USB write protect?

SephStorm

Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Thu Feb 24, 2011 4:02 am

USB write protect?

I have a USB device I want to use purely for malware removal from infected systems. However, obviously I am worried about infections jumping from one computer to another, or to my machine when I need to update them. I did a Google search, but I was unable to find a free program that meets my needs. The ones I did see supposedly locked the device on the computer the app was installed on, but not on all PCs.
Help?
sectestanalysis.blogspot.com/‎

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu Feb 24, 2011 6:46 am

Re: USB write protect?

It's not foolproof, but in the past I've encrypted all the free space on the drive in a TrueCrypt volume and left the removal tools in the unencrypted area so malware has nowhere to write to unless it overwrites existing files. Also, if you are doing your malware removal from a bootable USB where the malware isn't executing, it's probably a non-issue.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

awhitehatter

Newbie

Posts: 19

Joined: Wed Sep 01, 2010 1:42 pm

Post Thu Feb 24, 2011 10:53 am

Re: USB write protect?

I agree, TrueCrypt is going to be your best bet in a free solution.

SephStorm

Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Thu Feb 24, 2011 2:27 pm

Re: USB write protect?

Like that idea, it's pretty unique. I haven't used TC in a while; I mainly use BL. Thanks for the info. :)
sectestanalysis.blogspot.com/‎

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu Mar 24, 2011 10:49 am

Re: USB write protect?

Here's another great solution I had not thought of:

http://isc.sans.edu/diary/Read+only+USB ... rick/10588

Use the write protect switch on SD cards (+ USB SD reader) :)
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Mar 30, 2011 10:13 pm

Re: USB write protect?

Use two thumb drives. Use one as the clean/original copy and the other as the one that is actively used. Boot from a live CD and dd from clean to used after each use.

Don't mix them up.

Alternatively, save the image somewhere else if you want to get by with a single thumb drive.
The day you stop learning is the day you start becoming obsolete.
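
The restore step dynamik describes above, written out as an added example that is not part of anyone's post: it checks whether the working drive still matches the saved clean image, rewrites it with dd, and verifies the result. It assumes GNU coreutils as found on a typical Linux live CD; the function names are made up for this example and `/dev/sdX` is a placeholder for the working drive.

```shell
#!/bin/sh
# Added example (not from the thread). Run from the live CD with the working
# drive unmounted. IMAGE is the saved clean copy; TARGET is the working drive
# (a whole device such as the placeholder /dev/sdX, or a file when testing).

# matches_image IMAGE TARGET
# Returns 0 if the first size-of-IMAGE bytes of TARGET hash the same as IMAGE.
# Calling it before a restore shows whether the drive changed during use.
matches_image() {
    image=$1 target=$2
    [ -r "$image" ] && [ -r "$target" ] || return 2
    size=$(wc -c < "$image" | tr -d ' ')
    want=$(sha256sum < "$image" | cut -d' ' -f1)
    got=$(head -c "$size" "$target" | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# restore_image IMAGE TARGET
# Overwrites TARGET with IMAGE, flushes it to the device, then verifies it.
# Returns 0 only if the write succeeded and the readback matches.
restore_image() {
    image=$1 target=$2
    [ -r "$image" ] && [ -w "$target" ] || return 2
    # conv=fsync forces the data out before dd exits; notrunc only matters
    # when TARGET is a regular file (it keeps the file's original length).
    dd if="$image" of="$target" bs=1M conv=fsync,notrunc 2>/dev/null || return 3
    # The readback can be served from the page cache; unplug and re-check
    # with matches_image for a comparison against the media itself.
    matches_image "$image" "$target"
}
```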

SephStorm

Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Wed Mar 30, 2011 10:28 pm

Re: USB write protect?

I like the SD idea. I have a portable media reader, so even if the PC doesn't have a reader, I'm GTG. I have a 1GB card that should do the trick.
sectestanalysis.blogspot.com/‎

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Mar 31, 2011 9:52 am

Re: USB write protect?

dynamik wrote: Use two thumb drives. Use one as the clean/original copy and the other as the one that is actively used. Boot from a live CD and dd from clean to used after each use.

Don't mix them up.

Alternatively, save the image somewhere else if you want to get by with a single thumb drive.


I like the live-cd + saved image idea, but I wonder how that works after learning how hard it is to wipe a USB.
OSWP, Sec+

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Mar 31, 2011 9:09 pm

Re: USB write protect?

chrisj wrote: I like the live-cd + saved image idea, but I wonder how that works after learning how hard it is to wipe a USB.


You're not wiping it to prevent forensic recovery though; you're just restoring the previous file system to prevent the auto-execution of something like switchblade or some other malware that may get on the drive during use on an untrusted system.
The day you stop learning is the day you start becoming obsolete.
