Security: Connecting A Potentially Infected Hard Drive To Linux
I hear this question from time to time online, and the answer is not complicated, but I wanted to at least talk about it. So you have a potentially infected drive from Windows or another system. What happens next? Can you hook it up and be sure all will be well? Read on for more…
As the saying goes, Linux has no viruses in the wild. That is an overstatement: Linux malware does exist, and "proof of concept" samples are easy to find, but almost all of it still needs the user to pull the trigger. At some point we have to stop blaming the system and ask why we are installing super_cool_root_kit.run from a random GitHub repo or some strange site. While Linux is comparatively secure, you still must be vigilant. If you wish to be more secure than most, pick a distribution that publishes security fixes promptly, such as Fedora, and install only from its official software repositories. The classic Windows pitfall was software that ran automatically on download or when a disc or drive was inserted (AutoRun). Linux does not execute anything on insertion, and I suspect it never will by default. What a Linux desktop will do is auto-mount the drive, which means the kernel's filesystem driver gets to parse a stranger's disk before you have done anything; on a machine you use for this kind of work, turn automounting off and mount by hand with the options below.
The best way to go about this is to mount the suspect drive read-only and with execution disabled. How do I do that? With one simple command in the Terminal, as root:
mount -o ro,noexec /dev/sdc1 /media/mountpoint
This mounts the partition at /dev/sdc1 on /media/mountpoint with two separate protections. ro means the kernel will not write to the drive at all, which preserves whatever is on it and keeps you from accidentally spreading anything. noexec means the kernel will refuse to execute any binary or script that lives on that mount. noexec by itself does not make the mount read-only; the two options do different jobs, so use both. Note that noexec is also not a hard boundary: if you deliberately hand a file to an interpreter (sh ./script.sh, python ./x.py) it is read as data and runs anyway. The real protection is that nothing on that drive runs unless you run it. The safest approach I use is a live CD or USB of your favorite distribution. The live session runs its own instance of the distribution from the boot medium, not your installed system, and once you reboot it is wiped clean unless you have set up persistent storage on a flash drive. Keep in mind that many live images give the live user passwordless sudo, so the live environment protects you by being disposable, not by denying admin rights. Leave your own system's drives unmounted in this situation, and never mount them read-write.
From there, you can analyze the drive with scanning tools (clamscan from ClamAV, for example) or copy out only what you need, treating anything you do not recognize as suspect. Stay careful despite GNU/Linux being a safer host: a file you copy back may still be infected and do damage again once it is put back on Windows.
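The procedure above, as an added shell example that is not part of the original post: one function builds the mount command with the read-only and no-execute options (plus nosuid, nodev and, for ext3/ext4, noload so the kernel does not replay the journal and write to the disk under ro), and a second function reads /proc/mounts-format text and confirms the mount actually came up ro and noexec, which is the check to run before you start copying files. /dev/sdc1, /media/suspect and the sample /proc/mounts lines are constructed placeholders; the script only prints the mount command rather than running it, since mounting needs root.

```sh
#!/bin/sh
# Added example, not from the original post. Device, mount point and the
# /proc/mounts sample lines below are constructed for illustration.

# Print the mount command for a suspect partition.
#   ro      no writes reach the device (preserves evidence, spreads nothing)
#   noexec  the kernel refuses execve() of files on this mount
#   nosuid  setuid/setgid bits on the mount are ignored
#   nodev   device nodes on the mount are not honoured
# ext3/ext4 additionally get noload: without it the kernel may replay the
# journal at mount time, which writes to the disk even with ro.
safe_mount_cmd() {
    dev=$1; mnt=$2; fstype=$3
    opts="ro,noexec,nosuid,nodev"
    case "$fstype" in
        ext3|ext4) opts="$opts,noload" ;;
    esac
    printf 'mount -t %s -o %s %s %s\n' "$fstype" "$opts" "$dev" "$mnt"
}

# Read /proc/mounts-format lines on stdin and check the entry for $1.
# Returns 0 if that mount is ro and noexec, 1 if it is mounted without
# one of them, 2 if the mount point does not appear at all.
mount_is_safe() {
    mnt=$1
    while read -r _dev mp _fstype opts _rest; do
        [ "$mp" = "$mnt" ] || continue
        case ",$opts," in
            *,ro,*) ;;
            *) return 1 ;;
        esac
        case ",$opts," in
            *,noexec,*) return 0 ;;
            *) return 1 ;;
        esac
    done
    return 2
}

# --- demonstration ---------------------------------------------------------
# Optional extra step as root before mounting: write-protect the whole disk
# at the block layer so even a filesystem driver bug cannot write to it:
#   blockdev --setro /dev/sdc
safe_mount_cmd /dev/sdc1 /media/suspect ntfs
safe_mount_cmd /dev/sdc1 /media/suspect ext4

# On a real machine you would run the printed command as root, then check:
#   mount_is_safe /media/suspect < /proc/mounts
# Here constructed /proc/mounts lines stand in for the real file.
for sample in "ro,noexec,nosuid,nodev,relatime" "rw,relatime"; do
    if mount_is_safe /media/suspect <<EOF
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdc1 /media/suspect ntfs $sample 0 0
EOF
    then echo "/media/suspect ($sample): safe"
    else echo "/media/suspect ($sample): NOT safe, remount with -o remount,ro,noexec"
    fi
done
```

The verification step matters because a desktop automounter or a typo can leave the drive mounted rw; checking /proc/mounts after the fact rather than trusting the command you typed is the habit worth keeping.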
Questions or comments? Leave them below.