You may have heard the advice that unfamiliar USB drives should be avoided at all costs. For many, the salient advice under these circumstances is to simply avoid plugging any unfamiliar device or drive into a computer.

But human curiosity often compels us to look inside drives of unknown provenance, and this is doubly true for journalists whose job is to investigate tips. Concerningly, though, USB drives can be loaded with malicious software that launches when the USB device is connected to a computer. That spells trouble for the security of your machine.

When you need to know what’s on a USB drive handed to you by a potential source, this article offers a few strategies for safely reading files from unfamiliar USB devices.

What’s at stake

First, let’s talk about the threat.

Malicious software contained on USB drives can allow attackers to obtain your passwords, access your files, and irreversibly damage your computer. For instance, recently discovered malware attributed to Chinese groups exfiltrates files, keystrokes, and screenshots from your computer. And state-sponsored hackers from Russia have deployed malware that “promiscuously” infects devices so that they’re permanently in communication with the group’s command-and-control servers.

And it doesn’t end there. Beyond causing harm to your personal computer, unchecked malware could go so far as to take down half the newsroom.

Mitigating unseen dangers

The dangers that lurk on a potentially infected USB drive could very well spring into action the moment a malicious USB device is plugged into your computer. The riskiest USB sticks contain autorun programs that execute before you even have time to interact with the files on the drive. Luckily, device manufacturers are aware of these issues and have introduced early lines of defense.

You can aid these efforts by setting your computer to alert you before it interacts with external devices, including USB drives. If you’re using a Mac with an M1 chip and newer, you can set this up under Settings > Privacy & Security by changing “allow accessories to connect” to “ask for new accessories” in order to keep your device from automatically interfacing with a newly inserted drive. If you use a Windows device, you can disable Autoplay by navigating to Settings > Bluetooth & Devices > Choose AutoPlay Defaults and setting Removable drive to “ask me every time."

This leads to one of the most important pieces of digital security advice we can offer: Keep your operating systems, like macOS or Windows, up to date. Doing so will ensure that known viruses will be identified by your computer and stopped in their tracks. For additional protection, you may elect to use antivirus software.

Handling unfamiliar drives

Gaining insight into the contents of an unfamiliar drive is best handled in an environment that’s wholly separate from the one you use on a daily basis. In this section, we’ll discuss the setup and use of air-gapped devices, how the Tails operating system can help protect your device from absorbing malware, and the use of Chromebooks to review risky drives.

Air-gapped devices

One way forward involves sticking an unfamiliar drive into a (hopefully inexpensive) air-gapped device — one that is by definition unable to connect to the internet. This method works because malware is often written to send your data back to a remote server. Opening a USB drive on a computer that’s not able to access a network means your information won’t be exfiltrated through the internet without your knowledge.

If you are willing and able to reserve a computer specifically for this purpose, it may be worth purchasing one and simply avoid connecting it to the internet. Alternatively, if you have access to an old computer, you can reformat it and reinstall the operating system. Visit Disk Utility to reset a Mac, or use Chromebook Recovery Utility for Chromebooks or the recovery menu on Windows. For maximal security, if you have practical know-how, consider physically removing the wireless hardware.

Keeping your device physically secured is important too. An air-gapped computer can still connect with a local network in ways you might not anticipate, such as being physically connected to the network via Ethernet. Store as few files on the device as possible and pare back on applications to only what is necessary for viewing, redacting, and converting files into safe PDFs.

Tails operating system

Those using a Windows PC or an Apple computer with an Intel chip can take the temporary measure of booting up and using Tails to review possibly infected files. Tails (short for “The Amnesic Incognito Live System”) is an operating system that runs independently from the one you use on a day-to-day basis. Instead of writing to your computer’s hard disk, Tails runs from your computer’s memory. The operating system — and every file you’ve viewed within it — disappears when you end your session. (Tails offers persistent storage, but that’s a story for another time.) Both of these features mean you can safely plug in the questionable USB drive and view the files.

To get started, you’ll need to download a copy of Tails to a clean, recently purchased USB drive (we recommend labeling your Tails drive so as to keep all of these drives straight). To run it, simply shut down your computer and restart using the USB drive with Tails on it.

As a complete operating system, Tails comes along with a Tor browser, an encrypted email client, a local password manager, and other handy software. Crucially to the subject at hand, the Tails OS includes Metadata Cleaner to remove metadata from files, which you may elect to do if preparing the contents of the USB drive for further sharing. If, after making full use of Tails, you’d like to return your USB drive so that it can be read by both Windows and Apple computers, here’s some information that may help.

A couple of caveats: First, Tails cannot protect you from malware if you install it from a computer that’s already been infected. Secondly, Tails does not presently work with newer-model Apple computers with M1 and newer chips.

Chromebooks

For those who can afford a dedicated device, Chromebooks offer an easier alternative for peeking into USB drives. Built on ChromeOS, these devices provide an option outside of Windows and MacOS, which have been the target of many a malware attack.

Indeed, Google claims that its operating system has yet to see evidence of any documented, successful virus attacks. While it may only be a matter of time before malware becomes a bigger issue, using a Chromebook that exists apart from the devices that power your everyday work means that malware that hides out in a USB drive won’t fell your go-to setup. Alternatively, if you do use your Chromebook for purposes other than dealing with tricky USB drives, you can always log in as a guest. Any change that is made by a guest user won’t impact other profiles.

Once you’ve checked out the contents of your drive and have taken steps to sanitize it (see below), use this occasion to reformat the USB drive if possible (also see below) and “powerwash” your Chromebook to return it to factory settings.

Converting files before reading them

Now that you’ve retrieved possibly infected files from the USB drive, it’s time to enhance the safety of those files so that you can review their contents. Dangerzone is ideal for that, transforming potentially dangerous PDFs into safe ones. (Note: Freedom of the Press Foundation currently maintains this project).

Dangerzone works by converting a file into a PDF, then into raw visual data, and then back into a PDF for readability. All of this happens in a sandboxed environment, which means that the document can’t access any networks. If the file is malicious, it can’t communicate with servers maintained by the group behind the malware.

To use Dangerzone, download the software (here is that link again). You’ll also need to download and open a program called Docker Desktop, which allows Dangerzone to be run in isolated space on your operating system. From Dangerzone, follow the prompts to “Select Suspicious Documents'' and convert to a safe PDF. The cleaned-up file will be easy to identify — the word “safe” will be automatically added to the filename and your original files will be automatically placed into a folder marked “unsafe.”

Once you’ve done this, you can use a second, clean USB drive to bring the document back to your typical environment for continued review. You’ve now safely averted disaster and can continue the important work of following up on tips.

Have additional questions about what to do with that USB drive? Our digital security training team is always ready to support journalists in need of assistance with device and file security. Reach out; we look forward to speaking with you.