Using a similar approach I used in this post and an example Brett Shavers provided in class, I used the following steps:

1) Repeating the same process, but booting to CAINE 13, the hex representation of the data on the blank disk does not include a disk signature at offset 0x1B8 to 0x1BB. This is consistent with Misty’s observation for the disk signature check on a “blank/empty disk image with all bytes set as 00.”

Using X-Ways Forensics installed with Mini-WinFE, a Windows disk signature is, indeed, observed at offset 0x1B8 to 0x1BB.

However, because it is a blank disk (non-Windows) connecting to a Windows OS, I expect a disk signature will be written to the disk.

iso (built with PEBakery) as the booting medium, Mini-WinFE will start up with DiskMgr (if selected in PEBakery or WinBuilder) and place the virtual disk Offline, Read-Only.

The test I pursued resembles Misty’s Disk 1 disk signature check methodology. I used Misty’s Mini-WinFE to boot to a virtual machine environment with a new, blank, virtual disk created with VMware Workstation 16 Pro (v.

Connecting a non-Windows drive to a Windows OS, Disk Signature

It will also better inform my observations as I validate that a WinFE build write protects an evidence drive. While DiskMgr or Protect.exe negates the need to use DiskPart exclusively to manage write protection in either Misty’s and Colin Ramsden’s WinFE builds, I wanted to observe these conditions to facilitate a deeper understanding of how disk toggling may, or will, write to a drive using DiskPart.

Shavers cites a comment by Troy Larson, creator of WinFE, that further explains that this “is well documented behavior of Windows, and, as such, is predictable.”

To elaborate when WinFE will or may write to a drive:

WinFE will write to a drive when placing a VOLUME in READONLY.

WinFE may write a disk signature when connecting a non-Windows drive.
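The disk signature check described above can be scripted. The following Python is an added example, not code from the original post or from any WinFE build: it compares two captures of a disk's first sector, reports whether the four bytes at 0x1B8 to 0x1BB changed, and lists any other offsets that were written. The function names, the sample sectors and the signature value 0x1A2B3C4D are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
SIG_START, SIG_END = 0x1B8, 0x1BC  # disk signature occupies 0x1B8..0x1BB

def read_sector0(path: str) -> bytes:
    """Read the first sector from a raw image or device path."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)

def read_disk_signature(sector0: bytes) -> int:
    """Return the disk signature as a 32-bit little-endian value."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need the full first sector (512 bytes)")
    return struct.unpack_from("<I", sector0, SIG_START)[0]

def changed_offsets(before: bytes, after: bytes) -> list[int]:
    """Offsets whose byte value differs between the two captures."""
    if len(before) != len(after):
        raise ValueError("captures must be the same length")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

def assess(before: bytes, after: bytes) -> dict:
    """Summarise what changed between two sector-0 captures."""
    diffs = changed_offsets(before, after)
    in_sig = [i for i in diffs if SIG_START <= i < SIG_END]
    return {
        "sha256_before": hashlib.sha256(before).hexdigest(),
        "sha256_after": hashlib.sha256(after).hexdigest(),
        "signature_before": read_disk_signature(before),
        "signature_after": read_disk_signature(after),
        "signature_written": bool(in_sig),
        "writes_outside_signature": [i for i in diffs if i not in in_sig],
    }

# Constructed sample data: a blank sector 0 (all bytes 00) and the same
# sector after a made-up signature value was written at 0x1B8.
BLANK = bytes(SECTOR_SIZE)
_buf = bytearray(BLANK)
struct.pack_into("<I", _buf, SIG_START, 0x1A2B3C4D)
SIGNED = bytes(_buf)

if __name__ == "__main__":
    for label, after in (("unchanged", BLANK), ("signature written", SIGNED)):
        r = assess(BLANK, after)
        print(f"{label}: 0x{r['signature_before']:08X} -> "
              f"0x{r['signature_after']:08X}, "
              f"other writes: {r['writes_outside_signature']}")
```

For a real validation, pass the output of `read_sector0()` for the image captured before and after booting the forensic environment to `assess()`.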
In Windows Forensic Environment and Shavers’ WinFE course, he notes there are well-documented conditions in which disk toggling in WinFE: