
There are two reasons you would want to prevent Linux from writing anything to an external hard drive or USB drive when you plug it in:

  • To recover accidentally deleted files from the now "empty" part of the drive
  • For digital forensics, you need to be certain nothing on the drive has changed when you make a clone of it

There are drive connectors and external enclosures just for this purpose, which have a switch or button on them that physically blocks any write commands from reaching the drive.

However, my USB-to-IDE connector doesn't have that luxury. I have heard this is possible to achieve by software instead (which would include having to disable Ubuntu's auto-mounting), but I'm not finding any instructions online on how to do this.

How do I prevent Ubuntu from writing anything to an external hard drive for the purposes of preserving all data on it?


In my particular case I will be using Ubuntu, however, I asked on Unix & Linux rather than AskUbuntu in the hope of finding an answer that would work across distributions, and not just in my particular case. Both types of answers are welcome.

IQAndreas
    Do you know the UUID of the USB drive volume you want to mount? If so, can you create an entry in `/etc/fstab` and set a read-only mount option for that UUID? – Arkanon Mar 13 '15 at 19:19
  • yeah it seems like unless you already knew the UUID there would be no way to plug it in without Ubuntu mounting it `RW`. You could try a distro on a live CD that has a forensics mode. Kali or Ubuntu Rescue Remix come to mind. Or perhaps someone will know how to edit fstab so that all future drives that are inserted are mounted `RO` but I searched the man page and didn't have any luck :( – Dylan Mar 13 '15 at 19:58

2 Answers


For actual forensics scenarios, you do need a hardware blocker. A software blocker isn't good enough because you risk making a mistake, and for legal cases, it's very important to be able to claim without a shadow of a doubt that you did not modify the disk image, and to be able to explain in very simple terms to non-technical people that you could not possibly have modified the original. In addition, the only thing you would do with the original disk is to make a copy to new media, and then analyze the copy (again, with a write blocker — you might make additional copies that you write to to locate the interesting stuff, then you would reproduce the extraction of the interesting stuff with the guaranteed-accurate copy).

That being said, you can make a block device read-only with the blockdev command.

# blockdev --setro /dev/sde
# mount /dev/sde /mnt/
mount: block device /dev/sde is write-protected, mounting read-only

Beware that mount -o ro is not enough to ensure that the device won't be modified. With journaling filesystems, if the filesystem was not cleanly unmounted, even a read-only mount will replay the journal and update the filesystem on disk to match. To prevent this, with ext3 or ext4, you can pass the noload option — but making the block device read-only is a safer way of ensuring that nothing will be written, and may be the only way with some other filesystems.

Gilles 'SO- stop being evil'
  • I'm having trouble finding hardware blockers on Newegg. Do you need to order it from a speciality (read: over-priced) shop, or should I be searching for any specific terms? Do the blockers come as extra features on external hard drive enclosures and USB adapters, or are they separate devices? – IQAndreas Mar 16 '15 at 09:39
  • @IQAndreas I don't know, I've never done forensics. Someone probably knows in [Security SE chat](http://chat.stackexchange.com/rooms/151/the-dmz). – Gilles 'SO- stop being evil' Mar 16 '15 at 13:06
  • IQAndreas - I used to use ones from Guidance software (EnCase company), back in a previous role. May not be the cheapest... – Rory Alsop Mar 16 '15 at 13:18
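The answer above shows blockdev --setro and warns that mount -o ro alone can replay a dirty journal. The script below is an added example, not part of the answer or of util-linux: it wraps the same steps so that the block device is set read-only and verified (blockdev --getro, and the kernel's /sys/class/block/<name>/ro flag) before a partition is mounted, and it picks ro,noload for ext3/ext4 automatically. The function names, the SYSFS_BLOCK variable, and the use of blkid to detect the filesystem type are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original answer): check-then-mount wrapper around
# blockdev --setro. Assumes util-linux blockdev(8), mount(8), blkid(8), and the
# standard Linux sysfs layout /sys/class/block/<name>/ro.
set -u

# sysfs root for block devices; overridable so the check can be exercised on a
# constructed directory tree instead of real hardware.
SYSFS_BLOCK="${SYSFS_BLOCK:-/sys/class/block}"

# Return 0 if the kernel already reports the device read-only ("1" in sysfs "ro"),
# 1 if it is writable, 2 if the device has no sysfs entry.
is_block_ro() {
    name=$(basename "$1")
    [ -r "$SYSFS_BLOCK/$name/ro" ] || return 2
    [ "$(cat "$SYSFS_BLOCK/$name/ro")" = "1" ]
}

# Mount options for a read-only evidence mount of the given filesystem type.
# ext3/ext4 get "noload" so an unclean journal is not replayed onto the disk
# (the caveat in the answer above); other filesystems just get "ro".
ro_mount_opts() {
    case "$1" in
        ext3|ext4) echo "ro,noload" ;;
        *)         echo "ro" ;;
    esac
}

# Set the whole disk read-only at the block layer, then verify the kernel
# agrees before anything is mounted. Refuses to continue if verification fails.
block_write_protect() {
    dev="$1"
    blockdev --setro "$dev" || return 1
    # blockdev --getro prints 1 when the device is read-only
    if [ "$(blockdev --getro "$dev")" != "1" ]; then
        echo "refusing: $dev is still writable" >&2
        return 1
    fi
    is_block_ro "$dev"
}

# Mount one partition read-only; run block_write_protect on its disk first.
mount_evidence() {
    part="$1"; mnt="$2"
    fstype=$(blkid -o value -s TYPE "$part")
    mount -o "$(ro_mount_opts "$fstype")" "$part" "$mnt"
}

# Usage (as root, with automounting disabled):
#   ./ro-mount.sh /dev/sde /dev/sde1 /mnt/evidence
if [ "${1:-}" ] && [ "${3:-}" ]; then
    block_write_protect "$1" && mount_evidence "$2" "$3"
fi
```

Because --setro applies to the whole disk, every partition under it inherits the write protection, which is why the script takes the disk and the partition separately. The same blockdev --setro call is also what people put in a udev RUN rule to protect every newly attached USB disk, but that only helps if it fires before any automounter touches the device, so disabling automount as the question describes still matters.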

This setup is usually enough. I used this during my external HD's recovery:

Disable automount first. (You can do this using gconf-editor on a GNOME setup. I don't know for other systems.) Then, you refer to your drive as /dev/sda or /dev/sda1 or whatever in your programs. (sda is usually reserved for the boot device. Refer to this post to know which sd* is your device. Try going for sdb when you only have two drives connected.)

A simple example:

root@yo-machine# dd_rescue /dev/sdc1 /home/user/the-disk-image.img

Where sdc1 is your unmounted device's first partition.

Note: /dev/sda will refer to the entire device, including boot sectors and MBR and stuff. /dev/sda1 will refer to the first partition of said device.

Aloha
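The answer above images the unmounted partition with dd_rescue. The script below is an added example, not part of the answer: it does the same acquisition with plain dd and then hashes both the source device and the image so that the copy can be shown to match what was read, which is the step a practitioner wants on record before working on the copy. The function names are this example's own; it assumes GNU coreutils dd and sha256sum.

```shell
#!/bin/sh
# Added example (not from the original answer): acquire an image and verify it
# by hash. Assumes GNU dd (for status=none) and sha256sum. dd_rescue from the
# answer above can replace the dd line when the source has unreadable sectors.
set -u

# Copy SRC (a device such as /dev/sdc1, or any file) to IMG. SRC is only ever
# opened for reading. bs=512 with conv=noerror,sync keeps the image the same size
# as the device on read errors: a bad sector is zero-filled instead of skipped,
# so offsets in the image still line up with the original.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none
}

# Print the SHA-256 of a path (device or file).
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 when SRC and IMG hash identically; print both hashes for the record.
# A mismatch means either read errors were zero-filled during acquisition or the
# image was altered afterwards, and in both cases the image must not be trusted.
verify_image() {
    src_hash=$(hash_of "$1"); img_hash=$(hash_of "$2")
    echo "source $src_hash"
    echo "image  $img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Usage (as root, with the device left unmounted):
#   ./acquire.sh /dev/sdc1 /home/user/the-disk-image.img
if [ "${1:-}" ] && [ "${2:-}" ]; then
    acquire_image "$1" "$2" && verify_image "$1" "$2"
fi
```

Hash the source before and after the copy as well if you want evidence that reading it did not change it; on a write-protected block device the two source hashes must be identical.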