'nosuid,nodev,nofail,noauto' equivalent in Windows?
So I'm doing forensic tool validation with multiple tools and operating systems. I have started on Linux using dd and the other two tools I need to use are FTK Imager and ProDiscover; both Windows-based programs. The problem I am facing is that I don't have a write blocker; what would the equivalent of 'nosuid,nodev,nofail,noauto' be in Windows?
linux windows dd forensics
Um, but the options you're asking about aren't anything like a "write blocker".
– grawity
Feb 13 at 19:58
edited Feb 5 at 0:30
Andrew Polemeni
asked Feb 5 at 0:25
Andrew Polemeni
1 Answer
https://digital-forensics.sans.org/blog/2010/12/17/digital-forensics-configure-windows-investigative-workstations/
Make USB devices read-only
Another Registry modification can be made to instruct Windows to treat newly attached USB devices as read-only devices, preventing accidental writes. I am not advocating that this should replace a physical write blocker - in fact, there are several reports of Windows not respecting this setting and allowing writes to some USB devices (albeit, I have not directly observed this behavior). However, this setting can be implemented as part of a reasonable layered approach to help you prove that you were taking all steps possible to prevent accidental writes to attached evidence, etc.
To implement this feature, you'll need to make a few changes to your Registry, as follows:
Open the Registry and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
If it doesn't already exist, create a new key called "StorageDevicePolicies".
If it doesn't already exist, create a new Dword called "WriteProtect" and set the value to 1 (where 1 means that the OS will treat newly attached USB devices as read-only devices and 0 means writes are allowed).
Disable automount
Windows will gladly mount any newly attached storage devices for you, which can be a bad thing. I prefer to explicitly define what storage devices are mounted to my forensics workstation. To turn off the Automount feature, from a command prompt (with elevated privileges, if using Windows 7/Vista) either:
run diskpart and once at the prompt type: automount disable
or, run the standalone command: mountvol /N
or, set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MountMgr\NoAutoMount to 1 in the Registry (you'll see this entry change appropriately if you use one of the previously mentioned commands).
answered Feb 13 at 18:52
Andrew Polemeni
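The two Registry changes described in the answer above, applied and read back in one pass so the result can go into the validation notes. This is an added example, not code from the answer or from the quoted SANS post; the key paths and value names are the ones the answer gives, while the function name `Get-DwordOrNull` and the report layout are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example. Run from an elevated prompt BEFORE attaching the evidence
# device: the answer notes WriteProtect applies to newly attached USB devices.

$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Name = 'WriteProtect'; Want = 1 },   # 1 = treat new USB storage as read-only
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MountMgr'
       Name = 'NoAutoMount';  Want = 1 }    # 1 = do not automount new volumes
)

# Hypothetical helper: returns the value, or $null if the key or value is absent.
function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$report = foreach ($s in $settings) {
    $before = Get-DwordOrNull -Path $s.Path -Name $s.Name

    # Create the key only when missing: New-Item -Force on an existing
    # Registry key would wipe the values already stored under it.
    if (-not (Test-Path -Path $s.Path)) {
        New-Item -Path $s.Path -Force | Out-Null
    }
    if ($before -ne $s.Want) {
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord `
            -Value $s.Want -Force | Out-Null
    }

    # Read back rather than trusting the write.
    $after = Get-DwordOrNull -Path $s.Path -Name $s.Name
    [pscustomobject]@{
        Checked = (Get-Date).ToString('s')
        Key     = $s.Path
        Value   = $s.Name
        Before  = if ($null -eq $before) { '(absent)' } else { $before }
        After   = $after
        Ok      = ($after -eq $s.Want)
    }
}

$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    throw 'A setting did not read back as expected; do not attach evidence.'
}
```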