
I have just been passed some data in a thumb drive (which I was expecting). While I'm not too sure exactly what format the data will be in, it should be a mixture of numbers and text, possibly in one of the Microsoft office document formats.

My concern now is how to (1) access the files safely without receiving any virus or passing any virus to the drive, and (2) eliminating any virus if there exists any in the drive.

I'm using a Macbook still running El Capitan 10.11.5, and while it seems like most viruses target windows, I'm not taking any chances. I'm concerned about the kind that just activate and replicate automatically the moment I plug my drive in.

One idea I have is to just purchase a cheap new laptop, be it a Mac or Windows, and plug the drive into it while making sure it's disconnected from the internet. Then I'll run some antivirus scans to disinfect the drive, and once I'm sure about that, to extract out the data files and store them into another flash drive, and use the other flash drive from then on.

It seems like I'm being paranoid, but I think there is good reason to be suspicious here, because the files contained in the drive are confidential information.

Any suggestions will be greatly appreciated! Thank you very much!

EDIT: I couldn't really find any other questions that had answers for mine, because in my case, I really need to do analytics on the data files contained in the drive, so beyond just ensuring safety when plugging in the drive, I need to know some way to cleanly transfer all the data to my local system so that I can do data analysis.

FURTHER EDIT: Appreciate the links to possible duplicate questions, but on examining the answers there, I still couldn't find a definitive answer. The best answers I could find were the following, but they still lead to more questions rather than an actionable solution that I am comfortable trusting to be safe:

(1) The answer by @mostlyinformed on "Is there any way to safely examine the contents of a USB memory stick?" did help by suggesting the use of a new cheap tablet that one is willing to sacrifice, but offered no answers on how one could extract out all that data. Supposing I am able to access all the data as a one-time use on that cheap tablet. Then what next? I really need to pull all that data, which is going to be about a few hundred objects...

(2) Otherwise, most of the other answers like the one by @Andre Borie on "I have a virus in my USB drive. I haven't inserted it on my PC yet. How should I proceed?" don't really help in making me feel like there's any fully safe way. Is there always going to be some risk that I cannot eliminate?

I would greatly appreciate it if someone could answer my questions. Please pardon my "noob-ness": I'm a total non-expert, but I really need to extract out all the data from the thumb drive and analyze it. I'm not fooling around with a thumb drive that I just picked up from the ground in a car park or something. This is a serious drive that contains serious data associated with IP/trade secrets. While I received the drive from a trusted party (I'm not involved in some secret operation that just stole some trade secret off a firm or something; what I'm doing here is legitimate accessing of confidential data), I'm not sure if the data was written to the drive on an infected machine or not, and whether the person who prepared that drive (who is different from the person who passed me the drive) had a malicious intent or not, so I'm being careful to be safe. Everyone's situation is unique, so please understand that my situation is not well addressed by many existing answers.

AKKA

2 Answers


Just boot from a Linux live CD and remove your internal hard drive, if you are that concerned about malware inside the USB. You can turn off your wifi adapter manually as well, if you need that level of security. I think at that point, short of it writing to the BIOS (which only one current piece of malware in the wild exploits), it is almost impossible for it to infect your computer. I would suggest that you do not transfer any files off of the USB at any point, as anti-malware utilities are nearly useless against unique/new malware due to signature-based detection.

I should really emphasize the point of not transferring the data to anything else you might be concerned about infecting and keeping it isolated while in use, as any file within the drive could theoretically contain some type of malware, and you do not want that at all.

DeepS1X
  • Appreciate your suggestions. However, I really want to do analytics on the data files in the drive, so that's why I need to be able to have the data in my full environment. Are there any other options that I can explore? – AKKA Jan 02 '17 at 05:31

Open the document in the live Linux environment as mentioned, then copy the contents to a new document with an open source office environment. This will eliminate any exploits in the file format or malicious macros. Any malware in the USB stick's firmware will be rendered practically ineffective by the Linux environment as mentioned.

J.A.K.
  • Thank you for your suggestion. I can understand that your method would make it possible for me to extract out the data from the drive without copying the viruses along, but how would I be able to save the data? Would I be saving the new Open Office documents onto disk? Wouldn't I be risking compromising the hard disk, since if the disk is still accessible during the live Linux session, the virus can write itself to it? – AKKA Jan 03 '17 at 15:10
  • The other way I can think of is that maybe I use a second USB stick and save the Open Office docs into that second USB stick, all while working under the live Linux environment? Is that safe? – AKKA Jan 03 '17 at 15:11
  • Do I actually have to worry about the hard disk being accessible during the live Linux boot? – AKKA Jan 03 '17 at 15:12
  • Only theoretically, if you're worried about state-level actors (e.g. NSA). Commercial malware authors will not have the sophistication to maliciously write to the HDD from a USB – J.A.K. Jan 04 '17 at 08:11
  • The other USB would work as well, but this might even be more high-risk than saving it to the local HDD, because USB firmware is easier to infect than HDD firmware – J.A.K. Jan 04 '17 at 08:12
  • I see. So just to be sure, the correct way I could safely access the data, based on what you have suggested, would be: (1) Boot up into a live Linux environment using my machine, (2) Plug in the flash drive that is currently holding the data I want to obtain, (3) Open the data files (which are, presumably, in Microsoft Office formats) and copy all the text from them into Open Office formats, (4) Save these Open Office documents onto the HDD. Is this right? – AKKA Jan 04 '17 at 14:22
  • After finishing (4) am I done? So if I boot up my machine into its usual env, will I still be able to access these open office files? But where on the filesystem would they reside? – AKKA Jan 04 '17 at 14:22
  • To be extra safe, I'm thinking of incorporating the advice from one of the posts, which is to get a fresh cheap tablet or PC which has none of my personal data on it (since it'll be entirely new), and do this whole procedure on it. So I'm thinking that once I have saved all the Open Office files onto the HDD of this fresh PC, I would need to transfer the data to my workstation. What then would be the safe way to do it? Would it be safe to then just transfer the data over from the fresh PC into a new HDD or thumb drive, and consider that to be my new clean copy? – AKKA Jan 04 '17 at 14:26
  • The only thing you should be worried about for commercial malware is a file format exploit. If you copy the plain text and paste it, it's ok to save it to your main HDD. But it sounds like you want to take every precaution you can, so then a throwaway device would provide a small amount of security over a live system. Are you worried about more than commercial malware? If you are, I'll adjust my answer. – J.A.K. Jan 04 '17 at 16:35
  • Using a separated VM or an OS like Qubes will provide the same protection as a separate machine for commercial malware if used carefully – J.A.K. Jan 04 '17 at 16:37
  • I think I am dealing with commercial malware here, although I'm not sure how I would need to be handling the drive differently if I wanted to guard against state-level malware? Would it be possible for you to briefly explain the difference in a comment here? – AKKA Jan 07 '17 at 03:23
  • Nonetheless, it is good to know the procedure you have explained to guard against commercial malware. May I confirm where in the filesystem the Open Office document files would be residing when I save them to the HDD? That is, after doing the data transfers in the live Linux environment, I would shut down and boot into the default OS of the machine; where then in the default environment would I be able to find those files which I had saved while under the live Linux environment? Thank you so much for your help! – AKKA Jan 07 '17 at 03:26
  • Commercial malware will as good as always hide in the original file, and won't get copy-pasted to the new file, so you can just mount your normal C drive, and place them on your desktop :). Also consider uploading the file to VirusTotal; if it has hidden functionality, chances are it will be marked as suspicious. – J.A.K. Jan 07 '17 at 12:31
  • Thanks, this clarifies pretty much everything! I won't be uploading anything to VirusTotal though, the files are way too confidential for me to risk uploading to any remote server that isn't mine! I'll be triangulating your answer with a second post I made on [Reddit](https://www.reddit.com/r/cyber_security/comments/5lyy0p/best_way_to_securely_obtain_information_from_a/), namely to do antivirus scan under a kali environment. – AKKA Jan 09 '17 at 02:36
  • So my flow now is: (1) Create a USB bootable Kali with persistent storage, (2) Install clamscan in the Kali environment, (3) Get a fresh machine and boot into this live Kali environment, (4) Plug in the flash drive with all my data files, (5) Perform clamscan, (6) Regardless of whether the results from the scan are clean or not, just perform copy and paste of text from Microsoft Office format to Open Office format. No shortcuts, all safety procedures enforced! – AKKA Jan 09 '17 at 02:39
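The "copy the text, not the file" step from the accepted advice above can be automated for a few hundred files rather than done by hand. The following is an added example, not code from the answerers or from any tool named on the page: it treats a .docx/.xlsx as the zip package it is, reads only the XML parts that carry visible text, never touches vbaProject.bin (macros) or OLE objects, and flags documents that contain macros. The sample document is constructed in memory; on real files from the drive use defusedxml instead of the standard parser and run this inside the live environment.

```python
import io
import xml.etree.ElementTree as ET  # swap for defusedxml on untrusted input
import zipfile

# Only these parts of an Office Open XML package carry the visible text.
# Macros (vbaProject.bin), OLE objects and external links live in other
# parts, which are listed but never read, let alone executed.
TEXT_PARTS = {"word/document.xml", "xl/sharedStrings.xml"}
PARAGRAPH_TAGS = {"p", "si"}        # w:p in .docx, si in .xlsx shared strings
MAX_PART_BYTES = 10 * 1024 * 1024   # refuse to inflate huge parts (zip-bomb guard)


def extract_text(package: bytes) -> dict:
    """Return the visible text of a .docx/.xlsx, a macro flag and skipped parts."""
    result = {"text": "", "has_macros": False, "skipped": []}
    lines = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for info in z.infolist():
            name = info.filename
            if name.endswith("vbaProject.bin"):
                result["has_macros"] = True     # macro-enabled document
            if name not in TEXT_PARTS:
                result["skipped"].append(name)  # never extracted to disk
                continue
            if info.file_size > MAX_PART_BYTES:
                raise ValueError(f"{name} too large ({info.file_size} bytes)")
            root = ET.fromstring(z.read(name))
            for elem in root.iter():
                if elem.tag.rsplit("}", 1)[-1] in PARAGRAPH_TAGS:
                    lines.append("".join(elem.itertext()))
    result["text"] = "\n".join(lines)
    return result


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed in-memory .docx (not a real file from the drive) for the demo."""
    body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
            'wordprocessingml/2006/main"><w:body>'
            '<w:p><w:r><w:t>Revenue Q3</w:t></w:r></w:p>'
            '<w:p><w:r><w:t>1234.5</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", body)
        if with_macro:  # placeholder blob standing in for a real VBA project
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()
```

Write `result["text"]` to a fresh .txt or .csv per source file; the original package never leaves the mounted drive.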