7-Zip should now be at a position where the two required driver files can be identified and extracted, as depicted below:
Extract the two files detailed below, to the 'Drivers' folder that was created earlier.
Each of the components required to start producing the basic WinFE Lite boot media have now been prepared.
3. Building WinFE Lite
In order to initially build WinFE Lite, the latest version of the complete package should be obtained from the Download page of this web site.
The complete package is supplied within a zip file. This can be extracted to any location that you desire, provided that there is sufficient Hard Disk Drive (HDD) space available (1 Gigabyte should be sufficient; this is not in addition to the 20 Gigabytes defined within the Prerequisites section above).
There are also several pre-created folders contained within the package. These folders should not be renamed or deleted, as they are required by the batch file during the building process.
The folders and their purposes are detailed here:
ISO - This is the location where the built WinFE Lite boot media will be outputted to.
Root - Any files or folders, such as a driver repository, that are required to be present on the CD but not contained within the RAM disk should be placed within this folder.
Temp - WIM files will be mounted to this folder; therefore, do not enter this folder during the build process, as doing so will cause dismounting of the WIM file to fail.
Tools - Any tools required to build WinFE Lite will be automatically copied to this location.
X - User added files can be placed into this folder and its sub-directories. The structure of this folder mimics the RAM disk (X:\) which WinFE Lite is executed from during its use.
The WinFE Lite batch file, entitled 'MakeFELite.bat' should also reside along with these folders.
The following files are required to be copied into the WinFE Lite folder structure at \X\Windows\System32:
ExplorerFrame.dll (From \Repository\Windows7Files\5\Windows\System32)
calc.exe (From \Repository\WindowsXPFiles)
mag_hook.dll (From \Repository\WindowsXPFiles)
magnify.exe (From \Repository\WindowsXPFiles)
mspaint.exe (From \Repository\WindowsXPFiles)
msswch.dll (From \Repository\WindowsXPFiles)
mstsc.exe (From \Repository\WindowsXPFiles)
mstscax.dll (From \Repository\WindowsXPFiles)
osk.exe (From \Repository\WindowsXPFiles)
Explorer.exe (Renamed from Explorer++ which was downloaded earlier)
Any subsequent updates released for either WProtect.exe or WinFELite.exe should also be placed within this folder.
It is worth mentioning that the desktop background can be customised within WinFE Lite, however, the image file should be entitled 'winpe.bmp' and it should be also placed in the above folder.
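As an added example (not part of the WinFE Lite package or of the original page), the copy step above can be scripted so that missing source files are reported and a SHA-256 of every staged binary is logged for the build record. The repository paths follow the F:\Repository layout used earlier on this page; the Explorer++ location (EXPLPP) and the log file name (LOG) are assumptions.

```bat
@echo off
setlocal
rem Added example, not part of the WinFE Lite package. Save beside MakeFELite.bat.
rem REPO follows the F:\Repository layout used on this page. EXPLPP and LOG are
rem assumed names: point them at your Explorer++ download and preferred log file.
set "REPO=F:\Repository"
set "WIN7=%REPO%\Windows7Files\5\Windows\System32"
set "XP=%REPO%\WindowsXPFiles"
set "EXPLPP=%REPO%\Explorer++.exe"
set "DEST=%~dp0X\Windows\System32"
set "LOG=%~dp0staged-files-sha256.txt"
set MISSING=0

if not exist "%DEST%\" (
    echo Destination "%DEST%" not found; run this from the MakeFELite.bat folder.
    exit /b 2
)
type nul > "%LOG%"

call :stage "%WIN7%\ExplorerFrame.dll" ExplorerFrame.dll
call :stage "%EXPLPP%" Explorer.exe
rem The Windows XP binaries are optional, so skip them if that folder is absent.
if exist "%XP%\" (
    for %%F in (calc.exe mag_hook.dll magnify.exe mspaint.exe msswch.dll mstsc.exe mstscax.dll osk.exe) do call :stage "%XP%\%%F" %%F
) else (
    echo Skipping optional Windows XP binaries: "%XP%" not found.
)

if %MISSING% gtr 0 (
    echo %MISSING% files missing or not copied; fix this before running MakeFELite.bat.
    exit /b 1
)
echo All files staged. Hashes written to "%LOG%".
exit /b 0

:stage
rem %1 = source file, %2 = file name to use inside X\Windows\System32
if not exist "%~1" (
    echo MISSING: %~1
    set /a MISSING+=1
    goto :eof
)
copy /y "%~1" "%DEST%\%~2" >nul
if errorlevel 1 (
    echo COPY FAILED: %~1
    set /a MISSING+=1
    goto :eof
)
rem Record the hash of the staged copy, i.e. the file that ends up in the build.
certutil -hashfile "%DEST%\%~2" SHA256 >> "%LOG%"
goto :eof
```

Keeping the resulting hash log with the ISO documents exactly which binaries went into a given build.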
Furthermore, the two Apple HFS+ driver files, if required, should be placed in the following location of the WinFE Lite folder structure:
If the Apple HFS+ drivers are not being used, the references to them within the batch file should be removed or commented out using either 'REM' or '::'.
The basic WinFE Lite boot media can now be built by simply double clicking on the 'MakeFELite.bat' batch file.
Note: During testing, the 'MakeFELite.bat' batch file would fail if WinBuilder had been previously used without rebooting the computer. I don't know why, but I can only assume WinBuilder is not terminating something correctly.
The resulting ISO file can be written to CD/DVD by right clicking on the ISO file and selecting Burn disc image (Windows 7).
A guide is available within the Download page of this web site that provides instructions on how to make a bootable USB flash drive containing WinFE Lite.
To add extra functionality and applications to WinFE Lite, such as C++ Runtime Libraries, EnCase, FTK Imager or FieldSearch, please refer to the documentation which can be located in the Download section of this web site.
Rather than adding large programs such as EnCase or FTK Imager to the build, I would recommend placing them on your harvest drive and executing them from that location, as anything placed within the /X/ structure will be loaded into the RAM disk at boot time, which may cause problems on systems with a small amount of RAM. I have tested this build in systems with 512MB of RAM and it seems to function OK.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL COLIN RAMSDEN OR ANY OTHER CONTRIBUTOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.