Windows Forensics Tips - USB Write Protected


Hi everyone!

I decided to write this post in English. Why? Why not? In digital forensics it is essential to maintain the integrity of the evidence, which is why you need to read the data without modifying it in any way. Sometimes you receive the "evidence" written onto a USB stick; if you then have to read that data on a Windows machine, you must enable write protection for USB devices so that nothing on them is modified.

That is the aim of this post: I have written a simple batch script that enables and disables USB write protection whenever you need it. By default Windows always allows writing to USB devices.

Usage is easy; it works like stop/start. Run the script before you plug in the USB device, so that every USB device plugged in afterwards is write protected. Run the script again and it disables the protection, so the next USB device you plug in is not write protected.

Here the script:

@ECHO OFF &SETLOCAL
:: ****************
::
:: getUSBProtect v.01
::
:: @Date: 16/09/2015
:: @Version: 0.1
:: @Author: Julian J. Gonzalez
:: @Dept: ST2Labs - www.seguridadparatodos.es
::
:: ****************

:: Registry key and value that control USB write protection (REG_DWORD, 0 = off, 1 = on)
SET key="HKLM\System\CurrentControlSet\Control\StorageDevicePolicies"
SET value=WriteProtect

:: BatchGotAdmin
:-------------------------------------
REM  --> Check for permissions: reading the SYSTEM hive's ACL only succeeds when elevated
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If the error flag is set, we do not have admin rights.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    REM Re-launch this script elevated (UAC prompt) through a temporary VBScript
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"
:--------------------------------------

:: Check whether the key exists; if not, write protection cannot be on yet, so enable it
reg query %key% >nul 2>&1
IF ERRORLEVEL 1 (
GOTO writeup
)

:: The key exists: read the current WriteProtect value (third column of the reg query output)
SET _base=
FOR /F "tokens=2*" %%A IN ('reg query %key% /v %value% 2^>nul') DO SET _base=%%B

:: The key exists but the value does not: treat it as "not protected" and enable it
IF NOT DEFINED _base GOTO writeup

:: WriteProtect already enabled? Then disable it; otherwise enable it
if %_base%==0x1 (
GOTO writeoff
) else ( GOTO writeup )

:writeup
:: Enable write protection (applies to USB storage devices plugged in from now on)
reg add %key% /v %value% /t REG_DWORD /d 0x1 /f
mshta "about:<script>alert('USB Write Protect is Enabled !!!');close()</script>"
GOTO:EOF

:writeoff
:: Disable write protection
reg add %key% /v %value% /t REG_DWORD /d 0x0 /f
mshta "about:<script>alert('USB Write Protect is Disabled !!!');close()</script>"
GOTO:EOF

Get the script from my GitHub:
https://github.com/ST2Labs/DFIR


How it works

Windows controls write protection for USB storage devices through a registry value, the same one the script reads and writes:


SET key="HKLM\System\CurrentControlSet\Control\StorageDevicePolicies"
SET value=WriteProtect


Value 0 - Write protection is disabled.
Value 1 - Write protection is enabled.

Remember, the change only applies to USB devices plugged in after it is made: a device that is already connected must be unplugged and reconnected for it to take effect. Keep in mind that this is a software policy enforced by the Windows storage driver, not a hardware write blocker, so it is a convenience for everyday handling rather than a replacement for a write blocker during formal evidence acquisition.
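The same registry policy driven from PowerShell, as an added example that is not part of the original post or the getUSBProtect script: it reads and toggles WriteProtect the way the batch script does, reads the value back after writing it instead of trusting the write, and adds a practical check that a reconnected USB stick really refuses writes. The key path and value name are the ones given above; the function names, the -DriveLetter parameter and the probe file name are assumptions made for illustration. Run the write check against a scratch stick, never against the evidence media, because a probe write that succeeds has modified the drive.

```powershell
# Added example, not the post's own script. Same registry policy as getUSBProtect.
#Requires -RunAsAdministrator

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$ValueName = 'WriteProtect'

function Get-UsbWriteProtect {
    # $true when the policy value is 1; $false when the key or value is missing or 0.
    if (-not (Test-Path $KeyPath)) { return $false }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][bool]$Enabled)
    # The key does not exist on a default install; create it on first use.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $data = if ($Enabled) { 1 } else { 0 }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $data -Type DWord
    # Read the value back rather than assuming the write took effect.
    if ((Get-UsbWriteProtect) -ne $Enabled) { throw "WriteProtect was not set to $data" }
    Write-Host "WriteProtect = $data (unplug and reconnect the USB device to apply it)"
}

function Test-UsbWriteProtect {
    # Practical check after the device has been reconnected: a write must fail.
    # Use a SCRATCH stick for this; if protection is off the probe file is written.
    # -DriveLetter (e.g. 'E') is an assumed parameter for this example.
    param([Parameter(Mandatory)][string]$DriveLetter)
    $probe = Join-Path "$($DriveLetter):\" ("wp-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        # The write succeeded, so the drive is NOT protected; remove the probe file.
        Remove-Item -Path $probe -Force
        return $false
    }
    catch [System.IO.IOException] {
        # "The media is write protected" surfaces as an IOException.
        return $true
    }
}

# Usage, mirroring the batch script's stop/start behaviour: toggle the current state.
if (Get-UsbWriteProtect) { Set-UsbWriteProtect -Enabled $false } else { Set-UsbWriteProtect -Enabled $true }

# After reconnecting a scratch stick mounted as E:, confirm the policy is active:
# Test-UsbWriteProtect -DriveLetter 'E'
```

Test-UsbWriteProtect returns $false whenever the probe write goes through, which is exactly the case you want to discover before the evidence stick is plugged in; exceptions other than IOException (for example an access-denied error on the drive root) are left to propagate so they are not mistaken for write protection.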

#Windows #Forensics #DFIR #ST2Labs
@seguridadxato2
@st2labs
@rhodius
