Solved

add write-protect to external USB hard drive

Posted on 2010-09-23
Last Modified: 2013-11-14
here is my situation.

I made a bootable 500 GB USB HDD (HDD and case were bought separately) with lots of tools on it, such as BartPE, password reset tools and so on.
I use it to boot up workstations or laptops and perform troubleshooting/maintenance work, but once in a while it gets corrupted, accidentally written to by the workstation during boot-up, or infected by a virus, which costs me a lot of time to re-create the tools and copy the data over to the external HDD again.

So I'm looking for a solution that can enable write-protect on a regular external HDD.

Note: setting up permissions on the HDD does not seem to work, since the write operations seem to happen accidentally during boot-up.

many thanks
Question by:Ikelca

Expert Comment

by:ocanada_techguy
ID: 33749596
Interesting question.
If there are instances where the file permissions are ignored, perhaps you should try setting the read-only attribute, which is more rudimentary to all OSes, including WinPE (Preinstallation Environment).
Not an experienced, informed answer mind you, but speculating further, depending on the brand of HDD internal to the enclosure, you may be able to set it.
In the bad old days you could jumper a drive as read-only on old-style drives, but this being newer, perhaps use the manufacturer's advanced diagnostics to set it read-only? Maybe much the same way you might adjust the drive LBA to deal with older LBA limit issues? However, with the USB adapter acting as middleman, the diagnostics have limited access to the HD firmware, so you may need to attach it directly to do so, and then see if the USB daughtercard will operate OK with it set read-only or not.
I just checked the Seagate SeaTools and there is NO mention of read-only, BUT if I were you I would contact your HD manufacturer's tier-2 or tier-3 support and find out, since I know for a fact the sleep spin-down mode can be adjusted with their help and the tools' documentation makes no mention of that either. It's an idea.

Author Comment

by:Ikelca
ID: 33750721
I don't think Western Digital will release such info to me...

Ideally, I prefer an enclosure that has a switch to disable/enable write operations on the HDD.
In addition, I don't think any software-based solution could work here, because they are Windows-based software and will be non-functional under Ghost 32 or the Ghost DOS version.

Expert Comment

by:che6ausc
ID: 33754226
Open up an administrative command prompt.

Type "diskpart" and press Enter.

At the "DISKPART>" prompt, type "list volume". This will show you a list of your drives and a corresponding number.

Assuming your USB HDD is listed as "5", type "select volume 5".

Type "attributes volume set readonly" and press Enter.

This will make the HDD read-only (write-protected).
Capture.jpg

Expert Comment

by:dbrunton
ID: 33757134
How about a USB flash stick instead of a hard disk?

There are models of those that can be write protected.

Author Comment

by:Ikelca
ID: 33758609
A USB flash stick is usually smaller in capacity,
and I need to store some large files.
The diskpart option looks good; I will try it later.
Thx

Author Comment

by:Ikelca
ID: 33759204
I have tested the diskpart option; unfortunately, it works only under the Windows OS. With the Ghost program under DOS, the HDD can still be written to...

Expert Comment

by:che6ausc
ID: 33760545
In addition to diskpart, you can hide the drive(s) on the HDD so it is universally inaccessible. The Ghost program will not be able to see the drive, nor will any other software or user.

When you need the drive(s) for your own personal use, just unhide the drive(s). Note that it will still be read-only if the diskpart attribute is set.

Use Partition Wizard Home Edition to hide (unhide) the drive(s): http://www.partitionwizard.com/free-partition-manager.html.

See attached.  
Capture.jpg

Author Comment

by:Ikelca
ID: 33762585
Tried with a hidden partition; however, Ghost still sees it.

Expert Comment

by:che6ausc
ID: 33764534
I have also tried this with Norton Ghost.  A hidden drive is seen in the "backup from" list, but is not seen in the "backup to" list.  In other words, no user could use the hidden drive as the destination drive.  In terms of write protection, Ghost is not an issue as I see it.  

Since the drive does not have a letter assigned after hiding, there is no way that any software can write to the drive.
Capture.jpg
Capture-1.jpg

Author Comment

by:Ikelca
ID: 33764631
If you try Ghost 11 32-bit or boot up from the Ghost 11 CD, you will see it shows up as DRIVE 0 partition 1 or drive 0 partition x (2, 3, 4, ...), assuming the hidden partition is the only drive.
I attached a copy of Ghost 11 for you, so you can test it.
ghost-11.zip

Expert Comment

by:che6ausc
ID: 33769278
You are not going to like my answer, but here it is anyway.

The capability for defining a hidden partition (partition type 23 in the NTFS file system) was created so that it is not usable (for lack of a better word). This is similar to being off-line without being physically dismounted.

It is my opinion that any software, other than disk management, which attempts to read or write to a hidden partition would be a programmatic error. Indeed, the newest version of Norton Ghost 15 does not see a hidden partition. See attached.

No one can control what software is out there and how it may be handling a hidden partition.

Suffice it to say that hidden partitions should be handled as they were originally intended and I think you will find most software companies adhere to the procedure.
Capture.jpg

Expert Comment

by:che6ausc
ID: 33769401
I truly believe you are stretching the issue beyond the content of your original post. What I have posted would be sufficient for the majority of users who want a drive(partition) to be inaccessible to anyone but themselves.

Expert Comment

by:che6ausc
ID: 33769866
I have the ultimate solution for anyone who would like to listen.

NTFS.sys, which is the kernel driver for reading/writing to hard drives in the Windows operating system, could query the partition type in the partition table for type 23 (hidden NTFS) and refuse access thereby.

Also, display an error message "access to hidden partition denied" and create a new BSOD code especially for this situation.

This would filter out all the scumbag software houses who really do not know what they are doing.

I think I deserve the 500 points from this post alone.

Expert Comment

by:ocanada_techguy
ID: 33771617
The whole thing is moot.

The author wants to prevent programs that boot from CD in their own live environment (read: NOT under Windows while Windows is running, so whatever Windows .sys files or DLLs do or do not hide or prevent has nothing to do with it) from making changes to drive partitions or anything on the drive, including programs designed specifically to do so. How do you stop a program that's designed with the specific purpose of wiping or restoring a drive from doing so? Um, how do you stop people from breathing? (ha ha, pardon the sarcasm) But seriously, @che6ausc, do you follow the distinction?

The difference between running the Ghost GUI front-end presenter that you screenshot, which still must reboot into its own tiny run environment to effect major changes, VERSUS the Ghost that one runs standalone in a DOS-like text environment off a bootable CD illustrates what Ikelca wants to prevent from making any changes: basically everything.

I'll raise the stakes further and ask: does that mean the standalone manufacturer's hard disk diagnostics should be prevented from taking any actions on the hard disk too? Um, good luck preventing that one.

What he wants is for the drive to have a mechanical jumper like the write-protect tab on a memory stick, VHS tape or audio cassette that prevents any recording. As I mentioned, in the bad old days drives had such a jumper among the jumper pins. Who knows, there may even be a mini jumper pin on the logic board somewhere for such a purpose. However, since @Ikelca doubts Western Digital will tell him how or release such information, he hasn't bothered asking, and was rather hoping instead that an EE had already solved this question with that specific solution.

Should I mention here that the write-protect tab on memory-stick readers is notorious for not working properly, as the mechanical switch in the slot gets stuck in either the open or closed position and then pays no attention to the position of the plastic tab? Doh!

Accepted Solution

by:che6ausc (earned 250 total points)
ID: 33773254
ocanada_techguy,

Do not add to or distort what the author wants and does not want.

His original post made no mention of DOS, Linux, Mac, CDs, or anything else. He simply wants to make a USB HDD write-protected during the ordinary course of events that take place while he does his work.

The diskpart readonly attribute will do that, as he found out himself in a Windows environment. End of story.

Quote by Ikelca:
USB flash stick is usually smaller in capacity
And I need to store some large files
Diskpart option looks good, I will try later
Thx

He then found that a legacy version of Norton Ghost (the newest version is fixed) wrote to the HDD even though it was write-protected. This is a bug in the software which has subsequently been fixed in the newest version, as I have shown.

As an added security measure, and more broad-based, he can hide the partition according to NTFS conventions (partition type 23, if you are familiar with partition types, which you evidently are not). This would prevent all other software from writing to the partition, provided that they are following NTFS conventions, which most do.

Of course, as I mentioned previously, disk management software is exempt from all restrictions placed on the HDD.

Jumpers are not available on newer hard drives, and he does not want to have to buy a new hard drive anyway.

I don't see anywhere in the original post that someone is purposely trying to corrupt the hard drive by formatting it or ghosting to it or anything else.

Expert Comment

by:ocanada_techguy
ID: 33774084
I agree his follow-ups in the thread elaborate on what is not included in the original post.

Yes I can read, yes I know what partition types are, often solving the "attach XP system drive to Win7 and Win7 then hides it" problem for many people. Sorry you took offense. I can take equal offense at some of your statements now directed toward me, and also previously your "I deserve all the points" being a rude #&% statement. Offended? Tough, get over it.

I can appreciate you are trying hard and putting effort into offering solutions, screenshots and all. Would that points were money, eh.

ACTUALLY, he stated he'll attach it to numerous workstations, SO altering NTFS.sys only helps the one machine it's done on, none of the others,
AND when you get right down to it he DID specifically say VIRUSES on the workstationS, and since they are as likely designed to write directly to the device, paying no attention whatsoever to any niceties or partition attributes, a hardware solution is necessitated to solve his original question as originally stated.

The Ghost behaviour wasn't a bug; it was designed to work that way, so that hidden partitions can be backed up and restored. A virus could be designed to clobber a disk regardless as well.

Good try though. I thought your original answer of the readonly attribute nailed it, and it could certainly mitigate some viruses and solves it most of the way. That's why when all these answers were shot down it triggered the "oh just give up then, sheesh" mode.
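
The "hidden partition" and "read-only attribute" debate above comes down to what is actually stored on the disk. The following is an added example written for this page (not code from the thread or from any tool named in it): it builds a constructed MBR, parses the partition table, and performs the same one-byte change a partition manager makes when it "hides" an NTFS partition (type 0x07 becomes 0x17, decimal 23). Anything that reads sector 0 for itself, as a DOS-booted imager or a virus with raw disk access does, sees the entry either way; the flag is only honored by software that chooses to honor it. The partition layout and sizes are assumptions for the example.

```python
"""Added example (not from the thread): what "hiding" an MBR partition
actually changes on disk, and why a tool that reads sector 0 directly
still sees the partition.

Assumptions: the disk uses a classic MBR partition table (not GPT). The
sample MBR below is constructed for this example; nothing is read from a
real device.
"""
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55
PART_TABLE_OFFSET = 446
ENTRY_SIZE = 16
HIDDEN_FLAG = 0x10  # 0x07 (NTFS) -> 0x17 (hidden NTFS, decimal "type 23")

# Partition types whose "hidden" variant is type | 0x10 (the convention
# behind "partition type 23": 0x07 NTFS becomes 0x17).
HIDEABLE = {0x01, 0x04, 0x06, 0x07, 0x0B, 0x0C, 0x0E}

TYPE_NAMES = {
    0x07: "NTFS/exFAT", 0x17: "hidden NTFS/exFAT",
    0x0B: "FAT32 (CHS)", 0x1B: "hidden FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x1C: "hidden FAT32 (LBA)",
}


def make_entry(boot: bool, ptype: int, start_lba: int, sectors: int) -> bytes:
    """Build one 16-byte MBR partition entry (CHS fields zeroed; modern
    tools use the LBA fields)."""
    status = 0x80 if boot else 0x00
    return struct.pack("<B3sB3sII", status, b"\x00\x00\x00", ptype,
                       b"\x00\x00\x00", start_lba, sectors)


def build_sample_mbr() -> bytes:
    """Constructed MBR: a small bootable FAT32 tools partition followed by a
    large NTFS data partition (sizes are assumptions for the example)."""
    table = (make_entry(True, 0x0C, 2048, 2_097_152)            # ~1 GiB boot
             + make_entry(False, 0x07, 2_099_200, 974_672_896)  # ~465 GiB data
             + bytes(ENTRY_SIZE) * 2)                           # two empty slots
    return bytes(PART_TABLE_OFFSET) + table + struct.pack("<H", MBR_SIGNATURE)


def parse_mbr(sector0: bytes) -> list:
    """Return the partition entries anyone who can read sector 0 can see.
    'Hidden' is just a type byte; there is no access control here."""
    if len(sector0) < SECTOR or struct.unpack_from("<H", sector0, 510)[0] != MBR_SIGNATURE:
        raise ValueError("no valid MBR signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", sector0, off)
        if ptype == 0x00:
            continue
        parts.append({
            "index": i,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "0x%02X" % ptype),
            "hidden": ptype in {t | HIDDEN_FLAG for t in HIDEABLE},
            "start_lba": start,
            "sectors": count,
        })
    return parts


def set_hidden(sector0: bytes, index: int, hidden: bool) -> bytes:
    """Toggle the hidden flag on entry `index`: the single-byte change a
    partition manager makes when you click 'hide' or 'unhide'."""
    buf = bytearray(sector0)
    off = PART_TABLE_OFFSET + index * ENTRY_SIZE + 4  # type byte of the entry
    base = buf[off] & ~HIDDEN_FLAG
    if base not in HIDEABLE:
        raise ValueError("type 0x%02X has no hidden variant" % buf[off])
    buf[off] = base | HIDDEN_FLAG if hidden else base
    return bytes(buf)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    hidden = set_hidden(mbr, 1, True)   # "hide" the data partition
    for p in parse_mbr(hidden):
        print("entry %d type 0x%02X %-20s hidden=%-5s start=%d sectors=%d"
              % (p["index"], p["type"], p["name"], p["hidden"], p["start_lba"], p["sectors"]))
    changed = [i for i, (a, b) in enumerate(zip(mbr, hidden)) if a != b]
    print("bytes changed by hiding:", changed)   # one byte, offset 466
```

Run it and the "hidden" data partition is listed with its full LBA range, and exactly one byte of the sector differs from the unhidden version. The same point applies to diskpart's readonly attribute: it is metadata the Windows storage stack honours, and nothing in the drive itself rejects a write, which is why the DOS Ghost test earlier in the thread could still write to the disk.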

Expert Comment

by:che6ausc
ID: 33778280
My post about "deserving all the points" was meant to add a lighter moment to a thread that was and is rapidly spinning out of control with taunts and attacks on your behalf, as well as the author's effort to stretch the issue beyond his original post. I am sorry that you were offended by it.

He obviously wanted a software solution, which I provided to the best of my ability. You will not get any better of a software solution than I have provided. In the ordinary course of events, and while running competent anti-virus software, it should be sufficient to protect the drive.

The newest version of Norton Ghost does not allow a hidden partition to be used as the destination in the ghosting process, so if in fact the legacy version does, then how can you say it was anything other than a bug?

For my own personal information, what advanced diagnostic from the manufacturer would have the capability to set the drive as read-only, and how would that stop viruses, disk management software, ghosting software et al. from writing to the drive? You may be on to something, in which case you deserve all the points. In your words: "Um, how do you stop people from breathing?"

Expert Comment

by:ocanada_techguy
ID: 33780446
Exactly. Oops, LOL. Our bad.

Well, for example, almost all SCSI drives have the jumper http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=SCSI_Jumper_Settings&vgnextoid=bc71e5cc0783e010VgnVCM100000dd04090aRCRD so a USB enclosure that used a SCSI drive internally would be able to be jumpered as read-only; said jumper could be wired to a switch.
This is implemented right on the logic board of the drive by the firmware of the hard disk itself and so cannot be ignored by anything.

Another hardware solution may be a "forensic write blocker", which is a SILLY little device colour-coded red or yellow which you attach between the drive interface as a legal chain-of-custody measure to ensure that writing to the device is prevented. Example http://www.forensicpc.com/proddetail.asp?prod=T14%2DRW&cat=38

This is how forensic write blockers work. Since we know this drive has blocking capability, all that need be done is for a simple firmware-controlled logic circuit to remain open on the write pins to prevent all writes. The drive manufacturer's utility merely allows you to close that circuit to permit writes. It only has to open the circuit on two pins on the IDE bus and the drive will behave normally in all respects, except for writes.

Moving forward on a technology timeline, some IDE ATA/ATAPI hard drives have a read-only jumper; many do not. This is because instead of a jumper almost all IDE ATA/ATAPI hard drives have a set of security features whereby the hard drive can be password-protected at the firmware level.

This is most often used by select laptop BIOSes due to the ease with which laptops can be stolen, much like BIOSes can have power-on passwords, the key difference being that the security on the HDD can password-protect the drive contents and is implemented as much by the firmware of the HDD itself. Here is an inquiry against a drive's firmware settings; note the security settings:

ATA device, with non-removable media
      Model Number:       SAMSUNG SP6003H                        
      Serial Number:      XXXXXXXXXXXXXX      
      Firmware Revision:  QV100-61
Standards:
      Used: ATA/ATAPI-6 T13 1410D revision 1
      Supported: 6 5 4
Configuration:
      Logical            max      current
      cylinders      16383      16383
      heads            16      16
      sectors/track      63      63
      --
      CHS current addressable sectors:   16514064
      LBA    user addressable sectors:  117304992
      device size with M = 1024*1024:       57277 MBytes
      device size with M = 1000*1000:       60060 MBytes (60 GB)
Capabilities:
      LBA, IORDY(cannot be disabled)
      Standby timer values: spec'd by Standard, no device specific minimum
      R/W multiple sector transfer: Max = 16      Current = 16
      Recommended acoustic management value: 128, current value: 0
      DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 *udma5
           Cycle time: min=120ns recommended=120ns
      PIO: pio0 pio1 pio2 pio3 pio4
           Cycle time: no flow control=120ns  IORDY flow control=120ns
Commands/features:
      Enabled      Supported:
         *      SMART feature set
                Security Mode feature set
         *      Power Management feature set
         *      Write cache
         *      Look-ahead
         *      Host Protected Area feature set
         *      WRITE_BUFFER command
         *      READ_BUFFER command
         *      DOWNLOAD_MICROCODE
                SET_MAX security extension
                Automatic Acoustic Management feature set
         *      Mandatory FLUSH_CACHE
         *      SMART error logging
         *      SMART self-test
Security:
      Master password revision code = 65534
            supported
      not      enabled
      not      locked
      not      frozen
      not      expired: security count
            supported: enhanced erase
      72min for SECURITY ERASE UNIT. 72min for ENHANCED SECURITY ERASE UNIT.
HW reset results:
      CBLID- above Vih
      Device num = 1 determined by the jumper
Checksum: correct

Security (and S.M.A.R.T., btw) was first introduced and implemented in ATA version 3, "ATA-3" (see http://en.wikipedia.org/wiki/Advanced_Technology_Attachment#ATA_standards_versions.2C_transfer_rates.2C_and_features ). ATA-3 features are of course supported in the merged ATA/ATAPI standards ATA/ATAPI-4, -5, -6, -7 and -8.
Here http://www.t10.org/t13/project/d2008r7b-ATA-3.pdf we have the ATA-3 standard established in 1997 which first introduced the Security features (see section 6.5, starting on pg 33, and particularly helpful the diagrams on page 34).

The challenge is that unless you were using a laptop BIOS that is designed to handle this situation, that is, to prompt the user at power-on for the password to unlock the drive, how would you achieve that and provide the password to the drive when connecting via USB?

Well, one way, under Unix/Ubuntu/Linux variants, would be to use the hdparm --security command, which supports ATAPI fully,
or under Windows, say, would be to use a drive utility, if not the drive diagnostics tool. Here http://www.seagate.com/support/disc/manuals/external/pocket/Toolkit-security.htm from the "Seagate USB 2.0 Pocket Hard Drive User's Manual" is the section about using the tool to password protect, and/or "HOW TO WRITE PROTECT THE DRIVE".

Moving ahead in the timeline, when hard drives were getting bigger, larger than 80GB, larger than 127GB, some BIOSes did not support the larger geometries of later, unanticipated ATAPI standards. In order to get a 160GB hard drive to work in a laptop that supported at most a 127GB hard disk, the drives typically had a jumper which would LIMIT the drive size geometry. INSTEAD of a physical jumper, most drives now implement the LBA limit setting and/or size limit setting as a setting stored on the drive itself via the firmware, so that the HDD works with those BIOSes. This setting is usually managed by using the drive diagnostics utility. Another setting in firmware in lieu of a jumper.

B.T.W. When you "try" to boot off of the 1TB external USB drive you'll discover many of the workstations, and not necessarily antiquated ones, may not recognize the drive because the BIOS of said workstation does not support drives that big, either at all, or else to boot off of. You've probably already encountered this. So, you might need to boot off a USB flash/pen drive with a CDFS or floppy FS on it so that it in turn, with the correct USB and ATAPI drivers in its boot OS, can see the USB physical storage drive in the also-attached enclosure.

SATA is replacing parallel ATA, the older IDE, and there are hardly any jumpers whatsoever, with a preference for everything being implemented in the firmware logic settings.

And that is why I suggest he ask Western Digital, because in fact the ATAPI standard has established such support going way back to 1997.

For a discussion of specialized hardware devices and data lab services designed to defeat hard drive password protection, see here http://www.wwpi.com/?option=com_content&task=view&id=2669&Itemid=129 To date no virus has yet been found to have been released that is complex enough to reprogram any firmware to defeat the highest password locking of the Master password, but in theory it could be done, one supposes.

Interesting topic anyway.
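
To make the `hdparm --security` route concrete, here is an added example written for this page (not from the thread): it parses the `Security:` block that `hdparm -I` prints, like the listing above, and works out which hdparm command applies to the drive's current state. The `hdparm` options it emits (`--user-master`, `--security-set-pass`, `--security-unlock`, `--security-disable`) are real options of that tool; `/dev/sdX` and `<password>` are placeholders, and the sample blocks are constructed in the layout of the listing above rather than captured from a live drive. Two caveats worth knowing before trying it: an ATA-locked drive refuses reads as well as writes until it is unlocked, so this is theft protection rather than a write-protect switch, and many USB-to-SATA bridges do not pass SECURITY commands through at all, in which case `hdparm -I` over USB shows no usable Security section.

```python
"""Added example (not from the thread): read the 'Security:' block that
`hdparm -I /dev/sdX` prints and work out what, if anything, the ATA
Security feature set can do for this drive.

Assumptions: hdparm's output layout as shown in the thread; /dev/sdX and
<password> are placeholders. sample() constructs text in that layout; it is
not output captured from a real drive.
"""
import re

FLAGS = ("supported", "enabled", "locked", "frozen")


def sample(supported=True, enabled=False, locked=False, frozen=False) -> str:
    """Constructed hdparm -I 'Security:' block, defaulting to the state of
    the SAMSUNG SP6003H listing above (supported, not enabled/locked/frozen)."""
    def flag(name, on):
        return ("         " if on else "      not") + "      " + name
    return "\n".join([
        "Security:",
        "      Master password revision code = 65534",
        flag("supported", supported),
        flag("enabled", enabled),
        flag("locked", locked),
        flag("frozen", frozen),
        "      not      expired: security count",
        "            supported: enhanced erase",
        "      72min for SECURITY ERASE UNIT. 72min for ENHANCED SECURITY ERASE UNIT.",
        "HW reset results:",
        "      CBLID- above Vih",
    ]) + "\n"


def parse_security(text: str) -> dict:
    """Return the four state flags plus whether the master password is still
    the factory default. Each flag line is '<flag>' or 'not <flag>'; the
    other lines of the block are ignored."""
    m = re.search(r"^Security:\n(.*?)(?=^\S|\Z)", text, re.S | re.M)
    if not m:
        raise ValueError("no Security section in hdparm -I output")
    block = m.group(1)
    state = {f: False for f in FLAGS}
    for line in block.splitlines():
        mm = re.match(r"\s*(not\s+)?(supported|enabled|locked|frozen)\s*$", line)
        if mm:
            state[mm.group(2)] = mm.group(1) is None
    rev = re.search(r"Master password revision code = (\d+)", block)
    # 65534 (0xFFFE) is the factory default: no master password has been set.
    state["master_default"] = rev is None or int(rev.group(1)) == 65534
    return state


def plan(state: dict, dev: str = "/dev/sdX") -> list:
    """hdparm commands that move the drive toward 'password-locked at the
    firmware level', or the reason none apply. A locked drive rejects READ
    as well as WRITE, so this is a tamper/theft control, not write-protect."""
    if not state["supported"]:
        return ["# Security Mode feature set not supported: nothing to do at the ATA level"]
    if state["frozen"]:
        return ["# drive is frozen (SECURITY FREEZE LOCK was issued, typically by the BIOS);",
                "# security state cannot change until the drive is power-cycled"]
    if state["enabled"] and state["locked"]:
        return ["hdparm --user-master u --security-unlock '<password>' %s" % dev]
    if state["enabled"]:
        return ["# already enabled and unlocked; it will lock again at the next power cycle",
                "hdparm --user-master u --security-disable '<password>' %s  # to remove it" % dev]
    return ["hdparm --user-master u --security-set-pass '<password>' %s" % dev,
            "# after the next power cycle the drive is locked until --security-unlock"]


if __name__ == "__main__":
    for label, text in (("as listed above", sample()),
                        ("locked drive", sample(enabled=True, locked=True)),
                        ("frozen by BIOS", sample(frozen=True)),
                        ("unsupported", sample(supported=False))):
        print("== %s: %s" % (label, parse_security(text)))
        print("\n".join("   " + c for c in plan(parse_security(text))))
```

For a drive behind a USB bridge, the honest first step is simply `hdparm -I /dev/sdX`: if the bridge does not forward ATA commands the Security block will be missing or the command will fail, and none of the above applies.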

Expert Comment

by:ocanada_techguy
ID: 33780555
Purchase a "Seagate USB 2.0 Pocket Hard Drive" and use the tool per "HOW TO WRITE PROTECT THE DRIVE",
or,
when contacting Western Digital, you might emphasize the point that "Seagate does it, so how does WD do it, and if not, why not?! Your competitor does" as an extra enticement to receive help and a useful solution from them.

Expert Comment

by:ocanada_techguy
ID: 33780831
You've also probably seen USB hard drives that come with two partitions and a software bundle on the smaller partition, said partition formatted as CDFS and designed to appear to the computer as if it's a CD. The software bundle will often wish to install on the computer and/or automatically run, and then offer the user an option to encrypt/decrypt the huge partition, so not only is the drive password-protected but the huge partition is also encrypted. This is how many drives come initially so as to offer some bundled data security.
They just don't typically bundle an actual boot OS on the CD-emulating partition, but nothing says you couldn't mimic that scenario AND have a "live CD" OS on it, such as WinPE, BartPE etc., and then the remaining 99% of the drive protected with encryption. As a fallback position you could have a bootable flash stick drive, so even if the CDFS partition were messed up you'd simply use the flash stick to gain access to the larger encrypted partition. Could the boot partition be DVD-sized? Could that boot support Windows 7 native EFS encryption on the second partition? That would be similar to external drives that are encrypted and require a USB dongle with an encryption key to access them.

Still, there's always a chance that something could overwrite/wipe those partitions even if they were marked hidden type or read-only attribute; nevertheless, much credit to @che6ausc, it ought to be much less likely to happen as such. But yeah, I say near impossible if the drive were jumpered / firmware-set read-only.

Author Comment

by:Ikelca
ID: 33783635
Wow, I have to say I'm surprised; you guys are truly informative.
In addition, just to clarify, my original goal was not specifically limited to hardware or software; as long as it makes my portable USB HDD write-protected, then it's good.
Thanks to all of you, and I will test each of the methods you provided and get back to you shortly.

PS: you both deserve points for all the effort and time.

Author Comment

by:Ikelca
ID: 33783732
Clarification: I meant write-protect from both the OS and pre-OS or DOS.

As for the Seagate Pocket HDD, I think it's based on software under Windows; when I boot into BartPE or any other kind of pre-OS, it will lose its write-protection feature, am I right?

Assisted Solution

by:ocanada_techguy (earned 250 total points)
ID: 33784571
Clarification:
@Ikelca, excellent question, and I honestly can't be 100% sure unless someone has one to try. It's not outside the realm of possibility that all it does is change the read-only attribute of a partition, just like DISKPART does. It does however bear the title "How To Write Protect The DRIVE".

Let me emphasise, I'm sorry, but it remains UNCLEAR whether the Seagate tool is doing it at the firmware level.

(The ATA-3 specification for security is focussed on password protection, as is ATA/ATAPI-7 http://www.t10.org/t13/project/d1532v1r4a-ATA-ATAPI-7.pdf (see pg 22), which applies to SATA in volume 3 http://www.t10.org/t13/project/d1532v3r4a-ATA-ATAPI-7.pdf and the draft -8. My examination found only the differentiation between user and master password behaviour.)

Therefore it would seem the only ways would be
a) use the SCSI jumper found on a SCSI drive
(USB drives are not exclusively the domain of PATA or SATA, although I assumed the 1TB one you have in hand is SATA)
b) set the partition read-only attribute (does not make the entire disk and the partition table itself read-only, so operations that ignore the partition's attribute will still ignore it, i.e. not most viruses, but theoretically malicious ones that wipe the disk or block 0 or the partition table, YET not most viruses that focus on injecting or altering or wiping files via file-system access)
c) forensic device
d) some kludge altering the pins on the PATA IDE cable, emulating what the forensic device does
   perhaps straightforward on parallel ATA, but not possible / likely a buffer device needed / extremely difficult and cost-prohibitive if SATA
e) jumper on the daughtercard IF ANY (make/model specific) (i.e. ask if they make any drives with a read-only switch)
f) the possibility that manufacturers may have moved what used to be the vendor-specific read-only and LBA limit jumper pin next to the MA/SL/CS jumpers to a vendor-specific register in the firmware of select makes/models that can be set with the utility/diagnostics (as is known to be the case with the LBA size limit setting)

or here are more suggestions triggered by the obvious limitations of d) for serial...

since the USB-to-PATA or -SATA interface has to reduce all disk operations down to the SCSI command set to adhere to the standard conventions for communicating with all disk drives on USB 2.0 (they standardized on the "ancient" SCSI set, which I'll again point out sucks because via USB many types of low-level direct access to ATA drives are thereby impossible)
  g) an enclosure/adapter daughtercard that connects USB to HDD could have its own chip firmware rewritten and re-burned on a substitute chip to NO-OP and treat as a read, or to return FAILURE, or do exactly what SCSI drives do when the read-only jumper is on, for all WRITE operations (remember EPROM burners? Ahh, the good ole days, eh)
  h) a USB-to-USB middleman buffer device could be constructed which would buffer and reinterpret the SCSI commands being communicated serially via USB and substitute its own behaviour for WRITE operations, or any operations for that matter (Oooo, can you say Spy-vs-Spy James Bond 007 Q stuff? lol)
I got the idea from this:
  i) HDD Sheriff http://www.hdd-sheriff.com/products.htm a PCI device (or software, ignoring that) HDD controller card which intercepts and redirects all disk write attempts. Neat! But it's an internal solution, so outside the scope as defined in the title description "write-protect to external USB".

Are we having fun yet? lol

How stupid that the read-only jumper that was obvious to people in the 1960s seems to have vanished from the face of technology. That's almost as stupid as modern OSes taking 25 years to reintroduce features that were already in Unix 35 years ago, eh. Little things like keeping the OS files, program files and user files, oh, in their own folders and not mixed together, say, or, when drives are mounted, having a -readonly option. Sheesh.
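
Options g) and h) above describe, in effect, a forensic write blocker placed in the USB path. As an added example written for this page (not from the thread or from any product named in it), here is the decision logic such a device applies to every SCSI command descriptor block it sees over USB mass storage: an allow-list of read-type opcodes, a CHECK CONDITION with sense key DATA PROTECT / ASC 27h WRITE PROTECTED for everything else, and the WP bit set in MODE SENSE replies so the host mounts the disk read-only rather than erroring on each write. The opcodes and sense codes are the standard SCSI values; the CDBs at the bottom are constructed sample input, not captured traffic.

```python
"""Added example (not from the thread): the decision logic a USB write
blocker (options g/h above, or a commercial forensic bridge) applies to each
SCSI command the host sends over USB mass storage.

Assumptions: commands arrive as SCSI CDBs, which is what USB Mass Storage
carries; a real blocker lives in bridge firmware or a USB-to-USB device,
here it is a pure function over the CDB bytes. Sample CDBs are constructed.
"""

# Allow-list of read-type opcodes (SPC/SBC). Anything not listed is refused,
# including ATA PASS-THROUGH (0xA1/0x85), which could smuggle WRITE DMA or
# SECURITY commands past a filter that only knew the SCSI write opcodes.
READ_ONLY_OK = {
    0x00: "TEST UNIT READY",
    0x03: "REQUEST SENSE",
    0x12: "INQUIRY",
    0x1A: "MODE SENSE(6)",
    0x5A: "MODE SENSE(10)",
    0x1B: "START STOP UNIT",
    0x1E: "PREVENT ALLOW MEDIUM REMOVAL",
    0x25: "READ CAPACITY(10)",
    0x9E: "SERVICE ACTION IN(16)",   # READ CAPACITY(16) is service action 0x10
    0x08: "READ(6)",
    0x28: "READ(10)",
    0xA8: "READ(12)",
    0x88: "READ(16)",
    0x2F: "VERIFY(10)",
    0x35: "SYNCHRONIZE CACHE(10)",   # harmless when no write ever reached the drive
    0xA0: "REPORT LUNS",
}

# Known write-type opcodes, named so a log line says what was blocked.
WRITE_LIKE = {
    0x0A: "WRITE(6)", 0x2A: "WRITE(10)", 0xAA: "WRITE(12)", 0x8A: "WRITE(16)",
    0x2E: "WRITE AND VERIFY(10)", 0x41: "WRITE SAME(10)", 0x93: "WRITE SAME(16)",
    0x04: "FORMAT UNIT", 0x42: "UNMAP", 0x15: "MODE SELECT(6)", 0x55: "MODE SELECT(10)",
    0xA1: "ATA PASS-THROUGH(12)", 0x85: "ATA PASS-THROUGH(16)",
}

SENSE_KEY_DATA_PROTECT = 0x07
ASC_WRITE_PROTECTED = 0x27   # ASC 27h / ASCQ 00h: WRITE PROTECTED


def fixed_sense(key: int, asc: int, ascq: int = 0) -> bytes:
    """18-byte fixed-format sense data (SPC), returned with CHECK CONDITION."""
    sense = bytearray(18)
    sense[0] = 0x70          # response code: current errors, fixed format
    sense[2] = key & 0x0F    # sense key in the low nibble
    sense[7] = 10            # additional sense length (18 - 8)
    sense[12] = asc
    sense[13] = ascq
    return bytes(sense)


def filter_cdb(cdb: bytes) -> dict:
    """Decide for one CDB: {'allow': bool, 'name': str, 'sense': bytes|None}.
    Refused commands get DATA PROTECT / WRITE PROTECTED, the same status a
    drive with a physical write-protect switch returns, so the host OS
    simply treats the medium as read-only."""
    if not cdb:
        raise ValueError("empty CDB")
    op = cdb[0]
    if op in READ_ONLY_OK:
        return {"allow": True, "name": READ_ONLY_OK[op], "sense": None}
    name = WRITE_LIKE.get(op, "opcode 0x%02X" % op)   # default deny for unknown opcodes
    return {"allow": False, "name": name,
            "sense": fixed_sense(SENSE_KEY_DATA_PROTECT, ASC_WRITE_PROTECTED)}


def mode_sense_with_wp(response: bytes, six_byte: bool = True) -> bytes:
    """Set WP (bit 7 of the device-specific parameter) in a MODE SENSE reply
    passing back to the host: byte 2 of the 6-byte header, byte 3 of the
    10-byte header. The host then knows up front the medium is write-protected."""
    buf = bytearray(response)
    buf[2 if six_byte else 3] |= 0x80
    return bytes(buf)


def cdb_read10(lba: int, blocks: int) -> bytes:
    """READ(10): opcode, flags, 4-byte LBA, group, 2-byte length, control."""
    return bytes([0x28, 0]) + lba.to_bytes(4, "big") + bytes([0]) + blocks.to_bytes(2, "big") + bytes([0])


def cdb_write10(lba: int, blocks: int) -> bytes:
    """WRITE(10): same layout as READ(10) with opcode 0x2A."""
    return bytes([0x2A, 0]) + lba.to_bytes(4, "big") + bytes([0]) + blocks.to_bytes(2, "big") + bytes([0])


if __name__ == "__main__":
    # Constructed sample traffic: read the MBR, overwrite the MBR, an INQUIRY,
    # and an ATA PASS-THROUGH(16) that could carry a WRITE DMA EXT.
    for cdb in (cdb_read10(0, 1), cdb_write10(0, 1),
                bytes([0x12, 0, 0, 0, 36, 0]), bytes([0x85]) + bytes(15)):
        r = filter_cdb(cdb)
        print("%-26s %s" % (r["name"], "allow" if r["allow"]
                            else "DENY (DATA PROTECT / WRITE PROTECTED)"))
```

Default-deny is the part that matters: ATA PASS-THROUGH is how hdparm-style tools reach the drive through a bridge, and a blocker that only recognised the SCSI WRITE opcodes would let an ATA write ride through inside it. The same allow-list logic is what separates a write blocker from the OS-level attributes discussed earlier: it runs below any operating system the workstation boots, DOS included.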

Author Closing Comment

by:Ikelca
ID: 33856602
thanks for all the efforts guys