First USB Flash Drive. Now what?

Discussion in 'other software & services' started by innerpeace, Dec 6, 2008.

Thread Status:
Not open for further replies.
  1. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi. I just got my first USB flash drive and I'm not sure where to start. It's a 4GB OCZ Rally2 drive that is formatted as FAT32. Should I format it to NTFS? I have XP home and the other computers I would use it with would also be XP.

    How should I keep it secure? I had another thread with a couple of good suggestions about write protecting the drive. While good suggestions, it seems a little complicated to me as I don't have a U3 drive or XP Pro. Would Drive Sentry be easier and effective? Or should I just disable autorun.inf on my machine and scan the drive before accessing it?

    Do you all use a front end for your drives like portableapps.com or pstart? Could I still use either manually if I disabled autorun? Also, shouldn't a HIPS program alert to an autorun malware when I plug my drive into my computer?

    Sorry for all the newbie questions. I'm in new territory here and I don't trust the other 2 computers that I might be plugging into.

    Thanks,
    innerpeace
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hello,
    You can start pstart.exe just like any other app - double-click on it.
    Trust-wise, you should disable autorun and maybe scan the device before using it...
    Mrk
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, innerpeace,

    My flash drive isn't the U3 type either, so I'm not worried about an autorun.inf file doing anything if it happens to get installed when my drive is in another computer.

    I look at the drive's contents before I leave the other computer, and when I return to my own computer. I've never found anything on it that I haven't put there myself.

    I keep only word processing and picture files on it, so I've left it as FAT32. I haven't worried about any special means of securing it.

    regards,

    rich
     
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,907
    Location:
    U.S.A.
  5. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    Most who have a U3 drive always end up permanently removing it to reclaim the space after the novelty of it wears off. PStart is fast and small. There are big collections of USB software that use PStart. There are far more tools than you will ever need. I suggest just having a small essential collection and keeping a lot of the extra space empty, which is really handy for copying files to computers, saving data and storing media etc. so you don't have to rely on CDs and DVDs.
     
    Last edited: Dec 6, 2008
  6. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    My .02.
    Do not like proprietary software so U3 got removed without prejudice from the one drive that did have it.

    Do not like autorun so it is disabled on all my drives via gpedit.

    Since you have just the one drive (for now) in the event you ever deal with a Win 98 machine or older I would leave it fat 32. Can not remember if ME is fat or ntfs. But I do know ntfs can read fat just not the other way around.

    Thought they came by default formatted in fat. :rolleyes:

    Have 9 flash drives. Each with a different purpose\content. The one I take when doing house calls\troubleshooting for Friends & Family is fat 32. Still know some people running the older OS`s so while fat 32 does have some limitations, in my case at least it is the best way for me to go.

    Have fun and enjoy the new toy. They can be addicting. I see more of them in your future. ;)
     
  7. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I carry a USB flash drive with me at all times. (Sad isn't it? :) )

    I have some of my personal files on it; portable programs to do basic photo editing, encryption, and more; programs to clear up PC problems (both portable and installable versions); links to things of interest to me on the web; my encrypted password databases and on and on. At this point, I have over 4.5 GB of stuff!

    Because I have important stuff on the drive, I back it up at home if I have made changes. (My backup app of choice is the excellent GoodSync.)

    Since you asked, I have left my drive as FAT32. It was easy (no changes!) and I couldn't see any significant reasons to make the change. I do know that with FAT32 there would be few if any permission problems in my daily use. (I make use of a Limited User account on my PCs.)

    I agree with markymoo very strongly. U3 stinks! I just keep mine as a typical drive. No start/program manager.

    A final note... Since I use my drive on several PCs, I was concerned about it getting infected. So a thing I have recently done to my drives (all of them) is to add a folder at the root level named autorun.inf (yes, the same name as the file that typically kicks off an autorun sequence.) The attributes of the folder are Read Only, Hidden, System and Archive. It's my understanding that the existence of this folder blocks the creation of an autorun.inf file. See this thread for more info http://www.dslreports.com/forum/r21468233-Disabling-Autorun-in-XP (I just cleaned up a worm infection from a friend's USB drive. It had two unwanted guests at the root level. An executable named Start.exe and an autorun.inf file to run Start.exe. If this drive would have already had the autorun.inf folder, it might have had the Start.exe file dropped on it but no autorun.inf file to activate the exe.)
     
  8. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Many thanks to everyone for your help and links to other discussions. All of your advice is great and I picked up at least one useful bit from every post :thumb:.

    I will leave the drive FAT32 and will probably go with pstart because it's smaller. I will look further into disabling autorun on all drives but I want to understand it more so I can reverse the changes later. I looked at the link HAN provided as well as a couple other at dslreports. The "Flash Drive Disinfector" was flagged by my Avira which is probably a FP. What exactly does it do and/or how can I do it manually?

    Cheers,
    innerpeace
     
  9. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    innerpeace: The guy at dslreports giving the advice that includes Flash Drive Disinfector is Bill Castner. When it comes to malware and how to deal with it, he is very knowledgeable. He would never recommend anything harmful (he responds to the Avira false positive on page 2 of that dslreports thread.) That same reply gives a brief overview of what Flash Drive Disinfector does.

    Essentially, it removes some of the more common autorun-based files that lead to infections. Along with that, it adds a new folder named autorun.inf (with the attributes of Hidden, System, Read only and Archive) to the flash drive's root folder. This prevents any malware from later adding an autorun.inf file to the drive. Files named autorun.inf are what malware use to spread themselves via USB drives from one computer to another. (I have tested this. With the folder autorun.inf in place (and the attributes set properly), Windows will just not allow the creation of a new autorun.inf file.)

    If you don't want to run the Flash Drive Disinfector, you can still manually create the autorun.inf folder and set its attributes to the recommended settings.
    To do so, navigate to the root folder of your flash drive. Then create a new folder and name it
    autorun.inf
    Next, open a command window and type
    attrib +h +s +a +r E:\autorun.inf
    and hit enter. (Substitute the drive letter of your flash drive if it's not E.)
    If the command is successful and the cursor returns back to your cmd prompt, you can then type
    exit
    and hit enter to return to regular Windows
    Once this folder is in place, and the attributes set, you will have much better protection against USB infections.

    One thought related to autorun infections... As noted above, I agree that autorun (and probably autoplay) should be turned off on PCs. The problem is that if you use your USB flash drive on other computers, having autorun/autoplay turned off on your PC doesn't do anything to keep your flash drive from being infected on the other PCs. This is why I'm advocating the use of the method Bill Castner mentions. (Too bad most USB drives no longer have a write protect switch on them like some drives did a few years ago. All you had to do then was slide the switch and you had instant protection.)

    **EDIT**
    The attached photo shows the root folder of my Sony USB flash drive (with the autorun.inf folder.)
     

    Last edited: Dec 7, 2008
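
An added example, not part of the thread and not Flash Drive Disinfector's code: a small Python audit of a drive root that reports whether autorun.inf is the guard folder described above, a file (and which programs its [autorun] section would start), or absent. The sample drive contents are constructed in temporary directories, and the Hidden/System/Read-only attributes are not checked.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that name a program to start

def launch_targets(text):
    """Return the commands an autorun.inf would start, from its [autorun] section."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value)
    return targets

def audit_root(root):
    """Classify the drive root: 'folder' (guard in place), 'file' or 'absent'."""
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":  # match any letter case
            continue
        path = os.path.join(root, name)
        if os.path.isdir(path):
            return {"state": "folder", "targets": []}
        with open(path, "r", errors="replace") as fh:
            return {"state": "file", "targets": launch_targets(fh.read())}
    return {"state": "absent", "targets": []}

def demo():
    """Constructed sample: one root like the infected drive described, one with the folder."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as guarded:
        with open(os.path.join(infected, "autorun.inf"), "w") as fh:
            fh.write("[AutoRun]\nopen=Start.exe\nshell\\open\\command=Start.exe\n")
        os.mkdir(os.path.join(guarded, "autorun.inf"))
        return audit_root(infected), audit_root(guarded)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real stick, call audit_root("E:\\") with the drive's own letter; a "file" result with unfamiliar targets is the case to investigate before opening anything on the drive.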
  10. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thank you HAN for the explanation :).

    I have a quick question. I noticed that Bill didn't include the "-a" archive attribute to reverse the changes. Is that normal or was it a mistake? Here is what he wrote in the link:
     
  11. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I'm not sure. He may have made a little boo boo. The "a" attribute is used for tracking the archive status of files/folders. In this situation, it's likely that it's not absolutely critical that it be there. The reason I was proposing it is because it's in the Flash Disinfector.cmd file (which is inside the Flash_Disinfector.exe download.) The line where the attributes are changed says
    attrib.exe +h +r +s +a "%%g\autorun.inf"
    So I figured, might as well follow the creator, right? Certainly, setting the "a" attribute won't hurt anything...
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I took U3 off and kept the filesystem as FAT32. I used FileVerifier++ to digitally fingerprint the .exe, .ocx, .dll, .sys, .msi, and .com files on the USB stick. I also made a self-extracting .exe archive of the FileVerifier++ folder, and renamed it to a file extension that would not normally be associated with executables (so that viruses might perhaps skip it), such as .exb or .exeb. If I am concerned that a virus may have changed the USB stick programs, the first thing to do when putting the USB stick in a computer is copy the self-extracting FileVerifier++ archive to a new file, rename the copy as .exe, run it to extract the FileVerifier++ folder, then run FileVerifier++ to check the desired USB stick programs for integrity.
     
    Last edited: Dec 9, 2008
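
An added example, not part of the thread and not FileVerifier++ itself: the same fingerprint-then-verify routine sketched in Python with SHA-256, covering the file types listed in the post above. The stick contents, file names and the simulated changes are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

EXTENSIONS = (".exe", ".ocx", ".dll", ".sys", ".msi", ".com")  # types listed in the post

def sha256_file(path):
    """Hash a file in chunks so large programs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every program file under root."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(folder, name)
                manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest

def verify(root, manifest):
    """Compare the stick against a saved manifest and report every difference."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }

def demo():
    """Constructed stick: fingerprint it, then simulate a modified and a dropped program."""
    with tempfile.TemporaryDirectory() as stick:
        for name, data in (("pstart.exe", b"clean-1"), ("tool.dll", b"clean-2"), ("notes.txt", b"x")):
            with open(os.path.join(stick, name), "wb") as fh:
                fh.write(data)
        saved = build_manifest(stick)
        with open(os.path.join(stick, "tool.dll"), "ab") as fh:
            fh.write(b"appended")          # program altered after fingerprinting
        with open(os.path.join(stick, "Start.exe"), "wb") as fh:
            fh.write(b"unknown")           # executable that was never fingerprinted
        return saved, verify(stick, saved)

if __name__ == "__main__":
    print(demo()[1])
```

A manifest kept only on the stick can be rewritten along with the programs, so keep a second copy on a machine you trust.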
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You can also make an archive of the USB stick programs, so that in case of infection (or corruption) you can extract clean program versions. Rename the archive with an extension that disguises it, such as .zipb or .zib. Place a self-extracting .exe archive of a portable archiver such as 7-Zip on the USB stick, again renamed as .exeb or .exb or similar to lessen the chance of infection. If you need to extract clean copies, make a copy of the 7-Zip.exb file (or whatever you named it), then rename the copy as .exe, run the self-extracting .exe, and then run the newly extracted 7-Zip. You can hopefully open the non-standard named archive of programs in the archiver program without renaming it. (Test once to make sure it works.)
     
  14. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    I was just a little concerned about if I needed the "a" attribute when reversing the change should I ever need to.

    Thanks! I feel much better with the folder on my flash drive.

    MrBrian, Thanks for the tips. Archiving the USB apps sounds like a great idea. I'll also have a look at FileVerifier++ as well as some of the tools you mentioned in your 'tool list' post.
     
  15. Cloak

    Cloak Registered Member

    Joined:
    Dec 10, 2008
    Posts:
    8
    Hi,

    How can we protect ourselves from threats that automatically load onto the flash drive? Computers with restricted privileges leave you with the inability to disable autorun and there's no way to treat the virus across the whole network (restricted privileges)

    What protective measurements can you take? :doubt:
     
  16. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    The addition of the autorun.inf folder as detailed above should do the trick.
     
  17. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    I think the biggest problem with a flash drive is an issue that no one has discussed. What happens when you lose it - which you will. It might not happen often, but it will happen.

    I use truecrypt to encrypt the whole thing. I don't care a whole lot about the value of a lost drive, but I don't want to worry about what might have been confidential for me or my employer.
     
  18. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Good point! I don't encrypt the entire drive but I do encrypt individual files that are more of a personal nature. Certainly, viruses aren't the only risk...
     
  19. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    If your drive is found by an honest/curious newbie, this program may work.
    http://www.raymond.cc/blog/archives...or-lost-usb-flash-drive-returned-back-to-you/
     
  20. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Hello Innerpeace, easter.

    My fortunes have run this way, I learned not to format my drives with FAT for XP and not format my USB Pen with NTFS. Mine is likely (maybe not) a single personal error experience but I recently bought "another" USB Pen and for giggles decided to format it to NTFS and it ended up corrupting some of the files I was storing on it, not running from it, since I prefer to prolong the life of my USB Pens by simply using them as storage devices. It was time consuming running CHKDSK to correct the errors and salvage most of my good apps, losing only a very few but since it's been reformatted back to factory FAT I haven't had that problem again, neither problems with my drives recognizing it immediately unlike with NTFS.

    Same with when I formatted an XP drive with FAT, then it wasn't long before something escaped and wreaked havoc on it, since reformatting back to NTFS, that drive hasn't been disrupted since.

    Go Figure, right?

    Happy you're in the USB Pen group now and pleased with it. Thanks to your post I even picked up some tips here to keep it protected from that autorun.inf issue that's circulating and such.

    EASTER
     
  22. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    EASTER,

    Thanks for sharing your experience. It seems unanimous that leaving the drive as FAT is the way to go. If it ain't broke, don't try to fix it :D. I also received a new mp3 player which can use an optional MicroSD card for more storage. It was formatted as FAT, but I had to format as FAT32 for it to work correctly. I love all these new toys!

    You're right about the autorun.inf tip. I've read about it here at Wilder's but didn't understand anything about it. Thanks to HAN and the others, we now have another small layer to defend ourselves :thumb:.
     