
Williams said the best way to forensically examine a suspect USB drive is by plugging the device into an isolated Linux-based computer that doesn't automatically mount the drive to the operating system.

"We would then create a forensic image of the USB and extract any malware for analysis in the lab," he said. "While there is still a very small risk that the malware targets Linux, that's not the normal case."

That's an OK start, but you not only want to prevent it from auto-mounting the filesystem, you want it to not even auto-configure any USB HIDs presented to the OS. And even then that may not be enough if there are flaws deep in the USB stack that are being exploited. Ideally you'd have an analyzer in the middle that records everything and allows analysis later, think Wireshark or Fiddler.



My null hypothesis on reading this article is that the Secret Service did exactly what Mr "NSA Hacker" Williams suggested onto an isolated Linux laptop -- and in fact this was sophisticated enough malware to start attacking it when it wasn't even mounted. So the agent shut it down and sent it all off to a better equipped lab.

Which is actually pretty sane procedure.

I think TechCrunch here is trying to sell us on the idea that we're all smarter than the stupid Secret Service in order to get clicks through manufactured outrage.


For people unfamiliar with this strategy, check out a commercialized version, the USB Rubber Ducky.

https://shop.hak5.org/products/usb-rubber-ducky-deluxe


Or the USBNinja that crams that functionality into a cable identical to major vendors', and is triggerable up to 100m away via Bluetooth: https://lab401.com/products/usbninja


That is terrifying.


> While there is still a very small risk that the malware targets Linux

I found that statement surprising. For industrial or nation-state espionage I would expect people to target Linux in 2019.


Why? At least around here both of those sectors are still dominated by Windows with very few exceptions. Plus, in the specific incident, we're talking about a resort. The likelihood of that having valuable targets for data exfiltration running anything other would be slim to none (with maybe the exception of the odd router, wifi AP or similar that you'd have to know details of beforehand to attack).

Also keep in mind that the most likely accessible targets would be end user type machines, in that area I'd understand if you carry something exploiting a Mac but Linux? That's just virtual dead weight.


I'm honestly surprised by the statement you quoted. You don't plug a random piece of evidence into your PC, not even for analysis, not even on a pseudo-isolated thing. From what I've seen in the private space you'd at least use something like a Logicube Talon/Falcon or similar device that is certified for forensic use and get an image of that storage medium, then you'd analyse that image.

edit: looks like their products have another name nowadays, basically something that's forensically sound and allows you to create storage images


Are there any open-source or commercial systems that do anything close to this? Does there exist such a forensically sound OS that should be used?

The best I've found for disk imaging is using Windows Enterprise (or similar, stripped down) with SafeBlock, but that seems less than ideal. I'd love to find a *nix alternative.


An out-of-the-box Linux installation with a few changes should be enough. Though you should probably use a hardened distribution. The above poster basically listed the final steps. Go to the kernel and build a whitelist of valid USB devices (the machine's keyboard and mouse) to prevent it from talking to a "keyboard" you plug in. Turn off auto-mounting features, record traffic so you can double check. And keep the machine physically air-gapped.
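The steps listed in the comment above (kernel-level allowlist of the bench's own keyboard and mouse, auto-mount off, traffic recorded) and the earlier comment's point about not auto-configuring HIDs can all be done with stock Linux facilities. The script below is an added example written for this thread, not code from any commenter or from the article. It assumes the standard sysfs layout (`/sys/bus/usb/devices/<dev>/{idVendor,idProduct,authorized}` and `/sys/bus/usb/devices/usbN/authorized_default`), a host running udisks2 for the no-mount rule, and `usbmon` plus `tcpdump` for the capture; the VID:PID values in the allowlist and the fake device tree are constructed placeholders, not real bench hardware.

```shell
#!/bin/sh
# Added example for this thread, not from the article or any commenter.
# Technique: the kernel's USB authorization interface. With authorized_default=0
# on each root hub, a newly plugged device is enumerated (you still see its
# descriptors) but never configured, so no HID or storage driver binds to it.
# Already-present devices are then kept only if their VID:PID is allowlisted.
set -eu

# Placeholder allowlist (assumed values): replace with the VID:PID of the
# bench's own keyboard and mouse as shown by `lsusb`.
ALLOWLIST="${ALLOWLIST:-046d:c31c 046d:c077}"

# usb_allowed VID PID -> exit status 0 if "vid:pid" is in ALLOWLIST
usb_allowed() {
    needle="$1:$2"
    for entry in $ALLOWLIST; do
        [ "$entry" = "$needle" ] && return 0
    done
    return 1
}

# lock_new_devices SYSFS_DIR
# Refuse every device plugged in from now on (authorized_default=0 per root hub).
lock_new_devices() {
    for hub in "$1"/usb*; do
        [ -f "$hub/authorized_default" ] || continue
        printf '0' > "$hub/authorized_default"
    done
}

# apply_allowlist SYSFS_DIR
# Deauthorize every already-present device whose VID:PID is not allowlisted.
# Interface nodes such as 1-2:1.0 carry no idVendor and are skipped.
# Prints one "keep VID:PID path" or "block VID:PID path" line per device.
apply_allowlist() {
    for dev in "$1"/*; do
        [ -f "$dev/idVendor" ] && [ -f "$dev/idProduct" ] || continue
        vid=$(cat "$dev/idVendor"); pid=$(cat "$dev/idProduct")
        if usb_allowed "$vid" "$pid"; then
            echo "keep $vid:$pid $dev"
        else
            printf '0' > "$dev/authorized"
            echo "block $vid:$pid $dev"
        fi
    done
}

# udisks_ignore_rule -> udev rule text that stops udisks2 auto-mounting any
# USB block device; install it as /etc/udev/rules.d/99-forensic-nomount.rules.
udisks_ignore_rule() {
    printf '%s\n' 'ACTION=="add", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{UDISKS_IGNORE}="1"'
}

# usb_capture OUTFILE (needs root; not exercised here)
# The "analyzer in the middle": usbmon exposes every URB on every bus and
# tcpdump writes it to a pcap that Wireshark can dissect later.
usb_capture() {
    modprobe usbmon
    tcpdump -i usbmon0 -w "$1"
}

# make_fake_sysfs DIR: constructed stand-in for /sys/bus/usb/devices so the
# logic can be exercised without root: one root hub, the allowlisted keyboard
# (1-1), an unknown stick (1-2) and one of its interface nodes (1-2:1.0).
make_fake_sysfs() {
    d="$1"
    mkdir -p "$d/usb1" "$d/1-1" "$d/1-2" "$d/1-2:1.0"
    printf '1' > "$d/usb1/authorized_default"
    printf '046d' > "$d/1-1/idVendor"; printf 'c31c' > "$d/1-1/idProduct"; printf '1' > "$d/1-1/authorized"
    printf '1234' > "$d/1-2/idVendor"; printf 'abcd' > "$d/1-2/idProduct"; printf '1' > "$d/1-2/authorized"
    printf '1' > "$d/1-2:1.0/authorized"
}

# Dry run against the constructed tree; pass --apply to act on the real /sys.
if [ "${1:-}" = "--apply" ]; then
    lock_new_devices /sys/bus/usb/devices
    apply_allowlist /sys/bus/usb/devices
else
    demo=$(mktemp -d)
    make_fake_sysfs "$demo"
    lock_new_devices "$demo"
    apply_allowlist "$demo"
    rm -rf "$demo"
fi
```

Run it as root with `--apply` after the bench's own keyboard and mouse are in the allowlist and before the suspect stick is connected; the stick will then appear under `/sys/bus/usb/devices` with `authorized` at 0, which is enough to read its descriptors and image it from a capture while never letting a driver bind. Re-run `apply_allowlist` after any reboot, since `authorized_default` does not persist.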



