Brett's Ramblings
Colin's Write Protect Application
Here it is, Colin Ramsden's WinFE write protect application!
Although long in waiting, it is finally here. Colin worked diligently on making this work without making Microsoft unhappy. Documentation is forthcoming on the use of his application, but as you can see, it is really easy to figure out how to manage your disks.
Other little features may be coming in the future, but for now, say so long to DiskPart.
You can download the WinBuilder script from the BoxNet on this site (to your right of the page) and it will also be made available on the www.reboot.pro website. The file, "wp.script" needs to be placed in the "tweaks" folder in the WinBuilder folder structure.
For support on creating a WinFE ISO using WinBuilder, consult the forums at www.reboot.pro.
About the author
Comments 12
Guys, Time to apply your safety catches before someone has a negligent discharge!
This version of the script is 1.0.0.141 and should be considered a public Beta.
I still have some error checking code to add and the detail disk code will be improved. Also, you do not need to add any other WinFE script, including Troy’s as the registry settings that Troy made are included within the ‘wp.script’ file.
I imagine someone; somewhere will find a bug so I will be happy to hear from anyone who discovers one. In a nut shell, this version should be kept well away from any evidential items until we are all happy that it is working as expected.
Here is brief synopsis of how the tool works and how it should be used.
1 – During the boot process my program is executed with a command line of –i, which should set every disk connected to the computer to dismounted and read-only, this is really only a safety net as Troy’s registry settings actually do this beforehand. The command line switch ‘-i’ is executed as part of my ‘wp.script’.
2 – Once you are happy all of the disks are in the expected state, the application should be closed to allow Windows to complete loading (Drivers can also be loaded at this stage should they be required).
3 – Once Windows has loaded, my application is available to be used from the Desktop shortcut.
4 – Mounting a disk, which is not actually true, will mount all of the volumes that reside on the selected disk, at the moment software RAID’s and spanned volumes are not supported, they can, however, still be imaged and reconstructed with EnCase, WinHex or FTK.
5 – There is no need to mount evidential disks unless you wish to conduct triage with tools that require a file system to be present, such as FieldSearch.
6 – Changing a disk from R/O (read-only) to read-write, will do exactly that! So don’t use this option on evidential disks! – It should only be used on your tools/harvest hard drive. Obviously, if you are changing a disk to read-write, you will need to mount it to access the file system.
It is worth mentioning that the in-built explorer does not automatically refresh in WinFE, therefore, if volumes are mounted, you will need to either close and reopen the explorer window or press F5 to refresh.
Just one last point, should anyone need to mount Apple HFS+ or EXT2/3/4 partitions, drop me an email, I do have scripts for this too!
Sorry about the formatting of this text, it’s a quick copy and paste from Word.
Enjoy.
Good job with this!
I assembled a 32 Bit Win7 WinFE build using the WinFE script and the write protect GUI (I know the WinFE script is no longer need because it is built into the write protect script .. I was just being cautious). I'm happy to report that it works well. I'm happier to report that with the GUI no writes were made to the disk.
#1: Booted the computer (HP Laptop, WinXP) using RAPTOR and hashed the entire physical HDD. Shut down.
#2: Booted the computer with WinFE on a USB thumbdrive.
When the write protect GUI loaded the thumbdrive was mounted and not write protected, the laptop HDD was not mounted and was write protected. I closed the GUI and WinFE finished booting.
#3 I launched FTK Imager, loaded the physical drive as an evidence item and then rooted around in the file structure.
#4 I launched the write protect GUI and mounted the physical HDD (highlight the drive and click "Mount"). The drive was then assigned a drive letter.
#5 Launched a couple of tools and ran them agains the HDD and/or the volumes.
#6 Launched explorer and tried to write files to and delete files from the HDD. I was unsuccessful. I was able to copy files.
#7 Launched irfanview portable and viewed a few pictures on the HDD.
#8 Unmounted the HDD.
#9 Shut down WinFE.
#10 Booted the computer with RAPTOR and hashed the entire physical HDD.
THE HASHES IN STEP #1 AND STEP #10 MATCH.
Prior to the GUI, using diskpart, making the drive/volume read-only caused a write to the HDD. It would appear that this problem is solved because the write protect GUI does it's thing before WinFE finishes booting.
Please Note that Winbuilder tweaks are mostly Level 3, you've marked yours at Level 4. This causes WinBuilder to make two folders called Tweaks. ( Annoying )
Since your script is required to be run last, I strongly advise you change it to Level 6 or even 7 and perhaps give it another folder and called it 'Last Scripts' or even in the 'Finals' directory which is level 8.
Just my two cents.
By accepting you will be accessing a service provided by a third-party external to https://brettshavers.com/
Posts List
Tag Cloud
Search Blog
DFIR Training
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
Even better, support DFIR Training at Patreon and get access to multiple online courses in digital forensics with included ebooks!
© 2020 Brett Shavers