But Linux Live distros can't run the 32-bit Windows software I want to use to forensically examine a Windows computer. Also, although they can usually read NTFS partitions, most can't write to them (e.g., to remove a malware program, disable a service, or delete an autorun entry), and they don't understand many of Windows' extended features (e.g., EFS, compression, etc.). In many cases, I want to boot quickly into an out-of-band 32-bit Windows shell to do the dirty work.
Microsoft enterprise customers with Software Assurance have had Microsoft's Windows Preinstallation Environment (WinPE) available since Windows XP. Initially intended for fast OS installs, WinPE and its command-line interface became an insider favorite for out-of-band inspection of malware-infected systems. WinPE 2.0, released with Windows Vista, extends the WinPE family with a relatively nice 32-bit Windows GUI environment that supports most Windows APIs, NTFS reads and writes, network logons, and device drivers, and can run most Windows programs. Unfortunately, it only comes with Windows Vista.
My friend (and tech editor of one of my most recent books) Chris Quirke has been promoting an even better product called BartPE. The BartPE Builder (Bart's PE Builder) helps you create an entire out-of-band Windows boot image. When run, it searches your hard drive for Windows installation files (it needs a Windows XP or Windows Server 2003 source) and, once they are found, uses them to build a new boot image. The BartPE Builder can write the result to an ISO image or burn it directly to a CD or DVD.
It's an entire "thin" version of Windows. Although it comes with only a handful of investigative programs (called plug-ins) preinstalled, you can add nearly any forensic or malware investigation program you like. Chris's BartPE image has 13 antivirus products, six anti-spyware programs, 20 integrity checkers, both the RootkitRevealer and BlackLight rootkit detectors, 10 data-recovery programs, and nearly 100 other programs installed. When he needs to inspect a system forensically, he boots his customized BartPE CD and has everything he needs available from one GUI menu. You can make your own customized BartPE image with the tools you find most useful.
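Here is what the writable out-of-band shell buys you in practice, as an added example that is not from the column, from BartPE, or from Chris's image: a cmd.exe script run from the BartPE shell against the dead system's disk. It loads the victim's offline SOFTWARE and SYSTEM hives under throwaway keys, lists the classic HKLM autorun points and Winlogon shell settings, works out which ControlSet the machine boots from, prints every auto-start service and driver with its ImagePath, and optionally disables one named service by setting its Start value to 4 (SERVICE_DISABLED). It assumes reg.exe is on your BartPE image, that the victim's Windows directory is at <drive>:\Windows, and that the mount names OFF_SOFTWARE and OFF_SYSTEM, the script name, and its arguments are my own choices.

```batch
@echo off
setlocal
rem offline-triage.cmd [drive:] [service-to-disable]
rem Added example, not from the column or from BartPE. Assumes reg.exe is on the
rem BartPE image and the dead Windows install is on %1 (default C:).

if "%~1"=="" (set TGT=C:) else (set TGT=%~1)
set CFG=%TGT%\Windows\System32\config
set SOFT=HKLM\OFF_SOFTWARE
set SYS=HKLM\OFF_SYSTEM

rem Mount the victim's hives under throwaway keys of the BartPE registry.
rem The hive files on XP are named "software" and "system" with no extension.
reg load %SOFT% "%CFG%\software" >nul || goto :loadfail
reg load %SYS%  "%CFG%\system"   >nul || goto :loadfail

echo === Classic autorun keys (offline HKLM) ===
for %%k in (Run RunOnce RunOnceEx) do reg query "%SOFT%\Microsoft\Windows\CurrentVersion\%%k" 2>nul

echo === Winlogon Shell / Userinit (expect explorer.exe and userinit.exe) ===
reg query "%SOFT%\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "%SOFT%\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

rem Select\Current tells us which ControlSet00N the machine actually boots from
rem (reg prints it as hex, e.g. 0x1; set /a converts it to decimal).
set CUR=
for /f "tokens=3" %%a in ('reg query %SYS%\Select /v Current ^| find "Current"') do set CUR=%%a
set /a N=%CUR%
set CCS=%SYS%\ControlSet00%N%

echo === Auto-start (Start=2) services and drivers in ControlSet00%N% ===
for /f "delims=" %%s in ('reg query %CCS%\Services') do call :showauto "%%s"

if "%~2"=="" goto :unload
echo === Disabling %~2 (Start=4, takes effect on next boot) ===
reg add "%CCS%\Services\%~2" /v Start /t REG_DWORD /d 4 /f

:unload
rem Always unload, or the hives stay locked and the victim will not boot cleanly.
reg unload %SOFT% >nul
reg unload %SYS%  >nul
endlocal
exit /b 0

:loadfail
echo Could not load hives from %CFG% - check the drive letter and NTFS write support.
endlocal
exit /b 1

:showauto
rem Print "key  ImagePath" for one service key whose Start value is 2 (SERVICE_AUTO_START).
reg query %1 /v Start 2>nul | find "0x2" >nul || goto :eof
for /f "tokens=2,*" %%p in ('reg query %1 /v ImagePath 2^>nul ^| find "ImagePath"') do echo %~1  %%q
goto :eof
```

Two caveats a practitioner should keep in mind. First, Start=4 on a boot- or system-start driver (Start=0 or 1) that Windows needs will leave the machine unbootable, so confirm what a service is before disabling it, and prefer the Services key in the ControlSet the machine actually uses rather than CurrentControlSet, which does not exist in an offline hive. Second, this only covers HKLM; per-user Run keys live in each profile's NTUSER.DAT, which you can load the same way with reg load.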
However you do it, realize that simple autorun file inspection from inside the running OS is becoming less reliable again. Consider using BartPE to build your own ultimate Windows inspection toolkit.