USB Key Cleaner
Malware regularly uses USB sticks to infect victims, and the abuse of USB sticks is a common vector of infection. CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user owned) USB key/stick. The code runs on a Raspberry Pi (a small hardware device), which also means it is not required to plug the original USB key into a computer. CIRCLean can be seen as a kind of air gap between the untrusted USB key and your operational computer.
CIRCLean does not require any technical prerequisites of any kind and can be used by anyone. CIRCLean is free software which can be audited and analyzed by third-parties. We also invite all organizations to actively reuse CIRCLean in their own products or contribute to the project.
How To Install
Graphical how-to and pre-built image download.
To prepare the SD card on Windows, you can use Win32DiskImager. On Linux/macOS, use dd (see the how-to link for instructions).
The current prebuilt image is based on the 1-11-17 release of Raspbian Jessie Lite. The smallest SD card that CIRCLean can fit on is currently 4GB.
Why/What
This project aims to be useful when you get/find a USB key that you can’t trust, and you want to look at its contents without taking the risk of plugging it into your computer directly. The official project page can be found at:
https://www.circl.lu/projects/CIRCLean/
The Raspberry Pi Foundation has a blog post with more information about an older version of the project and details of the inspiration behind it.
CIRCLean is currently tested to work with USB keys that have FAT32, NTFS, or ext2/3/4 filesystems (ext* filesystems can only be used as source keys, not destination keys). Currently, exFAT is not supported due to lack of support for this format in pmount. The vast majority of USB keys will be FAT32 or NTFS.
The content of the untrusted key will be copied and/or converted to the second (blank) key following these rules (based on the MIME type as determined by libmagic):
Direct copy of:
Plain text files (mime type: text/*)
Audio files (mime type: audio/*)
Video files (mime type: video/*)
Example files (mime type: example/*)
Multipart files (mime type: multipart/*)
XML files, after being converted to text files
Octet-stream files
Copied after verification:
Image files after verifying that they are not compression bombs (mime type: image/*)
PDF files, after marking as dangerous if they contain malicious content
Office documents (mime type: msword|vnd.openxmlformats-officedocument.*|vnd.ms-*|vnd.oasis.opendocument*), after parsing with oletools/olefile and marking as dangerous if the parsing fails
Copied but marked as dangerous (DANGEROUS_filename_DANGEROUS):
Message files (mime type: message/*)
Model files (mime type: model/*)
x-dosexec (executable)
Compressed files (zip|x-rar|x-bzip2|x-lzip|x-lzma|x-lzop|x-xz|x-compress|x-gzip|x-tar|*compressed):
Archives are unpacked, with the unpacking process stopped after 2 levels of archives to prevent archive bombs.
The above rules are applied recursively to the unpacked files.
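The rules above as a small triage routine, added here as an illustration and not taken from CIRCLean's own code. The action names, the magic-byte `sniff` stand-in for libmagic, zip-only unpacking, and the handling of unlisted types, unreadable archives and archives past the depth limit are assumptions.

```python
import io
import re
import zipfile

MAX_ARCHIVE_DEPTH = 2  # from the page: unpacking stops after 2 levels of archives
RULES = [  # ordered (MIME regex, action) pairs transcribed from the page's rules
    (r"(application|text)/xml$", "convert_to_text"),
    (r"(text|audio|video|example|multipart)/|application/octet-stream$", "copy"),
    (r"image/", "verify_image"),
    (r"application/pdf$", "verify_pdf"),
    (r"application/(msword|vnd\.openxmlformats-officedocument\.|vnd\.ms-|vnd\.oasis\.opendocument)", "verify_office"),
    (r"(message|model)/|application/x-dosexec$", "mark_dangerous"),
    (r"application/(zip|x-rar|x-bzip2|x-lzip|x-lzma|x-lzop|x-xz|x-compress"
     r"|x-gzip|x-tar|.*compressed)$", "unpack"),
]
MAGIC = [  # constructed stand-in for libmagic: a few magic-byte prefixes only
    (b"MZ", "application/x-dosexec"), (b"PK\x03\x04", "application/zip"),
    (b"%PDF-", "application/pdf"), (b"\x89PNG", "image/png")]

def sniff(data):
    hit = next((m for p, m in MAGIC if data.startswith(p)), None)
    return hit or ("text/plain" if data.isascii() else "application/octet-stream")

def triage(mime):  # assumption: a type the page does not list fails closed
    return next((a for p, a in RULES if re.match(p, mime)), "mark_dangerous")

def dangerous(path):  # the page's naming scheme, applied to the last path component
    head, sep, name = path.rpartition("/")
    return f"{head}{sep}DANGEROUS_{name}_DANGEROUS"

def process(path, data, depth=0):  # returns [(output_path, action)], recursing into zips
    action = triage(sniff(data))
    if action == "unpack" and depth < MAX_ARCHIVE_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return [r for i in zf.infolist() if not i.is_dir()
                        for r in process(f"{path}/{i.filename}", zf.read(i), depth + 1)]
        except zipfile.BadZipFile:
            action = "mark_dangerous"  # assumption: unreadable archives are flagged
    if action in ("unpack", "mark_dangerous"):  # assumption: too-deep archives are flagged
        return [(dangerous(path), "mark_dangerous")]
    return [(path, action)]

def make_zip(members):  # builds the constructed sample archives used to try this out
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Calling `process("top.zip", ...)` on a zip that holds a zip that holds a third zip returns the third archive unopened under a `DANGEROUS_..._DANGEROUS` name. `zf.read` loads each member fully into memory, so cap `info.file_size` before reading members from untrusted input.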
Usage
Power off the device and unplug all connections.
Plug the untrusted key in the top left USB slot of the Raspberry Pi.
Plug your own key in the bottom USB slot (or use any of the other slots if there are more than 2). Note: This key should be bigger than the original one because any archives present on the source key will be expanded and copied.
Optional: connect the HDMI cable to a screen to monitor the process.
Connect the power to the micro USB port. Note: Use a 5V, 700mA+ regulated power supply.
Wait until you do not see any blinking green light on the board, or if you connected the HDMI cable, check the screen. The process is slow and can take 30-60 minutes depending on how many document conversions take place.
Power off the device and disconnect the drives.