When someone asks me for a read-only USB stick, I recommend to use an SD card with a SD-to-USB adapter, because these are easier to find than USB sticks with write-protection. Most SD cards have a write-protection tab.
But last time I got a surprise: when testing a new SD card reader, I was able to write to the write-protected SD card. Turns out that this particular SD card reader doesn’t support the write-protection tab and always allows the OS to write to the SD card.
Quickpost info
That’s a nice tip Didier.
I’m surprised that the hardware can bypass the write protect switch on the SD card. I’d be interested to know which makes/models of SD-USB adapters work as expected, along with the make/model of that which gave you a surprise!
Comment by Iain — Monday 21 December 2009 @ 18:05
It works like floppies: the floppy-reader has a sensor for the write-protection notch. Although the SD-card is an electronic device, the write-protection tab is mechanical. It’s up to the reader to detect the position of the tab and act accordingly.
The reader in the picture is a SanDisk MicroMate and works fine.
The one that doesn’t support the write-protection tab is an EMTEC EKAK101
Comment by Didier Stevens — Monday 21 December 2009 @ 20:36
Thanks for this interesting post, Didier ! Once again it shows that we have to be careful and check material on some neutral stuff before going for real forensic investigation.
Comment by Cédric Pernet — Tuesday 22 December 2009 @ 11:15
Purely by chance, I visited PC World today and saw the one that you photographed above. I’ll certainly visit again and get one after Christmas. It’ll be a useful addition to my IT “box of tricks”!
Comment by Iain — Tuesday 22 December 2009 @ 18:28