-
August 3rd, 2004, 10:29 PM
#1
Mount a USB drive as Read Only in Windows XP
I have a USB 2.0 3.5” enclosure that’s real easy to swap drives in and out. I’ve been thinking about using it to look at hard drives for evidence. I was wondering if there is a way in Windows XP to mount the drive as read only as soon as I plug it in. By default, as soon as a USB drive is plugged in it mounts it as Read/Write, which is not very good for doing forensics work. Any ideas?
-
August 3rd, 2004, 10:36 PM
#2
I am kind of pulling this out of my ass, but it sounds right in my head.
OK, the Windows Plug and Play option is built into the ME and above kernels, so to change that you would have to change the kernel, which would mean you have to do a registry hack. I am assuming if you can find the key for that, you could change it. Then make it read only.
If you are working on a nix system however, I am positive that when you set up your USB thumbdrive it is auto-setup as read-only.
Though that was a pain in the ass setting up.
-
August 3rd, 2004, 10:55 PM
#3
Yea, you can mount the filesystem on the USB drive in *NIX read only.
Not sure you can in Windows as PnP will automount rw AFAIK...
-
August 4th, 2004, 02:05 PM
#4
AFAIK there's only 1 signal wire on the IDE interface that tells the drive to read or write. Not sure what the impact can be but you could try to either pull up (+5) or pull down (Ground) that signal. In theory that would make the drive hardware write protected.
Note: Use a resistor to pull up or down or you might blow a few transistors.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
August 4th, 2004, 02:54 PM
#5
Er, Whizz, a registry hack kinda defeats the point of a forensic investigation.......
Iron: I fiddled for a short while trying to set a thumb drive up as read only but it doesn't seem to be workable. You have to accept the possibility that the system you plug into may recognize a "hostile" drive and mess with it.
My best suggestion would be to run an MD5 sig of the drive on a clean system and have a utility on the drive to rerun it at any time. Then, when you connect it to a potentially infected system, leave it for about 2 minutes and then run the MD5 again and compare it. If it doesn't match then you will have to find another way to investigate the box.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
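The baseline-and-recheck idea from post #5, as an added example (not code from any poster in this thread): it hashes an image or device in blocks, so a mismatch also shows which region was written. The function names, the block size and the temp file standing in for a drive are assumptions made for illustration.

```python
import hashlib, os, tempfile

BLOCK = 1 << 20  # 1 MiB per block; an assumption, any size works

def fingerprint(path, block=BLOCK):
    """Return (whole-image MD5 hex, list of per-block MD5 hex digests)."""
    whole = hashlib.md5()
    blocks = []
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block)
            if not chunk:
                break
            whole.update(chunk)
            blocks.append(hashlib.md5(chunk).hexdigest())
    return whole.hexdigest(), blocks

def changed_blocks(baseline, current):
    """Indices of blocks whose digest differs, including added or missing blocks."""
    (_, old), (_, new) = baseline, current
    n = max(len(old), len(new))
    return [i for i in range(n)
            if i >= len(old) or i >= len(new) or old[i] != new[i]]

def verify(path, baseline, block=BLOCK):
    """Re-hash path and compare; returns (unchanged?, changed block indices)."""
    current = fingerprint(path, block)
    return current[0] == baseline[0], changed_blocks(baseline, current)

def demo():
    """Constructed stand-in for a drive: a 4 KiB temp file, 512-byte blocks."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(bytes(range(256)) * 16)
        base = fingerprint(path, 512)      # baseline taken on the clean system
        clean = verify(path, base, 512)    # re-run with nothing written
        with open(path, "r+b") as f:       # simulate a stray write at offset 1500
            f.seek(1500)
            f.write(b"\xff")
        dirty = verify(path, base, 512)    # re-run after the write
        return clean, dirty
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

Keep the saved baseline somewhere other than the drive being checked, since a write to the drive could otherwise alter the baseline too.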
-
August 4th, 2004, 03:00 PM
#6
I think he meant to mount the "suspect" harddrive read-only on his own box (via the usb thing)..
In that case the only possible solution (so far) would be the registry hack..
Or going for a NIX solution
mount /dev/sda1 /mnt/usb -r
or
mount /dev/sda1 /mnt/usb -o ro
(if the device is sda (first (emulated) SCSI drive) and you made the mountpoint /mnt/usb)
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
August 4th, 2004, 03:02 PM
#7
Why don't you get a USB drive which has a switch at the side to make it read-only? That would solve your problem.
-
August 4th, 2004, 03:29 PM
#8
Rechecked my suggestion. There are 2 signals; 1 for read and 1 for write. The important one is DIOW.
6.3.7 DIOW- (Drive I/O write)
This is the Write strobe signal. The rising edge of DIOW- clocks data from
the host data bus, DD0-DD7 or DD0-DD15, into a register or the data port of
the drive.
Source: http://www.ele.uri.edu/courses/ele40...d_ide/ide.html
So if you prevent this signal from reaching the drive it'll never ever write.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
August 4th, 2004, 05:05 PM
#9
Originally posted here by lepricaun
Why don't you get a USB drive which has a switch at the side to make it read-only? That would solve your problem.
I've never seen one that does that, do you know of a site I can buy one from?
-
August 4th, 2004, 05:30 PM
#10
Is it not more important for the forensic software you use to lock the drive under investigation?
If you use EnCase you can slave the target drive in the normal way. Then apply a write lock before you preview the drive.
I'm no expert. Just wondering if locking the target in the manner you are looking for is practical.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry