Mystery flashdrives... An investigation. by Ben from 09 Sept 2016
This morning I was handed a stack of random thumbdrives and told “Five hundred of these showed up in the boss's office and we need to know if they are safe to use.” This is a new occurrence for me, but I welcome the challenge. We’ve all heard about malicious USB sticks spreading viruses, so to me the threat is credible.
The first thing I did was open one of these things up and take pictures of the USB chip. It has “TW218B1552AACB020” on the back of the chip itself. A bit of googling on that marking, the only real identifier on the chip, turned up no information about it.
I then booted up my laptop with a Kali Linux USB stick. If I were super paranoid I would have done this on a system without a hard drive in it. But I'm not paranoid. So I did the rest of this on my regular laptop, trusting that whoever sent these sticks isn't resourced enough to have malware that can install itself from a live environment onto unmounted hard drives.

Once booted up, I stuck the flashdrive in and tried to discern as much as I could about it. First I used lsusb to see the hardware information the flashdrive reports. After that I was no longer worried about BadUSB-style attacks, as the drive did in fact tell the system it was simply a mass storage device and not something else like a keyboard or an ethernet adaptor.
It says it's manufactured by Speed Tech Corp, which is about the most generic name a company could have, I think. A quick google search turned up their homepage, which can be found here. I wouldn't recommend hanging out on the site for long, though, as the music that plays is bad at best. Also, who still plays songs on their homepage? They are a Taiwanese company. According to their site and a few Taiwanese stock trading sites, Speed Tech Corp is a legitimate company that currently manufactures USB connectors. But I couldn't find anything about them making whole flashdrives or the chips for flashdrives.
I then reverse image searched the card that came with the flashdrives on Google. The image of the lock and key comes from a stock image site named Cam Stock Photo, which can be found here. So that picture could have been bought or stolen and photoshopped by literally anybody.
Then I fired up GParted to make sure that this bad boy didn't have any hidden partitions. It had some unallocated space at the beginning of the drive, but no large unformatted partitions.
The flashdrive reported that it was empty with no files, but we all know files can be recovered after being deleted. So I used dcfldd to make a forensic image of the flashdrive and went about scanning the image with multiple tools built into Kali to make sure that there were not any hidden or deleted files. None of the tools I used turned up anything of note. There are no hidden or deleted files on the flashdrive as far as I can tell. This eased all my fears about the flashdrives carrying traditional malicious autorun.inf files like in the days of old. Here are some pictures from the image-making process as well as the output of some of the tools I used to scan the image.
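The three checks above (what the stick announces to lsusb, imaging it, and looking for remnants of deleted files in the raw image) can be scripted so they run the same way on every stick in the stack. The script below is an added example and is not from the original post; it assumes a 512-byte sector size, GNU coreutils, and a constructed device file standing in for the real stick, and the two lsusb excerpts are constructed, not captured from these drives.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for an unknown
# USB stick. Every input here is constructed so the script runs offline.

# --- 1. Device class check (the lsusb step) ---------------------------------
# Constructed excerpt in the shape of `lsusb -v` output. A plain stick exposes
# only interface class 8 (Mass Storage).
SAMPLE_MASS_STORAGE='  Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only'

# Constructed excerpt of a composite device that also presents a keyboard
# (class 3, Human Interface Device): the shape a BadUSB-style device shows
# at enumeration.
SAMPLE_COMPOSITE='  Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         8 Mass Storage
  Interface Descriptor:
      bInterfaceNumber        1
      bInterfaceClass         3 Human Interface Device'

# Print the distinct bInterfaceClass codes in lsusb -v text read from stdin,
# space separated and sorted, e.g. "3 8".
interface_classes() {
  awk '$1 == "bInterfaceClass" { print $2 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only if every interface the device reports is class 8 (Mass Storage).
only_mass_storage() {
  classes=$(interface_classes)
  [ -n "$classes" ] || return 1
  for c in $classes; do
    [ "$c" = "8" ] || return 1
  done
  return 0
}

# --- 2. Forensic image plus hash verification (the dcfldd step) ------------
# dcfldd hashes while it copies; with plain dd we image first, then hash the
# source and the image separately and require the two to agree.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'   # macOS fallback
  fi
}

# image_device SOURCE IMAGE: copy SOURCE sector by sector, continuing past read
# errors (unreadable sectors are zero-padded), then print both hashes and
# succeed only when they match. SOURCE must be a whole number of 512-byte
# sectors, which is always true of a block device.
image_device() {
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
  src=$(hash_file "$1"); img=$(hash_file "$2")
  printf 'source %s\nimage  %s\n' "$src" "$img"
  [ "$src" = "$img" ]
}

# --- 3. Raw scan for autorun remnants (the "deleted files" step) -----------
# Count [autorun] section headers anywhere in the raw image, including
# unallocated space where a deleted autorun.inf would leave its bytes behind.
autorun_hits() {
  grep -a -o -i '\[autorun\]' "$1" | wc -l | tr -d ' '
}

# Constructed 64 KiB "device" file for a stand-alone run: an [autorun] header
# planted mid-image with no file system around it, standing in for the bytes a
# deleted autorun.inf leaves in unallocated space.
make_sample_device() {
  dd if=/dev/zero of="$1" bs=512 count=128 2>/dev/null
  printf '[autorun]\nicon=drive.ico\n' | dd of="$1" bs=512 seek=64 conv=notrunc 2>/dev/null
}

demo() {
  tmp=${TMPDIR:-/tmp}/usb_triage_$$
  mkdir -p "$tmp"
  if printf '%s' "$SAMPLE_MASS_STORAGE" | only_mass_storage; then
    echo "stick: mass storage only"
  fi
  if ! printf '%s' "$SAMPLE_COMPOSITE" | only_mass_storage; then
    echo "composite: extra interface classes present ($(printf '%s' "$SAMPLE_COMPOSITE" | interface_classes))"
  fi
  make_sample_device "$tmp/dev.bin"
  image_device "$tmp/dev.bin" "$tmp/dev.img" && echo "image verified"
  echo "autorun hits in image: $(autorun_hits "$tmp/dev.img")"
  rm -rf "$tmp"
}
demo
```

On a real stick, point `image_device` at the block device (for example `/dev/sdb`) and feed `only_mass_storage` with `lsusb -v -d VID:PID`. The class check only covers what the device announces when it is plugged in, so it is a first filter rather than proof of the controller firmware, and the hash comparison is what lets every later scan be run against the image instead of the stick itself.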
Now that we are at the end of my investigation, I have concluded that these mystery flashdrives are benign; nothing on them is going to own everyone that uses one. Without what I presume would be special equipment to pull the firmware off the flashdrive's chip, I was unable to find anything suspicious about the drives: no hidden files, no hidden partitions, no autorun scripts, and no reporting itself as a device different from the device it actually is. We don't always find anything amazing, but a lot of the time the process and the journey are just as important. If you have any tips or feedback on how I could better analyze a drive next time, feel free to contact me.