It is possible to use the Windows registry to write-protect USB mass storage devices. An investigator can combine this USB write-blocking trick with a USB-IDE or USB-SATA adapter to protect the vast majority of evidence drives that he or she might encounter. The write-blocking functionality was added with Windows XP SP2, and has worked with all subsequent Windows versions, including Windows Vista (but I have not tested this with Windows 7). Below is a step-by-step guide to creating a write-protect switch for USB devices on Windows.
- Select Start > Run or press the Windows key + R
- Type regedit in the box that pops up. This opens the Windows Registry Editor.
- In the tree in the left pane of the editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet and highlight the ‘Control’ key by clicking on it.
- Right-Click on the ‘Control’ key and select New > Key
- Name the new key StorageDevicePolicies
- Right-Click on StorageDevicePolicies and select New > DWORD
- Name it WriteProtect
- Right-Click on WriteProtect and select Modify
- Change the value of WriteProtect to 1; this enables write protection
- Right-Click on StorageDevicePolicies and select Export. This creates a .reg file that will apply this key to the registry when double-clicked. Save this file on your Desktop as ‘USB Write Protection On’.
- Right-Click on WriteProtect and select Modify; change the value to 0. This allows writes to occur once more.
- Right-Click on StorageDevicePolicies and select Export again. Save this .reg file on your Desktop as ‘USB Write Protection Off’.
- Now simply double-click on either .reg file to enable or disable USB write protection.
Note: From my experience, the write protection only applies to devices plugged into the computer after the registry changes have been applied. It may still be possible to write to the disk if it was attached prior to the “USB Write Protection On” file being applied. Be sure to always apply this setting before plugging in any evidence items.
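The same switch can be scripted so that the value is read back after every change and already-attached USB disks are flagged. This is an added example, not part of the original guide; the function names `Get-UsbWriteProtect` and `Set-UsbWriteProtect` are hypothetical, and it assumes an elevated PowerShell 3.0 or later session.

```powershell
# Added example; function names are hypothetical. Run from an elevated prompt.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # $true only when the WriteProtect value exists and equals 1.
    $item = Get-ItemProperty -Path $KeyPath -Name WriteProtect -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.WriteProtect -eq 1)
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory = $true)][bool]$Enabled)

    # Writing under HKLM needs administrator rights; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Administrator rights are required to modify HKLM.'
    }

    # Create the key if it is missing, then set the DWORD (1 = on, 0 = off).
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name WriteProtect -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null

    # Read the value back rather than trusting the write.
    if ((Get-UsbWriteProtect) -ne $Enabled) {
        throw 'WriteProtect read-back does not match the requested state.'
    }

    # Disks attached before the change may still be writable (see the note above).
    $attached = @(Get-CimInstance -ClassName Win32_DiskDrive -Filter "InterfaceType='USB'")
    if ($Enabled -and $attached.Count -gt 0) {
        Write-Warning ("{0} USB disk(s) were attached before the change and may still be writable." -f $attached.Count)
    }

    # Emit a record suitable for case notes.
    New-Object PSObject -Property @{
        Timestamp      = (Get-Date).ToString('o')
        WriteProtectOn = (Get-UsbWriteProtect)
        UsbDisksAtSet  = $attached.Count
    }
}

# Set-UsbWriteProtect -Enabled $true    # before connecting evidence media
# Set-UsbWriteProtect -Enabled $false   # after the evidence has been removed
```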