Police is giving me back my unencrypted cold storage, what now?

Questions
1

Many months ago police seized my hard drives, usb keys, micro sd cards etc.

They were all unencrypted (my mistake, i fell on the stupid “why doing it, i have nothing to hide” catchphrase) they prolly made the bit to bit copy as early as they got ‘em and then a lot of months of no communication with me, days ago i received the call to come get them back in the next days.

I’m aware and afraid they could have add some sort of spyware or malware that as soon as I’m using them, therefore it could infect my mobile devices or pc’s connected to the storage or even my whole internet/wifi connection in order to monitor my activity.

I’d like to meet the middle ground of not losing terabytes of my life memories, hundreds of money of storage but still remain secure.

If anyone has advice on that, or a guide on how to do it safely is welcomed to help. Of course just throwing them away would be the last resort I’d like to avoid.

Thanks in advance.

2

What kinds of data do you have that you want to save?

3

Mmh pretty much everything on them, I’ve got those storages for ages

4

I would probably think to boot something like Tails on an air gapped machine to copy the files and then discard the storage?

1 Like
5

Can you buy a disposable used computer that can run Qubes OS or Tails?

Usually my go-to advice is to copy your files into this airgapped computer. Ensure that it has no network access whatsoever. Use something like DangerZone to convert the files into sanitized PDFs.

6

But are there hidden malwares or spywares that could autorun? Is this a thing?

7

I think the risk of that is why a disposable computer running Qubes or Tails was mentioned. That would help mitigate the risk of malware while converting the files, though it would be difficult to prevent any hypothetical malware from embedding itself in the now sanitized files if it did run successfully. That’s very hypothetical though as the malware would have to have been designed to do that, especially if you airgap the machine and it can’t reach out for additional modules or anything.

1 Like
8

You can perform a malware scan against the files. Detecting firmware malware on the drives would be more problematic.

Use an existing old PC, or obtain one from eBay or a second hand shop if necessary. It will be a one-time use machine that you will use to copy the files, and then dispose of the PC. The PC should have an optical drive. Assuming that this is a large amount of storage, a Blu-ray writer would be best.

Install an OS on the old PC, and the necessary Blu-ray writer software.

Airgap the old PC, and never again connect it to any network.

Connect the recovered drives to the old PC, and write the contents to Blu-ray discs.

On your daily driver PC, verify that you can read the contents of the Blu-ray discs, and scan the files for malware. Do not open any of the files.

Destroy the old PC and the Blu-ray writer, and dispose of them. This hardware should never be used again. It may be infected with firmware malware that you will likely never detect. Consider it tainted/infected.

Wait a year for anti-malware definitions to evolve, and scan the Blu-ray discs for malware, again. If everything looks clean, consider the files safe.

Lesson learned…encrypt EVERYTHING.

9

if he did encrypt before, would that prevent implanting malware, etc

1 Like
10

Firmware malware, no.

His important data files, yes, I would think so.

11

Depends on specifics, but no, not really. They aren’t going to waste a zero day on some nobody. So as long as you don’t cause code execution from whatever you have, it should be alright, with some caveats:

Based on interface, things may be complicated: USB can act as a “rubber ducky”, although that’d be pretty visible. SATA should be ok as long as you don’t accidentally boot off of it. NVMe is complicated, as a PCIe device it can DMA and very well invisibly infect your device unless it has special hardware measures against that stuff. For that you can just buy an external USB enclosure.

However all of this is moot if you just use an air-gapped machine to just copy everything to some other storage. As I said earlier, turning just data into code execution generally needs some software vulnerability, and you’re almost certainly not that interesting to them.

1 Like
12

is it possible to keep original file format jpg, txt, video, whatever or does everything need to be turned into pdf.

1 Like
13

Well…

If it was in police, so there no privacy to loose now.

I think you should go to library (or whatever public network and computer) and run some automated tools. For example convertio.co to convert files to another formats.

Or custom made scripts to put all of them through FFMPEG, Pillow and Libre office convert to convert to safe ones.

If you need to use them after that format drives (optionally with something like DBAN). But I don’t recommend to do so. Better format with DBAN (or DD if you know what are you doing) and sell in commission shop.

For next time purchase 3 SSD, encrypt them (Vera Crypt or LUKS) and store in different locations.

But whatever you do, I recommend to check them on PUBLIC computer.

14

Here is also slightly modified compilation of sanitation scripts into one:

Script 
#!/usr/bin/env python3
import argparse, hashlib, json, os, shutil, subprocess, sys, tempfile
from pathlib import Path
from tqdm import tqdm
from PIL import Image, ImageFile
import magic
from oletools.olevba import VBA_Parser

ImageFile.LOAD_TRUNCATED_IMAGES = True

SAFE_IMAGE_EXTS = {'.jpg', '.jpeg', '.png', '.gif', '.tiff', '.bmp', '.webp'}
VIDEO_EXTS = {'.mp4', '.mov', '.mkv', '.avi', '.webm', '.flv'}
DOC_EXTS = {'.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.odt', '.ods', '.odp', '.rtf', '.txt'}
PDF_EXTS = {'.pdf'}
ARCHIVE_EXTS = {'.zip', '.7z', '.tar', '.gz', '.bz2'}

def sha256(path: Path):
    h=hashlib.sha256()
    with path.open('rb') as f:
        for chunk in iter(lambda: f.read(8192), b''): h.update(chunk)
    return h.hexdigest()

def safe_mkdir(p: Path): p.mkdir(parents=True, exist_ok=True)

def sanitize_image(src: Path, dst: Path, quality=80):
    try:
        with Image.open(src) as im:
            im = im.convert('RGB')
            safe_mkdir(dst.parent)
            out = dst.with_suffix('.jpg')
            im.save(out, 'JPEG', quality=quality, optimize=True)
            return out
    except: return None

def sanitize_video(src: Path, dst: Path):
    safe_mkdir(dst.parent)
    out = dst.with_suffix('.mp4')
    cmd=['ffmpeg','-y','-i',str(src),'-c:v','libx264','-preset','fast','-crf','26','-c:a','aac','-b:a','96k','-map_metadata','-1',str(out)]
    try: subprocess.run(cmd, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL); return out
    except: return None

def sanitize_pdf(src: Path, dst: Path):
    safe_mkdir(dst.parent)
    out = dst.with_suffix('.pdf')
    try:
        subprocess.run(['gs','-dNOPAUSE','-dBATCH','-sDEVICE=pdfwrite','-dPDFSETTINGS=/printer','-dCompatibilityLevel=1.4','-sOutputFile='+str(out),str(src)], check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return out
    except: return None

def remove_macros_office(src: Path, dst_dir: Path):
    safe_mkdir(dst_dir)
    tmp=dst_dir/('nomacro_'+src.name)
    try:
        if src.suffix.lower() in {'.doc', '.docm', '.docx', '.xls', '.xlsm', '.xlsx', '.ppt', '.pptm', '.pptx'}:
            try:
                vb=VBA_Parser(str(src))
                if vb.detect_vba_macros():
                    # create a macro-free copy by converting to odf then back to desired formats
                    with tempfile.TemporaryDirectory() as td:
                        subprocess.run(['libreoffice','--headless','--convert-to','odt' if src.suffix.lower().startswith('.doc') else ('ods' if src.suffix.lower().startswith('.xls') else 'odp'),'--outdir',td,str(src)], check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=120)
                        for f in Path(td).iterdir():
                            shutil.move(str(f), str(tmp))
                        return tmp if tmp.exists() else None
            except Exception:
                pass
        shutil.copy2(src, tmp)
        return tmp
    except Exception:
        return None

def convert_office(src: Path, dst_dir: Path):
    safe_mkdir(dst_dir)
    base=dst_dir/(src.stem)
    odf=None
    try:
        with tempfile.TemporaryDirectory() as td:
            subprocess.run(['libreoffice','--headless','--convert-to','odt' if src.suffix.lower() in {'.doc','.docx','.rtf','.txt'} else ('ods' if src.suffix.lower() in {'.xls','.xlsx'} else 'odp'),'--outdir',td,str(src)], check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=120)
            for f in Path(td).iterdir():
                odf=dst_dir/f.name
                shutil.move(str(f), str(odf))
    except Exception:
        pass
    try:
        pdf_out=dst_dir/(src.stem+'_sanitized.pdf')
        subprocess.run(['libreoffice','--headless','--convert-to','pdf','--outdir',str(dst_dir),str(src)], check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=120)
        if (dst_dir/(src.stem+'.pdf')).exists():
            sanitize_pdf(dst_dir/(src.stem+'.pdf'), pdf_out)
            return odf, pdf_out if pdf_out.exists() else None
    except Exception:
        pass
    return odf, None

def unpack_archive(src: Path, tempdir: Path):
    try:
        safe_mkdir(tempdir)
        subprocess.run(['7z','x','-y','-o'+str(tempdir),str(src)], check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return True
    except: return False

def pack_zip(srcdir: Path, dstzip: Path):
    safe_mkdir(dstzip.parent)
    shutil.make_archive(str(dstzip.with_suffix('')), 'zip', root_dir=str(srcdir))

def is_executable(mime: str, suf: str):
    low=mime.lower()
    if 'javascript' in low or 'x-sh' in low or suf in {'.exe','.dll','.so','.scr','.bat','.cmd','.ps1'}: return True
    return False

def process_file(src: Path, in_root: Path, out_root: Path, quarantine: Path):
    rel=src.relative_to(in_root)
    out_base=out_root/rel
    rec={'src':str(src),'sha256_src':sha256(src),'action':None,'out':[],'sha256_out':[]}
    try:
        m=magic.from_file(str(src), mime=True)
    except: m=''
    suf=src.suffix.lower()
    if suf in ARCHIVE_EXTS:
        with tempfile.TemporaryDirectory() as td:
            tdpath=Path(td)
            ok=unpack_archive(src, tdpath)
            if not ok:
                q=quarantine/rel
                safe_mkdir(q.parent); shutil.copy2(src,q); rec['action']='archive_failed_quarantine'; rec['out'].append(str(q)); return rec
            for f in tdpath.rglob('*'):
                if f.is_file():
                    process_file(f, tdpath, out_root/rel.stem, quarantine/rel.stem)
            packed=out_root/rel.with_suffix('.zip')
            pack_zip(out_root/rel.stem, packed)
            rec['action']='archive_processed_repacked'
            rec['out'].append(str(packed))
            rec['sha256_out'].append(sha256(packed))
            return rec
    if suf in SAFE_IMAGE_EXTS or m.startswith('image/'):
        s=sanitize_image(src, out_base)
        if s: rec['action']='image_reencoded'; rec['out'].append(str(s)); rec['sha256_out'].append(sha256(s))
        else:
            q=quarantine/rel; safe_mkdir(q.parent); shutil.copy2(src,q); rec['action']='image_quarantined'; rec['out'].append(str(q))
        return rec
    if suf in VIDEO_EXTS or m.startswith('video/'):
        s=sanitize_video(src, out_base)
        if s: rec['action']='video_reencoded'; rec['out'].append(str(s)); rec['sha256_out'].append(sha256(s))
        else:
            q=quarantine/rel; safe_mkdir(q.parent); shutil.copy2(src,q); rec['action']='video_quarantined'; rec['out'].append(str(q))
        return rec
    if suf in PDF_EXTS or m=='application/pdf':
        s=sanitize_pdf(src, out_base)
        if s: rec['action']='pdf_rasterized'; rec['out'].append(str(s)); rec['sha256_out'].append(sha256(s))
        else:
            q=quarantine/rel; safe_mkdir(q.parent); shutil.copy2(src,q); rec['action']='pdf_quarantined'; rec['out'].append(str(q))
        return rec
    if suf in DOC_EXTS or any(k in m for k in ('wordprocessingml','presentation','spreadsheet','msword','vnd.openxmlformats-officedocument')):
        nm=remove_macros_office(src, quarantine/('nomacro'))
        target_src = nm if nm is not None else src
        odf,pdf = convert_office(target_src, out_root/rel.parent)
        if odf:
            rec['action']='office_converted_macros_removed'
            rec['out'].append(str(odf))
            if pdf: rec['out'].append(str(pdf)); rec['sha256_out'].append(sha256(pdf))
        else:
            q=quarantine/rel; safe_mkdir(q.parent); shutil.copy2(src,q); rec['action']='office_quarantined'; rec['out'].append(str(q))
        return rec
    if is_executable(m, suf):
        q=quarantine/rel; safe_mkdir(q.parent); shutil.copy2(src,q); rec['action']='executable_quarantined'; rec['out'].append(str(q)); return rec
    q=quarantine/rel; safe_mkdir(q.parent); shutil.copy2(src,q); rec['action']='unknown_quarantined'; rec['out'].append(str(q)); return rec

def walk_and_process(in_root: Path, out_root: Path, report: Path):
    quarantine=out_root/'QUARANTINE'
    files=[p for p in in_root.rglob('*') if p.is_file()]
    reports=[]
    for f in tqdm(files, desc="Processing", unit="file", ncols=80):
        try:
            reports.append(process_file(f, in_root, out_root, quarantine))
        except Exception as e:
            reports.append({'src':str(f),'action':'error','error':str(e)})
    report.write_text(json.dumps(reports, indent=2))
    return reports

def main():
    p=argparse.ArgumentParser(description='Aggressive sanitization: rasterize PDFs, re-encode media, remove macros, process archives recursively')
    p.add_argument('--path', required=True, help='input folder')
    p.add_argument('--output', required=True, help='output folder')
    p.add_argument('--report', default='report.json', help='report file name (json)')
    args=p.parse_args()
    inp=Path(args.path).resolve()
    out=Path(args.output).resolve()
    safe_mkdir(out)
    if not inp.exists(): print('Input does not exist'); sys.exit(1)
    print('Starting aggressive sanitization. Originals are not deleted. Keep backups.')
    walk_and_process(inp, out, out/args.report)
    print('Done. Report:', out/args.report)

if __name__=='__main__': main()

To use run following commands:

Commands 
sudo apt update && sudo apt install -y ffmpeg libreoffice-writer libreoffice-calc libreoffice-impress ghostscript qpdf p7zip-full zip unzip libmagic1


sudo python3 -m pip install pillow python-magic tqdm oletools

If any errors:

sudo apt install -y libmagic1
python3 -m pip install --user python-magic tqdm pillow

This script reduces common risks (strips metadata, re-encodes media, converts docs via LibreOffice, sanitizes PDFs) . It will recursively scan specified folder for videos, images, and documents.

To start using it:

Commands 
nano sanitize.py

Then paste script into it

And

python3 sanitize.py --path /home/user/flash_drive --output /home/user/sanitized_output --report report.json