Hi everyone!
I have decided to write this post in English. Why? Well, why not?
In digital forensics it is essential to preserve the integrity of the evidence, which is why you must be able to read the data without modifying it in any way. Sometimes you receive the “evidence” on a USB stick; if you then have to read it on a Windows machine, you must enable write protection for USB devices, because otherwise the OS (or any program you run) can silently change them: Windows mounts removable media read-write and can, for example, create a System Volume Information folder or update timestamps just by browsing the volume.
That is the purpose of this post: I wrote a simple batch script that enables and disables USB write protection whenever you need it. By default, Windows always allows writing to USB devices.
Usage is a simple toggle, like stop/start. Run the script before you plug in the USB device, and every USB device mounted from then on is write protected. Run it again and protection is disabled, so the next USB device you plug in is writable again. Keep in mind that this is a software write blocker enforced by the operating system: for original evidence a hardware write blocker is still the right tool, and in either case hash the media before and after reading it so you can prove nothing changed.
Here is the script:
```batch
@ECHO OFF &SETLOCAL
:: ****************
::
::  getUSBProtect v.01
::
:: @Date:    16/09/2015
:: @Version: 0.1
:: @Author:  Julian J. Gonzalez
:: @Dept:    ST2Labs - www.seguridadparatodos.es
::
:: ****************

SET key="HKLM\System\CurrentControlSet\Control\StorageDevicePolicies"
SET value=WriteProtect

:: BatchGotAdmin
:-------------------------------------
REM --> Check for permissions (reading the SYSTEM hive ACL only succeeds when elevated)
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"
:--------------------------------------

:: Check if the key exists (it is absent on a stock install)
reg query %key% >nul 2>&1
IF ERRORLEVEL 1 (
    GOTO writeup
)

:: Key exists; read the current WriteProtect value.
:: Default to 0x0 so the comparison below stays valid when the value is missing.
SET _base=0x0
FOR /F "tokens=2*" %%A IN ('reg query %key% /v %value% 2^>nul') DO SET _base=%%B

:: Toggle: if WriteProtect is enabled, disable it, and vice versa
if "%_base%"=="0x1" (
    GOTO writeoff
) else ( GOTO writeup )

:writeup
reg add %key% /v %value% /t REG_DWORD /d 0x1 /f
mshta "about:<script>alert('USB Write Protect is Enabled !!!');close()</script>"
GOTO:EOF

:writeoff
reg add %key% /v %value% /t REG_DWORD /d 0x0 /f
mshta "about:<script>alert('USB Write Protect is Disabled !!!');close()</script>"
GOTO:EOF
```
Get the script // check my GitHub: https://github.com/ST2Labs/DFIR
How it works
Windows controls write protection for USB storage devices through one registry key and one DWORD value, the same ones the script sets:
```
HKLM\System\CurrentControlSet\Control\StorageDevicePolicies
    WriteProtect (REG_DWORD)
```
Value 0 - write protection is disabled (this is also the behaviour when the key or value does not exist, which is the case on a stock install).
Value 1 - write protection is enabled.
The value lives under HKLM, so changing it needs administrator rights, and it is applied when a device is mounted. Remember: a USB device that is already plugged in keeps its current state; unplug it and plug it back in for the change to take effect.
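The same check and toggle in PowerShell, as an added example that is not part of the original post or the ST2Labs script. It assumes a Windows 8 / Server 2012 or later host (for Get-Disk) and an elevated session; the function names Get-UsbWriteProtect and Set-UsbWriteProtect are my own. Unlike the batch version it reads the value back after writing it and warns about USB disks that are already attached, since those keep their current state until re-plugged:

```powershell
# Added example (not the ST2Labs script): PowerShell equivalent of the batch toggle,
# with a read-back check and a warning about already-mounted USB disks.
# Function names Get-UsbWriteProtect / Set-UsbWriteProtect are assumptions of this example.
#Requires -RunAsAdministrator

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$ValueName = 'WriteProtect'

function Get-UsbWriteProtect {
    # $true when WriteProtect is 1; $false when it is 0 or the key/value is absent
    # (absent is the Windows default: removable media mount read-write).
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq 1)
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][bool]$Enabled)

    # The key does not exist on a stock install; create it before writing the value.
    if (-not (Test-Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    $desired = if ($Enabled) { 1 } else { 0 }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
                     -Value $desired -Force | Out-Null

    # Read the value back instead of trusting that the write succeeded.
    if ((Get-UsbWriteProtect) -ne $Enabled) {
        throw "WriteProtect read-back mismatch: expected $desired"
    }

    # The policy is evaluated at mount time, so USB disks that are already attached
    # keep their current read/write state until they are unplugged and re-plugged.
    $attached = Get-Disk | Where-Object BusType -eq 'USB'
    if ($attached) {
        $names = ($attached | ForEach-Object { $_.FriendlyName }) -join ', '
        Write-Warning "USB disk(s) already attached: $names. Unplug and re-plug them for the new setting to apply."
    }
    return (Get-UsbWriteProtect)
}

# Usage: toggle, mirroring the batch script's behaviour
if (Get-UsbWriteProtect) {
    Set-UsbWriteProtect -Enabled $false | Out-Null
    Write-Host 'USB write protection DISABLED'
} else {
    Set-UsbWriteProtect -Enabled $true | Out-Null
    Write-Host 'USB write protection ENABLED'
}
```

Before trusting the block on real evidence, verify it with a sacrificial USB stick: after enabling protection and plugging it in, an attempt to create a file on it should fail with "The media is write protected". Only then plug in the evidence media, and hash it before and after the examination.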
#Windows #Forensics #DFIR #ST2Labs
@seguridadxato2
@st2labs
@rhodius