Guys, time to apply your safety catches before someone has a negligent discharge!
This version of the script is 1.0.0.141 and should be considered a public Beta.
I still have some error checking code to add and the detail disk code will be improved. Also, you do not need to add any other WinFE script, including Troy's, as the registry settings that Troy made are included within the 'wp.script' file.
I imagine someone, somewhere will find a bug, so I will be happy to hear from anyone who discovers one. In a nutshell, this version should be kept well away from any evidential items until we are all happy that it is working as expected.
Here is a brief synopsis of how the tool works and how it should be used.
1 – During the boot process my program is executed with a command line of -i, which should set every disk connected to the computer to dismounted and read-only. This is really only a safety net, as Troy's registry settings actually do this beforehand. The command line switch '-i' is executed as part of my 'wp.script'.
2 – Once you are happy all of the disks are in the expected state, the application should be closed to allow Windows to complete loading (Drivers can also be loaded at this stage should they be required).
3 – Once Windows has loaded, my application is available to be used from the Desktop shortcut.
4 – Mounting a disk (which is not actually true) will mount all of the volumes that reside on the selected disk. At the moment software RAIDs and spanned volumes are not supported; they can, however, still be imaged and reconstructed with EnCase, WinHex or FTK.
5 – There is no need to mount evidential disks unless you wish to conduct triage with tools that require a file system to be present, such as FieldSearch.
6 – Changing a disk from R/O (read-only) to read-write will do exactly that! So don't use this option on evidential disks! It should only be used on your tools/harvest hard drive. Obviously, if you are changing a disk to read-write, you will need to mount it to access the file system.
It is worth mentioning that the in-built explorer does not automatically refresh in WinFE; therefore, if volumes are mounted, you will need to either close and reopen the explorer window or press F5 to refresh.
Just one last point, should anyone need to mount Apple HFS+ or EXT2/3/4 partitions, drop me an email, I do have scripts for this too!
Sorry about the formatting of this text; it's a quick copy and paste from Word.
Enjoy.
Well, I've found a bug already! I'll have a new build put together, which will be sent to Brett today!
1.0.0.149 is now released. This should address the bug discovered in the post above, as well as providing a better disk information dialog.
Good job with this!
I assembled a 32-bit Win7 WinFE build using the WinFE script and the write protect GUI (I know the WinFE script is no longer needed because it is built into the write protect script... I was just being cautious). I'm happy to report that it works well. I'm happier to report that with the GUI no writes were made to the disk.
#1: Booted the computer (HP Laptop, WinXP) using RAPTOR and hashed the entire physical HDD. Shut down.
#2: Booted the computer with WinFE on a USB thumbdrive.
When the write protect GUI loaded the thumbdrive was mounted and not write protected, the laptop HDD was not mounted and was write protected. I closed the GUI and WinFE finished booting.
#3 I launched FTK Imager, loaded the physical drive as an evidence item and then rooted around in the file structure.
#4 I launched the write protect GUI and mounted the physical HDD (highlight the drive and click "Mount"). The drive was then assigned a drive letter.
#5 Launched a couple of tools and ran them against the HDD and/or the volumes.
#6 Launched explorer and tried to write files to and delete files from the HDD. I was unsuccessful. I was able to copy files.
#7 Launched irfanview portable and viewed a few pictures on the HDD.
#8 Unmounted the HDD.
#9 Shut down WinFE.
#10 Booted the computer with RAPTOR and hashed the entire physical HDD.
THE HASHES IN STEP #1 AND STEP #10 MATCH.
Prior to the GUI, using diskpart, making the drive/volume read-only caused a write to the HDD. It would appear that this problem is solved because the write protect GUI does its thing before WinFE finishes booting.
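The hash-before, work, hash-after check in steps #1 and #10 is the only evidence that a write blocker actually blocked writes, so it is worth having the comparison scripted rather than eyeballed. The following is an added example, not code from the thread or from the write protect tool: it hashes a raw device in one pass with more than one algorithm, then reports which digests differ. The device paths are placeholders (a raw physical device needs administrator or root rights), and the demo uses a constructed in-memory image, including a simulated single-byte write of the kind diskpart's read-only flag was causing.

```python
"""Before/after hash verification for a write-blocker test (added example)."""
import hashlib
import io
from typing import BinaryIO

CHUNK_SIZE = 4 * 1024 * 1024  # 4 MiB reads: sector-aligned, fine for raw devices


def hash_stream(stream: BinaryIO, algorithms=("md5", "sha256")) -> dict:
    """Read the stream once and compute every requested digest in that single pass.
    Returns {"md5": ..., "sha256": ..., "bytes": <total length read>}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        total += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["bytes"] = total
    return result


def hash_bytes(data: bytes) -> dict:
    """Convenience wrapper for in-memory data (used for the constructed demo)."""
    return hash_stream(io.BytesIO(data))


def hash_device(path: str) -> dict:
    """Hash an entire physical device. Placeholder paths: r'\\.\PhysicalDrive1'
    on Windows, '/dev/sdb' on Linux. Run this with the disk unmounted, before
    and after the session under test."""
    with open(path, "rb", buffering=0) as dev:
        return hash_stream(dev)


def verify_unchanged(before: dict, after: dict) -> list:
    """Return the names of digests that differ (plus 'bytes' if the length changed).
    An empty list means the device is byte-for-byte unchanged."""
    mismatches = [k for k in before if k != "bytes" and before[k] != after.get(k)]
    if before.get("bytes") != after.get("bytes"):
        mismatches.append("bytes")
    return mismatches


def demo():
    """Constructed 1 MiB 'disk image'; returns (clean_result, tampered_result)."""
    image = bytes(range(256)) * 4096
    before = hash_bytes(image)
    # Session that only reads: image is identical afterwards.
    after_clean = hash_bytes(image)
    # Session where one byte was flipped, as a stray metadata write would do.
    tampered = bytearray(image)
    tampered[512] ^= 0xFF
    after_written = hash_bytes(bytes(tampered))
    return verify_unchanged(before, after_clean), verify_unchanged(before, after_written)


if __name__ == "__main__":
    clean, written = demo()
    print("read-only session, differing digests:", clean)       # []
    print("session with a write, differing digests:", written)  # ['md5', 'sha256']
```

In practice you would call `hash_device()` from a separate boot (as with RAPTOR in the thread) rather than from inside the WinFE session being tested, so that the hashing run itself cannot be the source of a write. Recording the byte count alongside the digests also catches the case where the two runs silently read different device sizes (for example an HPA or DCO being toggled).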
Please note that WinBuilder tweaks are mostly Level 3; you've marked yours at Level 4. This causes WinBuilder to make two folders called Tweaks. (Annoying)
Since your script is required to be run last, I strongly advise you change it to Level 6 or even 7 and perhaps give it another folder and call it 'Last Scripts', or even put it in the 'Finals' directory, which is level 8.
Just my two cents.
Will do. It might take a few days for me to get around to it though; in the meantime, the script is easily user editable.
Cheers!! No hurry.
Another suggestion: please move the buttons further apart. I almost hit Read/Write by accident. Sometimes the mouse is fast in WinPE and I need to make mine muppet proof.
I might make some layout suggestions that I can email you?
Nup, can't find it in the version I have.
Noticed something with the program: you need to close it twice. Not sure if it's happening to anyone else or not?
Don't worry about the 'twice' issue. I had the script run twice. Silly error on my behalf.
© 2022 Brett Shavers