Topic: Phantom drives appearing when booting as WinFE(Forensic)

Phantom drives appearing when booting as WinFE(Forensic)
« on: September 13, 2017, 06:48:53 AM »

chatdean

  • Jr. Chef
  • **
  • Date Registered: Mar 2014
  • Posts: 18
I keep getting four phantom drives appearing when I make a build using the WP.SCRIPT (Write Protect) that makes the build forensically sound. The phantom drives are always V, W, Y, and Z (X is the normal build drive). The drives match the size of my boot USB thumb drive, but have question marks next to them until I mount the boot USB thumb drive. Then they all mirror the actual USB thumb drive contents. Any thoughts or suggestions?

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #1 on: September 13, 2017, 09:08:54 AM »

bob.omb

  • Chef
  • ***
  • Location: USA
  • Date Registered: Jul 2017
  • Posts: 159
I'm just one of your peers here to learn, but two heads are better than one. Which shell are you using? Which build of Win10? Did this work on a previous PE for you? (If so, I assume the same settings were used?) Are you using the CD Drive X: Y:.script? I'd love to help you figure this out if possible, but I need more input =) Which -other- scripts are you using?
« Last Edit: September 13, 2017, 09:11:22 AM by bob.omb »

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #2 on: September 13, 2017, 11:39:27 AM »

chatdean

Everything works fine with W8.1 builds. Using all same settings in 10. Using latest W10 Pro ISO.

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #3 on: September 13, 2017, 01:20:53 PM »

bob.omb

  • Chef
  • ***
  • Location: USA
  • Date Registered: Jul 2017
  • Posts: 159
What does it say in the registry when you see the phantom drives at the below location?

HKLM\SYSTEM\MountedDevices

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #4 on: September 14, 2017, 02:37:15 AM »

chatdean

It just lists the X: drive as \DosDevices\X:

Like I said, phantoms!  :smile:

Even after I mount the internal drive and the boot USB drive, the registry only lists the actual drives, not the phantom drives.

However, in Explorer all of the phantom drives mirror the boot USB drive in contents, name, size, and status (RO or RW). If I copy a file to the boot USB drive (G: in my case), all of the phantom drives update at the same time with the same data. The same thing happens when I copy or delete a file from a phantom drive: the boot USB (G:) and all phantom drives match the action.

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #5 on: September 15, 2017, 05:56:54 AM »

chatdean

Update more testing:

- I created a W10PE USB thumb drive and booted my test system. As expected, everything normal, no phantom drives.
- I applied the two registry edits manually:
--Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr\Parameters, SanPolicy = 0x00000003
--Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mountmgr, NoAutoMount = 0x00000001
- I unmounted both the internal HD and the USB Boot W10PE drive.
- When I opened Explorer, the phantom drives appeared.
- When I remounted the W10PE USB Thumb drive, the phantom drives mirrored the USB drive again!

This is definitely a wp.script issue that is far above my abilities to decode. Any help would be greatly appreciated!
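The two registry edits listed in this post, applied to an offline WinPE image at build time, as an added example (this is not wp.script and not a Win10PESE plugin). It assumes boot.wim is already mounted at C:\PEMount (dism /mount-wim or Mount-WindowsImage), that the script runs elevated, and that PE_SYSTEM is just a temporary hive load point; the values and their meaning are the ones the post names.

```powershell
# Added example, not wp.script and not a Win10PESE plugin: write the two WinFE values
# into the offline SYSTEM hive of a mounted WinPE image and read them back.
# Assumptions: boot.wim is mounted at $MountDir, we run elevated, and 'PE_SYSTEM'
# is an arbitrary temporary load point name.
param([string]$MountDir = 'C:\PEMount')

$Hive = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
$Load = 'HKLM\PE_SYSTEM'

& reg.exe load $Load $Hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $Hive (is the image mounted and are we elevated?)" }
try {
    # An offline hive has no CurrentControlSet link; Select\Current names the
    # ControlSetNNN that becomes current at boot (normally 1 in a PE image).
    $sel  = & reg.exe query "$Load\Select" /v Current
    $line = $sel | Where-Object { $_ -match 'REG_DWORD' } | Select-Object -First 1
    $n    = [int](($line -split '\s+')[-1])        # e.g. '0x1' -> 1
    $cs   = 'ControlSet{0:D3}' -f $n

    # SanPolicy 3 = OfflineAll: partmgr leaves every disk it discovers offline, so
    # no volume on it is mounted and no file system on it is touched at boot.
    & reg.exe add "$Load\$cs\Services\partmgr\Parameters" /v SanPolicy   /t REG_DWORD /d 3 /f | Out-Null
    # NoAutoMount 1: mountmgr stops handing out drive letters to newly arriving volumes.
    & reg.exe add "$Load\$cs\Services\mountmgr"            /v NoAutoMount /t REG_DWORD /d 1 /f | Out-Null

    # Read both back: the build log should record what was written, not what was intended.
    & reg.exe query "$Load\$cs\Services\partmgr\Parameters" /v SanPolicy
    & reg.exe query "$Load\$cs\Services\mountmgr"            /v NoAutoMount
}
finally {
    & reg.exe unload $Load | Out-Null
}
```

The read-back at the end is the part worth keeping: a build that silently fails one of the two writes still boots, and the only way to notice before it touches an evidence disk is to compare the hive against what the script was supposed to write.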

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #6 on: September 16, 2017, 03:40:15 AM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7371
Quote from: chatdean
This is definitely a wp.script issue that is far above my abilities to decode. Any help would be greatly appreciated!

There is no wp.script plugin on our servers or in our project.

We do not have a project with the name W10PE or WinFE.


**
On Win10PESE and all other SE projects

the Finals\'Optimization' plugin has an option with the name:

"Don't mount local harddrives"

-->
Nothing "forensic": you simply do not mount local hard drives, to avoid the possibility of Windows writing to the hard disk,
 and inspect the hard disk with related tools.
  It is one of the reasons for using PE since BartPE.


You can test this option and report things if you like.

:turtle:
« Last Edit: September 16, 2017, 03:47:03 AM by Lancelot »

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #7 on: September 16, 2017, 05:17:50 AM »

bob.omb

I would still like to try. Can you attach the wp.script?
« Last Edit: September 16, 2017, 05:19:39 AM by bob.omb »

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #8 on: September 18, 2017, 05:02:09 AM »

chatdean

I have tried the option you suggest, but I still get the phantom drives.

I have worked with ChrisR on this issue back under W7 and W8. I've attached the wp.script for your review.

The WP Scripts.7z file contains two versions, the original version is wp.script. The version that was modified by ChrisR is WP2.script

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #9 on: September 19, 2017, 05:16:42 AM »

chatdean

Quote from: Lancelot
On Win10PESE and all other SE projects

the Finals\'Optimization' plugin has an option with the name:

"Don't mount local harddrives"


I looked at the script text and that option is using the same two registry mods that the WP.SCRIPT uses. Explains why I'm getting the same results.

I need to use the script as it puts a WP Tool on the desktop that allows the unmounted drives to be mounted as read only. That way the drive can be triaged without altering the contents.
« Last Edit: September 19, 2017, 05:18:15 AM by chatdean »

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #10 on: September 19, 2017, 08:57:31 AM »

Lancelot

Quote from: chatdean
Quote from: Lancelot
On Win10PESE and all other SE projects

the Finals\'Optimization' plugin has an option with the name:

"Don't mount local harddrives"

I looked at the script text and that option is using the same two registry mods that the WP.SCRIPT uses. Explains why I'm getting the same results.

I need to use the script as it puts a WP Tool on the desktop that allows the unmounted drives to be mounted as read only. That way the drive can be triaged without altering the contents.

Create a plugin with
Utils\PC Packed
using the WProtect.exe attached to the old wp scripts.

This will give you the option to put a shortcut on the desktop,
and side by side with
Finals\'Optimization'  "Don't mount local harddrives"
you may get the thing you are after.


***
Or you can check the internet for tools to mount drives as read only.

Still the same road:
Utils\PC Packed
and
Finals\'Optimization'  "Don't mount local harddrives"


***
Or,
with
Finals\'Optimization'  "Don't mount local harddrives",
use diskpart to mount drives as read only
(check google - diskpart mount drive as read only)

:turtle:
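Lancelot's third route (diskpart) carried through, as an added example rather than code from the thread or from the WProtect tool. It assumes a PE built with SanPolicy=3 and NoAutoMount=1, so the evidence disk arrives offline and without a letter; the disk and volume numbers are whatever "list disk" and "list volume" show on the machine, R: is an arbitrary free letter, and the read-back parsing expects English-locale diskpart output.

```powershell
# Added example, not from the thread and not WProtect.exe: bring one disk online
# read-only and give one of its volumes a letter, the diskpart way.
# Assumes a WinFE-style PE (SanPolicy=3, NoAutoMount=1) where the evidence disk
# arrives offline and unlettered. Numbers come from "list disk" / "list volume".
param(
    [Parameter(Mandatory)][int]$DiskNumber,
    [Parameter(Mandatory)][int]$VolumeNumber,
    [ValidatePattern('^[D-Z]$')][string]$Letter = 'R'   # arbitrary free letter
)

function Invoke-DiskpartScript([string]$Text) {
    # diskpart /s wants a file; %TEMP% is on the X: RAM drive in PE, never on evidence.
    $f = Join-Path $env:TEMP ('dp-{0}.txt' -f [guid]::NewGuid())
    Set-Content -Path $f -Value $Text -Encoding ASCII
    try { & diskpart.exe /s $f } finally { Remove-Item $f -ErrorAction SilentlyContinue }
}

# Order matters: mark the disk read-only BEFORE onlining it, so there is no window
# in which the storage stack could write (signature fix-ups, NTFS log replay, ...).
$mount = @"
select disk $DiskNumber
attributes disk set readonly
online disk
select volume $VolumeNumber
attributes volume set readonly
assign letter=$Letter
"@
Invoke-DiskpartScript $mount | Out-Null

# Verify rather than trust: a failed "attributes ... set readonly" followed by a
# successful assign would leave the volume writable.
$check = @"
select disk $DiskNumber
attributes disk
select volume $VolumeNumber
attributes volume
"@
$state = Invoke-DiskpartScript $check
# "Read-only : Yes" appears once for the disk and once for the volume; "Current
# Read-only State" does not match because the pattern is anchored at line start.
$ro = @($state | Where-Object { $_ -match '^\s*Read-only\s*:\s*Yes' })
if ($ro.Count -lt 2) {
    Invoke-DiskpartScript "select volume $VolumeNumber`nremove letter=$Letter" | Out-Null
    throw "Disk $DiskNumber / volume $VolumeNumber did not come up read-only; letter $Letter removed."
}
"Volume $VolumeNumber on disk $DiskNumber is mounted read-only as ${Letter}:"
```

The disk-level read-only attribute is a flag in the Windows storage stack, not a hardware write blocker, which is why a documented validation run of the finished PE (the kind chatdean describes later in this thread) is still the thing that tells you whether the mount actually held.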

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #11 on: September 20, 2017, 04:21:11 AM »

chatdean

Both the script and the "don't mount" option still result in the phantom drives, which is the original reason for my post. I've been searching for a cause and have found others with the Phantom drive problems in regular W10 installs. I've also been looking for a Windows utility that will unmount any drive that is not currently attached.

It's odd that Explorer displays these Phantom drives but device manager, the registry,  and disk management do not. Could this be an Explorer bug?


UPDATE:
I created a new build with the wp.script and included Explorer++, Total Commander, and Explorer_Q-Dir. All of the apps displayed the phantom drives with ? marks as usual. Registry, Device Manager, and Disk Management did not list the phantom drives.

BTW, the phantom drives start with U:, V:, W:, Y: and Z:, for a total of 5 phantom drives.
« Last Edit: September 20, 2017, 05:03:18 AM by chatdean »

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #12 on: September 21, 2017, 12:49:11 AM »

Lancelot

Quote from: chatdean
I've been searching for a cause and have found others with the Phantom drive problems in regular W10 installs.

Good to know.
So the issue is not about Win10PESE but Windows.

The only phantom drive I know is the "fake floppy drive" from the old days.  :wink:

Quote from: chatdean
I've also been looking for a Windows utility that will unmount any drive that is not currently attached.

See the command line utility:
mountvol
available on all projects via the
Components\"CMD Adds" plugin
Related:
Downloads\ComponentsY\Tweaks\"Remove Floppy ALL Mount Point 'BL MountVol'"

Quote from: chatdean
It's odd that Explorer displays these Phantom drives but device manager, the registry,  and disk management do not. Could this be an Explorer bug?

Probably.


***
The main reason behind using the
Finals\"Optmizations" plugin "Don't mount local hard drives" is to inspect disks with relevant disk utilities.

From your posts I guess the main trouble comes with the "USB connected" drive from which you boot Win10PESE,
 which produces "phantom drives" following reverse drive letter order for whatever reason ????

  --> other than cosmetic, this does not affect your inspecting local hard drives with whatever disk utility you use.


Just an idea:
Use:
Win10PESE\Build\"CdDrive - X: - Y:" --> "Disable plugin and Reset to Default settings"
then create your bootable "Win10PESE" usb flash, and test again.
Do the phantom drives appear again ????
« Last Edit: September 21, 2017, 12:50:26 AM by Lancelot »
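Lancelot's mountvol pointer worked through as an added example (not the "BL MountVol" tweak and not code from the thread): map every drive letter to its volume GUID from mountvol's output, then either find letters that are extra mount points of the boot USB's volume and remove them, or confirm that the phantom letters are not mount points at all, which is what chatdean's MountedDevices check above suggests. It assumes English mountvol output and that the boot USB really holds a letter (G: in this thread).

```powershell
# Added example, not a Win10PESE plugin: find drive letters that are duplicate mount
# points of the boot USB's volume and remove just the mount points with mountvol /D.
# Assumes English "mountvol" output and that $KeepLetter is the boot USB's real letter.
param([string]$KeepLetter = 'G', [switch]$WhatIf)

function Get-MountPointMap {
    # mountvol with no arguments prints each \\?\Volume{GUID}\ followed by its mount points.
    $map = @{}; $current = $null
    foreach ($line in (& mountvol.exe)) {
        if ($line -match '^\s*(\\\\\?\\Volume\{[0-9a-fA-F-]+\}\\)\s*$') { $current = $Matches[1]; continue }
        if ($current -and $line -match '^\s*([A-Za-z]):\\\s*$') { $map[$Matches[1].ToUpper()] = $current }
    }
    return $map
}

$map    = Get-MountPointMap
$keep   = $KeepLetter.ToUpper()
$target = $map[$keep]
if (-not $target) { throw "No volume is mounted at ${keep}: according to mountvol" }

$dupes = $map.Keys | Where-Object { $_ -ne $keep -and $map[$_] -eq $target } | Sort-Object
if (-not $dupes) {
    # If Explorer still shows U:..Z: at this point, they are not mount manager
    # mount points, so mountvol cannot remove them.
    "No other letter points at $target"
    return
}

foreach ($l in $dupes) {
    if ($WhatIf) { "Would remove ${l}:\ -> $target"; continue }
    # /D deletes the mount point only; the volume and its contents are untouched.
    & mountvol.exe "${l}:\" /D
    "Removed ${l}:\ -> $target"
}
```

Run it with -WhatIf first: removing the wrong mount point on a PE whose programs still live on the boot USB leaves you with a shell and no tools.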

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #13 on: September 23, 2017, 11:35:25 AM »

chatdean

Tried your suggestion:  Win10PESE\Build\"CdDrive - X: - Y:" --> "Disable plugin and Reset to Default settings"

No change, Phantom drives still present.

BTW, the Floppy drive script returns an error as file not found when it attempts to download the script.

I'm going to start the validation process and see if it will pass. I'll let you know.

And Thank you all very much for your suggestions!
« Last Edit: September 23, 2017, 11:35:57 AM by chatdean »

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #14 on: September 24, 2017, 02:07:54 AM »

Lancelot

Quote from: Lancelot
Related:
Downloads\ComponentsY\Tweaks\"Remove Floppy ALL Mount Point 'BL MountVol'"

Quote from: chatdean
returns an error as file not found when it attempts to download

The plugin downloads fine here.
See Tutorial:
Adding 3rd party plugins: \Downloads\ - MyPlugins_Direct - Yomi
http://theoven.org/index.php?topic=1236.0
« Last Edit: September 24, 2017, 02:08:31 AM by Lancelot »

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #15 on: October 02, 2017, 04:12:11 AM »

chatdean


As promised, I've completed the validation process for WinFE10 and it does validate. WinFE10 is a forensically sound platform even though the phantom drives are present.

I am having problems with one tool used by law enforcement for triage purposes that will not run in WinFE10, but works fine in WinFE8? More research required.

Thanks again for all of your help and suggestions, not to mention such an outstanding utility!

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #16 on: October 02, 2017, 11:00:53 AM »

Lancelot

Quote from: chatdean
As promised, I've completed the validation process for WinFE10 and it does validate.

Who validated what?

Quote from: chatdean
WinFE10 is a forensically sound platform even though the phantom drives are present.

We do not know anything about WinFE10.

Quote from: chatdean
I am having problems with one tool used by law enforcement for triage purposes that will not run in WinFE10, but works fine in WinFE8? More research required.

We have no idea what WinFE8 or WinFE10 are.

Quote from: chatdean
Thanks again for all of your help and suggestions, not to mention such an outstanding utility!

Which utility!?

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #17 on: October 02, 2017, 12:16:15 PM »

bob.omb

If you're using Windows installation media as a source (i.e. what you have to use for these products to work), you cannot sell your product to law enforcement or anyone else; it is a violation of Microsoft's EULA. You cannot sell PE products. The irony. You need to be using RE and make sure you read the EULA about distribution. You can use their license if it is VL, you will have to use their installation media, just an FYI. Hopefully you've already sorted this part out before doing all this work.
« Last Edit: October 02, 2017, 12:21:48 PM by bob.omb »

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #18 on: October 10, 2017, 05:55:48 AM »

chatdean

To answer your and Lancelot's questions and comments.

WinFE is the term Microsoft came up with back when Troy Larsen first came up with the registry mods that do not mount internal drives. WinFE is a normal WinSE/PE build with the write protect script added to make it not mount internal drives, plus adds the Writeprotect tool written by Colin Ramsden, which allows you to mount internal drives as read only after booting.

The validation process I was talking about is a documented series of tests that verify that the WinFE USB will boot the system without mounting drives and once the internal drives are mounted as read only, they are still protected from alteration by the OS and a variety of forensic utilities commonly used from a WinFE drive.

As to your comment about commercial use, not part of my work. I train law enforcement for free teaching them how to build their own WinFE using their own licensed copy of the OS and forensic utilities. My courses are specific to investigations involving children, including abuse, exploitation, and abduction.

In a way, your assistance has an impact in saving many children from dangerous abusing situations, all over the world. I thank you for your assistance.

Re: Phantom drives appearing when booting as WinFE(Forensic)
« Reply #19 on: October 10, 2017, 05:57:12 AM »

chatdean

The utility I am referring to is WinBuilder.
