

USB Drives

Mounting USB Drives read-only on Windows

  • Sources:
    • Jim Murray (SANS giac-alumni mailing list)
  • In Windows XP-SP2 there is a registry entry that you can set which will tell Windows to write-protect USB Block Storage Devices (which include most of your thumb drives and external drives, unless someone has specifically enumerated them as non-block storage devices).
    • Go to HKLM\System\CurrentControlSet\Control
    • Look for a key called StorageDevicePolicies; if it is not there, you can create it.
    • In that key, create a DWORD value, name it WriteProtect, and give it a value of 1.
    • Once this is done, when you insert a USB Key or external drive and try to write to it you will get a write-protect error.
    • Since this is a Windows-specific write-protect, your Linux VM is not affected by it.
  • There are a couple of caveats to this hack.
    • 1. It does not work for Firewire (1394) attached drives.
    • 2. It does not work for USB non-block storage devices such as printers and CD-ROM drives.
    • 3. This does not prevent Windows from mounting the drive; it just mounts it as read-only, which prevents Windows from writing its normal stuff to the drive, like the recycle bin, etc.
    • 4. This is a global setting for all USB ports on the system. In order to enable write you need to change the value back to 0. For my forensics purposes this is not an issue, as when I am in my Linux VM, I can mount my source drive as read only and my USB external hard drive (target) as read/write.
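
The registry steps above, together with the switch back to 0 from caveat 4, as a script. This is an added example, not code from the original page or its source; the function names are hypothetical, and it assumes an elevated PowerShell 3.0 or later session on the Windows host.

```powershell
# Added example: set, verify and revert the USB write-protect policy value.
# Function names are hypothetical. Run from an elevated prompt.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # Returns 1 (write-protected), 0 (writable) or $null (key or value absent).
    $item = Get-ItemProperty -Path $PolicyKey -Name WriteProtect -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.WriteProtect
}

function Set-UsbWriteProtect {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1)]
        [int]$Value
    )
    # Create the StorageDevicePolicies key if it does not exist yet.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Create or overwrite the WriteProtect DWORD value.
    New-ItemProperty -Path $PolicyKey -Name WriteProtect `
        -PropertyType DWord -Value $Value -Force | Out-Null

    # Read the value back so that a failed write is not mistaken for protection.
    $actual = Get-UsbWriteProtect
    if ($actual -ne $Value) {
        throw "WriteProtect is '$actual', expected '$Value'"
    }
    return $actual
}

# Before inserting the source drive: enable the policy and confirm it.
$state = Set-UsbWriteProtect -Value 1
Write-Output "WriteProtect = $state (1 = USB block storage mounts read-only)"

# The setting is global (caveat 4). To write to USB storage from Windows again:
# Set-UsbWriteProtect -Value 0
```

Confirm that the script reports 1 before the source drive is inserted, and test with a scratch USB key that a write attempt produces the write-protect error.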

Copyright © 2000-2008 Jessland - Jess Garcia's Website - All rights reserved.