Jump to content

Question

Posted

Something that has boggled my mind for a while now. In the beginning write protected USB drives were pretty common place (so I've been told). But as the progression of Malware has increased, the number of write protected USB drives has decreased.

To be honest, most people don't even care if they stick their usb drive into an infested computer. Even though autorun, for the most part has been disabled on windows systems (so malware shouldn't technically get activated when sticking the stick into a clean machine) I would still never stick a usb flash drive that wasn't write protected into someone else machine. If I did, I would (and have in the past) format the stick from a BartPE environment on another machine before sticking it back into my own.

I was looking online and came across this neat little product. It's called the USB Write blocker. 1 end plugs into the computer and you plug your usb hard drive or USB memory stick into the other end.

[center][img]http://ecx.images-amazon.com/images/I/41MsNWtLhbL.jpg[/img][/center]
[center][media]http://www.youtube.com/watch?v=5RdCyIRK1B8[/media][/center]
[center][media]http://www.youtube.com/watch?v=BQYcI3GmSeU[/media][/center]
[center][url="http://www.amazon.com/WiebeTech-31300-0192-0000-USB-writeblocker-Rohs/dp/B002DH1P0W"]http://www.amazon.co...s/dp/B002DH1P0W[/url][/center]


This device obviously isn't for everyone. But those who do repairs where write protection is a serious concern this might be for you. What I like about this idea, is that you would use it when ever you plug in a usb drive into someones computer. This way you KNOW it's write protected. The problem I had with USB memory sticks that had write protection switches, is I always had to check the switch to make sure it was activated, which means it would be possible to forget.

The only thing I wish it did was not to spoof the writes (showing it copied when it didn't) but just through up a write protection error. For this reason I could never temporary used it on an usb sata dock, because if It was behind the computer and if I forgot it was there, and i went to backup someones files, it would show they got backed up but in the end they would not be. But to be used in combination with a USB repair thumb drive or now a USB repair hard drive, would work great.

it's $160 on Amazon, I think I might get one. Lemme know what you think.
1 person likes this

Share this post


Link to post
Share on other sites

51 answers to this question

  • 0

Posted

The idea itself is excellent. But 160 for that? What's in there - pure magic with unicorn horn salt? :huh:
5 people like this

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Phouchg' timestamp='1344621420' post='595078905']
The idea itself is excellent. But 160 for that? What's in there - pure magic with unicorn horn salt? :huh:
[/quote]

I just bought one. This device is a dream come true. I'll do a review once it arrives.

Share this post


Link to post
Share on other sites
  • 0

Posted

Ah, well, forensics products, of course - when one sells for government officials and such nosy buggers, appending at least one zero to all prices can be completely justified.
Do review it, yes. If they call it a forensics device, I'd hope it's at least tamper proof and reasonably indestructible.

Share this post


Link to post
Share on other sites
  • 0

Posted

That is a really neat idea, but I agree with Phouchg that the price seems somewhat excessive.

While this certainly isn't the ideal solution, I pseudo write protect my flash drives which may be plugged into infected computers using a simple Batch script (or, more often than not, the equivalent BASH script, since I don't spend very much time in Windows anymore). The idea is that if there is no free space left on disk, no files can be infected and no new files can be added without deleting something. When I want to write to disk, I remove my dummy file, modify stuff, and "write protect" it again.

In case anyone is interested, the Batch script is below. There is a bug in the way disk space is calculated (not just in my script, by the way, in Windows itself), and you may need to eject the disk after "write protecting" it and run the script on it a second time. Sometimes it will claim to be 100% full before you eject it, but show 4.00 KiB of free space when you plug it back in. If anyone knows exactly why this happens or how to fix it please let me know.

[CODE]
::Write Protect Drive
::Description: This script will write protect a flash drive by using all the remaining free space.
::Modification: modifications are clearly marked by the <MOD> and </MOD> flags
::Last Synced with Awesome Script Version 1.3.5
::Author: xorangekiller
::Released: 10 December 2009
@echo off
::<MOD> the following code did not exist (it was handled by the awesome script)
:start
::set the default errorlevel
set exitCode=0
::change the starting directory (if necessary)
set firstdir=NULL
if "%cd%\"=="%~dp0" goto writeprotect
set firstdir=%cd%
cd /D "%~dp0"
::</MOD>
:writeprotect
::attempt the write protect the drive (presumably a flash drive) by creating a dummy file to use all remaining free space
::this prevents viruses and such from attaching themselves to files or copying themselves to your drive
::this does NOT, however, prevent files from being deleted and replaced!
::<MOD>set current=writeprotect</MOD>
fsutil 1>nul 2>nul
if %errorlevel%==1 goto writeprotectNoAdmin
:writeprotectDialog
echo.
echo Write protect the specified drive by using all available free space.
echo.
echo To protect the current drive just type "current" at the prompt.
echo.
set /p userinp=Which drive would you like to protect?
::special cases of the variable
if "%userinp%"=="" set userinp=%cd%
if "%userinp%"=="current" set userinp=%cd%
::check to make sure that we have a drive path
if not "%userinp:~1,1%"==":" goto writeprotectPathError
::only use the drive letter, colon, and slash regardless of the path entered
set userinp=%userinp:~0,3%
if not "%userinp:~2,2%"=="\" if not "%userinp:~2,2%"=="/" set userinp=%userinp%\
::this check was implemented because of Cooper... DO NOT TRY TO WRITE PROTECT YOUR C: DRIVE!
if "%userinp:~0,2%"=="%systemdrive%" ( echo.
echo Error! You are attempting to write protect your system drive.
::according to my PL (Dave DiCarlo) using rehtorical questions in this manner is something New Yorkers primarily do
echo Are you sure you want to do that? I don't think so!
echo.
echo Press any key to try again . . .
pause >nul
::<MOD> "goto start" is not the proper reference
goto writeprotect )
::</MOD>
::create a directory to hold the (potentially large) number of dummy files
::set /p userinp=%userinp%IamDummy\
::mkdir %userinp%IamDummy
setlocal ENABLEDELAYEDEXPANSION
:writeprotectCreateLoop
set bytesfree=0
::capture the bytes free determined by dir and remove the commas (because fsutil doesn't like those)
for /f "tokens=3-6 delims==, " %%a in ( 'dir "%userinp%" ^| findstr /C:"bytes free"' ) do ( if %%a==bytes goto writeprotectEndLoop
if %%a GTR 0 set bytesfree=%%a
if %%b==bytes goto writeprotectEndLoop
if %%b GTR 0 set bytesfree=!bytesfree!%%b
if %%c==bytes goto writeprotectEndLoop
if %%c GTR 0 set bytesfree=!bytesfree!%%c
if %%d==bytes goto writeprotectEndLoop
if %%d GTR 0 set bytesfree=!bytesfree!%%d
if %%e==bytes goto writeprotectEndLoop
if %%e GTR 0 set bytesfree=!bytesfree!%%e)
::the EndLoop label is a hack to break the loop if necessary
:writeprotectEndLoop
::it is absolutely necessary to check if there is no space left free and break the loop
::although there IS such a number as infinity most computers cannot reach it within a reasonable amount of time
::so this is a good "workaround"
if %bytesfree% EQU 0 goto writeprotectComplete
::1024 Bytes = 1 Kilobyte; 1048576 Bytes = 1 Megabyte; 1073741824 Bytes = 1 Gigabyte
::1 gigabyte in bytes
set gb=1073741824
::determine the dummy file(s) to create
if %bytesfree% GEQ %gb% set bytesfree=%gb%
set filenum=0
::check to make sure that the dummy file does not already exist... it causes problems
:writeprotectFileNumCheck
if not exist %userinp%IamDummy%filenum% goto writeprotectCreateDummy
set /A filenum=%filenum%+1
goto writeprotectFileNumCheck
:writeprotectCreateDummy
::create a dummy file
::echo Writing file %userinp%IamDummy%filenum% of size %bytesfree% . . .
fsutil file createnew "%userinp%IamDummy%filenum%" %bytesfree%
::check to see if we need to repeat the procedure with another dummy file (recurse)
::although infinite looping is generally not a good thing batch gives us no choice
::"The time has come for the cobra to come up and reveal himself. You will call me - Commander."
goto writeprotectCreateLoop
:writeprotectComplete
endlocal
::brag by printing a message informing the user that we did our job successfully (hopefully, bytes free should be ZERO)
echo.
dir "%userinp%" | findstr /C:"bytes free"
echo.
pause
::<MOD> "goto start" is not the proper reference
goto end
::</MOD>
:writeprotectNoAdmin
echo.
echo ERROR! You need administrative privileges to run this function!
echo.
pause
::<MOD> "goto start" is not the proper reference
goto end
::</MOD>
:writeprotectPathError
echo.
echo ERROR! You must enter a valid drive path!
echo.
echo Example: %cd:~0,3%
echo.
set /p userinp=Continue or Quit (C\Q)?
set userinp=%userinp:~0,1%
::<MOD> "goto start" is not the proper reference
if "%userinp%"=="Q" goto end
if "%userinp%"=="q" goto end
::</MOD>
goto writeprotectDialog
::<MOD> the following code did not exist (it was handled by the awesome script)
:end
::revert the current directory (if necessary)
if not "%firstdir%"=="NULL" cd /D "%firstdir%"
::exit the script but not cmd.exe
exit /B %exitCode%
::</MOD>
[/CODE]

The BASH version of this same script is below. It has been tested to work on Debian 6, Debian 7, Ubuntu 10.04, Ubuntu 12.04, and Fedora 17. Presumably it should work on any GUN/Linux distribution, and probably BSD and OS X too.

[CODE]
#!/bin/bash
# Write Protect Drive
# Description: This script will write protect a flash drive by using all the remaining free space.
# Last Synced with Awesomestik Installer 1.0
# Author: xorangekiller
# Released: 21 Feb 2012
writeprotect() {
loop=0
free=$(df $USBDEV | tail -n 1 | awk {'print $4;'})
echo "Free space on ${USBDEV}: ${free}K"
while [ $free -gt 0 ]; do
# Note that 1048576 is 1 gigabyte in kilobytes.
if [ $free -gt 1048576 ]; then
free=1048576
fi
# Check that the name of the file we want to write is not already taken.
while [ -e "${USBMNT}/IamDummy${loop}" ]; do
let loop=loop+1
done
echo "Writing file ${USBMNT}/IamDummy${loop} of size ${free}K . . ."
dd if=/dev/zero of=${USBMNT}/IamDummy${loop} bs=${free}K count=1
sleep 5 # Give everything time to settle.
free=$(df $USBDEV | tail -n 1 | awk {'print $4;'})
done
echo "Free space on ${USBDEV}: ${free}K"
}
# Check that we are root before doing anything particularly useful.
#if [ $(id -u) != 0 ]; then
# echo "You need to be root to run this script"
# exit 1
#fi
if [ -n "$1" ]; then
drivetoprotect="$1"
else
echo "Write protect the specified drive by using all available free space."
echo "To protect the current drive just type current at the prompt."
echo "Which drive would you like to protect?"
read drivetoprotect
fi
if [ "$drivetoprotect" == "current" ]; then
drivetoprotect=`pwd`
fi
if [ ! -d "$drivetoprotect" ]; then
echo "ERROR: $drivetoprotect is not a valid directory."
exit 1
fi
# This check was implemented in the original write protect script because of Cooper and carried over here... DO NOT TRY TO WRITE PROTECT YOUR SYSTEM DRIVE!
if [ "$(df "$drivetoprotect" | awk '{print $6}' | tail -n 1)" == "/" ]; then
echo "ERROR: You are attempting to write protect your system drive."
exit 1
fi
# Use the USBMNT variable to maintain compatability with the writeprotect function from the Awesomestik Installer script.
USBMNT=$drivetoprotect
USBDEV=$(df "$USBMNT" | awk '{print $1}' | tail -n 1)
writeprotect
echo "The drive is now write protected!"
exit 0
[/CODE]

Edit: Indentation and line spacing got a little bit messed up when I copy/pasted the scripts into the post editor, so I attached a zipped copy of both scripts to this post as well.
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

Neat Script. I just don't trust software. I need a physical lock or device.
2 people like this

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='warwagon' post='595078351']Something that has boggled my mind for a while now. In the beginning write protected USB drives were pretty common place (so I've been told).[/quote]My first USB pen (32 MB?) had a write-protect slider on the leaner side, and that was pretty much the norm.
Then someone or something made a jerk move.

[quote name='warwagon' post='595079001']Neat Script.[/quote] Yeah, but needs a license, less BASH, and more POSIX.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='warwagon' timestamp='1344623285' post='595079001']
Neat Script. I just don't trust software. I need a physical lock or device.
[/quote]

I agree. That's why I said that it only pseudo write protects drives. It can fairly easily be circumvented. However, it seems to be fairly effective against most malware in lieu of a hardware write protected disk, which is clearly superior.

[quote name='tiagosilva29' timestamp='1344623885' post='595079053']
Yeah, but needs a license, less BASH, and more POSIX.
[/quote]

Please explain. I have been using this script for years, but I am open to suggestions. Why does it need a license? What do you mean by "less BASH, and more POSIX"? What should I do to improve it?

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='xorangekiller' timestamp='1344625112' post='595079117']
What do you mean by "less BASH, and more POSIX"?
[/quote]
It should be independent of any dependencies (such as bash)

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='metro2012' timestamp='1344625568' post='595079137']
It should be independent of any dependencies (such as bash)
[/quote]

Currently I'm using BASH, awk, df, and dd. The requirements are fairly low. Do you think that it should be rewritten in C?

Share this post


Link to post
Share on other sites
  • 0

Posted

I'm curious if this will introduce compatibility issues (for example, certain machines not registering your USB key because it's attached to this $160 device).

Couldn't you also use an SD card with a USB adapter as an alternative? (Most) SD cards have lock switches.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='warwagon' timestamp='1344621476' post='595078907']
I just bought one. This device is a dream come true. I'll do a review once it arrives.
[/quote]
Dream come true?
Why not save $160 and not stick it anywhere unclean? :shifty:

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Tha Bloo Monkee' timestamp='1344626162' post='595079163']
I'm curious if this will introduce compatibility issues (for example, certain machines not registering your USB key because it's attached to this $160 device).

Couldn't you also use an SD card with a USB adapter as an alternative? (Most) SD cards have lock switches.
[/quote]

Maybe. I hope not, but we'll see. I'll let ya know what happens.

[quote name='ahhell' timestamp='1344626205' post='595079173']
Dream come true?
Why not save $160 and not stick it anywhere unclean? :shifty:
[/quote]

Because I work on Malware infected machines almost every day. Even if I have no reason to suspect a machine is infected, I DO NOT put a usb thumb drive that is not write protected into another users PC other than my own.

The only exception is if i just preformed a clean install of windows. Once that known clean machine leaves my office a stick or drive that is not write protected will never be inserted into that machine unless a clean install has just been preformed again or if I'm in a clean PE or Linux environment.

If by chance it does accidentally occur that a stick that was not write protected gets inserted into a customers PC (without a clean install having just been done) the media is then hooked up to a machine that has no hard drive attached and is booted into a PE environment where it is formatted before it is inserted back into any of my workstations.

Those are the rules that I follow.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='warwagon' timestamp='1344626397' post='595079177']
Maybe. I hope not, but we'll see. I'll let ya know what happens.



Because I work on Malware infected machines almost every day. Even if I have no reason to suspect a machine is infected, I DO NOT put a usb thumb drive that is not write protected into another users PC other than my own.

The only exception is if i just preformed a clean install of windows. Once that known clean machine leaves my office a stick or drive that is not write protected will never be inserted into that machine unless a clean install has just been preformed again or if I'm in a clean PE or Linux environment.

If by chance it does accidentally occur that a stick that was not write protected gets inserted into a customers PC (without a clean install having just been done) the media is then hooked up to a machine that has no hard drive attached and is booted into a PE environment where it is formatted before it is inserted back into any of my workstations.

Those are the rules that I follow.
[/quote]
How about a better idea and NOT use USB drives in infected machines. Burn a CD with whatever utilities that you need. ZERO chance of infection.
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

That device you've showed there has the same flaw as cheap IDE or SATA drive write blockers, it only catches the most common write codes, so yeah, for the majority of the time you won't be able to write to it.
Got an unusual USB device or one that writes data differently to how that blocker picks it up? Writes will still occur.
Same as if malware uses strage/forged methods to write to a USB device, that thing won't block it at all.

From doing forensics before, if you're worried about malware, you've just wasted your money.
2 people like this

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='ahhell' timestamp='1344626897' post='595079219']
How about a better idea and NOT use USB drives in infected machines. Burn a CD with whatever utilities that you need. ZERO chance of infection.
[/quote]
lolwut... optical drives? it hurts my brain just thinking about it.
slow burn time... no/slow rewrite... not to mention that many machines now have no optical drives.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='ahhell' timestamp='1344626897' post='595079219']
How about a better idea and NOT use USB drives in infected machines. Burn a CD with whatever utilities that you need. ZERO chance of infection.
[/quote]

CD's do work well, I use USB because I have a backup routine setup inside Syncback which automatically updates the key as necessary with all the new updated apps. Pretty much a 1 click sort of things.
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='n_K' timestamp='1344627088' post='595079231']
That device you've showed there has the same flaw as cheap IDE or SATA drive write blockers, it only catches the most common write codes, so yeah, for the majority of the time you won't be able to write to it.
Got an unusual USB device or one that writes data differently to how that blocker picks it up? Writes will still occur.
Same as if malware uses strage/forged methods to write to a USB device, that thing won't block it at all.

From doing forensics before, if you're worried about malware, you've just wasted your money.
[/quote]

You know this device suffers from the same flaw as cheap IDE or Sata write blockers how?

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Tha Bloo Monkee' timestamp='1344627317' post='595079257']
lolwut... optical drives? it hurts my brain just thinking about it.
slow burn time... no/slow rewrite... not to mention that many machines now have no optical drives.
[/quote]
WTF? Never heard of an external USB optical drive?
Here's what you do:
Plug in the external drive.
Throw in the utilities disk.
Clean that **********ing machine.
Send a bill.
:|
2 people like this

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='warwagon' timestamp='1344627819' post='595079303']
You know this device suffers from the same flaw as cheap IDE or Sata write blockers how?
[/quote]
Because back in the forensics division of the uni. I was in, we had a load and got to test them and see their flaws.
There's a reason why ALL the officers in the met cybercrime unit have specialist hand-held disk data transferrers and use the write blockers on them and then ONLY work with the cloned drives to dig up data on pretty modified machines.
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='n_K' timestamp='1344629010' post='595079381']
strage/forged methods
[/quote]

Could you give any links to that. I'd like t read up on it but I can't seem to hit anything on google.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='ahhell' timestamp='1344628109' post='595079325']
WTF? Never heard of an external USB optical drive?
Here's what you do:
Plug in the external drive.
Throw in the utilities disk.
Clean that **********ing machine.
Send a bill.
:|
[/quote]
I personally stopped using optical drives years ago for several reasons, some which I listed above.

In a few years, we'll think of CDs the way we think about floppies - archaic (even though I already consider them archaic).

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='xorangekiller' post='595079117']Please explain.[/quote]
Your script works for /bin/bash. By changing a few things that are bashisms (Bash specific), your script would be more portable. I'll post something when I get to a terminal at home.
[quote name='xorangekiller' post='595079117']Why does it need a license?[/quote]
If it's in public domain it doesn't need one. Otherwise what gives? Can I modify and redistribute your code? If so in what terms?

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Tha Bloo Monkee' timestamp='1344627317' post='595079257']
lolwut... optical drives? it hurts my brain just thinking about it.
slow burn time... no/slow rewrite... not to mention that many machines now have no optical drives.
[/quote]

No matter if customer has a optical drive or not.

If customer has it, then I can load an utilities CD in it so I could fix the computer with. Otherwise, I can download the drivers or whatever from the internet as long as the computer has internet connection. If no internet, then I ask customer to bring it to my workplace... or I take it with me if I show up on-site. I have thousands thousands of drivers on CD since 90's. Ahhell's right... external USB optical drive is useful if customer has no internet or on a dial-up.

That way, you never know how old the computer is.... There are some people who have old computers that who can not afford to get a new one. From the stats I have viewed, I have seen people who are using 98, XP, Vista, etc.

Warwagon, you are paranoid and wasted your money on that crap. I haven't used that device.. I have fixed computers for myself and others for many years, no problems...

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='warwagon' timestamp='1344629258' post='595079399']
Could you give any links to that. I'd like t read up on it but I can't seem to hit anything on google.
[/quote]
You probably won't find them, you'd need viruses that exploit that flaw and dissassemblers to view how it's communicating with the hardware and whatnot.
If you really want read-only, get an SD card and an SD-reader.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='shozilla' timestamp='1344674482' post='595080629']
Warwagon, you are paranoid and wasted your money on that crap.
[/quote]

You have a way with words. I think you should write books.
3 people like this

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.