I don't know much about this case but depending on the level of concern, even just plugging the device into a safe, isolated machine and performing an image may be insufficient.
You could imagine a USB device that presented as a harmless file store unless certain conditions were detected, in which case the device could re-present as a keyboard (providing pre-programmed keystrokes) or potentially a bluetooth or wireless network receiver that could log or analyze traffic to a hidden partition.
I think the question of how to safely analyze suspect USB devices, at the level of potential nation-state actors, needs a lot more consideration and probably some custom tooling.
I can't think of many things more fun than coming up with some clever USB descriptor hacks to allow an innocuous drive full of pictures of grandchildren to carefully switch into an HID device when it thinks the coast is clear. I have to imagine there's a lot of little tricks you could implement which would be difficult to trigger in a sandbox and might require dumping the EEPROM (if that's possible).
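As an added example (not code from any commenter in this thread), here is a small parser for the USB configuration descriptor that a device hands the host on enumeration, which flags interface classes a device posing as a plain flash drive has no reason to expose (HID, CDC network, wireless controllers). The descriptor layout and class codes follow the USB 2.0 specification; the two sample descriptors are constructed for illustration, one for a plain mass-storage stick and one for a composite stick that also enumerates a boot-protocol keyboard.

```python
"""Parse a USB configuration descriptor and flag interface classes that a
"harmless file store" should not expose.

Added example, not code from the original thread. Descriptor layout and class
codes are from the USB 2.0 spec; the sample byte strings are constructed.
"""
import struct
from typing import Dict, List

CONFIG_DESC = 0x02
INTERFACE_DESC = 0x04
ENDPOINT_DESC = 0x05

# USB-IF class codes; names are the ones lsusb/usbview print.
CLASS_NAMES = {
    0x02: "cdc-comm",        # CDC control, e.g. Ethernet/ACM adapters
    0x03: "hid",
    0x08: "mass-storage",
    0x0A: "cdc-data",
    0xE0: "wireless",        # Bluetooth / RF controllers
    0xFF: "vendor-specific",
}

# Classes that contradict a "just a flash drive" presentation.
UNEXPECTED_FOR_STORAGE = {"hid", "cdc-comm", "cdc-data", "wireless", "vendor-specific"}


def parse_interfaces(desc: bytes) -> List[Dict[str, int]]:
    """Walk a full configuration descriptor and return one dict per interface
    descriptor (number, class, subclass, protocol, endpoint count).
    Raises ValueError on structurally bad input rather than guessing."""
    if len(desc) < 9 or desc[1] != CONFIG_DESC:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", desc, 2)[0]
    if total_len != len(desc):
        raise ValueError(f"wTotalLength {total_len} != buffer length {len(desc)}")

    interfaces: List[Dict[str, int]] = []
    off = desc[0]  # skip the configuration header (bLength, normally 9)
    while off < len(desc):
        blen, btype = desc[off], desc[off + 1]
        if blen == 0 or off + blen > len(desc):
            raise ValueError(f"bad bLength {blen} at offset {off}")
        if btype == INTERFACE_DESC:
            if blen < 9:
                raise ValueError(f"short interface descriptor at offset {off}")
            interfaces.append({
                "number": desc[off + 2],
                "class": desc[off + 5],
                "subclass": desc[off + 6],
                "protocol": desc[off + 7],
                "endpoints": 0,
            })
        elif btype == ENDPOINT_DESC and interfaces:
            interfaces[-1]["endpoints"] += 1
        # HID (0x21), class-specific and unknown descriptors are skipped by bLength.
        off += blen
    return interfaces


def classify(desc: bytes) -> List[str]:
    """Map each interface to a class name; unknown codes keep their hex value."""
    return [CLASS_NAMES.get(i["class"], f"class-0x{i['class']:02x}")
            for i in parse_interfaces(desc)]


def unexpected_classes(desc: bytes) -> List[str]:
    """Interface classes the device exposes that a plain flash drive should not."""
    return sorted(set(classify(desc)) & UNEXPECTED_FOR_STORAGE)


def is_well_formed(desc: bytes) -> bool:
    """True if the descriptor parses cleanly; malformed descriptors are themselves a signal."""
    try:
        parse_interfaces(desc)
        return True
    except ValueError:
        return False


# Constructed sample: one mass-storage interface (SCSI, bulk-only) with two bulk endpoints.
PLAIN_DRIVE = bytes.fromhex(
    "090220000101008032"   # config: wTotalLength=32, 1 interface, bus-powered, 100 mA
    "090400000208065000"   # interface 0: class 0x08 mass storage, SCSI, BBB
    "07058102400000"       # endpoint 0x81 bulk IN, 64 bytes
    "07050202400000"       # endpoint 0x02 bulk OUT, 64 bytes
)

# Constructed sample: same drive plus a boot-protocol keyboard interface.
COMPOSITE_DRIVE_KEYBOARD = bytes.fromhex(
    "090239000201008032"   # config: wTotalLength=57, 2 interfaces
    "090400000208065000"   # interface 0: mass storage
    "07058102400000"
    "07050202400000"
    "090401000103010100"   # interface 1: class 0x03 HID, boot subclass, keyboard protocol
    "092111010001223f00"   # HID descriptor: bcdHID 1.11, one report descriptor of 63 bytes
    "0705830308000a"       # endpoint 0x83 interrupt IN, 8 bytes, 10 ms
)

if __name__ == "__main__":
    for name, d in (("plain", PLAIN_DRIVE), ("composite", COMPOSITE_DRIVE_KEYBOARD)):
        print(name, classify(d), "unexpected:", unexpected_classes(d))
```

The check only sees what the device chose to present at that enumeration; a stick that switches personality after some trigger will pass it on the first plug and fail it later, so in an analysis rig it belongs on every connect and re-enumeration event, not just the first. It also does nothing about firmware the device never exposes over USB at all, which is the part of the problem the comment above is pointing at.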
This sounds like an effective way to stall investigations for months in exchange for a movie plot threat scenario.
"Boss, the electron microscope reverse engineering from that USB stick 6 months ago came back. They said they didn't find anything out of the ordinary. The bill is $400k. But I guess we can start analyzing the contents now."
> I think the question of how to safely analyze suspect USB devices, at the level of potential nation-state actors, needs a lot more consideration and probably some custom tooling.
I would be absolutely shocked if the US’ three letter agencies did not have some form of custom tooling to detect this — especially considering the sophisticated multi-vector I/O exploitation they demonstrated a decade ago with Stuxnet and the Equation Group.
Regardless of your views on his policy, Trump has demonstrated zero respect for opsec — even in a national security context — so I would also not be surprised if those three letter agencies have decided the White House is untrustworthy with its cyber warfare capabilities.
In this case we kind of do. The USB stick was recovered from a woman who was visiting Mar a Lago. Trump conducts government business there a lot, in a break with pretty much all advice. It's an incredibly insecure location.