
There are two reasons you would want to prevent Linux from writing anything to an external harddrive or USB drive when you plug it in:

  • To recover accidentally deleted files from now "empty" part of the drives
  • For digital forensics, you need to be certain nothing on the drive has changed when you make a clone of it

There are drive connectors and external enclosures just for this purpose, and have a switch or button on them which physically blocks any write commands from reaching the drive.

However, my USB-to-IDE connector doesn't have that luxury. I have heard this is possible to achieve by software instead (which would include having to disable Ubuntu's auto-mounting), but I'm not finding any instructions online on how to do this.

How do I prevent Ubuntu from writing anything to an external harddrive for the purposes of preserving all data on it?


In my particular case I will be using Ubuntu, however, I asked on Unix & Linux rather than AskUbuntu in the hope of finding an answer that would work across distributions, and not just in my particular case. Both types of answers are welcome.

    Do you know the UUID of the USB drive volume you want to mount? If so, can you create an entry in /etc/fstab and set a read-only mount option for that UUID? Commented Mar 13, 2015 at 19:19
  • yeah it seems like unless you already knew the UUID there would be no way to plug it in without Ubuntu mounting it RW. You could try a distro on a live CD that has a forensics mode. Kali or Ubuntu Rescue Remix come to mind. Or perhaps someone will know how to edit fstab so that all future drives that are inserted are mounted RO but I searched the man page and didn't have any luck :( Commented Mar 13, 2015 at 19:58

2 Answers


For actual forensics scenarios, you do need a hardware blocker. A software blocker isn't good enough because you risk making a mistake, and for legal cases, it's very important to be able to claim without a shadow of a doubt that you did not modify the disk image, and to be able to explain in very simple terms to non-technical people that you could not possibly have modified the original. In addition, the only thing you would do with the original disk is to make a copy to new media, and then analyze the copy (again, with a write blocker — you might make additional copies that you write to to locate the interesting stuff, then you would reproduce the extraction of the interesting stuff with the guaranteed-accurate copy).

That being said, you can make a block device read-only with the blockdev command.

    # blockdev --setro /dev/sde
    # mount /dev/sde /mnt/
    mount: block device /dev/sde is write-protected, mounting read-only

Beware that mount -o ro is not enough to ensure that the device won't be modified. With journaling filesystems, if the filesystem was not cleanly unmounted, even a read-only mount will replay the journal and update the filesystem on disk to match. To prevent this, with ext3 or ext4, you can pass the noload option — but making the block device read-only is a safer way of ensuring that nothing will be written, and may be the only way with some other filesystems.

  • I'm having trouble finding hardware blockers on Newegg. Do you need to order it from a speciality (read: over-priced) shop, or should I be searching for any specific terms? Do the blockers come as extra features on external harddrive enclosures and USB adapters, or are they separate devices? Commented Mar 16, 2015 at 9:39
  • @IQAndreas I don't know, I've never done forensics. Someone probably knows in Security SE chat. Commented Mar 16, 2015 at 13:06
  • IQAndreas - I used to use ones from Guidance software (EnCase company), back in a previous role. May not be the cheapest... Commented Mar 16, 2015 at 13:18
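The blockdev and noload steps from the accepted answer, put together as a small script. This is an added example, not code from the answer or the original poster; it assumes util-linux (blockdev, blkid, mount), root privileges, and a device path and mount point passed as arguments. The XFS "norecovery" option goes beyond the answer, which only names ext3/ext4.

```shell
#!/bin/sh
# Added example: set a block device read-only at the kernel level before
# touching it, verify the flag took, then mount it read-only with journal
# replay disabled so even an uncleanly unmounted filesystem stays untouched.

# Mount options that stop the kernel from replaying the journal on a
# read-only mount. ext3/ext4 use "noload" (as in the answer above);
# XFS uses "norecovery" (assumption added here, not from the answer).
ro_mount_opts() {
    case "$1" in
        ext3|ext4) echo "ro,noload" ;;
        xfs)       echo "ro,norecovery" ;;
        *)         echo "ro" ;;
    esac
}

# Succeed only if the kernel reports the device as read-only (getro prints 1).
device_is_ro() {
    [ "$(blockdev --getro "$1" 2>/dev/null)" = "1" ]
}

# Set the device read-only, refuse to continue if the flag did not take,
# then mount with the journal-replay-safe options for its filesystem type.
# Pass the partition you intend to mount (e.g. /dev/sde1), not just the disk.
protect_and_mount() {
    dev="$1"
    mnt="$2"
    blockdev --setro "$dev" || return 1
    if ! device_is_ro "$dev"; then
        echo "refusing to mount: $dev is still writable" >&2
        return 1
    fi
    fstype="$(blkid -o value -s TYPE "$dev")"
    mount -o "$(ro_mount_opts "$fstype")" "$dev" "$mnt"
}

# Only act when invoked with a device and a mount point, e.g.:
#   sudo ./protect.sh /dev/sde1 /mnt
if [ $# -ge 2 ]; then
    protect_and_mount "$1" "$2"
fi
```

Check with `blockdev --getro /dev/sde1` and `mount | grep /mnt` afterwards that both the device flag and the mount options are what you expect.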

This setup is usually enough. I used this during my external HD's recovery:

Disable automount first. (You can do this using gconf-editor on a GNOME setup. I don't know for other systems.) Then, you refer to your drive as /dev/sda or /dev/sda1 or whatever in your programs. (sda is usually reserved for the boot device; refer to this post to know which sd* is your device. Try going for sdb when you only have two drives connected.)

A simple example:

    root@yo-machine# dd_rescue /dev/sdc1 /home/user/the-disk-image.img

Where sdc1 is your unmounted device's first partition.

Note: /dev/sda will refer to the entire device, including boot sectors and MBR and stuff. /dev/sda1 will refer to the first partition of said device.
