Didier Stevens

Sunday 20 December 2009

Quickpost: Read-Only USB Stick

Filed under: Forensics,Hardware,Quickpost — Didier Stevens @ 20:52

When someone asks me for a read-only USB stick, I recommend using an SD card with an SD-to-USB adapter, because these are easier to find than USB sticks with write-protection. Most SD cards have a write-protection tab.

But last time I got a surprise: when testing a new SD card reader, I was able to write to the write-protected SD card. Turns out that this particular SD card reader doesn’t support the write-protection tab and always allows the OS to write to the SD card.
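
A way to run this kind of test on Linux, as an added example that is not part of the original post: with the card's tab in the locked position, check whether the kernel sees the card as read-only. It assumes Linux sysfs (`/sys/block/<dev>/ro` and `size`); the function names `wp_status` and `check_tab` and the optional sysfs-root argument are hypothetical, the latter existing only so the logic can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example: does the OS see the card in a USB reader as read-only?
# Assumes Linux sysfs. Function names and the root override are hypothetical.

# wp_status DEV [SYSFS_ROOT]
# Prints one of: missing, no-media, read-only, writable
wp_status() {
    dev=$1
    root=${2:-/sys}
    node="$root/block/$dev"

    [ -d "$node" ] || { echo "missing"; return 0; }

    # size is in 512-byte sectors; a reader with an empty slot reports 0
    size=$(cat "$node/size" 2>/dev/null || echo 0)
    if [ "$size" -eq 0 ]; then
        echo "no-media"
        return 0
    fi

    # ro is 1 when the kernel treats the disk as read-only, e.g. because
    # the reader reported the card as write-protected
    ro=$(cat "$node/ro" 2>/dev/null || echo 0)
    if [ "$ro" -eq 1 ]; then
        echo "read-only"
    else
        echo "writable"
    fi
}

# check_tab DEV [SYSFS_ROOT]
# Run with the tab locked. Returns 0 only if the OS sees the card as
# read-only, i.e. the reader passed the tab position on to the OS.
check_tab() {
    st=$(wp_status "$1" "${2:-/sys}")
    case $st in
        read-only) echo "$1: reader reports write protection"; return 0 ;;
        writable)  echo "$1: tab ignored, OS may write to the card"; return 1 ;;
        *)         echo "$1: cannot tell ($st)"; return 2 ;;
    esac
}

# Stand-alone use: sh wpcheck.sh sdb
if [ "$#" -ge 1 ]; then check_tab "$@"; fi
```

A `read-only` result shows only that the reader reported the tab position to the OS; it says nothing about whether the reader itself would refuse a write.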



8 Comments »

  1. That’s a nice tip Didier.

    I’m surprised that the hardware can bypass the write protect switch on the SD card. I’d be interested to know which makes/models of SD-USB adapters work as expected, along with the make/model of that which gave you a surprise!

    Comment by Iain — Monday 21 December 2009 @ 18:05

  2. It works like floppies: the floppy-reader has a sensor for the write-protection notch. Although the SD-card is an electronic device, the write-protection tab is mechanical. It’s up to the reader to detect the position of the tab and act accordingly.

    The reader in the picture is a SanDisk MicroMate and works fine.

    The one that doesn’t support the write-protection tab is an EMTEC EKAK101

    Comment by Didier Stevens — Monday 21 December 2009 @ 20:36

  3. Thanks for this interesting post, Didier! Once again it shows that we have to be careful and check material on some neutral stuff before going for real forensic investigation.

    Comment by Cédric Pernet — Tuesday 22 December 2009 @ 11:15

  4. Purely by chance, I visited PC World today and saw the one that you photographed above. I’ll certainly visit again and get one after Christmas. It’ll be a useful addition to my IT “box of tricks”!

    Comment by Iain — Tuesday 22 December 2009 @ 18:28

  5. Sorry to return to an old post, but are you sure the reader doesn’t allow write operations, and not simply asking the OS ‘please don’t write’?
    See here:

    http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/

    BTW it’s sad such a useful and simple feature is so damn hard to find.

    TY

    Comment by Anonymous — Wednesday 2 November 2011 @ 0:10

  6. No, I’m not sure, and if you read that in my post, it’s not the message that I wanted to pass along.

    I wrote this blogpost because I found a USB SD-card reader that doesn’t detect the write tab, and wanted to inform my readers about this.

    This is a Quickpost, which means that I didn’t do extensive research for this post.

    Comment by Didier Stevens — Wednesday 2 November 2011 @ 13:35

  7. TY for the reply. I didn’t mean to correct you, or anything like that. Just seeking clarification.

    I did try your tip, and at least Windows doesn’t write anything. I’ll keep an eye out for anyone trying to bypass it with software, or written why it can’t be.

    Comment by Anonymous — Wednesday 2 November 2011 @ 16:52

  8. No problem, no offense taken.

    I think that on a Windows system, this write block is implemented in the device drivers for USB-to-SD-card adapters. I’ll make a note to research this.

    It’s just that people sometimes ask me for a non-writable USB stick to install their anti-malware tools on an infected machine.
    This solution is appropriate for that, because AFAIK there is no malware in the wild that changes the drivers to be able to write to an SD card with the write protect tab.

    Comment by Didier Stevens — Wednesday 2 November 2011 @ 17:01

