Easy USB Memory Stick File Carving with Foremost

Do you have a USB stick that you’d like to inspect? I recently found myself in this position when I found a USB drive in the parking lot of my workplace and, knowing that this is a common attack vector for advanced threats, thought I would carefully inspect what was on it. Here’s the process I followed to find not only what was on it now, but also what had been deleted from it in the past.

Insert the USB stick into a computer in a SAFE manner (a machine you don't care about, with auto-run/auto-mount disabled) for read-only inspection and take a look at the files. For me, this meant booting into a LiveCD that would not touch my hard drive. For this, I recommend any of the forensic Linux distributions – Kali, REMnux, the SANS SIFT Kit, etc. I took a look around and all that was listed were some PDFs and picture files, but I had a feeling there might be something more here, so I went on.

I then took an image of the USB drive using dd. To do this, insert the drive and figure out which device name it was assigned; this will likely be something like /dev/sda1, sdb1, sdc1 or similar. You can typically do this by typing dmesg and looking at the most recent entries.

In my case, it was sdb1, so I issued the command:

    dd if=/dev/sdb1 of=~/stick.dump bs=8M

Here if= is the path to the device you are imaging, of= is the path to the file you’d like to write the dump to, and bs=8M is the block size; I found a site that suggested this value and it seemed to work fine. I don’t think changing it will mess anything up, since it only controls how much dd attempts to read at once, but it can make the dump go slower or faster depending on the device you have. 8MB reads at a time should be fine.

I then used the Linux command-line utility foremost to automatically detect every file it could find in the image. This tool goes through any disk image and recovers any files it can using known file headers. There are other programs for this too, but foremost comes installed as standard in Kali, so it’s what I went with.

    foremost -i stick.dump

Time to inspect the findings. Once foremost finishes, it creates a directory called output in the directory where it was run, containing separate folders, one for each type of file it found, and an audit.txt with a summary of the findings. In my case, it looked like this:

Dive into all the files you are interested in. In my case, I was looking for malware, so the exe folder was where I was headed. I ran md5sum on the file to get a fingerprint and ran it through virustotal.com’s database search.
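To make the carving and hashing steps above concrete, here is an added Python example (my own illustration, not the author's code and not foremost's source) that does what foremost does on a dd image: it scans the raw bytes for known headers and footers, cuts out each file body, writes one folder per type plus an audit.txt in the same layout as foremost's output directory, and hashes every carved file the way md5sum does so the fingerprint can be looked up. The signature table, the size cap and the sample image are assumptions constructed for the demo; it is not a substitute for foremost on a real image, but it shows why deleted files turn up: the scan never consults the filesystem's directory at all.

```python
"""Minimal header/footer file carver, illustrating what foremost does over a dd
image (added example; the signature table below is an assumed subset in the
spirit of foremost's built-in definitions, not its real configuration)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# kind -> (header magic, footer magic or None when the type has no fixed footer)
SIGNATURES: Dict[str, Tuple[bytes, Optional[bytes]]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "exe": (b"MZ", None),  # DOS/PE stub: header only
}

# Hypothetical cap for footer-less or unterminated files; foremost applies a
# per-type maximum size in the same spirit.
MAX_CARVE_SIZE = 64 * 1024


@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes

    def md5(self) -> str:       # same fingerprint md5sum would print
        return hashlib.md5(self.data).hexdigest()

    def sha256(self) -> str:    # stronger hash, also accepted by reputation services
        return hashlib.sha256(self.data).hexdigest()


def carve(image: bytes, signatures=SIGNATURES,
          max_size: int = MAX_CARVE_SIZE) -> List[CarvedFile]:
    """Find every signature anywhere in the image. Live and deleted files are
    treated alike because only the raw bytes are examined."""
    found: List[CarvedFile] = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(start + max_size, len(image))
            end = limit  # fall back to the cap when no footer is found
            if footer is not None:
                fpos = image.find(footer, start + len(header), limit)
                if fpos != -1:
                    end = fpos + len(footer)
            found.append(CarvedFile(kind, start, image[start:end]))
            pos = end  # resume scanning after the carved body
    found.sort(key=lambda f: f.offset)
    return found


def write_output(files: List[CarvedFile], outdir: str) -> str:
    """Mirror foremost's layout: one folder per type plus audit.txt; returns the audit path."""
    os.makedirs(outdir, exist_ok=True)
    lines = ["Num  Type  Offset      Size     MD5"]
    for n, f in enumerate(files):
        typedir = os.path.join(outdir, f.kind)
        os.makedirs(typedir, exist_ok=True)
        with open(os.path.join(typedir, f"{f.offset:08d}.{f.kind}"), "wb") as fh:
            fh.write(f.data)
        lines.append(f"{n:<4} {f.kind:<5} {f.offset:<11} {len(f.data):<8} {f.md5()}")
    audit = os.path.join(outdir, "audit.txt")
    with open(audit, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return audit


# Constructed sample image: a live JPEG, a "deleted" PDF sitting in unallocated
# space with nothing pointing at it, and an MZ-headed stub (not a real executable).
LIVE_JPEG = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
DELETED_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\n" + b"P" * 30 + b"\n%%EOF"
OLD_EXE = b"MZ" + b"\x90" * 100


def build_sample_image() -> bytes:
    filler = b"\x00" * 512  # zeroed sectors between the file bodies
    return filler + LIVE_JPEG + filler + DELETED_PDF + filler + OLD_EXE + filler


def demo(outdir: Optional[str] = None) -> Tuple[List[CarvedFile], str]:
    """Carve the sample image (or a real dd dump if you read it in yourself)."""
    files = carve(build_sample_image())
    audit = write_output(files, outdir or tempfile.mkdtemp(prefix="carve_"))
    return files, audit


if __name__ == "__main__":
    carved, audit_path = demo()
    for f in carved:
        print(f"{f.kind:<4} @ {f.offset:<6} {len(f.data):>5} bytes  md5={f.md5()}")
    print("audit:", audit_path)
```

Two things the run makes visible that matter on a real stick. The exe entry is over-carved: a two-byte "MZ" header with no footer means the carver cuts to its size cap and drags trailing slack along, so the md5 of a carved executable may not match the original file's hash; a production carver validates the PE header and uses its size fields, and a hash lookup should be tried on the trimmed body as well. And the author's dd command reads the partition (/dev/sdb1), which is fine for the files inside it but misses the partition table and anything outside that partition; imaging the whole device (/dev/sdb) and hashing the dump before and after analysis is the usual practice when the stick may later matter as evidence.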

Hey look! What do ya know, I found myself some malware that wasn’t listed in the current files on the USB stick but had previously been present. It looks like it’s 4 years old, so this probably wasn’t any kind of targeted attack, but hey, interesting nonetheless.