Unknown USB Stick

1. Introduction

An unknown USB Stick was found at the desk of an employee of your company.
The employee and his coworkers found the USB Stick to be suspicious, since when the worker plugged it into his computer, nothing showed up.
Another analyst has already created an image of the found stick using dd and made it available to you:

2MB

UsbStickImage.zip

2. Analysis

unzip usbimage.zip

file usbdisk.dd

Try to mount the image file

mkdir analysis

mount -o loop,ro usbstick.dd /home/hacker/forensic/analysis

I couldn't mount the image file yet. It seems that tere is no partition on the image file.

Try to restore partition with testdisk:

testdisk usbstick.dd

Testdisk did discover a FAT32 partition! Write changes to image file:

mount -o loop,ro usbstick.dd /home/hacker/forensic/analysis

Get still an error. Let's try fdisk to get the start sector:

fdisk -l

Try to remount image file:

mount usbstick.dd analysis/ -o ro,offset=$((2048*512))

3. Retrieve the flag

cat ThisIsTheFile.txt

As an alternative we can also use the command strings:

strings usbstick.dd

4. Mitigation and some thoughts

Start an awareness campaign for your employees. Never trust an orphaned USB Stick even it’s a gift from santa claus!!!

I wasn't able to locate maliscious files on the image file! It rather look that the USB stick was erased with a quick format. There are a lot of 0000 0000 0000 sectors. (See image below)

hexeditor usbstick.dd

Filecarving with tools like photorec, foremost, scalpel or bulk extractor are always a good choice if the partition isn't readable anymore!

PreviousMount disk image (raw)NextUSB Stick Filecarving

Last updated 2 years ago