
SANS ISC: Read only USB stick trick - SANS Internet Storm Center SANS ISC InfoSec Forums


Read only USB stick trick

The sad demise of readily available, cheap USB sticks with a switch to flip the device to be read only has caused some problems when dealing with suspicious machines, especially when I’m off duty and I hear the dreaded words “Oow, you’re in IT – could you have a look at my computer quickly?”

Back in the good old days, I could pick them up at nearly all my favourite shops and the vendors gave them away by the bucket load, but alas, they seem to have all but disappeared.

CD/DVD or Blu-ray disks are great, but lugging around a hardened CD case really does clash with some of my outfits and doesn’t always send out the right message, particularly at romantic dinners, standing at a checkout or trying to order drinks at a bar. This is where a small USB key, fitting neatly into a pocket, helps me blend in with the rest of humanity almost seamlessly. Almost.

The standard read/write USB keys fall prey to being infected and compromised the very second they are inserted into a machine, which, as we know, is a bad thing.

Stuck with this dilemma, I stumbled upon a neat solution – Secure Digital (SD) Memory Cards.
 
SD Memory cards have a small lock switch on them, making them read only; they can reach up to a whopping 32GB, are only slightly more expensive than similar size USB drives and are commonplace (I can find them in the petrol stations, corner stores and on aeroplanes). Now add in a small SD reader, around the size of a normal USB drive, and this is perfect for incident response on an untrusted system in a pinch or when a full response kit isn’t viable.

With the size of SD memory cards, it means I can have my favourite recovery [1], incident handling and fun-at-someone-else’s-party [2] boot images each on their own SD card, hidden in a wallet, jacket lapel or hat band for ease of use. Producing them, seemingly out of thin air, to fix a broken or infected machine amazes and astounds, plus gets brownie points at unexpected moments in life.

Another option for the uncluttered, nattily dressed Incident-Handler-around-town’s toolkit.

As always, if you have any better suggestions, insights or tips, please feel free to comment.

[1] BartPE - http://www.nu2.nu/pebuilder/
[2] Backtrack - http://www.backtrack-linux.org/downloads/

Chris Mohan --- Internet Storm Center Handler on Duty

Chris

105 Posts
ISC Handler
SD cards only go up to 4Gb - which is enough, frankly.
SDHC support larger sizes, but aren't compatible with all but the latest readers. SD is much more common, and has been around for years and years.

A better fix may be an SD/SDHC card in an appropriate 'mini' card reader - as this gives you both compatibility and the read-only feature you're after.

Share and Enjoy,
Dom
DomMcIntyreDeVitto

40 Posts
At my work we utilise this trick as well because we needed a large swath of read only USB devices and couldn't buy any, so out came the SD cards to save the day. The biggest problem we had was the USB readers didn't fit into the USB slots on the computers, so had to use USB extension cables.
Raymond

14 Posts
These Kanguru USB flash drives are pretty good. They have the write lock switch. I recently bought a couple of them. http://www.amazon.com/Kanguru-Solutions-ALK-8G-8GB-Flashblu/dp/B00190IX40/ref=sr_1_3?ie=UTF8&qid=1300792232&sr=8-3
Rod

6 Posts
The IronKey USB drive has the ability when unencrypted to be in ReadOnly mode. So you can keep all of your tools and files secure, and then make them available ReadOnly when needed. Not cheap, but so is lost data.
Scott

5 Posts
I too have been using a Kanguru (32G) drive and am quite satisfied with it. We got a few of them after extensively searching for hardware write-protect drives and not finding any real alternatives (SD cards did cross my mind a time or two).
They are a little bit bulkier than most of your drives but I have never needed an extension to fit it to a USB slot. The rugged aluminum case and cap design do give me a little peace of mind as it rattles amongst my pocket change that it is not as likely to be damaged as previous drives have...

The IronKey drives do offer a great solution for protecting data on the drive from being destroyed but in this scenario do not offer the desired protection. When dealing with viruses, you need to be sure that the nasties can't be written to the drive and then on to the next computer...
John

11 Posts
I have considered using SD cards in the past, but I have always preferred my old read-only switchable flash drives. Not too long ago I ran across the write-protection specification for SD cards and decided they are a no-go. Per SDCard.org, "A proper, matched, switch on the socket side will indicate to the host that the card is write-protected or not. It is the responsibility of the host to protect the card. The position of the write protect switch is unknown to the internal circuitry of the card."

With the varied range of host equipment I run into daily, that is too vague for me to feel comfortable with a storage device/medium I use often. I'm now using an 8gb Kanguru drive and it works as advertised.
Mike S

1 Posts
Eliminate the need for an SD card reader by getting one that has USB compatibility built-in:

http://www.amazon.com/SanDisk-Ultra-Plus-2GB-Card/dp/B000EWI8IK
Mike S
1 Posts
I use this trick at work for my thumb drives. First I get the number of free bytes and then run this .cmd file on the usb drive. It takes a few minutes but effectively write protects the drive.

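@echo off
rem Prompt for the number of free bytes on the drive
echo "Enter Size"
set /p len=

rem Create a file named "fillup" of that size so no free space remains
fsutil file createnew fillup %len%
PAUSE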
Miq

2 Posts
After grappling with a pocket full of USB drives and a case full of CDs/DVDs I discovered a great little utility called SARDU http://www.sarducd.it/ that lets me build (and maintain) a custom collection of boot disks on a single high capacity USB. Since I'm booting from the USB I'm not so concerned about R/W.
Miq
1 Posts
@Danny - no, all that does is preclude new file creation. Edits can take place to your heart's content.
Steven

42 Posts
I got out of break-fix years ago, but recall that booting from USB was quite a novelty then. Is it really so common now? Can most BIOS/mobo support large volume USB drives for boot? If I plug in 32 gigs will I see it all or do I need to partition into more modest volume sizes?

Someone should put up an image of their emergency response USB for others to take a look at and consider.
Steven
4 Posts
[from Wikipedia]
On the left side may be a write-protection notch. If this is present, the card cannot be written. If the notch is covered by a sliding write protection tab, or absent, then the card is writeable. Because the notch is detected only by the reader, the protection can be overridden if desired (and if supported by the reader). Not all devices support write protection, which is an optional feature of the SD standard.

This seems to be fairly clearly saying that the acknowledgement of the read-only mechanism is a function of the driver and/or the program reading the device.
Steven
3 Posts
I have been using the Imation "Clip" USB drives, very heavy duty and have "Write Protect". Mounts on key chain and really holds up (3 years now).
www.imation.com/en-us/Imation-Products/USB-Flash-Drives--Accessories/Clip-Flash-Drive/.
I am not associated with Imation.
Steven
1 Posts
With many of the new notebooks and netbooks coming with SD memory slots, it does make sense that using an SD card in place of a USB drive makes sense. Having said that, I do have an Imation 16Gb drive with a lock, which helps when you're dealing with systems and suspect malware. The only downside is occasionally utilities do want to write to the drive (like HiJack) but that's a minor annoyance.
Steven
4 Posts
I looked into this idea a couple of months ago. It seemed like a really good idea. After buying some SD card readers and finding that they don't look at the state of the switch I shelved it.

I use a thumb drive that I format after it's been in a user's computer. With the price of USB drives I am not worried about the wear on the drive.

http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/
"SD Cards – Not Recommended

SD Cards, while they have a write-protect switch, are actually no good for this purpose because it’s not actually hardware write protection – at best the card reader sends a signal to the operating system that the drive should be treated as read-only. The write-protect switch on the cards is read by a sensor that’s part of the card reader, and the card reader then passes along to the operating system whether the card is read-only. According to the specification from http://www.sdcard.org/:

A proper, matched, switch on the socket side will indicate to the host that the card is write-protected or not. It is the responsibility of the host to protect the card. The position of the write protect switch is unknown to the internal circuitry of the card.

Basically this means that either a) cheap card readers that lack the sensor or b) operating systems or malware that don’t respect the “please don’t write to this disk” flag can write to the drive. While this may not be likely, it’s also not as secure as you might think based on the presence of that switch."

This site goes on to talk about
"Software Tricks – Last Resort"
Steven
2 Posts
I too have been using the Imation drives. They come with a very durable keychain carrier, and have a hardware write protection switch. I make a label with a Brother label maker, which is on adhesive tape. I wrap this label around the drive to cover the write-protect switch to make it harder to accidentally move it to the writable position. I use these for recovery images, and for 2-factor authentication to boot encrypted laptops, along with a pass-phrase. I love them!
Moriah

133 Posts
Underlining the fact that it's not hardware write protect: I have custom firmware (CHDK) for my Canon digital camera. The firmware uses the SD card write-only switch to indicate whether to load the normal firmware or the custom extensions. When it's set to "protect," the custom extensions load and happily write to the card anyway.
Anonymous
Err, meant to say "read only," of course. A write-only switch would be pretty interesting. ;)
Anonymous
The "IronKey" USB product would appear to be a software-accessible write-protect system. That is, software on the host tells the USB stick if it's write protected or not. I would not trust such a system.

I want an electromechanical switch which is inaccessible to the host.

We buy branded drives from http://www.promolocker.com/. Their "Government" line features such a switch. I've verified the switch electrically connects to the Write Protect pin on the flash memory controller chip.

I've also had RI Data's stuff recommended to me, but haven't tried it personally.
Anonymous
The Imation clip drive sounds like it relies on software to unlock an encrypted partition. Is that part of its write-protect mechanism or is the write-protect truly a physical mechanism like the PromoLocker stuff Ben Scott mentions?
Jasey

93 Posts
