I will try again to disambiguate (or at least find a common dictionary, I will readily agree to disagree on *anything*, as long as the thing on which we disagree is clearly identified).
You are seemingly confusing "volatile" (in the sense of "volatile environment") with "read only".
A "repair tool" may (or may not) be "volatile" but CANNOT be "read only".
A "forensic sterile tool" may (or may not) be "volatile" but MUST be "read only".
A repair tool even if "volatile" may well leave behind "traces", or change *something* on the "internal" PC's hard disk as you reported for ERD / DaRT and the link I provided about the WinPE 4.x that jtalbot35
There is nothing "good" nor "bad" about it, it is simply the way a given tool behaves (by design or otherwise), someone using that tool should be aware of what is changed on the target system.
A "forensic sterile tool" by definition, and no matter if "volatile" or not, needs to change NOTHING on the target.
A "forensic sterile tool" is used for forensics.
A "repair tool" is used for repairs.
You can - generally speaking - use a "forensics" tool for "repairs" (by disabling the settings/filters/whatever that make it originally "sterile").
You can - generally speaking - use a "repair" tool for "forensics" (by enabling the settings/filters/whatever in order to make it "sterile").
A Windows-based PE is ALWAYS (by definition) "volatile", it can be tweaked towards "forensics" (and thus made READ ONLY and "sterile"), or tweaked towards "repair" (and thus forfeiting the "sterile" and READ ONLY).
A Linux Live is also (by definition) "volatile".
Both a Windows PE and a Linux Live distro can be booted from CD/DVD (and the CD/DVD is NOT changed in any way = "volatile"); whether they will "leave traces" on the hard disk is another matter, which is very relevant for "forensics" but of little or no importance for "repairs".
BTW you can have a "volatile" environment also with a "full" XP: http://reboot.pro/to...project-etboot/
which you can use for "repairs" but that you CANNOT for "forensics" (as it is evidently NOT "sterile").
ERD or MSDart are intended for "repairs" and they are "volatile" and they may well leave traces on the PC's hard disk.
Your reply to joakim
May not be entirely true. Certain PE implementations like the earlier System Internals ERD and the later DaRT leave something, at least a folder and possibly some registry entry. I never did do a formal test of this so I am just guessing that it is a date/time/stamp tattoo. A proper audit should be done to see what if anything persists. A perfectly sterile forensic PE tool should leave nothing on the target system without prompting.
In any case, settings and configurations like those written to registry, are not kept over a reboot when in WinPE. It is only kept in memory.
seemed to imply that anything in the original thread or specifically in joakim's reply was related to "a perfectly sterile forensic tool" or that you considered ERD or MSDart a "perfectly sterile forensic PE tool" (which they are not).
Hence the idea that you were mixing together different things.
Consider this carpenter's example:
joakim: When you paint your walls, no traces are left once you have removed the bucket of paint, the ladder, the brushes and the paper you used to protect the floor.
CTH: Hah, but last time I spray painted my room I found tiny drops of paint on the windows. A perfect sanitization of a hospital room should leave no traces.
jaclaz: CTH, joakim was talking of painting the walls, and of painting them with brushes, not about spray painting them and not about hospital rooms.