I found two USB sticks on the ground. Now what?

8

As from the subject, I want to see what's inside. I am seriously interested in finding the owner if possible and returning them, but I am worried it could be an attempt at social engineering. I own a MacBook Pro Intel with OS X v10.6 (Snow Leopard). It is a very important install.

What would you do in my situation if you want to see the content without risks? Any proposal is welcome.

I decided not to plug them in, and I brought them to the hotel reception. They will forward it to the police.

Stefano Borini

Posted 2009-10-31T10:06:14.133

Reputation: 2 034

Question was closed 2017-05-05T22:01:03.077

1 @Arjan: since Stefano didn't reply after your last comment, can we assume you were right about his job (that is, he is working at some nuclear power plant, or secret government agency, or for a company that has very powerful and evil competitors)? :D – dag729 – 2010-06-09T09:28:50.447

@davidpostill this question is 7 years old. The linked duplicate is from yesterday. It's the other one being duplicate of this one, not the other way around. – Stefano Borini – 2017-05-06T15:11:23.100

@StefanoBorini An older question can be a duplicate of a newer one if the newer question has better answers. See "Should I vote to close a duplicate question, even though it's much newer, and has more up to date answers?" – DavidPostill – 2017-05-06T15:51:06.717

@StefanoBorini, I like some of the answers here better, but the other thread deals with an important consideration not covered here, the potential for a "killer USB". It's worth directing readers to the other thread based on coverage of that issue. – fixer1234 – 2017-05-06T18:03:29.707

@DavidPostill this makes no sense, for three reasons: 1. the new question should have never got to the point there are better answers, because it's the question to be duplicated, and it should have been closed even before getting answers. 2. if the answers are better, they should be part of this question, not that one. 3. my question can be edited and expanded to cover any additional cases. – Stefano Borini – 2017-05-08T13:37:30.473

@StefanoBorini If you disagree, the correct place for this discussion is on [meta], not in comments. – DavidPostill – 2017-05-08T13:38:56.827

The correct place is to delete this answer. Contributing to you guys is like getting punched in the face. – Stefano Borini – 2017-05-08T14:15:52.440

2 Please do not vandalize your posts. Once you've posted a question, you have licensed the content to the Super User community at large (under the CC-by-SA license). If you would like to disassociate this post from your account, see "What is the proper route for a disassociation request?" – CalvT – 2017-05-08T14:20:31.483

@calvt so what's the point of a delete button if I can't delete anything? – Stefano Borini – 2017-05-08T16:30:00.370

@StefanoBorini, why are you so concerned about the direction of the duplicate? True, you posted a question earlier, but age isn't always the best basis for linking, and the direction doesn't reflect on your post or affect past or future voting. Killer USBs weren't even a thing when you asked your question. With technology questions, it's often good to try to attract new, current answers after many years. Sometimes it's a tough decision for the community as to which is the best direction for the chain of threads. (cont'd) – fixer1234 – 2017-05-08T16:47:45.197

I answered on the newer post to deal specifically with killer USBs, but I cited this thread in my answer, which may direct additional traffic here. To answer your question about the delete button, you can delete your own question before other people are affected. Once people have taken the time to answer, it isn't fair to those authors or readers to delete the question. You've created a community resource. The question and answers are fine and have attracted a lot of upvotes for yourself and other authors. Why would you want to delete the thread? – fixer1234 – 2017-05-08T16:53:39.627

@StefanoBorini If you'd clicked the delete button, you wouldn't have vandalized your post. Vandalizing your post is when you replace a post's contents (including, say, the body) with gibberish. Deleting is only allowed when other people haven't contributed things that you'd be making worthless if you deleted. – Fund Monica's Lawsuit – 2017-05-08T17:24:26.363

@fixer1234 I am not concerned with the direction of the duplicate. I am tired of contributing to a mechanism where every contribution eventually gets rewarded with a punch to the face. – Stefano Borini – 2017-05-09T06:45:01.023

> For starters, I would print 10GB USB 2.0 on a 128MB USB 1.0 flash drive if I wanted someone to pick it up... ;-)

I would be more likely to pick up the smaller one. You can get a large drive for peanuts these days, but a nice, small flash-drive to use as a simple DOS boot disk or to put my mother’s 10 MP3s which take up only ~80MB on is harder to come by (especially for a reasonable price—read <$1-2). – Synetech – 2012-11-18T03:47:18.457

Of course, you don't know for sure it's a drive to start with. Even if the casing tells you it's a drive, it could be just any kind of device. – Arjan – 2009-10-31T12:18:16.770

what's a drive? I always called them like this. – Stefano Borini – 2009-10-31T12:34:30.740

He means that while it looks like a USB stick (or usb drive, usb key, usb dongle, memory stick, memory key, file tube (no, really), or one of any other hundreds of possible names because it wasn't standardized), it could actually be something else entirely, designed to LOOK like a USB stick - however I don't think it could do any damage by itself. – Phoshi – 2009-10-31T12:42:41.517

For example, a bluetooth USB dongle or a proprietary wireless mouse receiver could easily look like a USB flash drive. (No harm there, of course.) But to truly fool someone into social engineering, whatever is printed on the casing is not necessarily true. For starters, I would print 10GB USB 2.0 on a 128MB USB 1.0 flash drive if I wanted someone to pick it up... ;-) – Arjan – 2009-10-31T13:00:49.230

They were the real thing. also, pretty large. – Stefano Borini – 2009-10-31T13:02:16.813

Ah! Now we'll never know what's inside :P – Phoshi – 2009-10-31T13:07:00.443

Before I picked it up I did not know either, still I was living fine. – Stefano Borini – 2009-10-31T13:56:28.330

1 Now my only hope is that it goes back to his legitimate owner. I did my part – Stefano Borini – 2009-10-31T13:57:02.340

They were the real thing. also, pretty large. -- aha, so you did plug them in after all. Or how would you know...? ;-) – Arjan – 2009-10-31T14:16:32.533

Because the size in GB was written over them, and the brand was quite known – Stefano Borini – 2009-10-31T15:22:49.017

I'm complicating things, but my point was: when afraid of social engineering, then why trust the casing of the device you found? (But unless you are working at some nuclear power plant, or secret government agency, or for a company that has very powerful and evil competitors, of course chances are zero you "accidentally" found something that looks like a flash drive but in fact is a computer chip that tries to do other things...) – Arjan – 2009-10-31T17:00:54.513

Answers

11

Why look at the content? I can understand that you are curious, but the content of those drives is none of your business. If you lost a drive, would you want others to look at the content?

Leave some notes in the area where you found them or bring them to the lost property office if you have one.

innaM

Posted 2009-10-31T10:06:14.133

Reputation: 9 208

4 Here is Tokyo. I don't know how to write, I don't know where I was, I don't know how to put a post it note in the middle of the street. If I find a wallet, I would look for personal documents. Why shouldn't I do the same for a lost drive? – Stefano Borini – 2009-10-31T10:12:06.820

7 And if I lost my drive, it would contain an encrypted image, with a clear text file containing my email address. – Stefano Borini – 2009-10-31T10:13:49.780

2 Further to this - in the rarest circumstance of the drives actually being of some importance (e.g. government / military), even attempting to access them could wind you up in a whole heap of trouble. – Ian – 2009-10-31T10:46:05.550

2 So chances are it's all Japanese after you plug it in... If you can't read that, and given iAn's comment, I guess dropping it off at some police station is all your Scout's Duty can do then? – Arjan – 2009-10-31T11:25:12.007

Because I speak no Japanese and they 99.9% speak no English. I was hoping that the usb stick contains what I said it's on mine "if found please send mail to " and then an encrypted file, but maybe I'm a dreamer. – Stefano Borini – 2009-10-31T12:28:38.200

I know plenty of dreams that I can guarantee are a Very Bad Idea (TM) – Stefano Borini – 2009-10-31T12:53:35.723

18

Disconnect from network. Boot from CD. Do not mount HDD.

Plug in USB drives, mount them and poke around.

briealeida

Posted 2009-10-31T10:06:14.133

Reputation: 484

that was my idea too, however... Linux for intel mac is a pain. If I boot OSX install cd, the HDD gets mounted in any case. – Stefano Borini – 2009-10-31T10:27:01.750

is it? I've often run ubuntu livecd countless times with no problems, no hdd mounted. osx install cd of course is another matter, plus it's definitely not linux. care to detail your problems? – ptor – 2009-10-31T14:14:25.220

kernel panics at boot. apic troubles. tried many solutions as proposed on the net, with no result. – Stefano Borini – 2009-11-01T12:24:59.570
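Added example (not part of the original answer or comments): before mounting anything in the live session this answer describes, a Linux live system can show what the stick actually declares itself to be, which is the concern raised in the question's comments about the casing not proving it is a drive. The sketch reads the standard sysfs attribute `bInterfaceClass`; the device name passed in (such as `1-2`) and the verdict labels are assumptions of this example.

```python
#!/usr/bin/env python3
"""Report which USB interface classes a plugged-in device declares (Linux)."""
import sys
from pathlib import Path

SYSFS_USB = Path("/sys/bus/usb/devices")  # standard Linux sysfs location
MASS_STORAGE = 0x08
# USB-IF base class codes; anything not listed is reported as "other".
CLASS_NAMES = {
    0x02: "communications (CDC)", 0x03: "HID (keyboard/mouse)",
    0x08: "mass storage", 0x09: "hub", 0x0A: "CDC data",
    0xE0: "wireless controller", 0xFF: "vendor specific",
}


def interface_classes(device, root=SYSFS_USB):
    """Return sorted interface class codes for one device, e.g. '1-2'."""
    classes = []
    # Interfaces sit beside the device as '<device>:<config>.<interface>'.
    for iface in Path(root).glob(f"{device}:*"):
        attr = iface / "bInterfaceClass"
        if attr.is_file():
            classes.append(int(attr.read_text().strip(), 16))
    return sorted(classes)


def assess(device, root=SYSFS_USB):
    """Return (verdict, findings); verdict labels are this example's own."""
    classes = interface_classes(device, root)
    findings = [f"0x{c:02x} {CLASS_NAMES.get(c, 'other')}" for c in classes]
    if not classes:
        return "unknown", findings          # nothing enumerated under that name
    if all(c == MASS_STORAGE for c in classes):
        return "storage-only", findings
    if MASS_STORAGE in classes:
        return "mixed", findings            # storage plus something else, e.g. HID
    return "not-storage", findings          # looks like a stick, is not a drive


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: usbclass.py <device>   (e.g. 1-2, as named in dmesg)")
    verdict, findings = assess(sys.argv[1])
    print(verdict)
    for line in findings:
        print("  interface class", line)
    sys.exit(0 if verdict == "storage-only" else 1)
```

The classes are self-declared by the device at enumeration, so a `storage-only` verdict describes what it presents at that moment, not what its firmware is capable of.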

4

It could be full of nanites that are going to crawl into your computer and turn it into the master computer for the super-secret Tristan da Cunha nuclear program. :)

All kidding aside, with the possibility that it could have some form of malware, government secrets, terrorist documents, data used in identity theft, illegal pornography, or child pornography, your best bet is to turn it over to law enforcement in whatever jurisdiction you found it in with as much information about where you found it as possible. Leave it to them to figure out what to do with the USB stick.

Mike Chess

Posted 2009-10-31T10:06:14.133

Reputation: 5 583

1

Just open it! OS X doesn't have any form of AutoRun, and (unlike Firewire) USB does not allow Direct Memory Access attacks. So looking through the USB stick and not executing anything would be perfectly safe.

Phoshi

Posted 2009-10-31T10:06:14.133

Reputation: 22 001

1 The op states USB drive, I suppose it could be some sort of starship engine, in which case plug it in faster :P – Phoshi – 2009-10-31T11:09:23.927

I've no idea, been a windows/linux guy all my life, but it sounds plausible to me. – Phoshi – 2009-10-31T11:10:41.880

Unless my Google-Fu is failing me, there's no USB DMA vulnerabilities on a Mac. So, cleaned up my comments a bit (and added a link to Firewire vulnerabilities as a reference). – Arjan – 2009-10-31T12:16:43.107

That's indeed my worry. That plugging specially crafted stuff could compromise my security. I know that mac is not windows, but you never know. – Stefano Borini – 2009-10-31T12:30:46.827

Aye. If it is a social engineering thing, the attacker would most likely aim the device at Windows machines, partially because there are more people using them, and partially because you're more likely to get somebody who would plug in a USB drive without thinking, triggering the trap. I think you'd be safe, but, of course, it never hurts to be careful with these things. – Phoshi – 2009-10-31T12:52:17.347

Just be careful you don't get complacent and somehow end up triggering rootkit.{exe,app,sh}: One rootkit, triple OS. And because everyone knows that linux and mac don't have viruses, it's safer to do it. And therefore an easier target. (You call yourself a fanboi, Kevin? You're a sorry excuse for one) – Kevin M – 2009-11-01T04:31:10.670

It'd still have to execute, Kev, which wouldn't happen if you were just poking around. – Phoshi – 2009-11-01T10:35:41.713

1

If booting to a LiveCD is not an easy option, do you have any virtualization software? You could create a virtual machine and connect the device to that isolated machine. I've done that in the past using VMware Workstation. You could probably download an eval copy of VMware Workstation, which allows sharing of USB devices.

I would be careful that you know the USB device is going to be connected to the VM and not the host. I've done this enough in the past that I was comfortable knowing that the device would be connected to the VM and not my host machine.

To be safer, make sure the VM OS does not have any sensitive information or connectivity to sensitive information (i.e. network connectivity or other sharing with the host).

Edit: I've actually done this too. Turns out the drive contained the person's entire work portfolio. I was able to track down her contact information from the content on the device. She was so relieved when I returned the device to her. It was a very attractive drive too. I asked her if she knew where I could get one, but she got it as a gift in Korea, so she didn't know where I could find one. It was very similar to the Pico USB flash on Thinkgeek, except that the pins weren't exposed.

Jason R. Coombs

Posted 2009-10-31T10:06:14.133

Reputation: 1 952