Saturday, January 18, 2014

Daily Blog #210: Sunday Funday 1/19/14

Hello Reader,
       If you watched the lunch this week you heard Sarah Edwards discuss her OSX class and a great conversation with Craig Ball regarding his work as a special master and other topics. One of the things Craig and I discussed was the need for passion and deep knowledge in forensics, so I thought I'd let this week's challenge let you show your deep knowledge.

The Prize:

The Rules:
  1. You must post your answer before Monday 1/20/14 2AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
 Since Windows XP we've been able to create a registry key that will treat USB devices as read-only. Answer any or all of the following questions to show how well you understand that functionality:

1. How does the write blocking become effective between XP, Vista and 7? What steps between applying the registry key and the write protection coming into effect need to take place?
2. What Windows subsystem is enforcing the write protection?
3. What happens to USB devices already plugged in when the write protection?
4. Can anything bypass the write protection offered by this registry key?
5. Does this registry key protect MTP USB Devices?
6. Why does this registry key not protect non-USB devices?