'nosuid,nodev,nofail,noauto' equivalent in Windows?












0















So I'm doing forensic tool validation with multiple tools and operating systems. I have started on Linux using dd and the other two tools I need to use are FTK Imager and ProDiscover; both windows based programs. The problem I am facing is that I don't have a write blocker; what would the equivalent of 'nosuid,nodev,nofail,noauto' be in Windows?










share|improve this question

























  • Um, but the options you're asking about aren't anything like a "write blocker".

    – grawity
    Feb 13 at 19:58
















0















So I'm doing forensic tool validation with multiple tools and operating systems. I have started on Linux using dd and the other two tools I need to use are FTK Imager and ProDiscover; both windows based programs. The problem I am facing is that I don't have a write blocker; what would the equivalent of 'nosuid,nodev,nofail,noauto' be in Windows?










share|improve this question

























  • Um, but the options you're asking about aren't anything like a "write blocker".

    – grawity
    Feb 13 at 19:58














0












0








0








So I'm doing forensic tool validation with multiple tools and operating systems. I have started on Linux using dd and the other two tools I need to use are FTK Imager and ProDiscover; both windows based programs. The problem I am facing is that I don't have a write blocker; what would the equivalent of 'nosuid,nodev,nofail,noauto' be in Windows?










share|improve this question
















So I'm doing forensic tool validation with multiple tools and operating systems. I have started on Linux using dd and the other two tools I need to use are FTK Imager and ProDiscover; both windows based programs. The problem I am facing is that I don't have a write blocker; what would the equivalent of 'nosuid,nodev,nofail,noauto' be in Windows?







linux windows dd forensics






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 5 at 0:30







Andrew Polemeni

















asked Feb 5 at 0:25









Andrew PolemeniAndrew Polemeni

12




12













  • Um, but the options you're asking about aren't anything like a "write blocker".

    – grawity
    Feb 13 at 19:58



















  • Um, but the options you're asking about aren't anything like a "write blocker".

    – grawity
    Feb 13 at 19:58

















Um, but the options you're asking about aren't anything like a "write blocker".

– grawity
Feb 13 at 19:58





Um, but the options you're asking about aren't anything like a "write blocker".

– grawity
Feb 13 at 19:58










1 Answer
1






active

oldest

votes


















0














https://digital-forensics.sans.org/blog/2010/12/17/digital-forensics-configure-windows-investigative-workstations/



Make USB devices read-only



Another Registry modification can be made to instruct Windows to treat newly attached USB devices as read-only devices, preventing accidental writes. I am not advocating that this should replace a physical write blocker - in fact, there are several reports of Windows not respecting this setting and allowing writes to some USB devices (albeit, I have not directly observed this behavior). However, this setting can be implemented as part of a reasonable layered approach to help you prove that you were taking all steps possible to prevent accidental writes to attached evidence, etc.



To implement this feature, you'll need to make a few changes to your Registry, as follows:



Open the Registry and navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl
If it doesn't already exist, create a new key called "StorageDevicePolicies".
If it doesn't already exist, create a new Dword called "WriteProtect" and set the value to 1 (where 1 means that the OS will treat newly attached USB devices as read-only devices and 0 means writes are allowed).
Disable automount



Windows will gladly mount any newly attached storage devices for you, which can be a bad thing. I prefer to explicitly define what storage devices are mounted to my forensics workstation. To turn off the Automount feature, from a command prompt (with elevated privileges, if using Windows 7/Vista) either:



run diskpart and once at the prompt type: automount disable
or, run the standalone command: mountvol /N
or, set HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMountMgrNoAutoMount to 1 in the Registry (you'll see this entry change appropriately if you use one of the previously mentioned commands).






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1402056%2fnosuid-nodev-nofail-noauto-equivalent-in-windows%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    https://digital-forensics.sans.org/blog/2010/12/17/digital-forensics-configure-windows-investigative-workstations/



    Make USB devices read-only



    Another Registry modification can be made to instruct Windows to treat newly attached USB devices as read-only devices, preventing accidental writes. I am not advocating that this should replace a physical write blocker - in fact, there are several reports of Windows not respecting this setting and allowing writes to some USB devices (albeit, I have not directly observed this behavior). However, this setting can be implemented as part of a reasonable layered approach to help you prove that you were taking all steps possible to prevent accidental writes to attached evidence, etc.



    To implement this feature, you'll need to make a few changes to your Registry, as follows:



    Open the Registry and navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl
    If it doesn't already exist, create a new key called "StorageDevicePolicies".
    If it doesn't already exist, create a new Dword called "WriteProtect" and set the value to 1 (where 1 means that the OS will treat newly attached USB devices as read-only devices and 0 means writes are allowed).
    Disable automount



    Windows will gladly mount any newly attached storage devices for you, which can be a bad thing. I prefer to explicitly define what storage devices are mounted to my forensics workstation. To turn off the Automount feature, from a command prompt (with elevated privileges, if using Windows 7/Vista) either:



    run diskpart and once at the prompt type: automount disable
    or, run the standalone command: mountvol /N
    or, set HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMountMgrNoAutoMount to 1 in the Registry (you'll see this entry change appropriately if you use one of the previously mentioned commands).






    share|improve this answer




























      0














      https://digital-forensics.sans.org/blog/2010/12/17/digital-forensics-configure-windows-investigative-workstations/



      Make USB devices read-only



      Another Registry modification can be made to instruct Windows to treat newly attached USB devices as read-only devices, preventing accidental writes. I am not advocating that this should replace a physical write blocker - in fact, there are several reports of Windows not respecting this setting and allowing writes to some USB devices (albeit, I have not directly observed this behavior). However, this setting can be implemented as part of a reasonable layered approach to help you prove that you were taking all steps possible to prevent accidental writes to attached evidence, etc.



      To implement this feature, you'll need to make a few changes to your Registry, as follows:



      Open the Registry and navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl
      If it doesn't already exist, create a new key called "StorageDevicePolicies".
      If it doesn't already exist, create a new Dword called "WriteProtect" and set the value to 1 (where 1 means that the OS will treat newly attached USB devices as read-only devices and 0 means writes are allowed).
      Disable automount



      Windows will gladly mount any newly attached storage devices for you, which can be a bad thing. I prefer to explicitly define what storage devices are mounted to my forensics workstation. To turn off the Automount feature, from a command prompt (with elevated privileges, if using Windows 7/Vista) either:



      run diskpart and once at the prompt type: automount disable
      or, run the standalone command: mountvol /N
      or, set HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMountMgrNoAutoMount to 1 in the Registry (you'll see this entry change appropriately if you use one of the previously mentioned commands).






      share|improve this answer


























        0












        0








        0







        https://digital-forensics.sans.org/blog/2010/12/17/digital-forensics-configure-windows-investigative-workstations/



        Make USB devices read-only



        Another Registry modification can be made to instruct Windows to treat newly attached USB devices as read-only devices, preventing accidental writes. I am not advocating that this should replace a physical write blocker - in fact, there are several reports of Windows not respecting this setting and allowing writes to some USB devices (albeit, I have not directly observed this behavior). However, this setting can be implemented as part of a reasonable layered approach to help you prove that you were taking all steps possible to prevent accidental writes to attached evidence, etc.



        To implement this feature, you'll need to make a few changes to your Registry, as follows:



        Open the Registry and navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl
        If it doesn't already exist, create a new key called "StorageDevicePolicies".
        If it doesn't already exist, create a new Dword called "WriteProtect" and set the value to 1 (where 1 means that the OS will treat newly attached USB devices as read-only devices and 0 means writes are allowed).
        Disable automount



        Windows will gladly mount any newly attached storage devices for you, which can be a bad thing. I prefer to explicitly define what storage devices are mounted to my forensics workstation. To turn off the Automount feature, from a command prompt (with elevated privileges, if using Windows 7/Vista) either:



        run diskpart and once at the prompt type: automount disable
        or, run the standalone command: mountvol /N
        or, set HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMountMgrNoAutoMount to 1 in the Registry (you'll see this entry change appropriately if you use one of the previously mentioned commands).






        share|improve this answer













        https://digital-forensics.sans.org/blog/2010/12/17/digital-forensics-configure-windows-investigative-workstations/



        Make USB devices read-only



        Another Registry modification can be made to instruct Windows to treat newly attached USB devices as read-only devices, preventing accidental writes. I am not advocating that this should replace a physical write blocker - in fact, there are several reports of Windows not respecting this setting and allowing writes to some USB devices (albeit, I have not directly observed this behavior). However, this setting can be implemented as part of a reasonable layered approach to help you prove that you were taking all steps possible to prevent accidental writes to attached evidence, etc.



        To implement this feature, you'll need to make a few changes to your Registry, as follows:



        Open the Registry and navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl
        If it doesn't already exist, create a new key called "StorageDevicePolicies".
        If it doesn't already exist, create a new Dword called "WriteProtect" and set the value to 1 (where 1 means that the OS will treat newly attached USB devices as read-only devices and 0 means writes are allowed).
        Disable automount



        Windows will gladly mount any newly attached storage devices for you, which can be a bad thing. I prefer to explicitly define what storage devices are mounted to my forensics workstation. To turn off the Automount feature, from a command prompt (with elevated privileges, if using Windows 7/Vista) either:



        run diskpart and once at the prompt type: automount disable
        or, run the standalone command: mountvol /N
        or, set HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMountMgrNoAutoMount to 1 in the Registry (you'll see this entry change appropriately if you use one of the previously mentioned commands).







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Feb 13 at 18:52









        Andrew PolemeniAndrew Polemeni

        12




        12






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1402056%2fnosuid-nodev-nofail-noauto-equivalent-in-windows%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            How to make a Squid Proxy server?

            Is this a new Fibonacci Identity?

            Touch on Surface Book