# Unknown USB Stick

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F8jOVaYJxhBVjhnX40tn4%2Funknown_usb.jpg?alt=media\&token=76409f29-60f1-490d-a7c9-66116b27081b)

### 1. Introduction

* An unknown USB Stick was found at the desk of an employee of your company.
* The employee and his coworkers consider the USB Stick suspicious: when he plugged it into his computer, nothing showed up (no drive appeared).
* Another analyst has already created an image of the stick using `dd` and made it available to you:

{% file src="<https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FP47o8BgSakAfCZ6nv0WD%2FUsbStickImage.zip?alt=media&token=387d7ef3-d449-4bfe-ae3f-c1949d2e53a7>" %}

Your Task:

* Describe how you retrieved the flag.
* Describe why nothing showed up when the USB Stick was inserted by the employee.
* Describe what has likely happened to the USB Stick.
* Make a provable statement on whether the USB Stick is likely malicious or not.
* Make a statement on how the employee who found the USB Stick should remediate the situation and how he should handle similar situations in the future.
* State why or why not file carving is useful in this scenario.

BONUS: There is a really simple way in order to just retrieve the flag from the image. Can you describe it?

### 2. Analysis

`unzip usbimage.zip`

`file usbstick.dd`

Try to mount the image file read-only. Work on a copy of the image and record its hash (e.g. with `sha256sum`) before doing anything else, since some of the steps below write to the image:

`mkdir analysis`

`mount -o loop,ro usbstick.dd /home/hacker/forensic/analysis`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FrpfIlp1wcjWiARW8VVmF%2Fusb_01.png?alt=media\&token=6be6cfaa-83af-49bf-82ae-7146ecd88375)

I couldn't mount the image file yet: `mount` finds no filesystem at byte 0 of the image. It seems that there is no (valid) partition table on the image, which is also why the employee's operating system showed nothing when the stick was plugged in.

Try to restore partition with testdisk:

`testdisk usbstick.dd`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FXu9o2GnWqTK0v0AYQXLN%2Ftestdisk_01.png?alt=media\&token=7094a596-3d69-484c-a07c-bf809c0b5b0b)

Testdisk did discover a FAT32 partition by scanning the image for a filesystem boot sector! Write the recovered partition table back to the image file (this modifies the image, so only do it on a working copy):

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FCL4JVgQ9uZEcSlzCgQHX%2Ftestdisk_02.png?alt=media&#x26;token=3d3424d6-6298-4de6-a6bc-75c821aed371" alt=""></div>

`mount -o loop,ro usbstick.dd /home/hacker/forensic/analysis`

Still an error: without an `offset`, `mount -o loop` expects a filesystem at byte 0 of the image, but byte 0 now holds the restored partition table, not the FAT32 boot sector. Let's use fdisk to get the start sector of the partition:

`fdisk -l usbstick.dd`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FEf0uqdxkMLEiwoKjVU6z%2Fusb_02.png?alt=media&#x26;token=5bfc4493-3348-4a0e-8816-727d23e5c3c2" alt=""></div>

Mount the image again, this time at the byte offset of the partition (start sector 2048 times 512 bytes per sector):

`mount usbstick.dd analysis/ -o ro,offset=$((2048*512))`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FjZUIKxvtKBWBPrWrAX1U%2Fusb_03.png?alt=media\&token=9e0c589f-ec23-4633-ae48-cb0c0b512b89)
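The steps above (mount fails, testdisk finds the FAT32 boot sector, `fdisk -l` gives the start sector, mount with `offset=2048*512` works) can be redone by hand. The following is an added example and not part of the original write-up or of the testdisk/fdisk tools: it parses the MBR partition table of a raw image, falls back to a testdisk-style scan for FAT boot sectors when the table is empty, and computes the `offset=` value for `mount`. It assumes an MBR-partitioned stick with a FAT volume, as the write-up's output indicates; the image it runs on is constructed in memory and is not the exercise image, and all function names are the example's own.

```python
"""Find the filesystem in a raw disk image whose MBR partition table is empty.

Added example, not part of the original write-up: it redoes by hand what
`fdisk -l` (read the partition table) and testdisk's partition search (scan the
disk for filesystem boot sectors) did, so the `offset=` value for mount can be
computed without either tool. The image used below is constructed in memory and
is NOT the exercise image: 3 MiB of zeros, an MBR with a signature but no
entries, and a FAT32-style boot sector at LBA 2048.
"""
import struct
from typing import Dict, List, Optional

SECTOR = 512
MBR_SIG = b"\x55\xaa"


def parse_mbr(image: bytes) -> List[Dict[str, int]]:
    """Return the used entries of the MBR partition table in sector 0.

    Entry i lives at byte 446 + 16*i: status(1) CHS(3) type(1) CHS(3)
    LBA start(4, LE) sector count(4, LE). An all-zero table, as found on
    the stick in this exercise, yields []: that is why `mount -o loop` on
    the whole image failed, there is no filesystem at byte 0.
    """
    if len(image) < SECTOR or image[510:512] != MBR_SIG:
        return []
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", image, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue
        parts.append({"type": ptype, "lba_start": lba, "sectors": count,
                      "byte_offset": lba * SECTOR})
    return parts


def looks_like_fat_boot_sector(sec: bytes) -> bool:
    """Cheap testdisk-style sanity check of a FAT boot sector (BIOS parameter block)."""
    if len(sec) < SECTOR or sec[510:512] != MBR_SIG:
        return False
    if sec[0] not in (0xEB, 0xE9):            # x86 jump over the BPB
        return False
    bytes_per_sector, spc = struct.unpack_from("<HB", sec, 11)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        return False
    # sectors per cluster must be a power of two between 1 and 128
    return 0 < spc <= 128 and (spc & (spc - 1)) == 0


def scan_for_fat_boot_sectors(image: bytes) -> List[int]:
    """Byte offsets of every sector that passes the boot sector check.

    This is testdisk's trick: ignore the (missing) partition table and look
    for filesystem headers directly. FAT32 keeps a backup copy of its boot
    sector at sector 6 of the volume, so a real image usually returns two
    hits 3072 bytes apart; the first one is the volume start.
    """
    return [off for off in range(0, len(image) - SECTOR + 1, SECTOR)
            if looks_like_fat_boot_sector(image[off:off + SECTOR])]


def mount_offset(image: bytes) -> Optional[int]:
    """Value for `mount -o ro,offset=<N>`: partition table first, boot sector scan as fallback."""
    parts = parse_mbr(image)
    if parts:
        return parts[0]["byte_offset"]
    hits = scan_for_fat_boot_sectors(image)
    return hits[0] if hits else None


def with_partition_entry(image: bytes, lba_start: int, sectors: int, ptype: int = 0x0C) -> bytes:
    """Copy of the image with one MBR entry written (0x0C = FAT32 LBA), i.e. what
    testdisk's 'Write' step did. Only ever do this to a working copy of evidence."""
    img = bytearray(image)
    struct.pack_into("<B3xB3xII", img, 446, 0x80, ptype, lba_start, sectors)
    img[510:512] = MBR_SIG
    return bytes(img)


def build_sample_image() -> bytes:
    """Constructed test image (not the exercise image): zeroed MBR table,
    FAT32-style boot sector at LBA 2048, nothing else."""
    img = bytearray(3 * 1024 * 1024)
    img[510:512] = MBR_SIG                      # signature ok, all four entries zero
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x58\x90"                   # jmp short; nop
    bs[3:11] = b"mkfs.fat"                      # OEM name
    # BPB: 512 B/sector, 8 sectors/cluster, 32 reserved, 2 FATs, 0 root entries,
    # total16=0, media 0xF8, spf16=0, 63 spt, 255 heads, 2048 hidden, 4096 total32
    struct.pack_into("<HBHBHHBHHHII", bs, 11, 512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255, 2048, 4096)
    bs[82:90] = b"FAT32   "
    bs[510:512] = MBR_SIG
    img[2048 * SECTOR:2049 * SECTOR] = bs
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()              # for a real image: open(path, "rb").read()
    print("MBR entries:", parse_mbr(sample))   # [] -> nothing for the OS to mount
    print("boot sectors at:", scan_for_fat_boot_sectors(sample))
    print("mount -o ro,offset=%d" % mount_offset(sample))
```

On the sample image `parse_mbr` returns an empty list (the state the stick was in), the scan finds the boot sector at byte 1048576, and `with_partition_entry` reproduces what testdisk wrote; `parse_mbr` on that copy then returns the same offset `fdisk -l` reported.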

### 3. Retrieve the flag

The mounted partition contains the file `ThisIsTheFile.txt`; read it:

`cat ThisIsTheFile.txt`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FIlV6toqJfq46hrvRPPOM%2Ffalg01.png?alt=media&#x26;token=9d2a3bf9-2da7-4dbc-b440-8681af500a70" alt=""></div>

As an alternative (this is the bonus answer) the flag can be read straight from the raw image with `strings`, because losing the partition table does not touch the file contents themselves:

`strings usbstick.dd`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fr1QokWLca4LpxQj1TCrP%2Ffalg02.png?alt=media&#x26;token=6dbd0be9-a182-4150-8e24-558337bc2d53" alt=""></div>

### 4. Mitigation and some thoughts

Start an awareness campaign for your employees: never trust an orphaned USB Stick, even if it's a gift from Santa Claus!!! A found stick goes to the security team, not into a workstation.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FBca6k0GPa9zt6Cp3sgzb%2Fusb_santa.png?alt=media&#x26;token=7a4ae991-ce48-474f-b326-8cc78337ce98" alt=""></div>

I wasn't able to locate malicious files on the image file! It rather looks like the USB Stick was erased with a quick format: large parts of the image consist of `0000 0000 0000` sectors (see image below). Keep in mind what this does and does not prove: a `dd` image captures only the storage contents, not the controller firmware, so a clean image rules out malicious files but not a device that misbehaves at the USB level.

`hexeditor usbstick.dd`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FLT01yo8UuPhaw1T6j5sb%2Fhex01.png?alt=media\&token=d660c7fe-f551-41f2-b2bf-0a80fdb541f9)

File carving with tools like [photorec](https://www.cgsecurity.org/wiki/PhotoRec), [foremost](https://cas-cyber.gitbook.io/cas-cybersecurity/forensic-exercises/disk-forensics/filecarving-with-foremost), [scalpel](https://cas-cyber.gitbook.io/cas-cybersecurity/forensic-exercises/disk-forensics/filecarving-with-scalpel) or [bulk extractor](https://cas-cyber.gitbook.io/cas-cybersecurity/forensic-exercises/disk-forensics/bulk-extractor) is always a good choice when the partition isn't readable anymore: carvers ignore the partition table and the filesystem metadata and recover files purely from known headers and footers in the raw bytes. Here it would have recovered the flag file even without testdisk, at the price of losing file names and timestamps, and fragmented files may come back incomplete.
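To make the point concrete, here is an added example (not part of the original write-up, and not the internals of photorec, foremost or scalpel) of the principle those tools share: scan the raw bytes for file signatures and cut the files out, with no help from the MBR or the FAT. It carves PNGs by walking and CRC-checking their chunk structure and JPEGs by the plain header/footer method, so the difference between a structure-aware and a footer-based carve is visible. The image is constructed in memory and is not the exercise image; the function names and the sample files are the example's own.

```python
"""Header/footer file carving on a raw image, independent of any partition table.

Added example, not part of the original write-up and not how photorec or
foremost are implemented; it shows the principle they share: walk the raw
bytes, look for known file signatures and cut the file out, with no help from
the MBR or the FAT. The image is constructed here and is NOT the exercise
image: 1 MiB of zeros with a tiny PNG at byte 70000 (deliberately not sector
aligned) and a JPEG-shaped blob at byte 300000.
"""
import struct
import zlib
from typing import List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"          # start of image + first marker byte
JPEG_EOI = b"\xff\xd9"              # end of image
MAX_JPEG = 32 * 1024 * 1024         # give up on a footer search beyond this

Carved = Tuple[str, int, bytes]     # (kind, byte offset, file contents)


def carve_png(image: bytes, start: int) -> bytes:
    """Structure-aware carve: walk PNG chunks from `start` until IEND.

    Each chunk is length(4, BE) type(4) data crc(4, BE). Verifying the CRC
    rejects random data that happens to begin with the PNG signature.
    Returns b"" if the chunk stream is broken (e.g. the file was overwritten).
    """
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(image):
        length, ctype = struct.unpack_from(">I4s", image, pos)
        end = pos + 12 + length
        if end > len(image) or not ctype.isalpha():
            return b""
        crc = struct.unpack_from(">I", image, end - 4)[0]
        if (zlib.crc32(image[pos + 4:end - 4]) & 0xFFFFFFFF) != crc:
            return b""
        pos = end
        if ctype == b"IEND":
            return image[start:pos]
    return b""


def carve_jpeg(image: bytes, start: int) -> bytes:
    """Footer-based carve (the classic scalpel/foremost approach): cut from the
    SOI marker to the first EOI marker. Fragmented files come back wrong this way."""
    end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + MAX_JPEG)
    return image[start:end + len(JPEG_EOI)] if end != -1 else b""


def carve(image: bytes) -> List[Carved]:
    """Run every carver over the image; skip headers that lie inside an already
    carved file (a JPEG can legitimately sit inside another file, for instance)."""
    found: List[Carved] = []
    taken: List[Tuple[int, int]] = []
    for kind, header, carver in (("png", PNG_SIG, carve_png), ("jpg", JPEG_SOI, carve_jpeg)):
        pos = image.find(header)
        while pos != -1:
            if any(a <= pos < b for a, b in taken):
                pos = image.find(header, pos + 1)
                continue
            blob = carver(image, pos)
            if blob:
                found.append((kind, pos, blob))
                taken.append((pos, pos + len(blob)))
                pos = image.find(header, pos + len(blob))
            else:
                pos = image.find(header, pos + 1)
    return sorted(found, key=lambda f: f[1])


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def build_sample_png() -> bytes:
    """Constructed 1x1 red RGB PNG, valid for any image viewer."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")     # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_image() -> bytes:
    """Constructed raw image: no partition table, no filesystem, two files in the dark."""
    img = bytearray(1024 * 1024)
    png = build_sample_png()
    img[70000:70000 + len(png)] = png
    jpg = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 4 + JPEG_EOI   # JPEG shape only
    img[300000:300000 + len(jpg)] = jpg
    return bytes(img)


if __name__ == "__main__":
    for kind, off, data in carve(build_sample_image()):
        print(f"{kind} at offset {off}: {len(data)} bytes")
```

Running it on the sample image returns the PNG at offset 70000 byte-for-byte and the JPEG-shaped blob at offset 300000, without ever looking at sector 0. What it cannot return is a file name, a timestamp or a directory path; those live in the FAT directory entries, which is why mounting the restored partition, as done above, remains the better first step when it works.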
