Is there a PE addon to make a HDD read only


20 replies to this topic

#1 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 29 November 2009 - 04:02 PM

Is there a PE addon that prevents any writes to the HDDs when I boot from PE?

:thumbup:

#2 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 29 November 2009 - 04:11 PM

Is there a PE addon that prevents any writes to the HDDs when I boot from PE?

:thumbup:

NO.

Not Freeware and not for PE specifically but:

http://www.cftt.nist...write_block.htm
http://www.forensics.../Write_Blockers

Freeware USB write blockers do exist, cannot say whether they work or can work in a PE :thumbup::
http://dsionline.biz..._writeblock.htm
http://www.gaijin.at/dlusbwp.php
http://www.m2cfg.com/downloads.htm

jaclaz

#3 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 29 November 2009 - 04:33 PM

:thumbup: I have one freeware write blocker. But it's for DOS, the one OS which does not need one, as it does only what the user tells it.

Would have expected a free software solution for NT as NT and upwards are notorious for writing to everything within grasp, without asking.

:thumbup:

#4 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 29 November 2009 - 05:55 PM

Thinking about it, I do not understand that no free solution for XP+ exists.
Wouldn't a write blocker be like an overlay driver (ewf / fbwf) with a NUL device for the writes?

:thumbup:

#5 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 29 November 2009 - 06:07 PM

Thinking about it, I do not understand that no free solution for XP+ exists.
Wouldn't a write blocker be like an overlay driver (ewf / fbwf) with a NUL device for the writes?

:thumbup:


Sure :thumbup:, it sounds really easy as you describe it, why don't you write one since you are a programmer? :)

BTW, while you are at it, you could also write an EWF freeware replacement.

These guys must be really, really smart:
http://www.forensics...log/product.php
to be able to sell (most probably at a very, very dear price :)) this kind of app to the forensic community (please read as "people who usually write their own tools, and usually really know how an OS works") ;)

Maybe the "forensic guys" are "scared" by articles like this:
http://www.mykeytech...Blocking2-4.pdf


:rofl:

jaclaz

#6 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 29 November 2009 - 06:26 PM

Do I look like I work for a law enforcement agency? Do you think I need software that's certified for use in the court of law?
I want simply a little something to stop XP littering on all connected drives. For USB a simple change in the registry does it.

BTW, while you are at it, you could also write an EWF freeware replacement.

jaclaz, you know my point of view in this regard, so I bet you can guess what I will do instead. ;)

:thumbup:

#7 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 29 November 2009 - 06:40 PM

I want simply a little something to stop XP littering on all connected drives. For USB a simple change in the registry does it.

Then it sounds even easier, and even less appear the reason why you cannot do it yourself and share the result, since you find it so easy.

The request for a freeware EWF still stands, however.

:thumbup:

jaclaz

#8 sanbarrow

sanbarrow

    Silver Member

  • Developer
  • 788 posts
  • Location:Germany - Sauerland

Posted 29 November 2009 - 07:39 PM

I tried Safe Block XP on PE - it works but IMHO it makes no sense as you need to reboot to activate the block after assigning it to a special disk.
So it hardly is usable unless you always use the same host

medevil - if you use 2k3 sources you can tell the PE not to mount any local disks at boot - maybe that helps

#9 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 29 November 2009 - 07:58 PM

Thanks sanbarrow.

:thumbup:

#10 bshavers

bshavers

    Frequent Member

  • Developer
  • 140 posts
  •  
    United States

Posted 14 September 2010 - 11:01 PM

There are two registry modifications you can make to the PE (SYSTEM) registry that will render the drives unmounted. In a batch file, the following commands will make the changes.

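rem Load the mounted image's SYSTEM hive under a temporary key (the name WinFE is arbitrary)
reg load HKLM\WinFE C:\WinFE\mount\Windows\System32\config\SYSTEM
reg add HKLM\WinFE\ControlSet001\Services\MountMgr /v NoAutoMount /t REG_DWORD /d 1 /f
reg add HKLM\WinFE\ControlSet001\Services\partmgr\Parameters /v SanPolicy /t REG_DWORD /d 3 /f
reg unload HKLM\WinFE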

The drives can be toggled online/offline and readonly/readwrite through DiskPart in a command shell.

Also, removing the bootfix file to prevent the option to boot to CD helps make the disc more forensic friendly. Before I try to learn how to script with WinBuilder (I'm new to WinBuilder), can someone tell me an easy way to modify the registry with these two changes and to remove the bootfix file during the build?

There is a website, www.winfe.wordpress.com that focuses on the forensic version of a bootable PE, but in a more manual effort (and fewer bells and whistles as compared to WinBuilder).

Brett
bshavers@gmail.com
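
As an added example (not part of the post above and not WinFE's own code): a batch file for the booted PE that first confirms the two values from the post are in effect and only then brings one disk online read-only through DiskPart. It assumes the running PE exposes ControlSet001 as CurrentControlSet, that reg.exe, findstr and diskpart are present in the image, and that the read-only attribute can be set while the disk is still offline; the temp-file name is made up.

```batch
@echo off
rem Added example: verify the no-automount policy, then online one disk read-only.
rem Usage: <this script> <disk number as listed by "list disk" in DiskPart>
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<disk number^>
    exit /b 2
)
set "DISK=%~1"
rem Assumption: in the booted PE, ControlSet001 is the current control set.
set "SVC=HKLM\SYSTEM\CurrentControlSet\Services"

call :check "%SVC%\MountMgr" NoAutoMount 0x1 || exit /b 1
call :check "%SVC%\partmgr\Parameters" SanPolicy 0x3 || exit /b 1

rem Build a DiskPart script: set the read-only attribute while the disk is
rem still offline, bring it online, then print the resulting attributes.
set "DPS=%TEMP%\fe-online-%DISK%.txt"
(
    echo select disk %DISK%
    echo attributes disk set readonly
    echo online disk
    echo attributes disk
) > "%DPS%"
diskpart /s "%DPS%"
set "RC=%ERRORLEVEL%"
del "%DPS%"
exit /b %RC%

:check
rem %1 = registry key, %2 = value name, %3 = expected data as reg.exe prints it
reg query "%~1" /v %2 2>nul | findstr /i /r /c:"REG_DWORD  *%3$" >nul
if errorlevel 1 (
    echo [FAIL] %~1\%2 is not %3 - refusing to touch any disk.
    exit /b 1
)
echo [ OK ] %~1\%2 = %3
exit /b 0
```

The final `attributes disk` output is the thing to record in case notes: it shows whether the read-only flag is actually set on the selected disk after it came online.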

#11 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 15 September 2010 - 05:33 PM

Nice to see that someone takes seriously forensic sound builds. :hyper:

Though completely UNLIKE readable, the Winbuilder .script are very similar to good ol' batches, and Winbuilder itself, in a previous incarnation, was called "batcher".

You should have no problems in creating a small .script to add those two Registry keys (or add them to an existing .script).

You can get the Winbuilder help:
http://www.paraglide...Links/links.htm
http://www.paraglide...lp/default.html

and also as a file:
http://www.paraglide.../winbuilder.chm

You want to use the regadd command:
http://www.paraglide...pi/Reg_Add.html
or the Reg_import thingy (easier):
http://www.paraglide...Reg_Import.html
or directly using the Reg2WBSprg.exe:
http://www.boot-land...?...=5049&st=21

About bootfix.bin, you have two choices:
  • find which "standard" Winbuilder .script uses/needs it and remove the reference from it
  • create a "post processing" .script that removes it afterwards

The command you want to use is probably FileDelete:
http://www.paraglide...html#FileDelete

What is missing from your post is the mention of WHICH actual Winbuilder project are you using as "base", I presume LiveXP, but it could be several other ones. :)

A "post-processing" .script containing both the registry fixes and the deletion of bootfix.bin is more advisable as it could be compatible to several different projects.


:)
Wonko

#12 bshavers

bshavers

    Frequent Member

  • Developer
  • 140 posts
  •  
    United States

Posted 17 September 2010 - 02:01 AM

Thanks for the response. I'm trying several different builder projects as I configure WinBuilder to add a forensic development to the build. I'll take your tips in hand and get to work! My goal is to take the manual efforts of building a Windows Forensic Environment CD into a more automated effort. Although the 2 registry changes and removal of the bootfix file are minor changes, it makes a dramatic change in the use of using PE as "FE" (forensic environment). This idea is from Troy Larson of Microsoft, to be a forensically sound Windows boot environment, at no cost as compared to commercial versions of the same.

#13 sanbarrow

sanbarrow

    Silver Member

  • Developer
  • 788 posts
  • Location:Germany - Sauerland

Posted 17 September 2010 - 02:27 AM

@ bshavers

I am also very interested in PE used for forensic investigations.
If you are interested in a tool that creates a 2k3 based PE and asks this during creation

Posted Image

have a look here : http://sanbarrow.com...opic.php?t=1544

In case you are a forensic investigator I would also like to know if this approach to use a PE and mount disks readonly by taking a snapshot first can be used in any way.

Here is a video that shows what I mean
http://sanbarrow.com...s-if-stunt.html

Ulli

#14 bshavers

bshavers

    Frequent Member

  • Developer
  • 140 posts
  •  
    United States

Posted 17 September 2010 - 02:42 AM

That is very neat and I see applications for forensic work with it. Here is a question before I start trying it: with the forensic modification of PE (simply called WinFE), the hard drives are set to readonly on boot, and offline. Won't VMware need to see the hard drive online or can it access the physical level of the hard drive rather than just logical? Also, could VirtualBox be used instead of VMware? VMware is a resource hog whereas VirtualBox seems to run at better speeds, especially since the RAM in some machines may not be that much (as in machines examined in forensic cases).

I'm giving a presentation at SecureWorldExpo next month in Seattle on WinFE/Windows FE and this would be a neat snippet to show as a possibility to work with.

#15 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 17 September 2010 - 07:42 AM

I'm giving a presentation at SecureWorldExpo next month in Seattle on WinFE/Windows FE and this would be a neat snippet to show as a possibility to work with.


A word of advice, if I may. ;)

Double check you have actually a forensic MOA for the presentation AND NOT the Wowbagger PE! ;):
http://www.boot-land...?showtopic=8062

We have already seen Windows related presentations become embarrassing for the actual speaker.....:hyper:

;)

;)
Wonko

#16 sanbarrow

sanbarrow

    Silver Member

  • Developer
  • 788 posts
  • Location:Germany - Sauerland

Posted 17 September 2010 - 09:37 AM

Also, could VirtualBox be used instead of VMware? VMware is a resource hog whereas VirtualBox seems to run at better speeds ...


Yes - you can use both.
I prefer VMware and from PE I think it is faster than VirtualBox - at least that is my experience after having used both extensively.

Actually with VMware you have better control about the resources used - that is important in LiveCD usage as you probably have no pagefile available.

We have already seen Windows related presentations become embarrassing for the actual speaker.....


LOL - that's a good way to get booooed off stage - presenting the Wowbagger PE when the audience expects a forensic one :hyper:

#17 bshavers

bshavers

    Frequent Member

  • Developer
  • 140 posts
  •  
    United States

Posted 17 September 2010 - 03:54 PM

When I say "snippet" of showing something, it's like a screenshot of a possibility for forensic use. In the forensic realm, everyone has to check, doublecheck, and confirm their own work, not relying upon another person's work. There is a use for booting the (virtual) system in this manner, although probably not common, I do see where it can be a benefit.

#18 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 25 August 2011 - 12:04 PM

Maybe someone could test / see what this:
WRITEPROT
http://www.joeware.n...eprot/index.htm
http://www.joeware.n...eprot/usage.htm
does and see if it can be replicated/works in a PE. :unsure:

:cheers:
Wonko

#19 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 25 August 2011 - 07:57 PM

Writeprot works fine in my Win7PESE. Keeps volume also write protected when user is switched.

:cheers:


edit:
Program is not as good as I first thought or better than I thought depending on your definition.
The program does not stop Windows/PE from writing to the volume. It does something to the volume that keeps Windows/PE from writing to it.

Just write protected the system drive C: from PE. Now I can't boot the installed Windows anymore. Need first to undo the write protect.

So I go out on a limb and say, not suitable for forensics.

#20 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 25 August 2011 - 08:21 PM

Hmm, one strange write protection this turns out to be.

Apparently Windows can write to the volume at first, but then later decides not to anymore.

The Windows on C: could not boot up anymore and WriteProt showed the drive still write protected, yet somehow the installed Windows remembered that the last boot attempts failed and offered me safe boot options upon start.

:cheers:

#21 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 26 August 2011 - 10:11 AM

I don't seem like having posted ANY "definition" of it.
This may be of help:
http://www.mail-arch...g/msg19282.html
to understand HOW it works and WHAT it does.
It must be some IOCTL in ntdddisk.h :dubbio:
http://www.ioctls.net/

:cheers:
Wonko



