Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Mount a USB drive as Read Only in Windows XP

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Mount a USB drive as Read Only in Windows XP

    I have a USB 2.0 3.5” enclosure that’s real easy to swap drives in and out. I’ve been thinking about using it to look ad hard drives for evidence. I was wondering if there is a way in Windows XP to mount the drive as read only as soon as I plug it in. By default, as soon as a USB drive is plugged in it mounts it as Read/Write which is not very good for doing forensics work. Any Ideas?

  2. #2
    I am kind of pulling this out of my ass, but it sounds right in my head.

    Ok the windows Plug and Play option is built into the ME and above kernels, so to change that you would have to change the kernel which would mean you have to do a registry hack. I am assuming if you can find the key for that, you could change it. Then make it read only.

    If you are working on a nix system however, I am positive that when you set up your USB thubmdrive it is auto-setup as readonly.

    Though that was a pain in the ass setting up.

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Yea, you can mount the filesystem on the usb drive in *NIX read only.
    not sure you can in Windows as PnP will automount rw AFAIK...

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    AFAIK there's only 1 signalwire on the IDE interface that tells the drive to read or write. Not sure what the impact can be but you could try to either pull up (+5) or pull down (Ground) that signal. In theory that would make the drive hardware write protected.

    Note: Use a resistor to pull up or down or you might blow a few transistors.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Er, Whizz, a registry hack kinda defeats the point of a forensic investigation.......

    Iron: I fiddled for a short while trying to set a thumb drive up as read only but it doesn't seem to be workable. You have to accept the possibility that the system you plug into may recognize a "hostile" drive and mess with it.

    My best suggestion would be to run an MD5 sig of the drive on a clean system and have a utility on the drive to rerun it at any time. Then, when you connect it to a potentially infected system, leave it for about 2 minutes and then run the MD5 again and compare it. If it doesn't match then you will have to find another way to investigate the box.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    I think he meant to mount the "suspect" harddrive read-only on his own box (via the usb thing)..

    In that case the only possible solution (so far) would be the registry hack..
    Or going for a NIX sollution

    mount /dev/sda1 /mnt/usb -r
    or
    mount /dev/sda1 /mnt/usb -o ro

    (if the device is sda (first (emulated)scsi dirve) and you made the mountpoint /mnt/usb)
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  7. #7
    why don't you get an usbdrive which has a switch at the side to make it readonly? that would solve your problem

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Rechecked my suggestion. There are 2 signals; 1 for read and 1 for write. The important one is DIOW.

    6.3.7 DIOW- (Drive I/O write)
    This is the Write strobe signal. The rising edge of DIOW- clocks data from
    the host data bus, DD0-DD7 or DD0-DD15, into a register or the data port of
    the drive.
    Source: http://www.ele.uri.edu/courses/ele40...d_ide/ide.html


    So if you prevent this signal from reaching the drive it'll never ever write.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Originally posted here by lepricaun
    why don't you get an usbdrive which has a switch at the side to make it readonly? that would solve your problem
    I've never seen one that does that, do you know of a site I can buy one from?

  10. #10
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Is it not more important for the forensic software you use to lock the drive under investigation?

    If you use Encase you can slave the target drive in the normal way. Then apply a write lock befor you pre-view the drive.

    I'm no expert. Just wondering if locking the target in the manner you are looking for is practicle.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •