
There are two reasons you would want to prevent Linux from writing anything to an external hard drive or USB drive when you plug it in:

  • To recover accidentally deleted files from the now "empty" part of the drive
  • For digital forensics, you need to be certain nothing on the drive has changed when you make a clone of it

There are drive connectors and external enclosures just for this purpose, which have a switch or button on them that physically blocks any write commands from reaching the drive.

However, my USB-to-IDE connector doesn't have that luxury. I have heard this is possible to achieve by software instead (which would include having to disable Ubuntu's auto-mounting), but I'm not finding any instructions online on how to do this.

How do I prevent Ubuntu from writing anything to an external hard drive for the purposes of preserving all data on it?


In my particular case I will be using Ubuntu, however, I asked on Unix & Linux rather than AskUbuntu in the hope of finding an answer that would work across distributions, and not just in my particular case. Both types of answers are welcome.

IQAndreas
    Do you know the UUID of the USB drive volume you want to mount? If so, can you create an entry in /etc/fstab and set a read-only mount option for that UUID? – Arkanon Mar 13 '15 at 19:19
  • yeah it seems like unless you already knew the UUID there would be no way to plug it in without Ubuntu mounting it RW. You could try a distro on a live CD that has a forensics mode. Kali or Ubuntu Rescue Remix come to mind. Or perhaps someone will know how to edit fstab so that all future drives that are inserted are mounted RO but I searched the man page and didn't have any luck :( – Dylan Mar 13 '15 at 19:58

2 Answers


For actual forensics scenarios, you do need a hardware blocker. A software blocker isn't good enough because you risk making a mistake, and for legal cases, it's very important to be able to claim without a shadow of a doubt that you did not modify the disk image, and to be able to explain in very simple terms to non-technical people that you could not possibly have modified the original. In addition, the only thing you would do with the original disk is to make a copy to new media, and then analyze the copy (again, with a write blocker — you might make additional copies that you write to to locate the interesting stuff, then you would reproduce the extraction of the interesting stuff with the guaranteed-accurate copy).

That being said, you can make a block device read-only with the blockdev command.

# blockdev --setro /dev/sde
# mount /dev/sde /mnt/
mount: block device /dev/sde is write-protected, mounting read-only

Beware that mount -o ro is not enough to ensure that the device won't be modified. With journaling filesystems, if the filesystem was not cleanly unmounted, even a read-only mount will replay the journal and update the filesystem on disk to match. To prevent this, with ext3 or ext4, you can pass the noload option — but making the block device read-only is a safer way of ensuring that nothing will be written, and may be the only way with some other filesystems.

  • I'm having trouble finding hardware blockers on Newegg. Do you need to order it from a speciality (read: over-priced) shop, or should I be searching for any specific terms? Do the blockers come as extra features on external hard drive enclosures and USB adapters, or are they separate devices? – IQAndreas Mar 16 '15 at 09:39
  • @IQAndreas I don't know, I've never done forensics. Someone probably knows in Security SE chat. – Gilles 'SO- stop being evil' Mar 16 '15 at 13:06
  • IQAndreas - I used to use ones from Guidance software (EnCase company), back in a previous role. May not be the cheapest... – Rory Alsop Mar 16 '15 at 13:18
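The blockdev approach from the answer above, as an added example that is not from either answer: it sets the read-only flag, refuses to proceed unless both blockdev --getro and the sysfs ro attribute confirm it, then images the device and compares SHA-256 hashes of source and image. It assumes root, Linux sysfs and GNU coreutils (dd status=progress, sha256sum); the device and image paths are arguments, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original answers: set the kernel-level read-only
# flag with blockdev --setro, verify it actually took effect, then image the
# device and compare hashes. Assumes root, Linux sysfs and GNU coreutils.
set -eu

# Both blockdev --getro and the sysfs "ro" attribute must read 1 before the
# device is touched; the two are checked independently on purpose.
ro_flags_ok() {
    [ "$1" = "1" ] && [ "$2" = "1" ]
}

# Mount options for a later read-only look at the filesystem: noload stops
# ext3/ext4 from replaying the journal; other filesystems only get ro.
ro_mount_opts() {
    case "$1" in
        ext3|ext4) echo "ro,noload" ;;
        *)         echo "ro" ;;
    esac
}

write_block() {
    dev="$1"
    blockdev --setro "$dev"
    getro=$(blockdev --getro "$dev")
    sysro=$(cat "/sys/class/block/$(basename "$dev")/ro")
    ro_flags_ok "$getro" "$sysro" || {
        echo "refusing to continue: $dev is not read-only" >&2
        return 1
    }
}

image_and_verify() {
    dev="$1"; img="$2"
    dd if="$dev" of="$img" bs=4M status=progress
    src=$(sha256sum "$dev" | cut -d' ' -f1)
    dst=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$src" = "$dst" ] || { echo "hash mismatch, image unreliable" >&2; return 1; }
    echo "$src  $img"
}

# Only runs when given a device path, e.g.: ./wb.sh /dev/sde /mnt/evidence/sde.img
case "${1:-}" in
    /dev/*) write_block "$1"; image_and_verify "$1" "${2:?image path required}" ;;
    *) echo "usage: $0 /dev/sdX /path/to/image.img" >&2 ;;
esac
```

The flag set by blockdev --setro lasts only until the device is removed, and, as the question notes, desktop automounting still has to be disabled before the drive is plugged in, otherwise it may be mounted read-write before this script ever runs.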

This setup is usually enough. I used this during my external HD's recovery:

Disable automount first. (You can do this using gconf-editor on a GNOME setup. I don't know for other systems.) Then, you refer to your drive as /dev/sda or /dev/sda1 or whatever in your programs. (sda is usually reserved for the boot device. Refer to this post to know which sd* is your device. Try going for sdb when you only have two drives connected.)

A simple example:

root@yo-machine# dd_rescue /dev/sdc1 /home/user/the-disk-image.img

Where sdc1 is your unmounted device's first partition.

Note: /dev/sda will refer to the entire device, including boot sectors and MBR and stuff. /dev/sda1 will refer to the first partition of said device.

Aloha