How do I safely investigate a USB stick found in the parking lot at work?

TENS

A good security distribution for testing suspicious USB flash drives that you found in the parking lot is Trusted End Node Security (TENS), previously called Lightweight Portable Security (LPS), a Linux security distribution that runs entirely from RAM when it is booted from a bootable USB flash drive. TENS Public turns an untrusted system (such as a home computer) into a trusted network client. No trace of work activity (or malware) can be written to the local computer hard drive.

In addition to the security feature TENS has another useful purpose. Because it runs entirely from RAM, TENS can boot on almost any hardware. This makes it useful for testing the USB port of a computer that is unable to boot most other live bootable USB ISO images.

USBGuard

If you are using Linux, the USBGuard software framework helps to protect your computer against rogue USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce the user-defined policy, it uses the USB device authorization feature implemented in the Linux kernel since 2007.

By default, USBGuard blocks all newly connected devices, and devices connected before daemon startup are left as is.

A quick way to start using USBGuard to protect your system from USB attacks is to first generate a policy for your system. Then, start the usbguard-daemon with the command sudo systemctl start usbguard.service. You can use the usbguard command-line interface command and its generate-policy subcommand (usbguard generate-policy) to generate an initial policy for your system instead of writing one from scratch. The tool generates an allow policy for all devices currently connected to your system at the moment of execution.[1]

Features

  • Rule language for writing USB device authorization policies

    The target of a rule specifies whether the device will be authorized for use or not. Three types of target are recognized:

    • allow - authorize the device
    • block - deauthorize the device
    • reject - remove the device from the system

  • Daemon component with an IPC interface for dynamic interaction and policy enforcement
  • Command line and GUI interface to interact with a running USBGuard instance
  • C++ API for interacting with the daemon component implemented in a shared library

[1] Revised from: Built-in protection against USB security attacks with USBGuard
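As an added example (not part of the original answer or of the USBGuard project), here is a POSIX shell script that reviews the output of usbguard generate-policy before it is installed as the daemon's rules file. The sample policy it reads is constructed: the device IDs, names and hash values are placeholders, not captured from a real machine. The script flags every allow rule that does not pin the device to its hash, because a bare allow, or an allow keyed only on a vendor:product ID, authorizes any device that presents those attributes and defeats the purpose of an allow-list. It also counts rules per target so you can see at a glance how restrictive the generated policy is, and only installs a policy once the audit is clean. The /etc/usbguard/rules.conf path is the daemon's default rules file; the helper names are my own.

```sh
#!/bin/sh
# Added example: audit a generated USBGuard policy before trusting it.
# SAMPLE_POLICY is a constructed stand-in for `usbguard generate-policy`
# output; IDs, names and hashes are placeholders, not real devices.
SAMPLE_POLICY='allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "CONSTRUCTED_HASH_1" with-interface 09:00:00
allow id 046d:c52b serial "" name "USB Receiver" hash "CONSTRUCTED_HASH_2" with-interface { 03:01:01 03:01:02 03:00:00 }
allow
block id 0781:5567 name "Cruzer Blade" with-interface 08:06:50'

# Print (with line numbers) every allow rule that is not pinned to a
# device hash. A rule like a bare "allow" matches every device; an
# allow keyed only on id/name matches anything that claims those values.
audit_policy() {
    printf '%s\n' "$1" | awk '
        /^ *allow( |$)/ && $0 !~ /hash "/ { print NR ": " $0 }'
}

# Count rules per target so the reviewer can see how permissive the
# policy is overall (allow/block/reject are the three USBGuard targets).
count_targets() {
    printf '%s\n' "$1" | awk '{ n[$1]++ } END {
        printf "allow=%d block=%d reject=%d\n", n["allow"], n["block"], n["reject"] }'
}

# Install a reviewed policy file and restart the daemon. Refuses to
# proceed while the audit still flags unpinned allow rules, and does
# nothing on a host where usbguard is not installed.
apply_policy() {
    policy_file=$1
    if [ -n "$(audit_policy "$(cat "$policy_file")")" ]; then
        echo "refusing to install $policy_file: unpinned allow rules present" >&2
        return 1
    fi
    if ! command -v usbguard >/dev/null 2>&1; then
        echo "usbguard is not installed on this host" >&2
        return 1
    fi
    sudo install -m 0600 "$policy_file" /etc/usbguard/rules.conf
    sudo systemctl restart usbguard.service
}

# Demo against the constructed policy (no privileges required).
echo "Rules per target: $(count_targets "$SAMPLE_POLICY")"
echo "Unpinned allow rules (line: rule):"
audit_policy "$SAMPLE_POLICY"
```

In practice you would run `sudo usbguard generate-policy > /tmp/rules.conf.new` on the machine, pass that file to audit_policy, edit or delete the flagged rules (the third line of the sample policy is the kind of entry to remove), and only then call apply_policy. Keeping the hash attribute on every allow rule is what ties authorization to the specific device you plugged in, rather than to an ID string any device can present.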

Installation

USBGuard is installed by default in RHEL 7.

To install USBGuard in Ubuntu 17.04 and later, open the terminal and type:

sudo apt install usbguard

To install USBGuard in Fedora 25 and later, open the terminal and type:

sudo dnf install usbguard

To install USBGuard in CentOS 7 and later, open the terminal and type:

sudo yum install usbguard

Compilation of USBGuard from source requires the installation of several other packages as dependencies.


If you didn't want to use it but are curious - I'd actually start by cracking open the case (very carefully) and taking a look at the chips inside.

I know. This sounds crazy, but the presence of an identifiable controller and flash chip would make it more likely it's an actual USB drive rather than something like a USB rubber duck or a USB killer.

Then do what everyone else suggests and test it on a disposable install, run a few bootable virus scanners as well, then if you're sure it's safe, wipe it.