Jump to content



Photo

USB Write Blocker : Makes any USB drive Write protected.

hardware

  • Please log in to reply
51 replies to this topic

#1 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 10 August 2012 - 15:28

Something that has boggled my mind for a while now. In the beginning write protected USB drives were pretty common place (so I've been told). But as the progression of Malware has increased, the number of write protected USB drives has decreased.

To be honest, most people don't even care if they stick their usb drive into an infested computer. Even though autorun, for the most part has been disabled on windows systems (so malware shouldn't technically get activated when sticking the stick into a clean machine) I would still never stick a usb flash drive that wasn't write protected into someone else machine. If I did, I would (and have in the past) format the stick from a BartPE environment on another machine before sticking it back into my own.

I was looking online and came across this neat little product. It's called the USB Write blocker. 1 end plugs into the computer and you plug your usb hard drive or USB memory stick into the other end.

Posted Image

http://www.youtube.com/watch?v=5RdCyIRK1B8

http://www.youtube.com/watch?v=BQYcI3GmSeU

http://www.amazon.co...s/dp/B002DH1P0W



This device obviously isn't for everyone. But those who do repairs where write protection is a serious concern this might be for you. What I like about this idea, is that you would use it when ever you plug in a usb drive into someones computer. This way you KNOW it's write protected. The problem I had with USB memory sticks that had write protection switches, is I always had to check the switch to make sure it was activated, which means it would be possible to forget.

The only thing I wish it did was not to spoof the writes (showing it copied when it didn't) but just through up a write protection error. For this reason I could never temporary used it on an usb sata dock, because if It was behind the computer and if I forgot it was there, and i went to backup someones files, it would show they got backed up but in the end they would not be. But to be used in combination with a USB repair thumb drive or now a USB repair hard drive, would work great.

it's $160 on Amazon, I think I might get one. Lemme know what you think.


#2 +Phouchg

Phouchg

    has stopped responding

  • Tech Issues Solved: 9
  • Joined: 28-March 11

Posted 10 August 2012 - 17:57

The idea itself is excellent. But 160 for that? What's in there - pure magic with unicorn horn salt? :huh:

#3 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 10 August 2012 - 17:57

The idea itself is excellent. But 160 for that? What's in there - pure magic with unicorn horn salt? :huh:


I just bought one. This device is a dream come true. I'll do a review once it arrives.

#4 +Phouchg

Phouchg

    has stopped responding

  • Tech Issues Solved: 9
  • Joined: 28-March 11

Posted 10 August 2012 - 18:17

Ah, well, forensics products, of course - when one sells for government officials and such nosy buggers, appending at least one zero to all prices can be completely justified.
Do review it, yes. If they call it a forensics device, I'd hope it's at least tamper proof and reasonably indestructible.

#5 +Karl L.

Karl L.

    xorangekiller

  • Tech Issues Solved: 15
  • Joined: 24-January 09
  • Location: Virginia, USA
  • OS: Debian Testing

Posted 10 August 2012 - 18:17

That is a really neat idea, but I agree with Phouchg that the price seems somewhat excessive.

While this certainly isn't the ideal solution, I pseudo write protect my flash drives which may be plugged into infected computers using a simple Batch script (or, more often than not, the equivalent BASH script, since I don't spend very much time in Windows anymore). The idea is that if there is no free space left on disk, no files can be infected and no new files can be added without deleting something. When I want to write to disk, I remove my dummy file, modify stuff, and "write protect" it again.

In case anyone is interested, the Batch script is below. There is a bug in the way disk space is calculated (not just in my script, by the way, in Windows itself), and you may need to eject the disk after "write protecting" it and run the script on it a second time. Sometimes it will claim to be 100% full before you eject it, but show 4.00 KiB of free space when you plug it back in. If anyone knows exactly why this happens or how to fix it please let me know.

::Write Protect Drive
::Description: This script will write protect a flash drive by using all the remaining free space.
::Modification: modifications are clearly marked by the <MOD> and </MOD> flags
::Last Synced with Awesome Script Version 1.3.5
::Author: xorangekiller
::Released: 10 December 2009
@echo off
::<MOD> the following code did not exist (it was handled by the awesome script)
:start
  ::set the default errorlevel
  set exitCode=0
  ::change the starting directory (if necessary)
  set firstdir=NULL
  if "%cd%\"=="%~dp0" goto writeprotect
  set firstdir=%cd%
  cd /D "%~dp0"
::</MOD>
:writeprotect
  ::attempt the write protect the drive (presumably a flash drive) by creating a dummy file to use all remaining free space
  ::this prevents viruses and such from attaching themselves to files or copying themselves to your drive
  ::this does NOT, however, prevent files from being deleted and replaced!
  ::<MOD>set current=writeprotect</MOD>
  fsutil 1>nul 2>nul
  if %errorlevel%==1 goto writeprotectNoAdmin
  :writeprotectDialog
  echo.
  echo Write protect the specified drive by using all available free space.
  echo.
  echo To protect the current drive just type "current" at the prompt.
  echo.
  set /p userinp=Which drive would you like to protect?
  ::special cases of the variable
  if "%userinp%"=="" set userinp=%cd%
  if "%userinp%"=="current" set userinp=%cd%
  ::check to make sure that we have a drive path
  if not "%userinp:~1,1%"==":" goto writeprotectPathError
  ::only use the drive letter, colon, and slash regardless of the path entered
  set userinp=%userinp:~0,3%
  if not "%userinp:~2,2%"=="\" if not "%userinp:~2,2%"=="/" set userinp=%userinp%\
  ::this check was implemented because of Cooper... DO NOT TRY TO WRITE PROTECT YOUR C: DRIVE!
  if "%userinp:~0,2%"=="%systemdrive%" ( echo.
	echo Error! You are attempting to write protect your system drive.
::according to my PL (Dave DiCarlo) using rehtorical questions in this manner is something New Yorkers primarily do
echo Are you sure you want to do that? I don't think so!
echo.
echo Press any key to try again . . .
pause >nul
::<MOD> "goto start" is not the proper reference
goto writeprotect )
::</MOD>
  ::create a directory to hold the (potentially large) number of dummy files
  ::set /p userinp=%userinp%IamDummy\
  ::mkdir %userinp%IamDummy
  setlocal ENABLEDELAYEDEXPANSION
  :writeprotectCreateLoop
  set bytesfree=0
  ::capture the bytes free determined by dir and remove the commas (because fsutil doesn't like those)
  for /f "tokens=3-6 delims==, " %%a in ( 'dir "%userinp%" ^| findstr /C:"bytes free"' ) do ( if %%a==bytes goto writeprotectEndLoop
	if %%a GTR 0 set bytesfree=%%a
if %%b==bytes goto writeprotectEndLoop
if %%b GTR 0 set bytesfree=!bytesfree!%%b
if %%c==bytes goto writeprotectEndLoop
if %%c GTR 0 set bytesfree=!bytesfree!%%c
if %%d==bytes goto writeprotectEndLoop
if %%d GTR 0 set bytesfree=!bytesfree!%%d
if %%e==bytes goto writeprotectEndLoop
if %%e GTR 0 set bytesfree=!bytesfree!%%e)
  ::the EndLoop label is a hack to break the loop if necessary
  :writeprotectEndLoop
  ::it is absolutely necessary to check if there is no space left free and break the loop
  ::although there IS such a number as infinity most computers cannot reach it within a reasonable amount of time
  ::so this is a good "workaround"
  if %bytesfree% EQU 0 goto writeprotectComplete
  ::1024 Bytes = 1 Kilobyte; 1048576 Bytes = 1 Megabyte; 1073741824 Bytes = 1 Gigabyte
  ::1 gigabyte in bytes
  set gb=1073741824
  ::determine the dummy file(s) to create
  if %bytesfree% GEQ %gb% set bytesfree=%gb%
	set filenum=0
::check to make sure that the dummy file does not already exist... it causes problems
:writeprotectFileNumCheck
if not exist %userinp%IamDummy%filenum% goto writeprotectCreateDummy
   set /A filenum=%filenum%+1
   goto writeprotectFileNumCheck
  :writeprotectCreateDummy
::create a dummy file
::echo Writing file %userinp%IamDummy%filenum% of size %bytesfree% . . .
fsutil file createnew "%userinp%IamDummy%filenum%" %bytesfree%
::check to see if we need to repeat the procedure with another dummy file (recurse)
::although infinite looping is generally not a good thing batch gives us no choice
::"The time has come for the cobra to come up and reveal himself. You will call me - Commander."
goto writeprotectCreateLoop
  :writeprotectComplete
  endlocal
  ::brag by printing a message informing the user that we did our job successfully (hopefully, bytes free should be ZERO)
  echo.
  dir "%userinp%" | findstr /C:"bytes free"
  echo.
  pause
  ::<MOD> "goto start" is not the proper reference
  goto end
  ::</MOD>
  :writeprotectNoAdmin
	echo.
echo ERROR! You need administrative privileges to run this function!
echo.
pause
::<MOD> "goto start" is not the proper reference
goto end
::</MOD>
  :writeprotectPathError
	echo.
echo ERROR! You must enter a valid drive path!
echo.
echo Example: %cd:~0,3%
echo.
set /p userinp=Continue or Quit (C\Q)?
set userinp=%userinp:~0,1%
::<MOD> "goto start" is not the proper reference
if "%userinp%"=="Q" goto end
if "%userinp%"=="q" goto end
::</MOD>
goto writeprotectDialog
::<MOD> the following code did not exist (it was handled by the awesome script)
:end
  ::revert the current directory (if necessary)
  if not "%firstdir%"=="NULL" cd /D "%firstdir%"
  ::exit the script but not cmd.exe
  exit /B %exitCode%
::</MOD>

The BASH version of this same script is below. It has been tested to work on Debian 6, Debian 7, Ubuntu 10.04, Ubuntu 12.04, and Fedora 17. Presumably it should work on any GUN/Linux distribution, and probably BSD and OS X too.

#!/bin/bash
# Write Protect Drive
# Description: This script will write protect a flash drive by using all the remaining free space.
# Last Synced with Awesomestik Installer 1.0
# Author: xorangekiller
# Released: 21 Feb 2012
writeprotect() {
loop=0
free=$(df $USBDEV | tail -n 1 | awk {'print $4;'})
echo "Free space on ${USBDEV}: ${free}K"
while [ $free -gt 0 ]; do
  # Note that 1048576 is 1 gigabyte in kilobytes.
  if [ $free -gt 1048576 ]; then
   free=1048576
  fi
  # Check that the name of the file we want to write is not already taken.
  while [ -e "${USBMNT}/IamDummy${loop}" ]; do
   let loop=loop+1
  done
  echo "Writing file ${USBMNT}/IamDummy${loop} of size ${free}K . . ."
  dd if=/dev/zero of=${USBMNT}/IamDummy${loop} bs=${free}K count=1
  sleep 5 # Give everything time to settle.
  free=$(df $USBDEV | tail -n 1 | awk {'print $4;'})
done
echo "Free space on ${USBDEV}: ${free}K"
}
# Check that we are root before doing anything particularly useful.
#if [ $(id -u) != 0 ]; then
# echo "You need to be root to run this script"
# exit 1
#fi
if [ -n "$1" ]; then
drivetoprotect="$1"
else
echo "Write protect the specified drive by using all available free space."
echo "To protect the current drive just type current at the prompt."
echo "Which drive would you like to protect?"
read drivetoprotect
fi
if [ "$drivetoprotect" == "current" ]; then
drivetoprotect=`pwd`
fi
if [ ! -d "$drivetoprotect" ]; then
echo "ERROR: $drivetoprotect is not a valid directory."
exit 1
fi
# This check was implemented in the original write protect script because of Cooper and carried over here... DO NOT TRY TO WRITE PROTECT YOUR SYSTEM DRIVE!
if [ "$(df "$drivetoprotect" | awk '{print $6}' | tail -n 1)" == "/" ]; then
echo "ERROR: You are attempting to write protect your system drive."
exit 1
fi
# Use the USBMNT variable to maintain compatability with the writeprotect function from the Awesomestik Installer script.
USBMNT=$drivetoprotect
USBDEV=$(df "$USBMNT" | awk '{print $1}' | tail -n 1)
writeprotect
echo "The drive is now write protected!"
exit 0

Edit: Indentation and line spacing got a little bit messed up when I copy/pasted the scripts into the post editor, so I attached a zipped copy of both scripts to this post as well.

Attached Files



#6 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 10 August 2012 - 18:28

Neat Script. I just don't trust software. I need a physical lock or device.

#7 tiagosilva29

tiagosilva29

    Looking for a job in Lisbon

  • Tech Issues Solved: 1
  • Joined: 08-May 04

Posted 10 August 2012 - 18:38

Something that has boggled my mind for a while now. In the beginning write protected USB drives were pretty common place (so I've been told).

My first USB pen (32 MB?) had a write-protect slider on the leaner side, and that was pretty much the norm.
Then someone or something made a jerk move.

Neat Script.

Yeah, but needs a license, less BASH, and more POSIX.

#8 +Karl L.

Karl L.

    xorangekiller

  • Tech Issues Solved: 15
  • Joined: 24-January 09
  • Location: Virginia, USA
  • OS: Debian Testing

Posted 10 August 2012 - 18:58

Neat Script. I just don't trust software. I need a physical lock or device.


I agree. That's why I said that it only pseudo write protects drives. It can fairly easily be circumvented. However, it seems to be fairly effective against most malware in lieu of a hardware write protected disk, which is clearly superior.

Yeah, but needs a license, less BASH, and more POSIX.


Please explain. I have been using this script for years, but I am open to suggestions. Why does it need a license? What do you mean by "less BASH, and more POSIX"? What should I do to improve it?

#9 metro2012

metro2012

    Neowinian

  • Joined: 13-May 12

Posted 10 August 2012 - 19:06

What do you mean by "less BASH, and more POSIX"?

It should be independent of any dependencies (such as bash)

#10 +Karl L.

Karl L.

    xorangekiller

  • Tech Issues Solved: 15
  • Joined: 24-January 09
  • Location: Virginia, USA
  • OS: Debian Testing

Posted 10 August 2012 - 19:11

It should be independent of any dependencies (such as bash)


Currently I'm using BASH, awk, df, and dd. The requirements are fairly low. Do you think that it should be rewritten in C?

#11 Tha Bloo Monkee

Tha Bloo Monkee

    Da Ba Dee Da Ba Die

  • Joined: 03-July 04
  • Location: Ontario, Canada

Posted 10 August 2012 - 19:16

I'm curious if this will introduce compatibility issues (for example, certain machines not registering your USB key because it's attached to this $160 device).

Couldn't you also use an SD card with a USB adapter as an alternative? (Most) SD cards have lock switches.

#12 ahhell

ahhell

    Neowinian Senior

  • Joined: 30-June 03
  • Location: Winnipeg - coldest place on Earth - yeah

Posted 10 August 2012 - 19:16

I just bought one. This device is a dream come true. I'll do a review once it arrives.

Dream come true?
Why not save $160 and not stick it anywhere unclean? :shifty:

#13 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 10 August 2012 - 19:19

I'm curious if this will introduce compatibility issues (for example, certain machines not registering your USB key because it's attached to this $160 device).

Couldn't you also use an SD card with a USB adapter as an alternative? (Most) SD cards have lock switches.


Maybe. I hope not, but we'll see. I'll let ya know what happens.

Dream come true?
Why not save $160 and not stick it anywhere unclean? :shifty:


Because I work on Malware infected machines almost every day. Even if I have no reason to suspect a machine is infected, I DO NOT put a usb thumb drive that is not write protected into another users PC other than my own.

The only exception is if i just preformed a clean install of windows. Once that known clean machine leaves my office a stick or drive that is not write protected will never be inserted into that machine unless a clean install has just been preformed again or if I'm in a clean PE or Linux environment.

If by chance it does accidentally occur that a stick that was not write protected gets inserted into a customers PC (without a clean install having just been done) the media is then hooked up to a machine that has no hard drive attached and is booted into a PE environment where it is formatted before it is inserted back into any of my workstations.

Those are the rules that I follow.

#14 ahhell

ahhell

    Neowinian Senior

  • Joined: 30-June 03
  • Location: Winnipeg - coldest place on Earth - yeah

Posted 10 August 2012 - 19:28

Maybe. I hope not, but we'll see. I'll let ya know what happens.



Because I work on Malware infected machines almost every day. Even if I have no reason to suspect a machine is infected, I DO NOT put a usb thumb drive that is not write protected into another users PC other than my own.

The only exception is if i just preformed a clean install of windows. Once that known clean machine leaves my office a stick or drive that is not write protected will never be inserted into that machine unless a clean install has just been preformed again or if I'm in a clean PE or Linux environment.

If by chance it does accidentally occur that a stick that was not write protected gets inserted into a customers PC (without a clean install having just been done) the media is then hooked up to a machine that has no hard drive attached and is booted into a PE environment where it is formatted before it is inserted back into any of my workstations.

Those are the rules that I follow.

How about a better idea and NOT use USB drives in infected machines. Burn a CD with whatever utilities that you need. ZERO chance of infection.

#15 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 10 August 2012 - 19:31

That device you've showed there has the same flaw as cheap IDE or SATA drive write blockers, it only catches the most common write codes, so yeah, for the majority of the time you won't be able to write to it.
Got an unusual USB device or one that writes data differently to how that blocker picks it up? Writes will still occur.
Same as if malware uses strage/forged methods to write to a USB device, that thing won't block it at all.

From doing forensics before, if you're worried about malware, you've just wasted your money.