'nosuid,nodev,nofail,noauto' equivalent in Windows?

0

So I'm doing forensic tool validation with multiple tools and operating systems. I have started on Linux using dd and the other two tools I need to use are FTK Imager and ProDiscover; both windows based programs. The problem I am facing is that I don't have a write blocker; what would the equivalent of 'nosuid,nodev,nofail,noauto' be in Windows?

Andrew Polemeni

Posted 2019-02-05T00:25:00.460

Reputation: 1

Um, but the options you're asking about aren't anything like a "write blocker". – user1686 – 2019-02-13T19:58:23.010

Answers

0

https://digital-forensics.sans.org/blog/2010/12/17/digital-forensics-configure-windows-investigative-workstations/

Make USB devices read-only

Another Registry modification can be made to instruct Windows to treat newly attached USB devices as read-only devices, preventing accidental writes. I am not advocating that this should replace a physical write blocker - in fact, there are several reports of Windows not respecting this setting and allowing writes to some USB devices (albeit, I have not directly observed this behavior). However, this setting can be implemented as part of a reasonable layered approach to help you prove that you were taking all steps possible to prevent accidental writes to attached evidence, etc.

To implement this feature, you'll need to make a few changes to your Registry, as follows:

1. Open the Registry and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
2. If it doesn't already exist, create a new key called "StorageDevicePolicies".
3. If it doesn't already exist, create a new Dword called "WriteProtect" and set the value to 1 (where 1 means that the OS will treat newly attached USB devices as read-only devices and 0 means writes are allowed).

Disable automount

Windows will gladly mount any newly attached storage devices for you, which can be a bad thing. I prefer to explicitly define what storage devices are mounted to my forensics workstation. To turn off the Automount feature, from a command prompt (with elevated privileges, if using Windows 7/Vista) either:

- run diskpart and once at the prompt type: automount disable
- or, run the standalone command: mountvol /N
- or, set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MountMgr\NoAutoMount to 1 in the Registry (you'll see this entry change appropriately if you use one of the previously mentioned commands).

Andrew Polemeni

Posted 2019-02-05T00:25:00.460

Reputation: 1
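The two Registry changes from the answer above, scripted so they can be applied and then read back for the validation notes. This is an added example, not code from the answer or from the SANS post; it assumes an elevated PowerShell session on Windows 7 or later and uses only the key and value names the answer gives.

```powershell
# Added example: apply and verify the write-protect and no-automount settings
# described in the answer. Run from an elevated PowerShell prompt.

$policyKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$mountMgrKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MountMgr'

function Set-ForensicUsbPolicy {
    # StorageDevicePolicies does not exist by default; create it if missing
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # WriteProtect = 1: newly attached USB storage is treated as read-only
    New-ItemProperty -Path $policyKey -Name 'WriteProtect' -Value 1 `
        -PropertyType DWord -Force | Out-Null

    # NoAutoMount = 1 is the same change 'diskpart> automount disable'
    # and 'mountvol /N' make
    New-ItemProperty -Path $mountMgrKey -Name 'NoAutoMount' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Test-ForensicUsbPolicy {
    # Read both values back; a missing value comes back as $null
    $wp  = (Get-ItemProperty -Path $policyKey -Name 'WriteProtect' `
            -ErrorAction SilentlyContinue).WriteProtect
    $nam = (Get-ItemProperty -Path $mountMgrKey -Name 'NoAutoMount' `
            -ErrorAction SilentlyContinue).NoAutoMount
    # Return an object so the state can be logged alongside the imaging run
    [pscustomobject]@{
        WriteProtect = $wp
        NoAutoMount  = $nam
        Compliant    = ($wp -eq 1 -and $nam -eq 1)
    }
}

Set-ForensicUsbPolicy
Test-ForensicUsbPolicy
```

WriteProtect only affects devices attached after it is set, so unplug and reattach the evidence drive after running this, and record the Test-ForensicUsbPolicy output before imaging.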