Tuesday, September 25, 2018

Write blocker - Prevent Windows from writing to a USB drive for forensics purposes

1. Select Start > Run or press  the Windows key + R

2. Type in regedit in the box that pops up.

3. In the Windows Registry editor navigate to HKEY_LOCAL_MACHINE\SYSTEMS\CurrentControlSet and highlight the Control key by clicking on it

4. Right-Click on the “Control” key and select New > Key

5. Name the new key StorageDevicePolicies

6. Right-Click on the StorageDevicePolicies and select New > DWORD

7. Name it WriteProtect

8. Right-Click on WriteProtect and select Modify

9. Change the value of WriteProtect to 1. (This enables write protection)

10. Right-Click on StorageDevicePolicies and select Export. This creates a .reg file that we can use later. Save this file on your Desktop as “Enable USB Write Protection”

11. Right-Click on WriteProtect and select Modify and change the value to 0. This allows the writes to occur once more.

12. Right-Click on StorageDevicePolicies and select Export again. Save this .reg file to your Desktop and name it Disable “USB Write Protection”

13. Now you can Enable or Disable Write Blocker by double clicking on the two .reg files located on your Desktop

Note: It is still possible to write to the USB device if Write Blocker was enabled after the device was plugged in. To make sure Write Blocker is enabled apply the Write Blocker before plugging in the USB drive.


Post a Comment