4

After reading through this question about the dangers of untrusted USB drives, I was wondering if there was a way to actually see what happens when a USB drive is installed. Is it possible to, say, run a virtual machine of Windows or Linux, install the drive, and see a listing of what commands run when it is inserted?

EDIT: It seems that physically the best option is to plug it into a computer I don't care about that is not plugged into a network. What I am more interested in, though, is how to see what gets executed when the USB gets plugged in. Is there some kind of logging that will show me every command that gets executed when the USB stick is plugged into a Windows and/or Linux machine? Or is there something like Wireshark, but for USB instead of networks?

Zillakon
  • A similar question was asked this morning: http://security.stackexchange.com/questions/103088/is-there-any-way-to-safely-examine-the-contents-of-a-usb-memory-stick –  Oct 19 '15 at 17:38
  • @Justin updated to show that it can be done easily, and Microsoft has your back on this one – Robert Mennell Oct 19 '15 at 18:45

1 Answer

5

Well that edit means a new answer.

Yes you can. You can monitor the individual bits sent to and from the USB stick in many ways. Then you decode those bits, and follow the rabbit down the hole, so to say.

A quick Google search turns up plenty of things. Search for "USB analyzer".

Although if you're on Windows, Microsoft released a first-party tool: https://msdn.microsoft.com/en-us/library/windows/hardware/dn741264(v=vs.85).aspx

These tools will allow you to follow the entire stack as it comes off of the USB and watch an infection happen in real time. It's actually pretty cool to dive into.

Robert Mennell
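An added example, not part of the original answer: once a USB analyzer has captured the bytes of the stick's configuration descriptor, decoding them shows which interfaces the device asks the host to load drivers for, which is where a "flash drive" that also presents a keyboard becomes visible. The function names and the sample bytes are constructed for illustration; the field layout is the standard USB descriptor format.

```python
import struct

# Interface class codes assigned by the USB-IF (subset).
CLASS_NAMES = {0x03: "HID", 0x08: "Mass Storage", 0xFF: "Vendor Specific"}
DT_CONFIG, DT_INTERFACE = 0x02, 0x04

def parse_interfaces(blob: bytes):
    """Return one dict per interface descriptor in a configuration descriptor blob."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    (total,) = struct.unpack_from("<H", blob, 2)  # wTotalLength, little-endian
    if total > len(blob):
        raise ValueError("capture is shorter than wTotalLength")
    found, off = [], 0
    while off < total:
        # Every descriptor starts with bLength, bDescriptorType. The device is
        # untrusted, so reject lengths that would loop forever or overrun.
        if off + 2 > total or blob[off] < 2 or off + blob[off] > total:
            raise ValueError(f"malformed descriptor at offset {off}")
        length, dtype = blob[off], blob[off + 1]
        if dtype == DT_INTERFACE and length >= 9:
            num, _alt, _eps, cls, sub, proto = struct.unpack_from("6B", blob, off + 2)
            found.append({"number": num, "class": cls, "subclass": sub, "protocol": proto})
        off += length
    return found

def review(interfaces):
    """Flag interface combinations worth a closer look on something sold as a flash drive."""
    notes = []
    classes = {i["class"] for i in interfaces}
    if 0x08 in classes and 0x03 in classes:
        notes.append("mass storage and HID on the same device")
    for i in interfaces:
        if (i["class"], i["subclass"], i["protocol"]) == (0x03, 0x01, 0x01):
            notes.append(f"interface {i['number']} is a boot-protocol keyboard")
    return notes

# Constructed sample: config header, a mass-storage interface with two bulk
# endpoints, then a HID keyboard interface with one interrupt endpoint.
SAMPLE = bytes.fromhex(
    "090239000201008032"
    "090400000208065000" "07058102000200" "07050202000200"
    "090401000103010100" "092111010001223f00" "0705830308000a"
)

if __name__ == "__main__":
    for i in parse_interfaces(SAMPLE):
        print(i["number"], CLASS_NAMES.get(i["class"], hex(i["class"])))
    print(review(parse_interfaces(SAMPLE)))
```
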