is is possible to track IO on teh raw disk object throiugh a mini filter?
if one attaches to the RAW file system, would such a filter be able to
track IO made to areas of the disk outside the file system, like the volume
boot record, master boot record, efi partition etc ?
Yes, if IO is issued with a RAW file object representing an “opened” disk object. This mainly constrains this functionality to IO issued from a user mode. A RAW FSD object is mounted on \Device\HarddiskN\DRN which represents the whole drive starting from the sector 0.