How can I browse an untrusted USB flash drive safely?

6

5

Say I have a USB flash drive I found lying on the ground. I want to see if it has any information that could help me return it to its owner, but I live in an urban society. It could easily contain malware and be lying on the ground in wait for its next victim.

How can I browse the contents of this USB flash drive safely?

IntrepidPig

Posted 2015-10-08T04:00:15.673

Reputation: 73

Question was closed 2017-05-07T02:14:13.167

1

My 1st thought is you boot the PC up with a liveCD – David Dai – 2015-10-08T04:21:31.693

1

@Moab This question has answers listing lots of dangers of untrusted USBs that can indeed jump off the drive into a PC.

– IntrepidPig – 2015-10-08T04:30:02.043

2

Use a virtual machine and open the pendrive – BlueBerry - Vignesh4303 – 2015-10-08T06:10:19.553

@moab exactly opposite - there are still code execution bugs found in filesystem mounting, autorun.inf handling etc. – DarkWanderer – 2015-10-08T07:33:35.447

1

Find somebody you don't like and plug it in their computer. – Fiasco Labs – 2016-04-06T03:40:43.517

Use Virtual machine, find it mounted first in the host OS and oh, ooops! – Fiasco Labs – 2016-04-06T03:41:29.597

Answers

8

There are many options to open it, but if safety is a concern it will take more time:

  1. Open it up through some live CD version of Linux. If the USB flash drive is infected it would infect only the OS on the live CD.
  2. Boot the OS in a virtual machine and test the USB flash drive there. [Note: You can set the guest OS to detect USB first, which would disable the host USB detection.]
  3. If you are using a Windows machine: disable autorun.inf on the local computer.
  4. If you are on a Mac, mount the USB drive as read-only.
  5. You can disable autorun on a Mac by following these steps:

You need to remove the auto launch job with the launchctl command.

For example, in my case I have already installed a modem manufactured by ZTE. So I searched for LAUNCHD listings using the launchctl list command and grepped for those modem strings.

launchctl list | grep -i zte

Showing:

5681    -   cn.com.zte.usbswapper.plist

If you do not find your app, then output all the jobs to a file. This awk command tries to overcome the chance that you may have spaces in your launchd job name.

launchctl list 2>/dev/null | awk '
{ x="\""substr($0, match($0, $3), 100)"\""; print x; system("launchctl list " x) }
' > launchList.txt

Open launchList.txt. The name of the launchd job will be shown in "..." above the {} block where you hopefully find a "Mobile Partner" or "AutoOpen" string.

Perhaps inspect the item to be more confident before removal. Surround by "" if there are spaces in the job name.

launchctl list "cn.com.zte.usbswapper.plist"

Then just remove it. This is the command to stop the auto load. Be very sure you are removing the correct agent or daemon.

launchctl remove "cn.com.zte.usbswapper.plist"

Add it again if you want, using the full path of the PLIST file.

launchctl load /Library/LaunchAgents/cn.com.zte.usbswapper.plist

Scan through a computer and all USB flash drives regularly.

Note on BadUSB:

When you plug a USB device into a computer, the device tells the computer what sort of thing it is, so the computer can select the appropriate driver. For example, a thumb drive declares itself as a "USB Mass Storage" device, while a keyboard is a "Human Interface Device".

BadUSB is a technique for re-writing the firmware of a plugged-in USB device from the computer. For example, it could make a thumb drive identify itself as a mouse and cause the pointer to jump around at random. Or it could make the thumb drive identify as a USB hub with connected keyboard and mass storage, that when plugged in types a sequence of keystrokes that causes a program on the thumb drive to be run.

If you are using Linux and wish to protect against BadUSB:

BadUSB attacks are based on the fact that computers allow and enable HID devices on all USB ports. Faked network adapters are no real danger. My answer tries to describe how to use udev to temporarily disable the addition of new HID devices.

For preparation, create a file /etc/udev/rules.d/10-usbblock.rules with the content:

#ACTION=="add", ATTR{bInterfaceClass}=="03", RUN+="/bin/sh -c 'echo 0 >/sys$DEVPATH/../authorized'"

If you want to block other classes too, then look up the class number, and copy the line, and change the class.

Now you can block all new HID devices using the command

sed -i 's/^#//' /etc/udev/rules.d/10-usbblock.rules; udevadm control --reload-rules

and unblock with:

sed -i 's/^/#/' /etc/udev/rules.d/10-usbblock.rules; udevadm control --reload-rules

Before you shut down, always unblock, as the setting is persistent, and your "good" HID devices would be rejected on reboot.

I don't know whether you can edit the temporary rules directory, but if changes there affect the behaviour, you should edit that instead, as then you don't need to unblock before shutdown.

BadUSB credits/source: Security DMZ

BlueBerry - Vignesh4303

Posted 2015-10-08T04:00:15.673

Reputation: 7 221

Does your answer also apply to compromised firmwares such as BadUSB? More specifically, can the USB firmware of the physical USB port on the physical machine be affected by a USB drive whose firmware is compromised? – nehcsivart – 2015-10-08T06:52:33.147

Also if mounting to Linux, use the mount options noexec,nosuid,nodev. – Wildcard – 2015-10-08T07:32:09.400

1On MAC, does mounting the USB stick readonly really protect my HDD? Sounds to me like it protects the USB stick, not the HDD. – Thomas Weller – 2015-10-08T09:39:10.387

Option 2 is not quite safe, as before you transfer USB control to VM, OS sees it. At least that's the case with VMWare. – DarkWanderer – 2015-10-12T09:02:16.660

Thanks for clarification. It's worth mentioning in the answer then, as it's a crucial point and not all VM software support it – DarkWanderer – 2015-10-12T10:31:15.763

@DarkWanderer updated answer, thanks – BlueBerry - Vignesh4303 – 2015-10-12T11:39:39.903
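As an added example (not code from the original answer), a small POSIX shell wrapper around the udev HID-blocking toggle and the read-only mount options suggested in the comments: it writes the rule in its disabled state, switches it on and off, and reports whether it is active so you can check before shutdown. It assumes the answer's rule path, uses udev's documented `$env{DEVPATH}` substitution in place of the answer's `$DEVPATH`, and includes the comma udev requires between the match keys and `RUN+=`.

```shell
#!/bin/sh
# Added example, not part of the original answer: wrapper around the udev
# HID-blocking rule described above. RULES defaults to the answer's path;
# set RULES=/tmp/x.rules to exercise the functions without root.
RULES="${RULES:-/etc/udev/rules.d/10-usbblock.rules}"

# The answer's rule with the comma udev requires before RUN+=, using udev's
# documented $env{DEVPATH} substitution. Class 03 is HID (keyboards, mice).
# Writing 0 to the parent device's 'authorized' attribute detaches it.
HID_RULE='ACTION=="add", ATTR{bInterfaceClass}=="03", RUN+="/bin/sh -c '\''echo 0 >/sys$env{DEVPATH}/../authorized'\''"'

install_rule() {  # write the rule commented out, i.e. not blocking anything
    printf '#%s\n' "$HID_RULE" > "$RULES"
}

hid_blocked() {  # exit 0 when the rule is active (no leading '#')
    grep -q '^ACTION==' "$RULES" 2>/dev/null
}

reload_udev() {  # re-read rules on a real host; a no-op when not root
    if [ "$(id -u)" = 0 ] && command -v udevadm >/dev/null 2>&1; then
        udevadm control --reload-rules 2>/dev/null || echo "warning: udev reload failed" >&2
    fi
}

block_hid() {    # activate: newly attached HID interfaces are de-authorized
    sed -i 's/^#\(ACTION==\)/\1/' "$RULES" && reload_udev
}

unblock_hid() {  # deactivate; do this before shutdown, as the answer warns
    sed -i 's/^\(ACTION==\)/#\1/' "$RULES" && reload_udev
}

# Mount a suspect drive read-only with no executables, setuid bits or device
# nodes (the options suggested in the comments). Returns mount's status.
safe_mount() {
    mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# Example session: only runs when invoked as "script.sh apply", so that
# sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    [ -f "$RULES" ] || install_rule
    block_hid
    hid_blocked && echo "HID blocking active; run unblock_hid before shutdown"
fi
```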

0

Disable autorun in windows as mentioned here: https://support.microsoft.com/en-us/kb/967715

After that you could safely browse files. If you do not execute/open files which could contain viruses/malware, you are safe.

Malware can be placed in these files: .exe, .dll, .scr, .doc(m)**, .xls(m), .xlsb, .ppt(m), .dot(m), .xlt(m), .pot(m), .bat, .cmd, etc.

Malware cannot be placed in: .jpeg, .gif, .png, .txt, .docx, .xlsx, .pptx

** May be either the .doc or .docm versions

joro

Posted 2015-10-08T04:00:15.673

Reputation: 286

2

Note that the -x extensions of Microsoft Office (.docx, .pptx, .xlsx) cannot contain macros, so they cannot have viruses. https://support.office.com/en-US/article/Introduction-to-new-file-name-extensions-ECA81DCB-5626-4E5B-8362-524D13AE4EC1

– joro – 2015-10-12T06:32:08.910

so editors of my answer are WRONG – joro – 2015-10-12T06:33:25.913