16

Let's say a friend gives me a SD-card which I'm not sure is safe (i.e. it may contain malware), what is the safest way to access this card on a Mac OSX? E.g. is it possible to create a sandbox in Finder?

I know some of you may say, "Just don't access it." But assume this is a scenario where I have to access it.

Anders
  • 64,406
  • 24
  • 178
  • 215
Honey Badger
  • 419
  • 1
  • 4
  • 8
  • 1
    Related (but not duplicate): http://security.stackexchange.com/questions/64524/how-to-prevent-badusb-attacks-on-linux-desktop – paj28 Sep 11 '14 at 14:49

2 Answers2

8

So you've got yourself a hot agent and want to examine it? This is going to be fun!

First, do not simply plug it in and look around. Even if you were to create a 'sandbox' finder, that would not protect you from potential malware. So how do you actually see the goods? Well you need to perform a forensic examination! Here's what you'll need:

  • A Virtual Machine is crucial so you do not infect your machine. Make sure you configure it so that the VM does not have network access.
  • A forensic imager. I use helix or autopsy suite. FTK imager works well if you have a windows VM.
  • A Write Blocker to protect the integrity of the usb device being examined. This means preventing all writes to the target usb. This keeps a pristine record of the target but also prevents some types of malware from altering themselves on the target usb. Personally I say to use a hardware write blocker because they are more reliable (just go to amazon and find one).

Configure your VM with preferably a linux distro (like helix). Now, you simply attach the write blocker to your pc and set that up. Open your imager program and finally plug in your hot usb stick.

You now take a forensic image of this drive - either directly into RAM (if you have the capacity) or onto another (non-OS) drive. It may take a while depending on how large target is. Once you have the image, you can look through it in any number of ways using that same imager program (FTK makes it super simple).

The whole concept is called incident response and SANS has many good documents on what to do. Here is one. Also, I used this book to learn a lot about forensics. I know a guy taking his CISSP and he also just finished it so it is still relevant.

Good luck and have fun!

In response to your comment, malware can indeed spread without you knowing it once you connect an infected device. The best way to protect against that is to run the examination in a VM with a different OS than the target. The different OS helps in disallowing the malware to run and the VM acts as damage control should the malware break out and run anyway.

The most common and easiest way malware can spread like this would be the 'autoplay' feature but if you actually consider what is happening behind that feature you can see that there are certain things from that external media being loaded into RAM and written to your pc's harddrive (in the form of metadata/logs/etc). All* an attacker has to do is leverage that threat vector. * this is no small feat however :)

It's not all gloom and doom though. All you have to do is toss up a properly configured VM and you've essentially stopped 99.99% of that particular threat.

Matthew Peters
  • 3,592
  • 4
  • 21
  • 39
  • thank you very much for a very comprehensive response. Btw, what do you think of this post (http://security.stackexchange.com/questions/35420/safe-to-connect-to-external-drive). Is it true that malware can't just "transport itself onto your computer", but needs you to actively run it? – Honey Badger Jul 31 '14 at 20:19
  • 2
    @HoneyBadger, I posted an answer in that question and downvoted the accepted answer (it's inaccurate). It is a common misconception that malware somehow needs explicit permission to infect. There is a lot to say on that topic though. So I'm updating my answer with some details... – Matthew Peters Jul 31 '14 at 20:45
  • 1
    → Honey: it highly depends upon the mechanisms provided by the OS. On MacOS X, and from an USB peripheral, a crapware *can't* magically transport itself onto your disk, memory or any other peripheral. – dan Jul 31 '14 at 22:02
  • @danielAzuelos, there is no magic about it. Ignorance of a vulnerability does not mean security. Check out this for example (http://www.techspot.com/news/57591-researchers-uncover-fundamental-usb-security-flaw-no-fix-in-sight.html) it leverages the drivers themselves. – Matthew Peters Aug 02 '14 at 22:28
  • Accept my apologies. This sentence: "a crapware *can't* magically transport itself onto your disk[...]" is *wrong*. What I should have said is "a crapware can't transport through standard OS mechanisms itself onto your disk [...]". If your system, your USB driver, or any firmware was tampered with, then every evil action is possible. – dan Aug 03 '14 at 15:49
  • @danielAzuelos, my point is that even with clean native host systems, exploits can still be had that could still transport malware to your system. – Matthew Peters Aug 03 '14 at 21:05
  • 3
    I'm not following how a write blocker can "prevent a device from writing to you". The threat is not that malware resident on a USB device will "magically" write itself into the host system. The threat is that the host system will *read* the malware from the USB device and then write it to itself. Really, for the sole purpose of protecting oneself from a malware infection, a write blocker is excessive. The write blocker is there to keep your system from altering the contents of the USB drive. The risk here is that the system might be tricked by the USB drive's contents into writing to itself. – Iszi Sep 11 '14 at 13:44
  • 5
    Matthew, a write blocker is used during forensic investigations to avoid corrupting evidence. It will **absolutely not** stop the device infecting you. – Rory Alsop Sep 11 '14 at 13:49
  • Clarification: In the earlier comment, I said "USB device" or "USB drive" where this question seems to be about SD cards. Same statements still apply, though. – Iszi Sep 11 '14 at 14:07
  • @Iszi, thanks for bringing that to my attention. The properly configured VM really helps to stop (or at least mitigate) malware from being read from the target device. I've updated my answer to reflect that. – Matthew Peters Sep 11 '14 at 14:36
  • @roryAlsop, you're absolutely correct. There's really no such thing as a read and write blocker (or perhaps there is -air). I've changed my answer to make this clearer. – Matthew Peters Sep 11 '14 at 14:38
  • That's grand Matthew - I hope my edit didn't seem too cheeky. Your edit rolls that all up nicely – Rory Alsop Sep 11 '14 at 14:43
  • @RoryAlsop, not at all! I actually had a complete misconception of how much a writeblocker could do (after using one that had an internal buffer) and after researching more, I realised the error. I thought I had cleaned up my answers/comments everywhere though but I guess not here. – Matthew Peters Sep 11 '14 at 14:49
  • This doesn't account for BadUSB (google it). The USB drive could in fact be a USB keyboard that sends malicious key strokes when plugged in. And a VM alone doesn't protect you as devices bind initially to the host - unless you take special precaution. – paj28 Sep 11 '14 at 14:49
  • @paj28, that's why I say read through SANS incident response. There are many threats out there and this is just an oversimplified overview. – Matthew Peters Sep 11 '14 at 14:58
  • @MatthewPeters, Re "hot agent"; Meaning? – Pacerier Mar 06 '18 at 08:41
  • Re "a different OS than the target"; Target here refers to? – Pacerier Mar 06 '18 at 09:13
1

Since you are dealing with dangerous material I would start by running this process on a dedicated system for this kind of investigation:

  • unplugged from any network connection (MacOS X in isolated network configuration: the equivalent of Airplane mode on an iPhone),

  • a system you can fully erase in case of malware evidence you can't fully erase.

On MacOS X, this task of sandboxing and analysing a suspicious external USB is basically a 2 step process.

Mount this USB key readonly

Please read this answer: How can I write-protect (make read-only) a USB drive in OS X? on Ask Different which is, from my experience the best answer.

This will protect the evidence from being corrupted by any MacOS X daemon (mdworker, Spotlight…) a human error or any forensic tool. This won't protect MacOS X which is still on a read-write filesystem.

Run clamscan and chkrootkit

If your USB storage is now mounted under /Volumes/suspicious_SD, and you have MacPorts, clamav & chkrootkit installed, run:

/usr/bin/sudo /opt/local/bin/clamscan -r /Volumes/suspicious_SD
/usr/bin/sudo /opt/local/bin/chkrootkit -r /Volumes/suspicious_SD

These are just two basics tools to detect publicly known malwares. This doesn't constitute a real forensic analysis which should start from there, based on tools like: find, tcpdump, opensnoop

dan
  • 3,033
  • 14
  • 34
  • 3
    You are assuming that `clamscan` and `chkrootkit` will detect all or most malware. That assumption is dubious. – D.W. Aug 01 '14 at 00:34
  • No one in information security will ever make such an assumption about an *anti-virus* approach. → D.W.: do you mean I should make the residual risk clear in case dummies would read this technical answer and could hurt themselves :) ? – dan Aug 01 '14 at 06:33
  • 1
    @danielAzuelos, what you are suggesting is simply a tool to research potential malware. You still need to conduct that work inside a secure environment which generally includes a write blocker. – Matthew Peters Aug 02 '14 at 22:26
  • 3
    @MatthewPeters As noted in comments on your answer, a write blocker (or even mounting as read-only) is to protect the *evidence* (in this case, the SD card which may contain malware) *not* you. Additionally, protection of the evidence does not appear to be a major concern here - Honey Badger obviously just has some data they need to get off the drive without getting infected. To be properly protected, a LiveCD or VM should be used instead. – Iszi Sep 11 '14 at 14:03