How to safely find out what’s on a mysterious USB device

That flash drive might've been free, but if it's got malware, it's going to cost you.

Companies like to hand out USB drives like candy. At media functions, for example, these flash storage devices contain product photos, press information, and details about businesses that hope the journalists who receive them will cover their latest offering.

While convenient, there’s a lot that could go wrong. A public relations team member, for example, could have unknowingly transferred malware to the device when uploading its content.

Or, perhaps a more unscrupulous employee or contractor actively sought to turn the drive into a spy device—a Trojan horse of sorts—that carries tiny bits of executable code. Once inserted into one of your PC’s ports, it could automatically download an app, prompt you to download one, or run malware that could steal or destroy data on your computer.

And then there’s the USB drive itself. Each uses firmware, which could be modified to serve as a keylogger—a device that records each keystroke on your machine once it’s installed. Other exploits capture or modify files as they leave the device, acting as a man-in-the-middle and leaving you vulnerable even when sending encrypted files.

Needless to say, each time I’m handed one of these devices, I cringe at the thought of actually having to open it.

But, there are a number of ways you can open them safely.

Use an air-gapped PC

woman using laptop while sitting on a log in the wilderness in the winter
You don’t have to bring your laptop into the wilderness to make sure there’s no internet connection, but if you want to, well, you do you. Nathan Dumlao via Unsplash

In days past, malware existed solely to make your life miserable, a sort of “Achievement Unlocked” badge of honor for hackers looking to create chaos. Now, these malicious applications act more like parasites that snoop on your most sensitive data while trying to remain undetected.

Since it’s hard—but not impossible—for a device to transmit data to a bad actor while offline, modern malware almost always requires an internet connection.

That means the easiest, and most secure, option for opening devices of dubious origin is to plug them into an air-gapped PC. That is to say, a computer that isn’t—and may have never been—connected to the internet. These machines are stripped of any extraneous applications and used solely for functions requiring the highest levels of security. They don’t contain photos or any other types of files that could be compromised.

In a worst-case scenario, the offline computer serves as a burner phone, of sorts. If the USB was infected, your PC may be ruined, but you won’t have lost anything of vital importance.

Chromebooks are a good choice for this, as they don’t run either of the two most popular operating systems. While that means malware isn’t as common for these devices, that’s not to say it doesn’t exist. Air-gapped Chromebooks should still remain disconnected from the internet after the initial setup process, and even then you shouldn’t set them up using your real Google account.

But what about PCs that connect to the internet? For a computer you’d still like to use regularly, there are two alternatives. Let’s look at those now.

Run Linux from a clean USB

a woman using a computer and a phone with a USB device nearby
If you think you’ve got your hands full trying to run Linux off a USB drive, don’t worry, there’s a lot of help on the internet. William Iven on Unsplash

Most popular Linux “brands,” or distributions, can be run directly from a USB device. Since these are open source, the code is freely available for everyone to adapt and build upon. As such, many users have created entirely new ways to use Linux, complete with different focus areas (like security or ease-of-use) and aesthetics.

You can run most of these “distros” from a USB stick, or drive, without ever installing it on your primary PC. It’s a computer on a stick, in essence.

To do this, get a clean USB drive, preferably a new one directly from the manufacturer. Before you begin, be sure to reformat it to wipe any existing data so you can start clean.

Then, download your favorite distro (I like Ubuntu). From there, follow the installation guide to get the operating system working on your USB device. Ubuntu, for example, has easy-to-follow guides for doing this on both Windows and macOS.

If you run into problems, Ubuntu has one of the largest Linux communities of any distro, so you should be able to get help for just about any issue you run into.

Once installed, you can run Linux inside a sort of virtual environment on your PC. Simply put, it’s running a secondary operating system inside your primary one. When you open a shady USB inside Linux, nothing on it will be able to escape and infect your primary operating system. And if you run into problems, you can pull the plug on the whole thing, so to speak, by ejecting the drive.

Create an operating system inside a virtual environment

man using laptop on a table
This is the easiest solution, so you absolutely won’t need three hands for it. Bench Accounting via Unsplash

To be clear, this is the least secure of all the methods here, but it’s also one of the easiest. As with all things related to cybersecurity, it’s a delicate balancing act between safety and convenience. And running a virtual environment inside your operating system is certainly a convenient, semi-secure way to explore the contents of a USB device from an unknown source.

If you’re using macOS, you’ve got Parallels, which lets you run Windows, Linux, or even another version of macOS inside your existing operating system. It offers an excellent “convergence mode” that makes Windows or Linux more Mac-like by customizing things like button positions and menu options.

But as good as Parallels is, it’s not cheap, and it doesn’t work outside of the Apple ecosystem. So we’re going to focus instead on the most popular option for cross-platform usage: VirtualBox.

VirtualBox is free, and available for Windows, Mac, and Linux. One important item of note is that you’ll need a Windows or macOS license if you intend to use one of them inside your virtual environment, also known as a “sandbox.” Linux, however, is free.

Once downloaded, just run the installer and follow the on-screen prompts. VirtualBox has a bit of a learning curve, but the documentation—complete with an installation and troubleshooting guide—is excellent. And if you get stuck, there’s always the instructions.

While none of these three methods are foolproof, each offers a quantum leap in security over just plugging an unknown device into one of your USB slots. So go ahead and open up that USB stick and rest assured that you’re taking the necessary precautions to prevent a nasty intrusion that could cost you dearly.