
WinFE Script Updated


26 replies to this topic

#1 bshavers

bshavers

    Frequent Member

  • Developer
  • 140 posts
  •  
    United States

Posted 20 March 2012 - 11:03 PM

Colin’s Write Protect Script (wp.script) is available, but still considered Beta (and as with any forensic utility, test – test – test). You can download today’s version here: wp.script. To make sure you get the most recent version after today, download from the Boxnet from this website. Troy Larson’s registry modifications are included in Colin Ramsden’s WinBuilder Script. That’s all you need.

If anyone would like to formally have their test results posted on this site, feel free to send the results to me.


I would reckon that for anyone that has not taken the time yet to build their own WinFE, there isn’t any excuses left now. And like everyone else that waited, you’ll wonder why you waited so long.


#2 TheHive

TheHive

    Platinum Member

  • .script developer
  • 4199 posts

Posted 21 March 2012 - 07:26 AM

:good:

#3 cramsden

cramsden

    Member

  • Members
  • 43 posts
  •  
    United Kingdom

Posted 21 March 2012 - 09:04 PM

The current version is 1.0.0.149, which is available from the winfe site at http://winfe.wordpress.com/.

It should still be considered a Beta. I understand from Brett that it has been downloaded several hundred times already; however, I have yet to hear any feedback.

I would appreciate feedback even if it's just to say, yes it works, rather than waiting until a bug arises.

At the moment, the script has to be placed in the Tweaks folder within the WinBuilder structure, however, I may change this to the apps folder.

Thanks, Colin.

Edited by cramsden, 21 March 2012 - 09:05 PM.


#4 RoyM

RoyM

    Frequent Member

  • .script developer
  • 420 posts
  • Interests:"Booting and Owning".
  •  
    United States

Posted 22 March 2012 - 03:59 AM

"Very nice" gentlemen.

Congrats and thanks to Colin for his fine addition and hard work on wp.script

P.S. It took me a minute or two to realize who this new guy cramsden was!
Anyway, welcome to the forums. Hope all is going well.

Good Job
RoyM

#5 cramsden

cramsden

    Member

  • Members
  • 43 posts
  •  
    United Kingdom

Posted 22 March 2012 - 09:48 AM

Thanks Roy,

All is well, hope you are too!

Just pleased that this project is almost complete and released for testing!

#6 balzanto

balzanto
  • Members
  • 5 posts
  •  
    United States

Posted 30 March 2012 - 01:35 AM

Colin -

Very nice. I haven't tested everything yet but what I have run through (standard HDD and WD 1TB USB HDD) worked very well. This is exactly what WinFE needed to put it in more hands. I'll update more as I run it through its paces.

Tony Balzanto

#7 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 30 March 2012 - 08:18 PM

Will there be any explanation of what the tool actually does, or how it achieves what it does? I mean how it works from a low level/technical point of view.

Thanks.

#8 cramsden

cramsden

    Member

  • Members
  • 43 posts
  •  
    United Kingdom

Posted 30 March 2012 - 09:41 PM

@joakim

Yes, the tool uses DeviceIOControl codes to set disk attributes to read-only/read-write and online/offline, pretty much what a filter driver would do, although this is done at a higher level as I don't know how to write drivers!

The DeviceIOControl codes are used in conjunction with the WinFE registry settings (MountMgr and SanPolicy). These registry settings are used to place the disks into the initial dismounted/read-only modes.

I have discovered that the same error exists that is mentioned in another thread (pre my tool) where dynamic disks are somehow touched, I am working on a fix for this, but I have family commitments at the moment, so it will not be completed for a couple of weeks yet.

Colin
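The mechanism Colin describes above (a user-mode tool asking the disk class driver to flag a disk read-only and offline) can be reproduced with the documented Windows IOCTLs. The following is an added example written for this thread, not WProtect's code: it composes IOCTL_DISK_GET_DISK_ATTRIBUTES and IOCTL_DISK_SET_DISK_ATTRIBUTES from the CTL_CODE macro, packs the SET_DISK_ATTRIBUTES input buffer, and (on Windows, from an elevated prompt) applies READ_ONLY|OFFLINE to PhysicalDriveN through DeviceIoControl. The registry side (MountMgr/SanPolicy) is not covered here; the structure layouts are taken from winioctl.h and the buffer helpers are plain Python so they can be checked on any OS.

```python
"""Set a physical disk read-only and offline from user mode with DeviceIoControl.

Added example for this thread, not WProtect's code. Assumes Windows (Vista or
later) and an elevated prompt for the actual call; the code/buffer helpers run anywhere.
"""
import ctypes
import struct
import sys

# CTL_CODE ingredients from winioctl.h
FILE_DEVICE_DISK = 0x00000007
METHOD_BUFFERED = 0
FILE_ANY_ACCESS = 0
FILE_READ_ACCESS = 0x0001
FILE_WRITE_ACCESS = 0x0002

# Attribute bits in GET_DISK_ATTRIBUTES.Attributes / SET_DISK_ATTRIBUTES.Attributes
DISK_ATTRIBUTE_OFFLINE = 0x1
DISK_ATTRIBUTE_READ_ONLY = 0x2


def ctl_code(device_type, function, method, access):
    """The CTL_CODE macro: how every DeviceIoControl code is composed."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


IOCTL_DISK_GET_DISK_ATTRIBUTES = ctl_code(FILE_DEVICE_DISK, 0x3C, METHOD_BUFFERED, FILE_ANY_ACCESS)
IOCTL_DISK_SET_DISK_ATTRIBUTES = ctl_code(FILE_DEVICE_DISK, 0x3D, METHOD_BUFFERED,
                                          FILE_READ_ACCESS | FILE_WRITE_ACCESS)

# GET_DISK_ATTRIBUTES: ULONG Version; ULONG Reserved1; ULONGLONG Attributes (16 bytes)
GET_FMT = "<IIQ"
# SET_DISK_ATTRIBUTES: ULONG Version; BOOLEAN Persist; BOOLEAN Reserved1[3];
#                      ULONGLONG Attributes; ULONGLONG AttributesMask; GUID Owner (40 bytes)
SET_FMT = "<I?3xQQ16s"
SET_SIZE = struct.calcsize(SET_FMT)


def build_set_disk_attributes(attributes, mask, persist=False):
    """Input buffer for IOCTL_DISK_SET_DISK_ATTRIBUTES. Version must equal the struct size.
    Only bits present in `mask` change; persist=False keeps the change volatile, which is
    what a boot-from-CD forensic environment wants."""
    return struct.pack(SET_FMT, SET_SIZE, persist, attributes, mask, b"\0" * 16)


def parse_get_disk_attributes(buf):
    """Attributes field of an IOCTL_DISK_GET_DISK_ATTRIBUTES output buffer."""
    _version, _reserved, attributes = struct.unpack(GET_FMT, bytes(buf[:16]))
    return attributes


def describe_attributes(attributes):
    """Human-readable names for the attribute bits (empty set means online and writable)."""
    names = []
    if attributes & DISK_ATTRIBUTE_OFFLINE:
        names.append("OFFLINE")
    if attributes & DISK_ATTRIBUTE_READ_ONLY:
        names.append("READ_ONLY")
    return names or ["ONLINE/WRITABLE"]


def _kernel32():
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p,
                                ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    k32.DeviceIoControl.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32,
                                    ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32),
                                    ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    return k32


def set_disk_read_only_offline(disk_number):
    """Windows only: open the PhysicalDriveN device, read its attributes, set READ_ONLY|OFFLINE,
    and return (attributes_before, attributes_after) so the change can be verified."""
    GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
    FILE_SHARE_READ, FILE_SHARE_WRITE, OPEN_EXISTING = 0x1, 0x2, 3
    k32 = _kernel32()
    handle = k32.CreateFileW(r"\\.\PhysicalDrive%d" % disk_number, GENERIC_READ | GENERIC_WRITE,
                             FILE_SHARE_READ | FILE_SHARE_WRITE, None, OPEN_EXISTING, 0, None)
    if handle in (None, ctypes.c_void_p(-1).value):  # NULL or INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        def ioctl(code, in_buf, out_len):
            out = ctypes.create_string_buffer(out_len) if out_len else None
            returned = ctypes.c_uint32(0)
            if not k32.DeviceIoControl(handle, code, in_buf, len(in_buf) if in_buf else 0,
                                       out, out_len, ctypes.byref(returned), None):
                raise ctypes.WinError(ctypes.get_last_error())
            return out.raw[:returned.value] if out else b""

        before = parse_get_disk_attributes(ioctl(IOCTL_DISK_GET_DISK_ATTRIBUTES, None, 16))
        wanted = DISK_ATTRIBUTE_READ_ONLY | DISK_ATTRIBUTE_OFFLINE
        ioctl(IOCTL_DISK_SET_DISK_ATTRIBUTES, build_set_disk_attributes(wanted, wanted), 0)
        after = parse_get_disk_attributes(ioctl(IOCTL_DISK_GET_DISK_ATTRIBUTES, None, 16))
        return before, after
    finally:
        k32.CloseHandle(handle)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("DeviceIoControl is Windows-only; the buffer helpers still work here")
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    b, a = set_disk_read_only_offline(n)
    print("PhysicalDrive%d: %s -> %s" % (n, describe_attributes(b), describe_attributes(a)))
```

Run as `python wp_example.py 1` from an elevated prompt to flag PhysicalDrive1; the before/after pair is the self-check Colin asks testers for. Note the limits the thread itself points out: these attributes are honoured by the disk class driver for normal I/O, but anything that runs before the tool (the registry settings cover that window) or that talks below the disk class driver is outside their reach, so test with a hardware write blocker before trusting any build.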

#9 cramsden

cramsden

    Member

  • Members
  • 43 posts
  •  
    United Kingdom

Posted 30 March 2012 - 10:20 PM

Just a quick follow up to my previous post: I have a lite version of WinFE which uses my tool, but it is created from the Windows AIK and NOT WinBuilder. In this version, dynamic disks are not touched and it appears to be totally forensically sound; therefore, this error is something to do with how WinBuilder works or a subsequent script that is executed.

That makes solving the problem somewhat easier.

Colin.

#10 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 31 March 2012 - 07:54 AM

OK, that made it a little clearer. So I then understand it is an application that is to be run after booting has finished, to prevent writes to disk initiated from usermode, and the prevention of writes before the boot completes is handled by those registry entries.

Edit: Am I correct in that the writing of a new disk signature (4 bytes) under certain circumstances is still not preventable?

#11 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 31 March 2012 - 01:12 PM

Edit: Am I correct in that the writing of a new disk signature (4 bytes) under certain circumstances is still not preventable?

Well, no :dubbio:, as the "Registry Trick" should prevent that:
http://www.911cd.net...showtopic=24551

The issues were with Dynamic disks:
http://reboot.pro/15883/

:cheers:
Wonko

#12 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 31 March 2012 - 10:19 PM

Well, no :dubbio:, as the "Registry Trick" should prevent that:
http://www.911cd.net...showtopic=24551

The issues were with Dynamic disks:
http://reboot.pro/15883/

:cheers:
Wonko

I am not convinced that a registry entry can prevent the writing of a new disk signature if it's missing. Will look at it.

#13 cramsden

cramsden

    Member

  • Members
  • 43 posts
  •  
    United Kingdom

Posted 02 April 2012 - 09:41 AM

OK, that made it a little clearer. So I then understand it is an application that is to be run after booting has finished, to prevent writes to disk initiated from usermode, and the prevention of writes before the boot completes is handled by those registry entries.


That is pretty much correct.

As for the disk signature, I have never seen Windows write one, but there again, I've never looked. However, I have tested WinFE against Raptor with Linux and Apple disks, and on these occasions, nothing has changed.

It would be appreciated if someone could zero out the signatures of several disks and let's see if WinFE writes a new signature. Just do not use dynamic disks at the moment as they will change anyway!

Colin.

#14 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 02 April 2012 - 09:57 AM

That is pretty much correct.

As for the disk signature, I have never seen Windows write one, but there again, I've never looked. However, I have tested WinFE against Raptor with Linux and Apple disks, and on these occasions, nothing has changed.

It would be appreciated if someone could zero out the signatures of several disks and let's see if WinFE writes a new signature. Just do not use dynamic disks at the moment as they will change anyway!

Colin.

I did some testing yesterday (not with WinFE, but with the 2 special registry entries), and it seems difficult to prevent Windows from writing this 4 byte signature when it's missing. I was tracing it into the kernel and suspect the relevant code is somewhere within IoCreateDisk (look for references to DeviceObject), but was unable to prevent the writing. But since the circumstances under which this becomes a problem are closer to never, I don't think it is important to solve. After all, who (working in the forensics field) would boot WinFE with a hacked kernel? Probably none.

#15 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 02 April 2012 - 12:08 PM

As for the disk signature, I have never seen Windows write one, but there again, I've never looked.

Rest assured that as soon as a Windows NT EITHER:
  • finds the 4 bytes of the disk signature set as 00 00 00 00
    OR:
  • finds two disks with the SAME disk signature
the disk signature will be written at mount time.

:cheers:
Wonko

#16 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 02 April 2012 - 03:54 PM

Rest assured that as soon as a Windows NT EITHER:

  • finds the 4 bytes of the disk signature set as 00 00 00 00
    OR:
  • finds two disks with the SAME disk signature
the disk signature will be written at mount time.

:cheers:
Wonko


Just a small correction. The disk-signature-writing process is unrelated to any mounting, and will happen regardless of whether any volume on that physical disk is mounted. In the kernel it is referred to as "UniqueDeviceObjectNumber".

Edit: FYI, registry entries under MountedDevices override the magic 2 (SanPolicy and NoAutoMount), so that only disks new to the system are not mounted. But that's fine for WinFE as any WinPE usually doesn't have a writable registry...

#17 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 02 April 2012 - 04:30 PM

Just a small correction. The disk-signature-writing process is unrelated to any mounting, and will happen regardless of whether any volume on that physical disk is mounted. In the kernel it is referred to as "UniqueDeviceObjectNumber".

Yes, my bad :(, the "at mount time" is partially deceiving :ph34r:.
From what I can get, it is when either partmgr or diskmgr (or *whatever* subsystem :w00t:) "connects" to the disk. (You remember the "issues" with mbrbatch/mkimg that uses VDK that does not "connect" at "low enough" level and thus Windows does not write automatically a Disk Signature?):
http://diddy.boot-la...s/signature.htm

:cheers:
Wonko
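Posts #15 and #16 above pin down when Windows writes a fresh 4-byte disk signature (a zeroed signature, or two disks sharing one) and that this happens at disk-arrival time, before any user-mode protection runs. The following added example, not code from this thread or from WProtect, is the pre-boot check an examiner can run against sector 0 of each evidence disk (read through a write blocker) to flag disks that would be altered simply by attaching them to a Windows kernel. The sector images in the block are constructed.

```python
"""Audit MBR disk signatures for the two conditions under which Windows will
write a new one: a zeroed signature, or two disks that share a signature.

Added example for this thread, not WProtect's code. The sector images below are
constructed; on a real system read sector 0 of each disk through a write blocker.
"""
import struct

SECTOR_SIZE = 512
DISK_SIGNATURE_OFFSET = 0x1B8   # 4-byte NT disk signature, little-endian
BOOT_SIGNATURE_OFFSET = 0x1FE   # 0x55 0xAA marks a valid MBR sector


def read_disk_signature(sector0):
    """Return the 32-bit disk signature, or None if sector 0 is not an MBR.
    A GPT disk's protective MBR passes this check too; Windows identifies GPT disks
    by the disk GUID in the GPT header, so treat a GPT signature hit as informational."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector0[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        return None
    return struct.unpack_from("<I", sector0, DISK_SIGNATURE_OFFSET)[0]


def audit_disk_signatures(sectors):
    """sectors: {disk_name: first_sector_bytes}. Returns {disk_name: [findings]}.

    A finding means attaching this disk to a booting Windows kernel is expected to
    alter the signature bytes before any user-mode write-protect tool runs, so the
    disk needs a hardware write blocker (or the signature fixed on a copy) first."""
    signatures = {name: read_disk_signature(sec) for name, sec in sectors.items()}
    report = {}
    for name, sig in signatures.items():
        findings = []
        if sig is None:
            findings.append("no 0x55AA boot marker: sector 0 is not an MBR")
        elif sig == 0:
            findings.append("disk signature is 00000000: Windows will generate and write one")
        else:
            twins = sorted(n for n, s in signatures.items() if n != name and s == sig)
            if twins:
                findings.append("signature %08X duplicates %s: Windows will rewrite one of them"
                                % (sig, ", ".join(twins)))
        report[name] = findings
    return report


def make_mbr(signature):
    """Constructed sample sector 0 with the given signature and a valid boot marker."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, signature)
    sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)


# Constructed test set: one healthy disk, one zeroed, one clone of the first, one blank.
SAMPLE_DISKS = {
    "disk0": make_mbr(0x12345678),
    "disk1": make_mbr(0x00000000),
    "disk2": make_mbr(0x12345678),
    "disk3": bytes(SECTOR_SIZE),
}

if __name__ == "__main__":
    for disk, findings in audit_disk_signatures(SAMPLE_DISKS).items():
        print(disk, "OK" if not findings else "; ".join(findings))
```

The duplicate case is the one most likely to be met in practice: a forensic clone of an evidence disk carries the original's signature, so presenting the clone and the original to the same Windows boot guarantees one of them is rewritten. The zeroed case is what Colin asks testers to try in post #13; this check tells you beforehand which disks will show a change.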

#18 balzanto

balzanto
  • Members
  • 5 posts
  •  
    United States

Posted 26 May 2012 - 03:03 AM

@joakim

Yes, the tool uses DeviceIOControl codes to set disk attributes to read-only/read-write and online/offline, pretty much what a filter driver would do, although this is done at a higher level as I don't know how to write drivers!

The DeviceIOControl codes are used in conjunction with the WinFE registry settings (MountMgr and SanPolicy). These registry settings are used to place the disks into the initial dismounted/read-only modes.

I have discovered that the same error exists that is mentioned in another thread (pre my tool) where dynamic disks are somehow touched, I am working on a fix for this, but I have family commitments at the moment, so it will not be completed for a couple of weeks yet.

Colin


Colin -

Have you made any updates to your application to address this issue? If so, where can it be downloaded?

Thanks,
Tony

#19 cramsden

cramsden

    Member

  • Members
  • 43 posts
  •  
    United Kingdom

Posted 22 July 2012 - 04:02 PM

I've updated my site, www.ramsdens.org.uk, with a new version of the WinBuilder script. It does not prevent the mounting happening, it just adds a splash screen during boot to warn users not to mess about with certain applications.

I'm going to attempt to work on a filter driver, which should be the best solution available; however, it's a complicated subject and I'm rather busy writing a thesis at the moment, so it's on the back burner.

Colin.

#20 cramsden

cramsden

    Member

  • Members
  • 43 posts
  •  
    United Kingdom

Posted 24 July 2012 - 10:33 PM

I’ve just released WProtect version 1.0.0.154 (available on www.ramsdens.org.uk), which as far as I am concerned is no longer a Release Candidate, but the final version (less any new bug fixes or code optimisations).

I actually think that WinFE is the best free Forensic Boot CD that is available, I used it in anger (V1.0.0.151) for the first time today, the Ubuntu based Raptor disk would not work on a particular Acer machine where the drive appeared to be somehow locked to the machine (did not even register with the Tableau T35i when removed). WinFE along with FTK Imager Lite imaged the drive in the host machine flawlessly.

The latest update includes some suggestions from forum member ‘EM’ (a.k.a Boot_Monkey) which include a slightly longer forced delay between disk actions, a text change to the ‘close’ button (now ‘continue’) during the initial run and ‘greyed out’ buttons when the application is busy dealing with disks.

It’s been a long and sometimes hard project, which has involved loads of code being written and binaries that have had to be reverse engineered (over 2 years since inception). There have been many hurdles encountered and overcome along the journey, the main of which was the initial patching of the VDS.EXE binary, which did not prove too popular with Microsoft and pretty much left WinFE dead in the water until some new API calls were exposed.

Anyway, we got here in the end. I would like to take this opportunity to thank the following individuals for their support, both past and present:

Troy Larson (Microsoft) for his assistance with the initial registry settings, which are still used for the initial write protection, without these, the disks would be touched before my tool got the chance to execute.

Brett Shavers for being the driving force behind WinFE, Brett has taken time out of his very busy schedule and strived to promote WinFE and keep it in the public eye through his presentations, user guides, testing and the WinFE web site on WordPress.

Karl Morton, a very good friend of mine who is an exceptionally talented individual, in fact he was one of the lead programmers on the Team17 game ‘Worms’. Karl was responsible for writing the initial backend code in the form of a DLL which was his own rendition of Diskpart, a brilliant tool; however, this eventually became defunct due to the VDS.EXE patch issue. Nevertheless, Karl has still been a great contributor by helping me with converting undocumented C++ code to assembly language. Karl is also responsible for attempting to write the filter driver which I hope will eventually replace my WProtect tool, I will still code the front end though.

There has been other help along the way from people such as Royal Mayer and Nuno Brito, who initially helped me with adding my application binaries to the WinBuilder script language.

So all that I have left to say is hats off to the guys that I have mentioned and anyone else that has contributed along the way.

Thanks,

Colin.

Edited by cramsden, 24 July 2012 - 10:40 PM.

#21 Guest_Boot_Monkey_*

Guest_Boot_Monkey_*
  • Guests

Posted 24 July 2012 - 10:40 PM

Rock on Colin,

Great work.

#22 RoyM

RoyM

    Frequent Member

  • .script developer
  • 420 posts
  • Interests:"Booting and Owning".
  •  
    United States

Posted 25 July 2012 - 05:59 AM

Great Work Colin.
Thanks for the praises.

Glad it has all come to fruition for you with some hard work and dedication.
It sounds like it might be time for a well deserved vacation.
I am honored to have been involved with this project.

Does the new version of WProtect version 1.0.0.154 also address the
Dynamic disk issue, or was that issue squashed by using WinFE Lite?

Any insight that you can provide as to why the WinFE Lite version
and the Winbuilder version differ in that area and if it may
be fixed for the Winbuilder version would be much appreciated.

Thanks RoyM

#23 cramsden

cramsden

    Member

  • Members
  • 43 posts
  •  
    United Kingdom

Posted 25 July 2012 - 06:21 PM

Hi Roy,

Yes the Dynamic disk issue is resolved as far as I am aware!

Thanks,

Colin.

#24 tango6

tango6
  • Members
  • 8 posts
  •  
    United States

Posted 12 August 2012 - 03:21 PM

Just to be clear, when building WinFE with this site's WinBuilder and using cramsden’s script, it will produce a WinFE that will no longer write to the drives if I mount them for other programs to see. I ask because building using WAIK can be... challenging and I'm not sure it will support .NET, which I need on WinFE.

Edited by tango6, 12 August 2012 - 03:28 PM.


#25 cramsden

cramsden

    Member

  • Members
  • 43 posts
  •  
    United Kingdom

Posted 13 August 2012 - 08:01 AM

Just to be clear, when building WinFE with this site's WinBuilder and using cramsden’s script, it will produce a WinFE that will no longer write to the drives if I mount them for other programs to see. I ask because building using WAIK can be... challenging and I'm not sure it will support .NET, which I need on WinFE.


WinFE will NOT write to any disks (You should test and validate this!).

Mounting a drive in READ-ONLY mode will prevent normal applications from writing to the disks, however, if you use system tools such as Disk Manager or low level sector editing tools, you MAY change data.

Edited by cramsden, 13 August 2012 - 08:05 AM.