View Full Version : USB Drive - Control Access

08-17-2009, 06:30 PM

Id like to setup my computer so access is only allowed to certain drives / folders when a USB stick is plugged in containing a special file.

Im guessing there would need to be two files. One on the computer and one on the stick. When there is a communication access is allowed as normal, when there isnt communication then it denies access.

I dont have a good knowledge of C programming at the moment, but can you please tell me if this is possible first before I begin trying to work it out.

08-17-2009, 06:47 PM
Technically anything is possible when it comes to programming, however something like this will definitely not be easy. No operating system I've ever used has supported this feature either, to the best of my knowledge. Maybe it's possible with some distribution of Linux - not sure though.

If you were to attempt to program this yourself, you're going to need to have years of experience with your respective programming language (and probably Assembly as well). Not only that, you'll also need to be well versed in Cryptology, which also entails being an expert in Linear Algebra, Discrete Mathematics, Calculus and basically any other branch of math out there.

You would also have to consider how an outside attacker would attempt to infiltrate the system, so you also need to know everything about the operating system you would program this for.

I've skipped over plenty of other things as well, but at the base level, it should be possible but it'll be extremely difficult to implement, even when you are working with a team.

08-17-2009, 07:37 PM

Thank you for the reply. Fortunately this system is more convenience rather than a bullet proof system against hackers. I leave my comptuer on all day and some times I let other people use it, but I would want certain folders to be private when the usb isnt plugged in. This means I could get away with a simply "query" approach rather than relying on complicated algorithms.

In the mean time, im going to draw up a simple flow chart which should help. Until then if anyone has any experience or insight i would really appreciate it.

I dont have much experience with coding, so initially id like to find out what is possible, what language it would need to use and the scale of the project. Ill do as much of the work myself that I can and then enlist some help on rentacoder.

08-17-2009, 07:42 PM
While I understand that you probably want to build this since it would be cool. And you could reduce your required knowledge by leveraging existing cryptography libraries, there is no reason to reinvent the wheel, especially in this area. (So you can avoid all that complicated math stuff that BWiz was talking about)

However still as BWiz indicated, this is a very ambitious project to undertake. You might want to see if truecrypt has support for what you want to do. If it doesn't you could modify it to do what you want since it is open source.

In the short term you might want to consider leveraging the filesystem permissions provided in your operating system. All major OSes support it and then other users that aren't using your account, cannot access any files or folders you choose.

08-17-2009, 08:14 PM

Thank you for the reply. Ive looked into truecrypt and it does seem very interesting. However, as far as I understand, that encrypts every file on the harddrive to stop access to the files. This seems to raise two problems as far as I can see:

Encryping the files surely causes performance decreases as it has to decrypt a file everytime it is accessed?
This seems like quite a complicated way of doing it, id like to keep this as simple as possible.

Here is what I was hoping I could do, please stop me if this isnt possible or is a bad way of doing it. When you right click on a folder and go to the security tab there is a list of permissions with allow and deny. Would it not be possible to query the USB drive, and then write the permissions for the folder accordingly.

If USB is connected then give folder "Allow" permissions
If USB isnt connected then give folder "Deny" permissions

Again I understand this is an ambitious project. Ive wanted something like this for a while and thus far it hasnt been programmed. Im going to try and get as much insight into the program as possible solutions as I can, then enlist help at rentacoder, then ill release the code to the public.

08-17-2009, 08:53 PM
Ive found this simple BAT file tutorial online which apparently can lock a folder. I havent tried it yet, but I thought Id post it here just in case it is of use.

1- make a new folder ( name it as you like )

2- inside this folder make a ( TXT ) file & copy inside it this:

title Folder Private
if EXIST “Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}” goto UNLOCK
if NOT EXIST Private goto MDLOCKER
echo Are you sure you want to lock the folder(Y/N)
set/p “cho=>”
if %cho%==Y goto LOCK
if %cho%==y goto LOCK
if %cho%==n goto END
if %cho%==N goto END
echo Invalid choice.
ren Private “Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}”
attrib +h +s “Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}”
echo Folder locked
goto End
echo Enter password to unlock folder
set/p “pass=>”
if NOT %pass%== password here goto FAIL
attrib -h -s “Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}”
ren “Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}” Private
echo Folder Unlocked successfully
goto End
echo Invalid password
goto end
md Private
echo Private created successfully
goto End

3- After u copy the Commanding go to line ( 23 ) u will find this word : password here (Change it with ) any password u like.

4- After that make ‘save as’ & name as (locker.bat )

5- Now back to the folder & u will find a ( LOCKER ) commanding.

6- Click on it & u will find a new folder (Private )

7- Ok ,, now copy what u want in it & after that go to ( locker ) by click on it , it will open and ask you want lock your folder? Y/N ?

8- Type Y

9- If you want to UNLOCK your folder ,go to (locker) & type your pass and you will see your private folder.

Also something else I have found is this, which is apparently the code to change access permissions to files, might this also be of use?:

To restrict access:

@echo off

To grant access:

@echo off

08-17-2009, 10:41 PM
truecrypt won't encrypt your entire drive unless you tell it to...

you can use it to create a file which is essentially a partition that nothing can identify or read except truecrypt. it will be password protected. if you're really paranoid you can nest hidden partitions.

and shoot, if you want you can copy the entire chunk onto your usb drive and walk away with it.

08-17-2009, 10:54 PM

The issue I have with this method is the data I wish to lock and unlock is around 250GB, including movies, music and programs. When I think of encryption at this scale, I think the performace would be cripled.

On the other hand the built in windows permission system might be a more lightweight option?

Is this fair to say or am I barking up the wrong tree?

08-17-2009, 11:05 PM
windows permissions can be circumvented if you're not in windows...... guess it depends how sensitive your material is. i agree that just tweaking permissions would be very lightweight.

i can't speak to the performance of an encrypted drive of that size. i imagine the worst bit would be the initial creation of the encrypted partition. past that it does everything on the fly as you access it. so it's not like you're going to read 250GB of data all at once anyway.


08-17-2009, 11:08 PM
On the other hand the built in windows permission system might be a more lightweight option?

Is this fair to say or am I barking up the wrong tree?

Yeah, if you are just trying to keep casual people from looking through your stuff, the built-in permissions are fine. Just make it so you are the only one using your user account. And the guest users shouldn't have admin rights either.

Beyond that, if the slight performance overhead for encryption is too much, then the data probably isn't that sensitive.

08-18-2009, 10:59 AM
Thank you for the reply. This isnt military grade information, but its to stop people playing my games on the computer and looking through my work documents without having more than one account. Im concerned that when it actually is time to play my games, listen to my music, watch my movies etc, im going to have to decrypt it in real time and it will slow the whole system down.

The built in permission system will be fine I think. I know it can be bypassed in two ways:

User takes out the "storage" harddrive of my computer, plugs it into their computer and accesses the files, but my computer is key locked.

The user boots up to linux off a CD and then accesses the files. However there is a bios password and ive disabled CD / USB booting.

The kicker is that I only what to have one user account that is left on all the time. Is it possible to change folder permissions within windows on the fly with a program without requiring a restart?

08-18-2009, 03:19 PM
Is it possible to change folder permissions within windows on the fly with a program without requiring a restart?

i think not.... tried it once and didnt get it.. may be u wil have more luck

08-18-2009, 04:28 PM
The kicker is that I only what to have one user account that is left on all the time. Is it possible to change folder permissions within windows on the fly with a program without requiring a restart?

File permissions take affect as soon as you apply the changes, there no is need to restart.

08-18-2009, 04:44 PM
Excellent. What is the most effective way of changing the permissions? Ive seen ways through the command prompt or by writting directly to the registry.

EDIT: So with a single admin account would it work to use built in windows permissions to either allow access or stop access by using a program to automate the process

08-18-2009, 05:10 PM
Why don't you want to have more than one user account?

That would be the best solution, that way you only need to set the permissions once. And the other people on the other account can't just change the permissions back so they can look at the files.

Plus it would isolate your application data like your browsing history from the other users.