Mac OS X: What is the safest way to access an unknown USB storage device?

So you've got yourself a hot agent and want to examine it? This is going to be fun!

First, do not simply plug it in and look around. Even if you were to create a 'sandbox' Finder, that would not protect you from potential malware. So how do you actually see the goods? Well, you need to perform a forensic examination! Here's what you'll need:

  • A Virtual Machine is crucial so you do not infect your machine. Make sure you configure it so that the VM does not have network access.
  • A forensic imager. I use Helix or the Autopsy suite. FTK Imager works well if you have a Windows VM.
  • A write blocker to protect the integrity of the USB device being examined. This means preventing all writes to the target USB. This keeps a pristine record of the target but also prevents some types of malware from altering themselves on the target USB. Personally I say to use a hardware write blocker because they are more reliable (just go to Amazon and find one).

Configure your VM with preferably a Linux distro (like Helix). Now, you simply attach the write blocker to your PC and set that up. Open your imager program and finally plug in your hot USB stick.

You now take a forensic image of this drive, either directly into RAM (if you have the capacity) or onto another (non-OS) drive. It may take a while depending on how large the target is. Once you have the image, you can look through it in any number of ways using that same imager program (FTK makes it super simple).

The whole concept is called incident response and SANS has many good documents on what to do. Here is one. Also, I used this book to learn a lot about forensics. I know a guy taking his CISSP and he also just finished it so it is still relevant.

Good luck and have fun!

In response to your comment, malware can indeed spread without you knowing it once you connect an infected device. The best way to protect against that is to run the examination in a VM with a different OS than the target. The different OS helps in disallowing the malware from running, and the VM acts as damage control should the malware break out and run anyway.

The most common and easiest way malware can spread like this would be the 'autoplay' feature, but if you actually consider what is happening behind that feature you can see that there are certain things from that external media being loaded into RAM and written to your PC's hard drive (in the form of metadata/logs/etc). All* an attacker has to do is leverage that threat vector.

\* This is no small feat, however :)

It's not all gloom and doom though. All you have to do is toss up a properly configured VM and you've essentially stopped 99.99% of that particular threat.
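One way to carry out the acquisition step the answer describes, as an added example rather than anything from the answer: a POSIX shell script for a Linux VM that images the stick with dd, records source and image hashes, and mounts the image read-only with execution disabled. It assumes GNU coreutils (sha256sum, dd) and a root shell for the mount and blockdev steps; the device path (for example /dev/sdb) is a placeholder you pass in.

```shell
#!/bin/sh
# Added example (not from the answer above): image a USB device bit-for-bit,
# record hashes for the chain of custody, and mount the image read-only.
# Assumes a Linux VM with GNU coreutils (dd, sha256sum); the device path
# (e.g. /dev/sdb) is a placeholder that you supply on the command line.
set -eu

# Print only the SHA-256 digest of a file or block device.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_device SOURCE DEST: copy SOURCE to DEST, continuing past read errors.
# conv=noerror,sync pads unreadable blocks with zeros up to bs, so bs must
# equal the device's sector size (512 here) or the image tail gets padded.
# Source and image hashes are written to DEST.sha256; a mismatch means either
# an unreadable block was padded or the source changed during acquisition.
image_device() {
    src=$1; dest=$2
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$dest")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$dest" > "$dest.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE: recompute the image hash and compare it with the value
# recorded at acquisition time (second line of IMAGE.sha256). Returns non-zero
# if the image has been altered since it was taken.
verify_image() {
    recorded=$(sed -n '2p' "$1.sha256" | cut -d' ' -f1)
    [ "$(hash_of "$1")" = "$recorded" ]
}

# mount_image_readonly IMAGE MOUNTPOINT: expose the image through a loop device
# so it can be browsed without ever touching the original stick. ro forbids
# writes; noexec,nosuid,nodev stop anything on the image from being executed
# or from acting as a setuid binary or device node. Requires root.
mount_image_readonly() {
    mount -o ro,noexec,nosuid,nodev,loop "$1" "$2"
}

# Software fallback when no hardware write blocker is available: mark the
# block device read-only in the kernel before the first read. Requires root.
software_write_block() {
    blockdev --setro "$1"
}
```

Work on the image from then on; the original stick stays behind the write blocker and is never mounted.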