this post was submitted on 29 Jul 2024
14 points (100.0% liked)
Cybersecurity
5958 readers
376 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]
Notable mention to [email protected]
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
You might want to expand your search to include forensic USB devices, that's a arena where people absolutely want read only data acquisition, and that might help find what you want.
"Forensic bridges"
There is complexity to read only modes. Depending on the underlying technology the read-only switch could be implemented in software, or the host needs to honor it by protocol, but not physically. That's pretty common for SD cards, if the host computer wants to write to them it can
Some of the better USB sticks, the Read only button, actually prevents the write enable signal from physically reaching the storage, that would be best in class. But you need the schematic to actually verify that. So you don't know if it's actually just implemented in software
For the forensic bridges, they actually speak the USB protocol, because it's just a serial bus, and they simply don't relay any commands they believe are related to writes. That relies on them enumerating every possible serial command, and that both the talker and the listener both have the same understandings for the same commands... It's pretty good, but there is room for error
Most encrypted USB devices, the ones with the keypads on them, have a read only mode. If you trust their software: https://www.kingston.com/en/usb-flash-drives/ironkey-kp200-encrypted-usb-flash-drive
Honestly, your cheapest option is to get cheap USB drives, image them. Put some red gaffers tape on them, whenever you break the tape to plug them into a device they're now tainted, and you as a human must reimage the drives again before you put them into another computer.
https://github.com/o7-machinehum/ovrdrive Here's a fully open source flash drive, if you look at the schematic you can see you just want to be able to disable the right enable pin. This drive is designed with some fancy controller in front of the USB controller so you could actually disable it in software if you wanted... https://www.crowdsupply.com/interrupt-labs/ovrdrive-usb/updates/a-look-at-our-firmware-and-how-to-modify-it
Thanks for the wonderful info. I think I will go with the iStorage datAshur PRO+C because it has the best speeds out of all of them. It is slightly more involved to activate read-only mode than a simple switch, but it should be negligible compared to the time to boot the system and other overhead.
There is no way for me to verify how the write-protect works with this drive, but that is true for all of them, so I have to trust one. However, this company seems very competent. And importantly there are many 3rd party reviews of this and similar iStorage products. Also the firmware is supposedly signed so it should be immune to badUSB. But you do make the point that there is no way to be sure.
I plan to use root on LUKS anyway (I want persistent storage), so I can keep / encrypted and checksum my /boot every boot to search for anomalies. Once LUKS is decrypted, theoretically malware could get embedded in there, but I feel like it would be unlikely for malware to infect one partition and not the other.
I wonder if there is a way to setup a "honeypot" partition which holds no useful data but exhibits traits that are appealing for malwares to embed themselves in. It would be checksummed regularly while the system was running and alert me if anything changed.
That open source flash drive looks awesome, and I will keep my eye on it, maybe I would consider it if my threat model was tougher.