8

As from the subject, I want to see what's inside. I am seriously interested in finding the owner if possible and returning them, but I am worried it could be an attempt at social engineering. I own a MacBook Pro Intel with OS X v10.6 (Snow Leopard). It is a very important install.

What would you do in my situation if you want to see the content without risks? Any proposal is welcome.

I decided not to plug them in, and I brought them to the hotel reception. They will forward it to the police.

Peter Mortensen
Stefano Borini
  • Of course, you don't know for sure it's a drive to start with. Even if the casing tells you it's a drive, it *could* be just any kind of device. – Arjan Oct 31 '09 at 12:18
  • what's a drive? I always called them like this. – Stefano Borini Oct 31 '09 at 12:34
  • He means that while it looks like a USB stick (or usb drive, usb key, usb dongle, memory stick, memory key, file tube (no, really), or one of any other hundreds of possible names because it wasn't standardized), it could actually be something else entirely, designed to LOOK like a USB stick - however I don't think it could do any damage by itself. – Phoshi Oct 31 '09 at 12:42
  • For example, a bluetooth USB dongle or a proprietary wireless mouse receiver could easily look like a USB flash drive. (No harm there, of course.) But to truly fool someone into social engineering, whatever is printed on the casing is not necessarily true. For starters, I would print 10GB USB 2.0 on a 128MB USB 1.0 flash drive if I wanted someone to pick it up... ;-) – Arjan Oct 31 '09 at 13:00
  • They were the real thing. also, pretty large. – Stefano Borini Oct 31 '09 at 13:02
  • Ah! Now we'll never know what's inside :P – Phoshi Oct 31 '09 at 13:07
  • Before I picked it up I did not know either, still I was living fine. – Stefano Borini Oct 31 '09 at 13:56
  • 1
    Now my only hope is that it goes back to his legitimate owner. I did my part – Stefano Borini Oct 31 '09 at 13:57
  • *They were the real thing. also, pretty large.* -- aha, so you *did* plug them in after all. Or how would you know...? ;-) – Arjan Oct 31 '09 at 14:16
  • Because the size in GB was written over them, and the brand was quite known – Stefano Borini Oct 31 '09 at 15:22
  • I'm complicating things, but my point was: when afraid of social engineering, then why trust the casing of the device you found? (But unless you are working at some nuclear power plant, or secret government agency, or for a company that has very powerful and evil competitors, of course chances are zero you "accidentally" found something that *looks* like a flash drive but in fact is a computer chip that tries to do other things...) – Arjan Oct 31 '09 at 17:00
  • 1
    @Arjan: since Stefano didn't reply after your last comment, can we assume you were right about his job (that is, he is working at some nuclear power plant, or secret government agency, or for a company that has very powerful and evil competitors)? :D – dag729 Jun 09 '10 at 09:28
  • *> For starters, I would print 10GB USB 2.0 on a 128MB USB 1.0 flash drive if I wanted someone to pick it up... ;-)*   I would be more likely to pick up the smaller one. You can get a large drive for peanuts these days, but a nice, small flash-drive to use as a simple DOS boot disk or to put my mother’s 10 MP3s which take up only ~80MB on is harder to come by (especially for a reasonable price—read <$1-2). – Synetech Nov 18 '12 at 03:47
  • @davidpostill this question is 7 years old. The linked duplicate is from yesterday. It's the other one being duplicate of this one, not the other way around. – Stefano Borini May 06 '17 at 15:11
  • @StefanoBorini An older question can be a duplicate of a newer one if the newer question has better answers. See [Should I vote to close a duplicate question, even though it's much newer, and has more up to date answers?](//meta.stackexchange.com/a/147651) – DavidPostill May 06 '17 at 15:51
  • @StefanoBorini, I like some of the answers here better, but the other thread deals with an important consideration not covered here, the potential for a "killer USB". It's worth directing readers to the other thread based on coverage of that issue. – fixer1234 May 06 '17 at 18:03
  • @DavidPostill this makes no sense, for three reasons: 1. the new question should have never got to the point there are better answers, because it's the question to be duplicated, and it should have been closed even before getting answers. 2. if the answers are better, they should be part of this question, not that one. 3. my question can be edited and expanded to cover any additional cases. – Stefano Borini May 08 '17 at 13:37
  • @StefanoBorini If you disagree, the correct place for this discussion is on [meta], not in comments. – DavidPostill May 08 '17 at 13:38
  • The correct place is to delete this answer. Contributing to you guys is like getting punched in the face. – Stefano Borini May 08 '17 at 14:15
  • 2
    Please do not vandalize your posts. Once you've posted a question, you have licensed the content to the Super User community at large (under the CC-by-SA license). If you would like to disassociate this post from your account, see [What is the proper route for a disassociation request](https://meta.stackoverflow.com/questions/323395)? – CalvT May 08 '17 at 14:20
  • @calvt so what's the point of a delete button if I can't delete anything? – Stefano Borini May 08 '17 at 16:30
  • @StefanoBorini, why are you so concerned about the direction of the duplicate? True, you posted a question earlier, but age isn't always the best basis for linking, and the direction doesn't reflect on your post or affect past or future voting. Killer USBs weren't even a thing when you asked your question. With technology questions, it's often good to try to attract new, current answers after many years. Sometimes it's a tough decision for the community as to which is the best direction for the chain of threads. (cont'd) – fixer1234 May 08 '17 at 16:47
  • I answered on the newer post to deal specifically with killer USBs, but I cited this thread in my answer, which may direct additional traffic here. To answer your question about the delete button, you can delete your own question before other people are affected. Once people have taken the time to answer, it isn't fair to those authors or readers to delete the question. You've created a community resource. The question and answers are fine and have attracted a lot of upvotes for yourself and other authors. Why would you want to delete the thread? – fixer1234 May 08 '17 at 16:53
  • @StefanoBorini If you'd clicked the delete button, you wouldn't have vandalized your post. Vandalizing your post is when you replace a post's contents (including, say, the body) with gibberish. Deleting is only allowed when other people haven't contributed things that you'd be making worthless if you deleted. – Nic May 08 '17 at 17:24
  • @fixer1234 I am not concerned with the direction of the duplicate. I am tired of contributing to a mechanism where every contribution eventually gets rewarded with a punch to the face. – Stefano Borini May 09 '17 at 06:45

5 Answers

18

Disconnect from network. Boot from CD. Do not mount HDD.

Plug in USB drives, mount them and poke around.

Tamara Wijsman
briealeida
  • that was my idea too, however... Linux for intel mac is a pain. If I boot OSX install cd, the HDD gets mounted in any case. – Stefano Borini Oct 31 '09 at 10:27
  • is it? I've often run ubuntu livecd countless times with no problems, no hdd mounted. osx install cd of course is another matter, plus it's definitely not linux. care to detail your problems? – ptor Oct 31 '09 at 14:14
  • kernel panics at boot. apic troubles. tried many solutions as proposed on the net, with no result. – Stefano Borini Nov 01 '09 at 12:24
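
An added example, not part of any answer in this thread: on a Linux live system booted as described above, the interface classes the device enumerates with can be read from sysfs before anything is mounted, which addresses the comments' point that the casing does not prove the device is a drive. The function names and the sample trees are constructed for illustration, and `/dev/sdX1` is a placeholder.

```shell
# Classify a USB device by its interface classes, as Linux exposes them in
# sysfs under /sys/bus/usb/devices/<port>/<port>:<cfg>.<if>/bInterfaceClass.

# Print one class name per interface found in the device directory $1.
usb_iface_classes() {
    for f in "$1"/*/bInterfaceClass; do
        [ -r "$f" ] || continue
        code=$(tr -d '[:space:]' < "$f" | tr 'A-F' 'a-f')
        case "$code" in
            08)    echo mass-storage ;;
            03)    echo hid ;;          # keyboard/mouse: can send input
            02|0a) echo cdc-comm ;;     # modem or USB network adapter
            e0)    echo wireless ;;     # Bluetooth and similar
            *)     echo "other-$code" ;;
        esac
    done
}

# Verdict: storage-only, mixed (storage plus something else),
# not-storage, or unknown (no interfaces readable).
usb_verdict() {
    classes=$(usb_iface_classes "$1" | sort -u)
    if [ -z "$classes" ]; then echo unknown
    elif [ "$classes" = "mass-storage" ]; then echo storage-only
    elif printf '%s\n' "$classes" | grep -qx mass-storage; then echo mixed
    else echo not-storage
    fi
}

# Build a constructed sample tree (not a real device) so this runs anywhere.
make_sample() {   # $1 = target dir, remaining args = interface class codes
    root="$1"; i=0; shift
    for c in "$@"; do
        mkdir -p "$root/1-2:1.$i"
        echo "$c" > "$root/1-2:1.$i/bInterfaceClass"
        i=$((i + 1))
    done
}

tmp=$(mktemp -d)
make_sample "$tmp/stick" 08        # plain flash drive
make_sample "$tmp/odd" 08 03       # storage that also presents a keyboard
echo "stick: $(usb_verdict "$tmp/stick")"
echo "odd:   $(usb_verdict "$tmp/odd")"
# Only after a storage-only verdict, mount without write or execute rights:
#   mount -o ro,noexec,nosuid,nodev /dev/sdX1 /mnt/found
```
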
11

Why look at the content? I can understand that you are curious, but the content of those drives is none of your business. If you lost a drive, would you want others to look at the content?

Leave some notes in the area where you found them or bring them to the lost property office if you have one.

Peter Mortensen
innaM
  • 4
    Here is Tokyo. I don't know how to write, I don't know where I was, I don't know how to put a post it note in the middle of the street. If I find a wallet, I would look for personal documents. Why shouldn't I do the same for a lost drive? – Stefano Borini Oct 31 '09 at 10:12
  • 7
    And if I lost my drive, it would contain an encrypted image, with a clear text file containing my email address. – Stefano Borini Oct 31 '09 at 10:13
  • 2
    Further to this - in the rarest circumstance of the drives actually being of some importance (e.g. government / military), even attempting to access them could wind you up in a whole heap of trouble. – Ian Oct 31 '09 at 10:46
  • 2
    So chances are it's all Japanese after you plug it in... If you can't read that, and given iAn's comment, I guess dropping it off at some police station is all your Scout's Duty can do then? – Arjan Oct 31 '09 at 11:25
  • Because I speak no Japanese and they 99.9% speak no English. I was hoping that the USB stick contains what I said is on mine, "if found please send mail to " and then an encrypted file, but maybe I'm a dreamer. – Stefano Borini Oct 31 '09 at 12:28
  • I know plenty of dreams that I can guarantee are a Very Bad Idea (TM) – Stefano Borini Oct 31 '09 at 12:53
4

It could be full of nanites that are going to crawl into your computer and turn it into the master computer for the super-secret Tristan da Cunha nuclear program. :)

All kidding aside, with the possibility that it could have some form of malware, government secrets, terrorist documents, data used in identity theft, illegal pornography, or child pornography, your best bet is to turn it over to law enforcement in whatever jurisdiction you found it in with as much information about where you found it as possible. Leave it to them to figure out what to do with the USB stick.

Mike Chess
1

Just open it! OS X doesn't have any form of AutoRun, and (unlike FireWire) USB does not allow Direct Memory Access attacks. So looking through the USB stick and not executing anything would be perfectly safe.

Synetech
Phoshi
  • 1
    The op states USB *drive*, I suppose it could be some sort of starship engine, in which case *plug it in faster* :P – Phoshi Oct 31 '09 at 11:09
  • I've no idea, been a Windows/Linux guy all my life, but it sounds plausible to me. – Phoshi Oct 31 '09 at 11:10
  • Unless my Google-Fu is failing me, there are no USB DMA vulnerabilities on a Mac. So, cleaned up my comments a bit (and added a link to FireWire vulnerabilities as a reference). – Arjan Oct 31 '09 at 12:16
  • That's indeed my worry. That plugging specially crafted stuff could compromise my security. I know that mac is not windows, but you never know. – Stefano Borini Oct 31 '09 at 12:30
  • Aye. If it *is* a social engineering thing, the attacker would most likely aim the device at Windows machines, partially because there are more people using them, and partially because you're more likely to get somebody who would plug in a USB drive without thinking, triggering the trap. I think you'd be safe, but, of course, it never hurts to be careful with these things. – Phoshi Oct 31 '09 at 12:52
  • Just be careful you don't get complacent and somehow end up triggering rootkit.{exe,app,sh}: One rootkit, triple OS. And because everyone knows that linux and mac don't have viruses, it's safer to do it. And therefore an easier target. (You call yourself a fanboi, Kevin? You're a sorry excuse for one) – Kevin M Nov 01 '09 at 04:31
  • It'd still have to execute, Kev, which wouldn't happen if you were just poking around. – Phoshi Nov 01 '09 at 10:35
1

If booting to a LiveCD is not an easy option, do you have any virtualization software? You could create a virtual machine and connect the device to that isolated machine. I've done that in the past using VMware Workstation. You could probably download an eval copy of VMware Workstation, which allows sharing of USB devices.

I would be careful that you know the USB device is going to be connected to the VM and not the host. I've done this enough in the past that I was comfortable knowing that the device would be connected to the VM and not my host machine.

To be safer, make sure the VM OS does not have any sensitive information or connectivity to sensitive information (i.e. network connectivity or other sharing with the host).

Edit: I've actually done this too. Turns out the drive contained the person's entire work portfolio. I was able to track down her contact information from the content on the device. She was so relieved when I returned the device to her. It was a very attractive drive too. I asked her if she knew where I could get one, but she got it as a gift in Korea, so she didn't know where I could find one. It was very similar to the Pico USB flash on Thinkgeek, except that the pins weren't exposed.

Jason R. Coombs