Jump to content











Photo
- - - - -

Make USB read-only


  • Please log in to reply
16 replies to this topic

#1 Alexander Ceed

Alexander Ceed

    Frequent Member

  • Advanced user
  • 205 posts

Posted 09 January 2016 - 05:18 PM

I cannot buy a USB stick with read-only switch so I must come up with a software sollution for it. I have a usb device with portable programs and some files that I use. I will sometimes use this on infected systems. I need to make the USB read-only so that the only operation permitted is file copy. Nothing will be executed off the stick.

 

I have learned, from superuser.com, that
 

Any file/folder containing * in their name will be read-only in Windows.

Even admin can't delete or modify it. Remaing space is available for other use. Formting the device will delete it. As * is a invalid charactor for a file name you can't add it to a file name from Windows. In order the rename the file, boot into a linux OS and just rename it. Tested on Windows 7, from Ubuntu, NTFS formatted pen drive. FAT fs may not support.

 

However, even if the files are read-only, the available free space of the drive is still writable. And even if that weren't a problem, a malware code might even infect the firmware. The desired sollution should allow me to make it read-only but also undo it in order to update the usb.

 

 

I'm seeking advice from you guys as the best possible sollution to my problem.

Thanks again guys.



#2 steve6375

steve6375

    Platinum Member

  • Developer
  • 6541 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars
  •  
    United Kingdom

Posted 09 January 2016 - 05:54 PM

Why not use a SD card + USB SD card reader (USB 3). Then you can use the WP tag on the SD card? These are not that fast though! Not all readers look at the switch though, so beware!

Zalman drive caddies have a write-protect switch at the top of the drive (VE200 does, not sure about later models?). I think the ISOStick has WP feature also??

Kanguru and some Netac drives (e.g. U335) have a WP switch - these are on Amazon.

You can write a script to fill the drive completely, thus preventing any s/w from adding or modifying files on it. Run a 'delete' script to remove the filler files when you need to modify it.

You can get USB devices which block writes to any USB device - see video - but expensive ($190 on Amazon)!



#3 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13440 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 09 January 2016 - 06:16 PM

Well, get *any* USB stick with a dual LUN controller AND with the manufacturer utility to make one of the two LUN's a CD-like device.

Not the easiest thing to do (to find a suitable USB stick) and not for the faintest of heart (to use an often under- or mis- documented Manufacturer Tool to set the device as CD).

 

Depending on how much you want to spend, you can get a USB Write blocker.

 

JFYI, that "asterisk in the name" thingy makes very little sense, it leverages  on non-standard characters in file name on Windows, very likely it may work for the "smart script kid" batch file, but arguably for "real" malware. 

 

:duff:

Wonko



#4 Alexander Ceed

Alexander Ceed

    Frequent Member

  • Advanced user
  • 205 posts

Posted 09 January 2016 - 06:20 PM

You can write a script to fill the drive completely, thus preventing any s/w from adding or modifying files on it. Run a 'delete' script to remove the filler files when you need to modify it.

 

Yes, but that is not preventing the existing files to be infected. Any mallicious code will not be able to copy itself but will  be able infect the existing ones.



#5 Alexander Ceed

Alexander Ceed

    Frequent Member

  • Advanced user
  • 205 posts

Posted 09 January 2016 - 06:20 PM

So, in other words: there's nothing I can do except buying an USB device with a ReadOnly Switch?


Edited by Alexander Ceed, 09 January 2016 - 06:23 PM.


#6 steve6375

steve6375

    Platinum Member

  • Developer
  • 6541 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars
  •  
    United Kingdom

Posted 09 January 2016 - 06:26 PM

Yes, but that is not preventing the existing files to be infected. Any mallicious code will not be able to copy itself but will  be able infect the existing ones.

Malware cannot re-write any file. It could byte-modify the drive sectors, but most malware doesn't work like that, it overwrites a file to patch/replace it - but this is not possible if the drive is absolutely full because no temporary file can be made first.

At least that is the theory!



#7 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13440 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 09 January 2016 - 06:31 PM

So, in other words: there's nothing I can do except buying an USB device with a ReadOnly Switch?

In other words you have been given several alternative options, which you decided to ignore.

 

Just for the fun of it, I will add a link to an el-chapo DIY USB Write blocker, presented at BlackHat 2012:

http://dangerousprot...-write-blocker/

http://www.instructa...-Write-Blocker/

http://micsymposium....bmission_17.pdf

 

:duff:

Wonko



#8 Alexander Ceed

Alexander Ceed

    Frequent Member

  • Advanced user
  • 205 posts

Posted 09 January 2016 - 08:46 PM

Why not use a SD card + USB SD card reader (USB 3). Then you can use the WP tag on the SD card? These are not that fast though! Not all readers look at the switch though, so beware!

 

 

I cannot use an SD card because it is slow, and I use this usb for all my debugging purposes so I need it to be fast.

 

Zalman drive caddies have a write-protect switch at the top of the drive (VE200 does, not sure about later models?). I think the ISOStick has WP feature also??

 

 

I'll have to take a loot at ISOstick to see if it actually can do that.

 

 

Kanguru and some Netac drives (e.g. U335) have a WP switch - these are on Amazon.

 

 

I already have the usb sticks. In my current location, USBs with WP are very hard to come by and I'll have to buy them outside the country. The cost will greatly increase due to shipping... can't do that.

 

 

You can write a script to fill the drive completely, thus preventing any s/w from adding or modifying files on it. Run a 'delete' script to remove the filler files when you need to modify it.

 

 

Yes, I was thinking about doing this.

 

 

Well, get *any* USB stick with a dual LUN controller AND with the manufacturer utility to make one of the two LUN's a CD-like device.

Not the easiest thing to do (to find a suitable USB stick) and not for the faintest of heart (to use an often under- or mis- documented Manufacturer Tool to set the device as CD).

 

 

And this will work like an USB with two partitions? One readable and one writable?

 

Depending on how much you want to spend, you can get a USB Write blocker.

 

 

I'm looking just for a software sollution --not hardware.



#9 steve6375

steve6375

    Platinum Member

  • Developer
  • 6541 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars
  •  
    United Kingdom

Posted 09 January 2016 - 09:52 PM

No non-hardware solution will prevent byte patching of sectors. I presume you don't want to install anything on the host system?

Do you want protection from Windows and linux malware?

There are ways of preventing Windows from accessing some volumes, but that won't stop linux programs.

If you can afford an ISOStick, then why not buy Netac U335's which I thought would be cheaper.

 

If there was an easy, universal non-hardware solution then every one would be using it! So you need to define the usage precise conditions that you want/need. e.g. OS's, FAT32/NTFS/exFAT on USB drive, do you boot any type of software from the USB drive, etc.



#10 Alexander Ceed

Alexander Ceed

    Frequent Member

  • Advanced user
  • 205 posts

Posted 09 January 2016 - 11:39 PM

So you need to define the usage precise conditions that you want/need. e.g. OS's, FAT32/NTFS/exFAT on USB drive, do you boot any type of software from the USB drive, etc.

 

 

It is an 64GB USB stick that I use for maintenance and debugging, it has grub4DOS configuration and will be used to boot images. On the same USB I also have lots of small portable applications that I usually run directly from the stick. On heavily infected system I just want to be able to copy the contents without actually allowing anything to edit the stick. The USB device uses only NTFS because I have files that exceed 4GB.

 

Since it is a portable solution, there is no fixed host.

 

Do you want protection from Windows and linux malware?

 

 

Just Windows.



#11 RoyM

RoyM

    Frequent Member

  • .script developer
  • 401 posts
  • Interests:Component level repair, Micro-processor based equipment. Computer Repair + Custom Builds.
    (ie. Game Machines, Custom Firewalls\Smoothwalls)
    Network Penetration and testing + Wireless.
    Fishing, Hunting, Camping, Gaming.
  •  
    United States

Posted 10 January 2016 - 02:28 AM

If you are only booting Windows OS's
you may use the WProtect Tool from Colin Ramsdens
Originaly written for Win7FE Boot disks.
 
Regards
RoyM


#12 Agent47

Agent47

    Frequent Member

  • Advanced user
  • 164 posts
  •  
    India

Posted 10 January 2016 - 03:59 AM

If you can't buy a flash stick with hardware write protection switch, i would suggest formatting the disk as NTFS and play with NTFS permissions to deny any write attempt to the file system. Yes, this is indeed not a false proof method. While theoretically a malware can bypass the NTFS permissions, it's very effective against common malwares which spreads through USB flash sticks - ie sality virus which modifies all exe files, viruses which makes all files/folders hidden, the one which creates "new folder.exe" etc.

 

I would suggest using "NTFS drive Protection" which can do the necessary permission changes on a single click   -

 

http://www.sordum.or...rotection-v1-4/

 

In my practical tests, common USB malwares like folder virus and those who take advantages of "autorun.inf" totally failed to infect my protected drive. Sure, there may be high level malwares which can bypass permissions but something is better than nothing  :) .


  • steve6375 likes this

#13 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13440 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 10 January 2016 - 09:33 AM

And this will work like an USB with two partitions? One readable and one writable?

Yes and no, depending on the specific controller one of the two LUN's may emulate a "CD-like" device or a "read only HD-like" device, whilst the second will be a "normal" RW "HD-like device.

What you will see normally will not be two partitions on a same device, but rather two devices, just like you had inserted two disks, the LUN concept goes back to good ol' SCSI, a device will have a number, a normal stick has one, these sticks can have two.

 

See also:

http://www.msfn.org/...-cdfs/?p=784641

And Steve6375*s example Tutorial:

http://www.rmprepusb...n-a-flash-drive

Please note how that SMI tool is one of the easiest or more "user friendly" ones that you can find, most of the others are much more difficult to use and may well "brick" your stick if used improperly.

 

@Agent47

Oww, comeon, if we are talking of protecting something from malware, we are talking of protecting it from most malware, to the best of our possibilties, not only from the common ones.

 

There is still however something that is "not right" in the sense that the usage paradigm of this stick is not at all clear (to me at least :dubbio:).

 

If it is used as a "recovery environment" or "malware removal/disinfectint" then it is ONLY used as a boot device so there is no way it can be infected if not in the (now really rare) case of a virus/malware residing in BIOS/UEFI.

 

If it is used as a "media to run some diagnostics programs" on a supposedly infected system (Windows only) there are normally no issues to:

  • boot from the stick (as before)
  • verify that the machine is not infected and clean it if needed (as before)
  • copy to the infected machine's hard disk the (small) bunch of diagnostics utilities/whatever
  • remove the stick and boot the machine to the built-in (possibly still infected) OS and then run the fiagnostics/utilities/whatever

 

The risk is 99.9999% connected to inserting the stick to an already booted and running OS, so just don't and you will be fine.

 

:duff:

Wonko



#14 Alexander Ceed

Alexander Ceed

    Frequent Member

  • Advanced user
  • 205 posts

Posted 10 January 2016 - 09:42 PM

The risk is 99.9999% connected to inserting the stick to an already booted and running OS, so just don't and you will be fine.

 

 

You are forgetting one thing: human error. I tend to forget when I am under pressure so that may and may not work.

 

 

The best course of action of course is to just buy an USB stick with a read/write switch. And I think I'll do just that, the money is worth it. As one final set of questions to you guys regarding these usb devices:

 

1. Are they slower/faster than regular usb devices? Say one 128GB drive RW Switch vs 128GB Normal without RW switch.

For the sake of argument take these two

http://www.amazon.co...r voyager 128gb

http://www.amazon.co...ction usb 128gb

 

2. What should I look for when choosing a hardware write protected usb? Any specifications I should be on the lookout for or anything will do?

 

 

Thanks for your valuable input guys.



#15 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13440 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 11 January 2016 - 08:56 AM

1. Are they slower/faster than regular usb devices? Say one 128GB drive RW Switch vs 128GB Normal without RW switch.

For the sake of argument take these two

http://www.amazon.co...r voyager 128gb

http://www.amazon.co...ction usb 128gb

 

 

There is no argument if you are even thinking to spend some 200 bucks for a stick.

 

Noone *needs* 128 Gb on a single stick.

 

Even if someone *needs* it, the same human error mentioned will have him/her lose it in no time.

 

You can get 15 (fifteen) of these:

http://www.amazon.co...00S83A8UI?psc=1

for the same money.

 

Anyway, no, here is nothing "different" between a "normal" USB stick and a "Write protected" one, as a matter of fact, if you crack open a few "normal" sticks, it is likely that you will find one or more that already have on the PCB the provision to install the switch (at least this was accurate for some no-name USB sticks I happened to have).

 

:duff:

Wonko



#16 Hydranix

Hydranix

    Newbie

  • Members
  • 18 posts
  •  
    United States

Posted 11 January 2016 - 06:09 PM

Listed from easiest to hardest.

 

* Modify firmware with manufacturer software. (easiest way by far)

(Private message me and i can help you, i've done this with hundreds of sticks. Some for the exact same intents you had. It is also possible to reserve a portion of the space on the flash drive as still-writable like normal, while the other portion is read-only and unable to be written to without using the manufacturer tool to reconfigure. [read: safe from malware, but not screwed if u forget something at last minute]) .You can even make the stick report your company/personal name on insert instead of Patriot or whatever.

 

* Buy flash drive with write-protect switch pre-installed

 

* Use sdcard reader with switch logic.

 

* Buy flash drive and solder switch onto unpopulated leads.​

 

* Use sdcard reader and create switchable circuit on write-protect lead on the microcontroller by referencing datasheet.

 

* Spend $400von a huge flash drive which will just fizzle (out of warranty) long before it becomes worth a tenth of that cost.

(You're better buying a handful of smaller drives, 32GB is more than enough for any use, especially recovery enviroments.)

 

I have a 64GB stick which has the install.wim files for Windows 7 through Windows 10 (all versions, both 32 and 64 bit), a Windows 7 x86 PE, Windows 8.1 x86_64 PE (no wow64), Custom Linux environment, Linux device testing environment, 6 memory testing baremetal programs, and 4GB or tools nearing almost 1000 separate tools (versions for 32 and 64 bit.Windows), and everything which is bootable has botyh BIOS and UEFI boot options, has graphic boot menu and fallback Grub4Dos or Syslinux.

 

That stick is not at 50% used space yet... also has trouble on some older systems and some oddball BIOS versions on newer systems. No smaller sticks have ever had issues.

 

 

I wouldn't dismiss Wonko's wisdom quite so quickly.


Edited by Hydranix, 11 January 2016 - 06:10 PM.


#17 Wonko the Insane

Wonko the Insane

    Silver Member

  • Advanced user
  • 500 posts
  • Location:The Inside of the Asylum (gate is wide open)
  • Interests:Oh, so you hate me too? Well, join the club! There are weekly meetings at the corner of Fuck You St. and Kiss My Ass Blvd.

Posted 14 January 2016 - 04:00 AM

Find a way to boot the contents of your stick so that it is stored entirely in RAM, then unplug the USB once everything is fully loaded in. Any changes malware tries to make won't last beyond a reboot.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users