Windows Forensics Tips - USB Write Protected

Hi every one!

I have decided to write this post in English. Why? The answer is: why not? In Digital Forensics it is very important to maintain the integrity of the evidence, which is why you need to read data without any modification. Sometimes you get the "evidence" and write it onto a USB stick; then, if you have to read that data on a Windows machine, you must enable write protection for USB devices so that nothing on the stick is modified.

That is the goal of this post: I have written a simple batch script to "enable" and "disable" USB write protection whenever you need it. By default Windows always allows writing to USB devices.

The usage is easy, it works like "stop / start": before you plug in the USB device you must run the script, and from then on every USB device is write protected. If you run the script again, you disable it, so the next USB device you plug in is not write protected.

Here is the script:

@echo off
:: ****************
:: getUSBProtect v.01
:: @Date: 16/09/2015
:: @Version: 0.1
:: @Author: Julian J. Gonzalez
:: @Dept: ST2Labs -
:: ****************

SET key="HKLM\System\CurrentControlSet\Control\StorageDevicePolicies"
SET value=WriteProtect

:: BatchGotAdmin
REM  --> Check for permissions (writing under HKLM\System needs admin rights)
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
    REM --> Run the helper, which relaunches this script elevated, then leave
    "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"

:: Check if Key exists; if it does not, protection is off, so enable it
reg query %key% >nul 2>&1
if %errorlevel% NEQ 0 GOTO writeup

:: Key exists and now we can read the Registry Value (third column of the output)
FOR /F "tokens=2*" %%A IN ('reg query %key% /v %value% 2^>nul') DO SET _base=%%B

:: Key exists but the value does not: protection is off, so enable it
if not defined _base GOTO writeup

:: Verify if WriteProtect is enabled: toggle it off if so, on otherwise
if %_base%==0x1 (
GOTO writeoff
) else ( GOTO writeup )

:writeup
reg add %key% /v %value% /t REG_DWORD /d 0x1 /f
mshta "about:<script>alert('USB Write Protect is Enabled !!!');close()</script>"
GOTO :EOF

:writeoff
reg add %key% /v %value% /t REG_DWORD /d 0x0 /f
mshta "about:<script>alert('USB Write Protect is Disabled !!!');close()</script>"
GOTO :EOF

Get the Script // Check my GitHub:

How it works

Windows controls write protection for USB storage devices through this registry key and value:

SET key="HKLM\System\CurrentControlSet\Control\StorageDevicePolicies"
SET value=WriteProtect

Value 0 - Write protection is disabled (the default; the key is usually absent on a fresh install, which has the same effect).
Value 1 - Write protection is enabled.

Remember, the USB device must be unplugged and plugged in again for the change to take effect: the policy applies to devices connected after the value is written.
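The same mechanism written as a PowerShell script, as an added example that is not the post's own code: it reads the WriteProtect value, creates the StorageDevicePolicies key when it is missing (as on a default install), toggles the value exactly like the batch script does, and reads it back afterwards so you do not trust a write you have not verified. The function names (Get-UsbWriteProtect, Set-UsbWriteProtect, Switch-UsbWriteProtect, Test-IsAdministrator) are my own choices; the key, value name and the 0/1 semantics are the ones described above.

```powershell
# Added example, not the post's script. Same registry key and value as the
# batch script; only the structure (read / write / verify) is mine.

$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$PolicyName = 'WriteProtect'

function Test-IsAdministrator {
    # Writing under HKLM\SYSTEM requires an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UsbWriteProtect {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured'. A missing key or value
    # behaves like 0: Windows allows writes to newly attached USB storage.
    if (-not (Test-Path -Path $PolicyKey)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PolicyName -eq 1) { return 'Enabled' } else { return 'Disabled' }
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory = $true)][bool]$Enabled)

    if (-not (Test-IsAdministrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
    # The key does not exist on a default install; create it on first use.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # REG_DWORD 1 = write protected, 0 = writes allowed, as in the batch script.
    $data = if ($Enabled) { 1 } else { 0 }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value $data -Force | Out-Null

    # Read the value back instead of assuming the write succeeded.
    $state    = Get-UsbWriteProtect
    $expected = if ($Enabled) { 'Enabled' } else { 'Disabled' }
    if ($state -ne $expected) {
        throw "Verification failed: expected $expected, registry reports $state"
    }
    return $state
}

function Switch-UsbWriteProtect {
    # Same start/stop behaviour as the batch script: turn it on when it is off
    # or not configured, turn it off when it is on.
    $current = Get-UsbWriteProtect
    $target  = ($current -ne 'Enabled')
    $result  = Set-UsbWriteProtect -Enabled $target
    Write-Host "USB write protection is now $result (applies to devices plugged in from now on)."
    return $result
}

# Usage: show the current state, then toggle it.
Get-UsbWriteProtect
Switch-UsbWriteProtect
```

Two things worth keeping in mind when you rely on this in an examination. First, the value is a software policy on the examining host, not a hardware write blocker: before connecting evidence, plug in a scratch USB stick with the policy enabled and confirm that a copy onto it fails with a "media is write protected" error, so you know the policy really is in force on that machine. Second, because the setting is only read when a device is attached, always change it before plugging the stick in, never while the evidence is already mounted.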

#Windows #Forensics #DFIR #ST2Labs
