Is there a way of "safely" mounting a USB flash drive?

Hi altogether,

out of interest I´d like to ask you a hypothetical question concerning “safely” mounting a usb flash drive. :blush:

scenario:

  • OS: a Linux distro (like Lubuntu 20.04.2 in my case)
  • firejail as sandbox mechanism is installed and thus available

Suppose someone finds a USB-stick in the office yet doesn´t know about its contents. Perhaps it´s even a new one and “empty”.
He or she likes to take a closer look at it without putting the system at risk.

But: when connecting to the PC or laptop the stick is automatically mounted as can be seen in the file manager. In my case it´s PCManFM-Qt.

What I´d very much like to know:

  • Does the sheer mounting of the stick mean danger for the system in the first place?
  • Is there a way of preventing the automatism of mounting the stick when attaching it to the USB port?
  • Is there a way to “safely” mount the stick at all? Perhaps with the help of firejail or any other method?

Thanks a lot in advance for your views on the matter.

Many greetings.
Rosika :slightly_smiling_face:

2 Likes

I wouldn’t guarantee it, as I’m not a security engineer, but I’d say, the mere mounting of a device and the access with a program which doesn’t execute any active file contents, doesn’t pose a risk.

However, if I were very suspicious, I’d boot the computer from a live medium and then mount the stick. As long as nothing gets written on the computer’s hard disk, no permanent damage will be caused.

5 Likes

Hi @Mina,

how good to see you here again. Thanks a lot for sharing your views :hearts:

O.K. That makes sense I suppose. I would have thought so too but wasn´t sure at all.

It makes sense to use a live medium if in doubt. Yet I´ve noticed that some OSes (at least when being used as live distros) automatically mount the partitions of the installed OS.

In that case, prior to attaching the USB-stick it´s certainly advisable to unmount these partitions, I think.

Thanks again for your help, Mina. :+1:

Many greetings.
Rosika :slightly_smiling_face:

1 Like

Using this distribution is one of the safest ways I can think of. I’m pretty sure, any safety that goes even higher than that would be extremely paranoid.

The distribution is usually meant to be used live. It also mounts everything read-only by default and you have to explicitly mount something with read/write permissions, if necessary.

This way the worst thing that could happen is that the USB stick, for example, issues some commands on the live distribution or something like that. However, even then it wouldn’t matter because nobody would try to attack Linux users this way, as most people use Windows and, as is evident in this thread, Linux users are generally more security conscious, so it wouldn’t make sense at all, to start an attack like this.
And even if it magically would do something with your Linux distribution, the probability of which is almost zero, then it could still neither damage your OS, as it is a live system, nor could it modify your computer’s storage devices, as everything is mounted read-only by default, anyway.

Long story short:
Just use the aforementioned live distribution and you are safe.

3 Likes
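As an added example (not part of any post in this thread): a shell check that reports which restrictive mount options a mounted device lacks, tying together the read-only default mentioned above and the question about automounting. The required option set (`ro,nosuid,nodev,noexec`), the device names and the sample mount table are assumptions constructed for illustration; the check only covers filesystem mount options.

```shell
#!/bin/sh
# Added example (not from the thread): report which hardening mount options
# a mounted device lacks. Input is text in /proc/mounts format.
# A restrictive manual mount looks like (device and mount point are placeholders):
#   mount -o ro,nosuid,nodev,noexec /dev/sdX1 /mnt/inspect

REQUIRED_OPTS="ro nosuid nodev noexec"   # assumed policy for an untrusted stick

# Constructed sample in /proc/mounts format, so the check can be tried offline.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/user/STICK vfat rw,nosuid,nodev,relatime,uid=1000,gid=1000 0 0
/dev/sdc1 /mnt/inspect vfat ro,nosuid,nodev,noexec,relatime 0 0
EOF
}

# check_mount_opts DEVICE [MOUNTS_FILE]
# Prints the missing options (space separated). Returns 0 if none are missing,
# 1 if some are missing, 2 if DEVICE is not mounted.
check_mount_opts() {
    dev=$1
    mounts=${2:-/proc/mounts}
    # Field 1 is the device, field 4 the comma-separated option list.
    opts=$(awk -v d="$dev" '$1 == d { print $4; exit }' "$mounts")
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 2
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;                  # exact option present
            *) missing="$missing $want" ;;   # e.g. "errors=remount-ro" is not "ro"
        esac
    done
    missing=${missing# }
    echo "$missing"
    [ -z "$missing" ]
}
```

Run `check_mount_opts /dev/sdb1` after plugging in a stick to see what the desktop's automounter left enabled; with the constructed sample, `/dev/sdb1` lacks `ro` and `noexec`.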

I don’t think it’d mount automatically… While you try to get into the drive, you can see that there’s a little time delay. I believe that the delay is because the device is getting mounted at that point.

In my case, I’d create a VM and mount it inside. I’m not a geek; please don’t expect high-level answers :slight_smile:

1 Like

Using a live distribution like Akito suggests is probably the safest plan, although a VM should be about the same if you happen to have one installed. In the olden days we used Knoppix, but Akito’s recommendation looks interesting.

1 Like

Great question

I think today we are ok but tomorrow …

I have used Linux to format usb media from Windows infected machines but do wonder about mount virus worms as many set the default on mount to open and activate a process such as open with

If in doubt I just bin them as the cost is nothing

2 Likes

As many on this Forum and others know I use Tails+Tor which is designed to work in RAM only. Indeed; my Tails+Tor lives on a USB flash drive so can be used on any computer anywhere and when you quit it never leaves a trace that you were ever there let alone what you did… :supervillain: You can write to persistent storage if you wish - cool or what - just ask Edward Snowden. :male_detective: It also has - unlike CAINE - extensive helpful documentation :smiling_face_with_three_hearts: according to TechRadar-Pro and Linux Format :male_detective:
Do not wish to knock gnu software too much - when was the last update :thinking: CAINE 11.0 has been updated 02/Dec/2019
Is it a dead project…?

https://tails.boum.org/

So @Rosika if you have a spare port you could fire up Tails live and take a look at the USB stick or dodgy email whatever. Warning - I know you have the forensic mindset to investigate my solution for yourself - Take care to Stay Safe… :thinking:

ps: Attacks from Israel mass surveillance spyware are more of a problem at present

1 Like

Hi all, :wave:

thanks a lot to all of you for your splendid input. I´m so pleased. :smiley:

@Akito:

In theory it´s really a great suggestion to use CAINE.

That´s secure indeed and would suit my needs (or anybody´s needs for that matter) perfectly. :+1:
Plus: it´s really reassuring that …

The only “negative” point (to me at least) is the size of the download.
Distribution Release: CAINE 11.0 (DistroWatch.com News) mentions its size and apparently it´s 4,138MB! That´s quite hefty. But only for me (I think) as I have to make do with 4.5 GB per month.
Although AldiTalk has changed its policy now and I´ll be able to reign over 5 GB per month next time. :grinning:
Nevertheless thanks so much for your suggestion.

Many greetings from Rosika :slightly_smiling_face:

@Pranav:

Thanks for your views on the matter as well.

That´s an interesting approach.
If I were to do that the only thing left to achieve is to prevent the system (Lubuntu 20.04.2) from automatically mounting the attached USB stick.

I just found out that PCManFM-Qt (which is my default file manager) has an interesting option under “settings”:

Datenträger: Wechseldatenträger automatisch beim Einlegen einbinden

rough translation:
Disk: automatically embed (i.e. “mount”) a removable disk when you insert it

So basically I´d have to uncheck this option. Seems cool.

Thanks so much for your help Pranav. :+1: :heart:

@berninghausen:

Hi Bill,

Yes, that should be do-able. I have BodhiLinux available as a VM using KVM/qemu/virt-manager.
I´ll probably go for that.

Thanks a lot.
Greetings from Rosika :slightly_smiling_face:

@callpaul.eu:

Hi Paul, :wave:

thanks for the stackexchange link. I´ve read it through and it seems quite interesting.

Greetings from Rosika :slightly_smiling_face:

@Andy2:

Hi Andy, :wave:

so good to see you here again.

Also a very good suggestion. And perhaps more practical for my purposes as the download size (according to DistroWatch.com: Tails ) is 1.1 - 1.2 GB.
That would give me the possibility to save up and in the end I could download the ISO. :wink:

Good to know. Thanks for the info. :heart:

Thanks a lot for the compliment. :smiley:
I´ll try to stay safe.

@all:

just a bit of a background as far as my original question is concerned:

In the introduction I used the phrase “hypothetical question”, which is true for one part.

But there´s also the real background of the two verbatim USB-sticks I recently ordered from amazon: Verbatim Store ‘n’ Go V3 USB-Stick - 64 GB.

They should´ve been delivered by a certain date but for some undeclared reason amazon couldn´t make it in time and consequently I received an e-mail telling me that delivery would be delayed.
When I finally received the sticks I was wondering about the sending address which was “Amazon Rücksendezentrum” (i.e. something like “Amazon Return Center”) instead of “Amazon EU SARL”.

I strongly suspect that the sticks were delivered to a wrong location in the first place (hence the delay) and afterwards returned to the “Return Center”. It seems I then got them from there.

Well, I was a bit suspicious at first but when I opened the package I saw the sticks were still in their intact original package.
It may well be I´ve been a bit too paranoid. :blush: :neutral_face:

Thanks to all of you for your help. :heart:

Many greetings.
Rosika :slightly_smiling_face:

1 Like

Hey @Rosika - Not at all - you are just like me - caution; born of experience and research :hugs:
ps Tails+Tor updated every month plus emergency security updates which you must carry out so it can eat into your data allowance - I have 10G for £8 so no problem for this poor pensioner :thinking: :yum: :pleading_face:

1 Like

Yes, its use-case is to mostly mount it live and have already every software you need for forensic investigations ready. So the size is a result of all the pre-installed software it comes with.

However, CAINE releases are compared to other distributions very slow, so if you download this once, this will be the “newest” version for at least a year. Additionally, you don’t always need the newest version anyway. So you can easily survive with the version you download now for a couple of years.

From this perspective, the size shouldn’t be an issue, anymore.

Better be too paranoid, than too laissez faire. :wink:

2 Likes

@Andy2:

Hi Andy,

Thanks for the info. That´s good to know. :wink:

I´ll read up on Tails as it seems very interesting indeed.
I already have some experience with tor. I think it´s tor-browser-bundle which I use. It doesn´t have to be installed in a regular apt-like way. It´s convenient for some sensitive research. :smiley:

Many greetings.
Rosika :slightly_smiling_face:

@Akito:

Hi again,

O.K. That´s a good point. Thanks for letting me know. :+1:

Good to know I´m not alone with my “paranoia”. :wink:

So in view of my latest findings (i.e. the fact that the USB sticks are still in their sealed and unscathed packages):
what do you think: should I be able to use them right away or should I take any of the discussed precautions :question: :thinking:

Greetings from pensive Rosika :neutral_face:

1 Like

I think, one should do whatever feels right. If you would feel bad not being safe, then stay safe. Otherwise, just use them.

If someone would be interested in infiltrating your laptop, they would probably choose a different approach, if you are a normal internet and PC user. I would only be extra safe if you work at a place with high security restrictions of any type or if you are an investigative journalist. These are the only scenarios I could think of, which could be the reasons to launch an attack based on someone intercepting your USB storage devices.

1 Like

Hi @Akito:

Thanks so much for your piece of advice. :heart:

That seems quite plausible.
O.K. then, I´ll still have to make up my mind. Well, I often seem to overthink some scenarios. :wink:

My suspiciousness came up when looking at the amazon sender address “Return Center”, something which had never happened before.
But I could shed some light on the matter by doing some research on the web which could confirm my “explanation” as posted here: #9

Nevertheless I still might implement one of the proposed solutions.

Thanks again for all this great help. :+1:

Many greetings.
Rosika :slightly_smiling_face:

1 Like

I do not wish to cause any upset and I know @Rosika is smart enough to make her own decisions but this “CAINE 11.0 has been updated 02/Dec/2019 - Is it a dead project…?”
IMHO CAINE is one massive security risk. One has to ask how its constituent bits of software are updated - answer - they are not, let alone the front end.
Tails makes the case for regular updates being of VITAL importance - this applies to all apps or software not just theirs! This is common sense and common knowledge, or should be - even for noobs. Imagine if that other infamous gnu OS Trisquel was updated in this highly dubious lax manner instead of approximately weekly there would be uproar and I for one would not touch it with a bargepole!
It does amaze me that so many people are ignorant of security issues with their mobile smart phones - my pixel running FOSS GrapheneOS was updated to AOS v11 way on back so all other users who are unable to update to v11 face increased risk in both apps and firmware, malware and spyware profiling etc.

No need to reply - we all make our own life choices - Take Care

ps I am now so chilled about security issues in the belief that my wife and I have done as much as we are able - so just need to sit back, update and backup often - no problemo - Asta la Vista :baby:

1 Like

Hi @Andy2:

Oh, thank you so much for the compliment. :blush:
I myself wouldn´t go so far as to proclaim that. But I´m ever so grateful for any advice and help I can get here. This indeed helps me make some hopefully well-founded decisions. :kissing_smiling_eyes:

Well this is certainly true. One cannot argue with that. :+1:

Thanks for your additional comments as well. As always: they are highly appreciated.

Many greetings and keep safe.
Rosika :slightly_smiling_face:

2 Likes

you will only be safer if you work in an area with any type of high security restrictions. I think this is very important and I follow it

Olivia Parcker work time developer

1 Like

First of all, I totally agree with @Mina and @Akito in this scenario but I personally prefer to boot from RAM (if you have enough) in such situations to examine any suspicious activity. To do so, I use Extix iso (2.8 gb) like this

It is Debian-based, simple, fast, and it is the live version of Deepin 20.1.

For more details, you can check:
https://www.extix.se/?p=772

1 Like

Install a quality antivirus. In general, until you run any file from the flash drive, even if there is a virus on it, it will not get into the computer. Automatic opening of a folder with files on a USB flash drive does not pose a threat, as far as I know.

1 Like