When Mini-WinFE is booted, either DiskMgr.exe or wprotect.exe will be automatically launched before any other programs. Both of these tools can be used to check the current status of any disks attached to the system, and can also be used to change disk attributes in order to ensure that any evidence disks are set as Read Only and Offline to reduce the risk of evidence contamination.
Screenshot of DiskMgr.exe running in WinFE 10.0.14393 (the program was launched automatically via winpeshl.ini during the boot process) -
Screenshots of wprotect.exe running in WinFE 10.0.14393 (the program was launched automatically via winpeshl.ini during the boot process). Press the OK button on the warning screen to run the program -
After ensuring that the disk attributes are set as required, close DiskMgr.exe / wprotect.exe to continue using Mini-WinFE.
Mini-WinFE uses the BlackBox Lean shell. To select a menu option, right-click anywhere on the desktop or alternatively press the Windows key. This will display a menu similar to the following -
Select the LaunchBar option to start LaunchBar - a dock style menu system.
Screenshot of LaunchBar running in MistyPE -
The majority of the programs and utilities supported in Mini-WinFE are accessible via the FORENSIC TOOLS and Programs menu options -
The BlackBox Lean shell also supports keyboard shortcuts. Mini-WinFE supports the following shortcuts at the time of writing -
WinFE registry settings are automatically applied in Mini-WinFE - the project does allow the SAN Policy settings to be set to either 3 or 4. SAN Policy 4 settings were introduced with the release of Windows 8 (WinFE 4.0).
Please be aware that there are some reports of internal disks not being write protected if SAN Policy 4 settings are used. If using Mini-WinFE there is no reason to set the SAN Policy as 4 as either the DiskMgr.exe or wprotect.exe tools can be used to manually change disk attributes as required - for example setting USB attached storage as Read-Write and Online so that evidence can be captured/saved. SAN Policy 3 has been set in the screenshots below.
WinFE builds based on versions of Windows earlier than build 6.2.9200 do not apply the same level of write protection as more recent versions of Windows. The following screenshot shows DiskMgr.exe running in WinFE 3.1 (build 6.1.7601, Windows 7 SP1 source). The program was launched automatically via winpeshl.ini during the boot process -
As displayed in the screenshot above, the disk attributes are set as Online and Read-Write. Whilst it is possible to use DiskMgr (or wprotect.exe) to change the attributes of any evidence disks to Offline and Read-Only at this stage, the write protection will obviously not have been applied earlier in the boot process. In tests this resulted in a disk signature being written at offset 0x1B8 on any disks not already containing a disk signature. In the unlikely event of two disks on the same system containing the same disk signature, one would presumably automatically be changed to avoid a collision.
All Windows NT Operating Systems will automatically write a unique disk signature at offset 0x1B8 - this is a well-documented feature of these Operating Systems. If an evidence disk has at some point been attached to a running Windows NT system then it is likely to already contain a disk signature at offset 0x1B8 - the only exception being if the disk signature has since been overwritten. Provided that an evidence disk is set as Offline and Read-Only using either DiskMgr or wprotect.exe before any other actions are performed, write protection will be applied and the only exception might be the writing of a disk signature earlier in the boot process.
In summary, the WinFE registry settings set volume attributes as Offline in builds pre-dating 6.2.9200 and have no effect on disk attributes. Whilst it is possible to manually set disk attributes as Offline and Read-Only using either DiskMgr or wprotect.exe, the registry settings do not apply these settings.
As displayed in the screenshots in the DiskMgr/wprotect Overview section of this page, WinFE 10.0.14393 applies write protection early in the boot process - before any programs are launched via winpeshl.ini. In the tests carried out by the author, all Windows versions since build 6.2.9200 (Windows 8) appear to provide robust write protection. This write protection is applied early enough in the boot process that a disk signature is not written to any disks that do not already have a signature at offset 0x1B8.
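The disk signature behaviour described above can be checked as part of validating a build. The following is an added example, not part of the Mini-WinFE project or the author's tooling: it reads the 32-bit NT disk signature stored little-endian at offset 0x1B8 of sector 0, and compares two captures of sector 0 (one taken with a hardware write blocker before a WinFE boot, one taken afterwards) to report whether any byte changed and, specifically, whether a signature was written where none existed. The `build_sample_mbr` helper and the `read_sector0` path argument are assumptions made for the example; the sample MBR bytes are constructed rather than captured from a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
SIG_OFFSET = 0x1B8           # 4-byte NT disk signature lives at 0x1B8..0x1BB
BOOT_MAGIC_OFFSET = 0x1FE    # 0x55AA end-of-sector marker


def disk_signature(sector0: bytes) -> int:
    """Return the 32-bit NT disk signature stored little-endian at 0x1B8."""
    if len(sector0) < MBR_SIZE:
        raise ValueError("sector 0 capture must be at least 512 bytes")
    return struct.unpack_from("<I", sector0, SIG_OFFSET)[0]


def has_disk_signature(sector0: bytes) -> bool:
    """A zero signature is treated as 'no signature present'."""
    return disk_signature(sector0) != 0


def compare_sector0(before: bytes, after: bytes) -> dict:
    """Compare two sector-0 captures of the same disk taken before and after a
    WinFE boot. Any changed byte means the boot wrote to the disk; a change in
    the 0x1B8 region on a disk that had no signature is the case discussed in
    the text (a signature being assigned during boot)."""
    if len(before) < MBR_SIZE or len(after) < MBR_SIZE:
        raise ValueError("both captures must be at least 512 bytes")
    changed = [i for i in range(MBR_SIZE) if before[i] != after[i]]
    sig_region = range(SIG_OFFSET, SIG_OFFSET + 4)
    return {
        "sha256_before": hashlib.sha256(before[:MBR_SIZE]).hexdigest(),
        "sha256_after": hashlib.sha256(after[:MBR_SIZE]).hexdigest(),
        "changed_offsets": changed,
        "signature_region_changed": any(i in sig_region for i in changed),
        "signature_written": (not has_disk_signature(before))
                             and has_disk_signature(after),
        "write_blocked": not changed,
    }


def build_sample_mbr(signature: int) -> bytes:
    """Constructed sample: an otherwise blank MBR with the given disk signature
    and the 0x55AA marker. Used here so the example runs without a real disk."""
    buf = bytearray(MBR_SIZE)
    struct.pack_into("<I", buf, SIG_OFFSET, signature)
    buf[BOOT_MAGIC_OFFSET:BOOT_MAGIC_OFFSET + 2] = b"\x55\xAA"
    return bytes(buf)


def read_sector0(path: str) -> bytes:
    """Read sector 0 from a raw image or block device (path is an assumption;
    on Windows a physical drive is opened as \\\\.\\PhysicalDriveN)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


if __name__ == "__main__":
    # Constructed scenario: a disk with no signature, then the same disk after a
    # boot that assigned one (the pre-6.2.9200 behaviour described in the text).
    blank = build_sample_mbr(0)
    signed = build_sample_mbr(0x1A2B3C4D)
    report = compare_sector0(blank, signed)
    print(f"signature after boot: 0x{disk_signature(signed):08X}")
    print(f"changed offsets: {[hex(i) for i in report['changed_offsets']]}")
    print(f"signature written during boot: {report['signature_written']}")
    # Same capture twice: what a correctly write-blocked boot should produce.
    print(f"write blocked: {compare_sector0(blank, blank)['write_blocked']}")
```

In practice the "before" capture is taken through a hardware write blocker, the "after" capture is taken the same way once the WinFE session has ended, and the two files are passed to `compare_sector0` via `read_sector0`. An empty `changed_offsets` list is the result expected from a build that applies write protection early enough; a change confined to 0x1B8..0x1BB on a disk that previously had no signature matches the behaviour the text reports for pre-6.2.9200 builds.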
Significant effort has been taken to ensure that Mini-WinFE can be safely used as a software write blocker. Please be aware that it may be possible to bypass write protection with some tools - care should therefore be taken.
Please ensure that you validate your Mini-WinFE build and tools.
Document date - 27th April 2017