The recent release of USB malware, in which any USB device is suspect of being infected after plugging into an unknown-if-clean machine, makes a problem for bootable USB devices in forensic collection. Some of the very scary claims to the USB malware are (http://news.discovery.com/tech/gear-and-gadgets/warning-usb-malware-code-unleashed-141006.htm):
That is bad stuff for a forensic bootable USB device. I've seen a few suggested solutions to the USB infection issue, but the fastest solution with WinFE is to burn to a CD/DVD instead of making a USB bootable. Problem solved.
Building a WinFE is still very very very very easy. Using the Mini-WinFE build, I just timed creating a WinFE DVD is less than 6 minutes. That was a few minutes with Winbuilder and a few minutes burning the ISO to DVD, while taking my time in the short process. If you haven't yet built a WinFE, the process is almost completely automated. Just point Winbuilder to your Windows 7/8 source and press go. Less than 5 minutes later, you have a forensically sound, bootable ISO/CD/DVD/or USB.
Granted, creating a WinFE CD/DVD in less than 10 minutes is not going to save you time compared to imaging a removed hard drive using a hardware imaging device. But...if you have LOTS of machines to image, booting the machines to be seized to WinFE most likely will be faster than removing hard drives and sharing hardware imaging devices. And for those pesky drives that won't come out, WinFE may be a good solution than fighting with an ultralight, can't-find-the-screws-to-remove-the-darn-hard-drive machines.
By accepting you will be accessing a service provided by a third-party external to https://brettshavers.com/
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
© 2021 Brett Shavers