Skip to content

Universal Windows Forensic Environment (WinFE) with Intel RAID & VMD support for modern Intel systems (8th–15th Gen), enabling forensic-safe detection of NVMe and RAID storage.

Notifications You must be signed in to change notification settings

AbdurRahman-cybersec/WinFE-Universal-Intel-RAID-VMD

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 

Repository files navigation

Static Badge Static Badge

Repository Name

WinFE-Universal-Intel-RAID-VMD

Objective

Build a fully functional Windows Forensic Environment (WinFE) USB capable of detecting internal NVMe and RAID volumes on modern Intel-based systems (8th–15th Gen) while preserving forensic integrity.

This WinFE build ensures:

  • No automatic disk mounting
  • No write operations to target drives
  • Reliable detection of RAID/VMD-managed storage

Device & Platform Compatibility

Supported Systems

  • Intel-based systems from 8th to 15th Generation
  • Intel Rapid Storage Technology (RST)
  • Intel Volume Management Device (VMD)
  • Storage modes: AHCI, RAID, VMD (NVMe)

Typical Hardware Profiles

  • Intel Core i5 / i7 / i9 (8th–15th Gen)
  • NVMe SSDs under RAID or VMD
  • Intel chipsets:
    • 300-series → 800-series
    • Examples: Z390, Z490, Z590, Z690, Z790

Requirements

1️⃣ Windows ADK + WinPE Add-on

  • Install the Windows Assessment and Deployment Kit (ADK)
  • Install the WinPE Add-on matching the ADK version

2️⃣ Intel WinFE Toolkit

  • Extracted locally, for example:
    C:\IntelWinFE
    

3️⃣ Intel Rapid Storage Technology (RST) Drivers

4️⃣ Administrator Access

  • All commands must be run from an elevated Command Prompt

Step 1: Build the WinFE Base

  1. Open Command Prompt as Administrator
  2. Navigate to the Intel WinFE directory:
    cd C:\IntelWinFE
  3. Run the build script:
    MakeWinFEx64-x86.bat
  4. Wait for completion

📁 Output file:

USB\x86-x64\x64\sources\boot.wim

Step 2: Extract Intel RAID / VMD Drivers

  1. Extract the Intel RST drivers:

    SetupRST.exe -extractdrivers "C:\RST_VMD"
  2. Verify driver directory:

    C:\RST_VMD\production\Windows10-x64\19041\Drivers\VMD
    
  3. Confirm required files:

  • iaStorVD.inf
  • iaStorVD.sys
  • iaStorVD.cat

Step 3: Inject Intel VMD Driver into WinFE

Mount the WinFE Image

mkdir C:\WinFE_Mount
Dism /Mount-Wim /WimFile:"D:\sources\boot.wim" /Index:1 /MountDir:"C:\WinFE_Mount"

Replace D: with your actual WinFE USB drive letter

Inject the Driver

Dism /Image:"C:\WinFE_Mount" /Add-Driver /Driver:"C:\RST_VMD\production\Windows10-x64\19041\Drivers\VMD" /Recurse

Commit and Unmount

Dism /Unmount-Wim /MountDir:"C:\WinFE_Mount" /Commit

Step 4: Verify Driver Injection

  1. Mount image for verification:
mkdir C:\CheckMount
Dism /Mount-Wim /WimFile:"D:\sources\boot.wim" /Index:1 /MountDir:"C:\CheckMount"
  1. Confirm driver presence:
Dism /Get-Drivers /Image:"C:\CheckMount" | find "iaStorVD"
  1. Unmount without saving:
Dism /Unmount-Wim /MountDir:"C:\CheckMount" /Discard

Expected output:

iaStorVD.inf

Step 5: Test on Target System

  1. Boot the target system from the WinFE USB with RAID/VMD enabled in BIOS
  2. Open Command Prompt:
diskpart
list disk

Expected Result

  • Disk 0 → Internal NVMe / RAID volume
  • Disk 1 → WinFE USB
  1. Verify driver loaded:
driverquery | find "iaStor"

Expected:

iaStorVD.sys

Step 6 (Optional): Add Universal NVMe Drivers

To maximize compatibility, integrate vendor NVMe drivers:

Supported Vendors

  • Samsung NVMe
  • Western Digital / SanDisk
  • Micron / Crucial

Inject drivers using:

Dism /Image:"C:\WinFE_Mount" /Add-Driver /Driver:"<NVMe_Driver_Folder>" /Recurse

🏁 Outcome

Your WinFE USB now:

  • Boots on modern Intel systems (8th–15th Gen)
  • Detects RAID, VMD, and NVMe storage
  • Preserves forensic integrity
  • Supports extensible driver integration

Next Recommendation

Place forensic tools in:

X:\Tools

Recommended tools:

  • Autopsy
  • FTK Imager
  • Magnet Acquire (portable)

📜 License & Disclaimer

This project is intended for authorized forensic and DFIR use only. Ensure proper legal authority before examining any system.

About

Universal Windows Forensic Environment (WinFE) with Intel RAID & VMD support for modern Intel systems (8th–15th Gen), enabling forensic-safe detection of NVMe and RAID storage.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published