Colin's Write Protect Application

Digital Forensics
Brett Shavers
Monday, 19 March 2012
3223 Hits
12 Comments

Here it is, Colin Ramsden's WinFE write protect application!

Although long in waiting, it is finally here. Colin worked diligently on making this work without making Microsoft unhappy. Documentation on the use of his application is forthcoming, but as you can see, it is really easy to figure out how to manage your disks.

Other little features may be coming in the future, but for now, say so long to DiskPart.

You can download the WinBuilder script from the BoxNet on this site (to the right of the page), and it will also be made available on the www.reboot.pro website. The file "wp.script" needs to be placed in the "tweaks" folder in the WinBuilder folder structure.

For support on creating a WinFE ISO using WinBuilder, consult the forums at www.reboot.pro.
Comments 12

Guest - cramsden on Monday, 19 March 2012 19:33

Guys, time to apply your safety catches before someone has a negligent discharge!
This version of the script is 1.0.0.141 and should be considered a public Beta.
I still have some error checking code to add and the detail disk code will be improved. Also, you do not need to add any other WinFE script, including Troy's, as the registry settings that Troy made are included within the 'wp.script' file.
I imagine someone, somewhere will find a bug, so I will be happy to hear from anyone who discovers one. In a nutshell, this version should be kept well away from any evidential items until we are all happy that it is working as expected.
Here is a brief synopsis of how the tool works and how it should be used.
1 – During the boot process my program is executed with a command line of -i, which should set every disk connected to the computer to dismounted and read-only; this is really only a safety net, as Troy's registry settings actually do this beforehand. The command line switch '-i' is executed as part of my 'wp.script'.
2 – Once you are happy all of the disks are in the expected state, the application should be closed to allow Windows to complete loading (Drivers can also be loaded at this stage should they be required).
3 – Once Windows has loaded, my application is available to be used from the Desktop shortcut.
4 – Mounting a disk, which is not actually true, will mount all of the volumes that reside on the selected disk; at the moment software RAIDs and spanned volumes are not supported. They can, however, still be imaged and reconstructed with EnCase, WinHex or FTK.
5 – There is no need to mount evidential disks unless you wish to conduct triage with tools that require a file system to be present, such as FieldSearch.
6 – Changing a disk from R/O (read-only) to read-write will do exactly that! So don't use this option on evidential disks! It should only be used on your tools/harvest hard drive. Obviously, if you are changing a disk to read-write, you will need to mount it to access the file system.
It is worth mentioning that the in-built explorer does not automatically refresh in WinFE; therefore, if volumes are mounted, you will need to either close and reopen the explorer window or press F5 to refresh.
Just one last point, should anyone need to mount Apple HFS+ or EXT2/3/4 partitions, drop me an email, I do have scripts for this too!
Sorry about the formatting of this text; it's a quick copy and paste from Word.
Enjoy.

Guest - cramsden on Monday, 19 March 2012 19:48

Well, I've found a bug already! I'll have a new build put together, which will be sent to Brett today!

Guest - cramsdenColinR on Tuesday, 20 March 2012 08:22

1.0.0.149 is now released; this should address the bug discovered in the post above, as well as provide a better disk information dialog.

Guest - Brett Shavers on Tuesday, 20 March 2012 08:26

It's uploaded and available in the Boxnet file.

Guest - Jeff Ellis on Friday, 30 March 2012 08:35

Good job with this!

I assembled a 32 Bit Win7 WinFE build using the WinFE script and the write protect GUI (I know the WinFE script is no longer needed because it is built into the write protect script .. I was just being cautious). I'm happy to report that it works well. I'm happier to report that with the GUI no writes were made to the disk.

#1: Booted the computer (HP Laptop, WinXP) using RAPTOR and hashed the entire physical HDD. Shut down.

#2: Booted the computer with WinFE on a USB thumbdrive.

When the write protect GUI loaded, the thumbdrive was mounted and not write protected; the laptop HDD was not mounted and was write protected. I closed the GUI and WinFE finished booting.

#3 I launched FTK Imager, loaded the physical drive as an evidence item and then rooted around in the file structure.

#4 I launched the write protect GUI and mounted the physical HDD (highlight the drive and click "Mount"). The drive was then assigned a drive letter.

#5 Launched a couple of tools and ran them against the HDD and/or the volumes.

#6 Launched explorer and tried to write files to and delete files from the HDD. I was unsuccessful. I was able to copy files.

#7 Launched irfanview portable and viewed a few pictures on the HDD.

#8 Unmounted the HDD.

#9 Shut down WinFE.

#10 Booted the computer with RAPTOR and hashed the entire physical HDD.

THE HASHES IN STEP #1 AND STEP #10 MATCH.

Prior to the GUI, using diskpart, making the drive/volume read-only caused a write to the HDD. It would appear that this problem is solved because the write protect GUI does its thing before WinFE finishes booting.

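The before/after hash check in the test above, written out as a small script. This is an added example, not part of the original post or of Colin's tool; it assumes the target is a raw device path (such as a PhysicalDrive path on Windows or a /dev node on Linux) or an image file, and that the baseline record is written to your tools drive, never to the evidence disk.

```python
"""Hash a device or image before and after a WinFE session and compare the two."""
import hashlib
import json
import sys
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # 4 MiB sequential reads keep memory flat on large disks


def hash_device(path, algorithms=("md5", "sha256")):
    """One sequential pass over the device; returns {alg: hexdigest, 'bytes': n}."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    total = 0
    with open(path, "rb", buffering=0) as f:  # unbuffered: suits raw device reads
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            total += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    result = {a: h.hexdigest() for a, h in hashers.items()}
    result["bytes"] = total  # a size change is also a change worth flagging
    return result


def write_baseline(path, baseline_file):
    """Step #1: record the pre-session hashes with a UTC timestamp."""
    record = {"device": path, "taken": datetime.now(timezone.utc).isoformat()}
    record.update(hash_device(path))
    with open(baseline_file, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify(path, baseline_file):
    """Step #10: rehash and list every field that disagrees with the baseline."""
    with open(baseline_file) as f:
        before = json.load(f)
    after = hash_device(path)
    mismatched = [k for k in after if before.get(k) != after[k]]
    return {"match": not mismatched, "mismatched": mismatched,
            "before": before, "after": after}


if __name__ == "__main__":
    # usage: hashcheck.py baseline|verify <device-or-image> <baseline.json>
    mode, dev, base = sys.argv[1:4]
    out = write_baseline(dev, base) if mode == "baseline" else verify(dev, base)
    print(json.dumps(out, indent=2))
```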
Guest - EM on Thursday, 07 June 2012 20:17

Please note that WinBuilder tweaks are mostly Level 3; you've marked yours at Level 4. This causes WinBuilder to make two folders called Tweaks. (Annoying.)

Since your script is required to be run last, I strongly advise you change it to Level 6 or even 7 and perhaps give it another folder and call it 'Last Scripts', or even put it in the 'Finals' directory, which is Level 8.

Just my two cents.

Guest - cramsden on Thursday, 07 June 2012 20:27

Will do, it might take a few days for me to get around to it though; in the meantime, the script is easily user editable.

Guest - EM on Saturday, 09 June 2012 11:14

Cheers!! No hurry.

Another suggestion? Please move the buttons further apart? I almost hit Read/Write by accident. Sometimes the mouse is fast in WinPE and I need to make mine muppet proof.

I might make some layout suggestions that I can email you?

Guest - cramsden on Saturday, 09 June 2012 21:16

Feel free, my email address can be found on the app. Colin.

Guest - EM on Monday, 11 June 2012 20:11

Nup, can't find it in the version I have.

Noticed something with the program: you need to close it twice. Not sure if it's happening to anyone else or not?

Guest - EM on Monday, 11 June 2012 20:12

Doh!! Found it.

Guest - EM on Tuesday, 12 June 2012 09:53

Don't worry about the 'twice' issue. I had the script run twice. Silly error on my behalf.

© 2022 Brett Shavers