52 posts in this topic

Posted

Something that has boggled my mind for a while now. In the beginning write protected USB drives were pretty common place (so I've been told). But as the progression of Malware has increased, the number of write protected USB drives has decreased.

To be honest, most people don't even care if they stick their usb drive into an infested computer. Even though autorun, for the most part has been disabled on windows systems (so malware shouldn't technically get activated when sticking the stick into a clean machine) I would still never stick a usb flash drive that wasn't write protected into someone else machine. If I did, I would (and have in the past) format the stick from a BartPE environment on another machine before sticking it back into my own.

I was looking online and came across this neat little product. It's called the USB Write blocker. 1 end plugs into the computer and you plug your usb hard drive or USB memory stick into the other end.

41MsNWtLhbL.jpg

This device obviously isn't for everyone. But those who do repairs where write protection is a serious concern this might be for you. What I like about this idea, is that you would use it when ever you plug in a usb drive into someones computer. This way you KNOW it's write protected. The problem I had with USB memory sticks that had write protection switches, is I always had to check the switch to make sure it was activated, which means it would be possible to forget.

The only thing I wish it did was not to spoof the writes (showing it copied when it didn't) but just through up a write protection error. For this reason I could never temporary used it on an usb sata dock, because if It was behind the computer and if I forgot it was there, and i went to backup someones files, it would show they got backed up but in the end they would not be. But to be used in combination with a USB repair thumb drive or now a USB repair hard drive, would work great.

it's $160 on Amazon, I think I might get one. Lemme know what you think.

1 person likes this

Share this post


Link to post
Share on other sites

Posted

The idea itself is excellent. But 160 for that? What's in there - pure magic with unicorn horn salt? :huh:

5 people like this

Share this post


Link to post
Share on other sites

Posted

The idea itself is excellent. But 160 for that? What's in there - pure magic with unicorn horn salt? :huh:

I just bought one. This device is a dream come true. I'll do a review once it arrives.

Share this post


Link to post
Share on other sites

Posted

Ah, well, forensics products, of course - when one sells for government officials and such nosy buggers, appending at least one zero to all prices can be completely justified.

Do review it, yes. If they call it a forensics device, I'd hope it's at least tamper proof and reasonably indestructible.

Share this post


Link to post
Share on other sites

Posted

That is a really neat idea, but I agree with Phouchg that the price seems somewhat excessive.

While this certainly isn't the ideal solution, I pseudo write protect my flash drives which may be plugged into infected computers using a simple Batch script (or, more often than not, the equivalent BASH script, since I don't spend very much time in Windows anymore). The idea is that if there is no free space left on disk, no files can be infected and no new files can be added without deleting something. When I want to write to disk, I remove my dummy file, modify stuff, and "write protect" it again.

In case anyone is interested, the Batch script is below. There is a bug in the way disk space is calculated (not just in my script, by the way, in Windows itself), and you may need to eject the disk after "write protecting" it and run the script on it a second time. Sometimes it will claim to be 100% full before you eject it, but show 4.00 KiB of free space when you plug it back in. If anyone knows exactly why this happens or how to fix it please let me know.


::Write Protect Drive

::Description: This script will write protect a flash drive by using all the remaining free space.

::Modification: modifications are clearly marked by the <MOD> and </MOD> flags

::Last Synced with Awesome Script Version 1.3.5

::Author: xorangekiller

::Released: 10 December 2009

@echo off

::<MOD> the following code did not exist (it was handled by the awesome script)

:start

  ::set the default errorlevel

  set exitCode=0

  ::change the starting directory (if necessary)

  set firstdir=NULL

  if "%cd%\"=="%~dp0" goto writeprotect

  set firstdir=%cd%

  cd /D "%~dp0"

::</MOD>

:writeprotect

  ::attempt the write protect the drive (presumably a flash drive) by creating a dummy file to use all remaining free space

  ::this prevents viruses and such from attaching themselves to files or copying themselves to your drive

  ::this does NOT, however, prevent files from being deleted and replaced!

  ::<MOD>set current=writeprotect</MOD>

  fsutil 1>nul 2>nul

  if %errorlevel%==1 goto writeprotectNoAdmin

  :writeprotectDialog

  echo.

  echo Write protect the specified drive by using all available free space.

  echo.

  echo To protect the current drive just type "current" at the prompt.

  echo.

  set /p userinp=Which drive would you like to protect?

  ::special cases of the variable

  if "%userinp%"=="" set userinp=%cd%

  if "%userinp%"=="current" set userinp=%cd%

  ::check to make sure that we have a drive path

  if not "%userinp:~1,1%"==":" goto writeprotectPathError

  ::only use the drive letter, colon, and slash regardless of the path entered

  set userinp=%userinp:~0,3%

  if not "%userinp:~2,2%"=="\" if not "%userinp:~2,2%"=="/" set userinp=%userinp%\

  ::this check was implemented because of Cooper... DO NOT TRY TO WRITE PROTECT YOUR C: DRIVE!

  if "%userinp:~0,2%"=="%systemdrive%" ( echo.

	echo Error! You are attempting to write protect your system drive.

::according to my PL (Dave DiCarlo) using rehtorical questions in this manner is something New Yorkers primarily do

echo Are you sure you want to do that? I don't think so!

echo.

echo Press any key to try again . . .

pause >nul

::<MOD> "goto start" is not the proper reference

goto writeprotect )

::</MOD>

  ::create a directory to hold the (potentially large) number of dummy files

  ::set /p userinp=%userinp%IamDummy\

  ::mkdir %userinp%IamDummy

  setlocal ENABLEDELAYEDEXPANSION

  :writeprotectCreateLoop

  set bytesfree=0

  ::capture the bytes free determined by dir and remove the commas (because fsutil doesn't like those)

  for /f "tokens=3-6 delims==, " %%a in ( 'dir "%userinp%" ^| findstr /C:"bytes free"' ) do ( if %%a==bytes goto writeprotectEndLoop

	if %%a GTR 0 set bytesfree=%%a

if %%b==bytes goto writeprotectEndLoop

if %%b GTR 0 set bytesfree=!bytesfree!%%b

if %%c==bytes goto writeprotectEndLoop

if %%c GTR 0 set bytesfree=!bytesfree!%%c

if %%d==bytes goto writeprotectEndLoop

if %%d GTR 0 set bytesfree=!bytesfree!%%d

if %%e==bytes goto writeprotectEndLoop

if %%e GTR 0 set bytesfree=!bytesfree!%%e)

  ::the EndLoop label is a hack to break the loop if necessary

  :writeprotectEndLoop

  ::it is absolutely necessary to check if there is no space left free and break the loop

  ::although there IS such a number as infinity most computers cannot reach it within a reasonable amount of time

  ::so this is a good "workaround"

  if %bytesfree% EQU 0 goto writeprotectComplete

  ::1024 Bytes = 1 Kilobyte; 1048576 Bytes = 1 Megabyte; 1073741824 Bytes = 1 Gigabyte

  ::1 gigabyte in bytes

  set gb=1073741824

  ::determine the dummy file(s) to create

  if %bytesfree% GEQ %gb% set bytesfree=%gb%

	set filenum=0

::check to make sure that the dummy file does not already exist... it causes problems

:writeprotectFileNumCheck

if not exist %userinp%IamDummy%filenum% goto writeprotectCreateDummy

   set /A filenum=%filenum%+1

   goto writeprotectFileNumCheck

  :writeprotectCreateDummy

::create a dummy file

::echo Writing file %userinp%IamDummy%filenum% of size %bytesfree% . . .

fsutil file createnew "%userinp%IamDummy%filenum%" %bytesfree%

::check to see if we need to repeat the procedure with another dummy file (recurse)

::although infinite looping is generally not a good thing batch gives us no choice

::"The time has come for the cobra to come up and reveal himself. You will call me - Commander."

goto writeprotectCreateLoop

  :writeprotectComplete

  endlocal

  ::brag by printing a message informing the user that we did our job successfully (hopefully, bytes free should be ZERO)

  echo.

  dir "%userinp%" | findstr /C:"bytes free"

  echo.

  pause

  ::<MOD> "goto start" is not the proper reference

  goto end

  ::</MOD>

  :writeprotectNoAdmin

	echo.

echo ERROR! You need administrative privileges to run this function!

echo.

pause

::<MOD> "goto start" is not the proper reference

goto end

::</MOD>

  :writeprotectPathError

	echo.

echo ERROR! You must enter a valid drive path!

echo.

echo Example: %cd:~0,3%

echo.

set /p userinp=Continue or Quit (C\Q)?

set userinp=%userinp:~0,1%

::<MOD> "goto start" is not the proper reference

if "%userinp%"=="Q" goto end

if "%userinp%"=="q" goto end

::</MOD>

goto writeprotectDialog

::<MOD> the following code did not exist (it was handled by the awesome script)

:end

  ::revert the current directory (if necessary)

  if not "%firstdir%"=="NULL" cd /D "%firstdir%"

  ::exit the script but not cmd.exe

  exit /B %exitCode%

::</MOD>

The BASH version of this same script is below. It has been tested to work on Debian 6, Debian 7, Ubuntu 10.04, Ubuntu 12.04, and Fedora 17. Presumably it should work on any GUN/Linux distribution, and probably BSD and OS X too.

#!/bin/bash

# Write Protect Drive

# Description: This script will write protect a flash drive by using all the remaining free space.

# Last Synced with Awesomestik Installer 1.0

# Author: xorangekiller

# Released: 21 Feb 2012

writeprotect() {

loop=0

free=$(df $USBDEV | tail -n 1 | awk {'print $4;'})

echo "Free space on ${USBDEV}: ${free}K"

while [ $free -gt 0 ]; do

  # Note that 1048576 is 1 gigabyte in kilobytes.

  if [ $free -gt 1048576 ]; then

   free=1048576

  fi

  # Check that the name of the file we want to write is not already taken.

  while [ -e "${USBMNT}/IamDummy${loop}" ]; do

   let loop=loop+1

  done

  echo "Writing file ${USBMNT}/IamDummy${loop} of size ${free}K . . ."

  dd if=/dev/zero of=${USBMNT}/IamDummy${loop} bs=${free}K count=1

  sleep 5 # Give everything time to settle.

  free=$(df $USBDEV | tail -n 1 | awk {'print $4;'})

done

echo "Free space on ${USBDEV}: ${free}K"

}

# Check that we are root before doing anything particularly useful.

#if [ $(id -u) != 0 ]; then

# echo "You need to be root to run this script"

# exit 1

#fi

if [ -n "$1" ]; then

drivetoprotect="$1"

else

echo "Write protect the specified drive by using all available free space."

echo "To protect the current drive just type current at the prompt."

echo "Which drive would you like to protect?"

read drivetoprotect

fi

if [ "$drivetoprotect" == "current" ]; then

drivetoprotect=`pwd`

fi

if [ ! -d "$drivetoprotect" ]; then

echo "ERROR: $drivetoprotect is not a valid directory."

exit 1

fi

# This check was implemented in the original write protect script because of Cooper and carried over here... DO NOT TRY TO WRITE PROTECT YOUR SYSTEM DRIVE!

if [ "$(df "$drivetoprotect" | awk '{print $6}' | tail -n 1)" == "/" ]; then

echo "ERROR: You are attempting to write protect your system drive."

exit 1

fi

# Use the USBMNT variable to maintain compatability with the writeprotect function from the Awesomestik Installer script.

USBMNT=$drivetoprotect

USBDEV=$(df "$USBMNT" | awk '{print $1}' | tail -n 1)

writeprotect

echo "The drive is now write protected!"

exit 0

Edit: Indentation and line spacing got a little bit messed up when I copy/pasted the scripts into the post editor, so I attached a zipped copy of both scripts to this post as well.

WriteProtect.zip

1 person likes this

Share this post


Link to post
Share on other sites

Posted

Neat Script. I just don't trust software. I need a physical lock or device.

2 people like this

Share this post


Link to post
Share on other sites

Posted

Something that has boggled my mind for a while now. In the beginning write protected USB drives were pretty common place (so I've been told).
My first USB pen (32 MB?) had a write-protect slider on the leaner side, and that was pretty much the norm.

Then someone or something made a jerk move.

Neat Script.
Yeah, but needs a license, less BASH, and more POSIX.

Share this post


Link to post
Share on other sites

Posted

Neat Script. I just don't trust software. I need a physical lock or device.

I agree. That's why I said that it only pseudo write protects drives. It can fairly easily be circumvented. However, it seems to be fairly effective against most malware in lieu of a hardware write protected disk, which is clearly superior.

Yeah, but needs a license, less BASH, and more POSIX.

Please explain. I have been using this script for years, but I am open to suggestions. Why does it need a license? What do you mean by "less BASH, and more POSIX"? What should I do to improve it?

Share this post


Link to post
Share on other sites

Posted

What do you mean by "less BASH, and more POSIX"?

It should be independent of any dependencies (such as bash)

Share this post


Link to post
Share on other sites

Posted

It should be independent of any dependencies (such as bash)

Currently I'm using BASH, awk, df, and dd. The requirements are fairly low. Do you think that it should be rewritten in C?

Share this post


Link to post
Share on other sites

Posted

I'm curious if this will introduce compatibility issues (for example, certain machines not registering your USB key because it's attached to this $160 device).

Couldn't you also use an SD card with a USB adapter as an alternative? (Most) SD cards have lock switches.

Share this post


Link to post
Share on other sites

Posted

I just bought one. This device is a dream come true. I'll do a review once it arrives.

Dream come true?

Why not save $160 and not stick it anywhere unclean? :shifty:

Share this post


Link to post
Share on other sites

Posted

I'm curious if this will introduce compatibility issues (for example, certain machines not registering your USB key because it's attached to this $160 device).

Couldn't you also use an SD card with a USB adapter as an alternative? (Most) SD cards have lock switches.

Maybe. I hope not, but we'll see. I'll let ya know what happens.

Dream come true?

Why not save $160 and not stick it anywhere unclean? :shifty:

Because I work on Malware infected machines almost every day. Even if I have no reason to suspect a machine is infected, I DO NOT put a usb thumb drive that is not write protected into another users PC other than my own.

The only exception is if i just preformed a clean install of windows. Once that known clean machine leaves my office a stick or drive that is not write protected will never be inserted into that machine unless a clean install has just been preformed again or if I'm in a clean PE or Linux environment.

If by chance it does accidentally occur that a stick that was not write protected gets inserted into a customers PC (without a clean install having just been done) the media is then hooked up to a machine that has no hard drive attached and is booted into a PE environment where it is formatted before it is inserted back into any of my workstations.

Those are the rules that I follow.

Share this post


Link to post
Share on other sites

Posted

Maybe. I hope not, but we'll see. I'll let ya know what happens.

Because I work on Malware infected machines almost every day. Even if I have no reason to suspect a machine is infected, I DO NOT put a usb thumb drive that is not write protected into another users PC other than my own.

The only exception is if i just preformed a clean install of windows. Once that known clean machine leaves my office a stick or drive that is not write protected will never be inserted into that machine unless a clean install has just been preformed again or if I'm in a clean PE or Linux environment.

If by chance it does accidentally occur that a stick that was not write protected gets inserted into a customers PC (without a clean install having just been done) the media is then hooked up to a machine that has no hard drive attached and is booted into a PE environment where it is formatted before it is inserted back into any of my workstations.

Those are the rules that I follow.

How about a better idea and NOT use USB drives in infected machines. Burn a CD with whatever utilities that you need. ZERO chance of infection.

1 person likes this

Share this post


Link to post
Share on other sites

Posted

That device you've showed there has the same flaw as cheap IDE or SATA drive write blockers, it only catches the most common write codes, so yeah, for the majority of the time you won't be able to write to it.

Got an unusual USB device or one that writes data differently to how that blocker picks it up? Writes will still occur.

Same as if malware uses strage/forged methods to write to a USB device, that thing won't block it at all.

From doing forensics before, if you're worried about malware, you've just wasted your money.

2 people like this

Share this post


Link to post
Share on other sites

Posted

How about a better idea and NOT use USB drives in infected machines. Burn a CD with whatever utilities that you need. ZERO chance of infection.

lolwut... optical drives? it hurts my brain just thinking about it.

slow burn time... no/slow rewrite... not to mention that many machines now have no optical drives.

Share this post


Link to post
Share on other sites

Posted

How about a better idea and NOT use USB drives in infected machines. Burn a CD with whatever utilities that you need. ZERO chance of infection.

CD's do work well, I use USB because I have a backup routine setup inside Syncback which automatically updates the key as necessary with all the new updated apps. Pretty much a 1 click sort of things.

1 person likes this

Share this post


Link to post
Share on other sites

Posted

That device you've showed there has the same flaw as cheap IDE or SATA drive write blockers, it only catches the most common write codes, so yeah, for the majority of the time you won't be able to write to it.

Got an unusual USB device or one that writes data differently to how that blocker picks it up? Writes will still occur.

Same as if malware uses strage/forged methods to write to a USB device, that thing won't block it at all.

From doing forensics before, if you're worried about malware, you've just wasted your money.

You know this device suffers from the same flaw as cheap IDE or Sata write blockers how?

Share this post


Link to post
Share on other sites

Posted

lolwut... optical drives? it hurts my brain just thinking about it.

slow burn time... no/slow rewrite... not to mention that many machines now have no optical drives.

WTF? Never heard of an external USB optical drive?

Here's what you do:

Plug in the external drive.

Throw in the utilities disk.

Clean that **********ing machine.

Send a bill.

:|

2 people like this

Share this post


Link to post
Share on other sites

Posted

You know this device suffers from the same flaw as cheap IDE or Sata write blockers how?

Because back in the forensics division of the uni. I was in, we had a load and got to test them and see their flaws.

There's a reason why ALL the officers in the met cybercrime unit have specialist hand-held disk data transferrers and use the write blockers on them and then ONLY work with the cloned drives to dig up data on pretty modified machines.

1 person likes this

Share this post


Link to post
Share on other sites

Posted

strage/forged methods

Could you give any links to that. I'd like t read up on it but I can't seem to hit anything on google.

Share this post


Link to post
Share on other sites

Posted

WTF? Never heard of an external USB optical drive?

Here's what you do:

Plug in the external drive.

Throw in the utilities disk.

Clean that **********ing machine.

Send a bill.

:|

I personally stopped using optical drives years ago for several reasons, some which I listed above.

In a few years, we'll think of CDs the way we think about floppies - archaic (even though I already consider them archaic).

Share this post


Link to post
Share on other sites

Posted

Please explain.

Your script works for /bin/bash. By changing a few things that are bashisms (Bash specific), your script would be more portable. I'll post something when I get to a terminal at home.

Why does it need a license?

If it's in public domain it doesn't need one. Otherwise what gives? Can I modify and redistribute your code? If so in what terms?

Share this post


Link to post
Share on other sites

Posted

lolwut... optical drives? it hurts my brain just thinking about it.

slow burn time... no/slow rewrite... not to mention that many machines now have no optical drives.

No matter if customer has a optical drive or not.

If customer has it, then I can load an utilities CD in it so I could fix the computer with. Otherwise, I can download the drivers or whatever from the internet as long as the computer has internet connection. If no internet, then I ask customer to bring it to my workplace... or I take it with me if I show up on-site. I have thousands thousands of drivers on CD since 90's. Ahhell's right... external USB optical drive is useful if customer has no internet or on a dial-up.

That way, you never know how old the computer is.... There are some people who have old computers that who can not afford to get a new one. From the stats I have viewed, I have seen people who are using 98, XP, Vista, etc.

Warwagon, you are paranoid and wasted your money on that crap. I haven't used that device.. I have fixed computers for myself and others for many years, no problems...

Share this post


Link to post
Share on other sites

Posted

Could you give any links to that. I'd like t read up on it but I can't seem to hit anything on google.

You probably won't find them, you'd need viruses that exploit that flaw and dissassemblers to view how it's communicating with the hardware and whatnot.

If you really want read-only, get an SD card and an SD-reader.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.