Got a Mac? Prevent OPSEC leakage by cleaning hidden OS X files from USB drives

Got a Mac, plug in USB drives and use Finder to sort files? Protect your privacy and prevent OPSEC leakage by cleaning 'hidden' OS X data and metadata from USB drives.

[Image: CleanMyDrive app. Credit: MacPaw Inc / Mac App Store]

If you have a Mac, and if BadUSB or the code released at DerbyCon to make BadUSB work didn’t scare you off from using thumb drives, then you might want to start using a free app like CleanMyDrive. Why? Because OS X has been accused of leaking data and metadata that “really shouldn’t be there” as it copies “hidden” files to USB drives.

F-Secure’s Sean Sullivan related the following “true story” that involves “unknowns.”

Bob uses Linux. Alice uses Mac. Bob gave Alice a file via FAT32 formatted USB drive. Alice inserted the USB drive into her Mac, copied the file, and then gave the USB drive back to Bob. Later, Bob inserted the USB drive into his Linux computer and saw Mac files. Lots and lots of Mac files. And that's typical.
Bob was curious about the function of the files. (And why so many, what do they do?) Being a reverse engineer, Bob naturally examined the files with a hex editor. And that's when he discovered that a file called ".store.db" contained e-mail addresses, subject lines, and in a few cases, the opening sentence of Alice's messages.

Alarmed that such data/metadata was copied to his USB drive, Bob investigated further and found that the information couldn't be seen using a forensic tool designed specifically for viewing such .db files. From a conventional view, ".store.db" appeared to be identical to "store.db". Only a hex editor view revealed the leaked info embedded within .store.db — so it isn't at all obvious with standard forensic tools.

F-Secure examined the thumb drive and confirmed that there “was data in the .store.db file that really shouldn't be there.” Yet without access to Alice, it was unknown whether this leakage was due to the way she configured her Mac, a third-party app, or malware. In the lab, attempts to recreate a Mac copying “bad” files to a USB drive failed.

This is where Reddit’s Netsec entered the picture and several users reported they, too, could see a .DS_Store file copied and hidden on a USB drive. After running the strings utility over the file to reproduce the issue, Redditor fletom found "names, phone numbers, and email addresses of several of my friends sitting right there, information I am positive I never put anywhere near this USB key.”

Redditor Legolas-the-elf helpfully explained that the .DS_Store file is “only created if the Finder application is used to browse to the directory, and you change the state of the directory in a way that isn't represented by the filesystem. So for example, if you change the sort order from the default to something else, then Finder will save your preferences for that directory in .DS_Store.”

There are quite a few solutions, such as turning off Spotlight for external volumes. Unfortunately, some of the “fixes” can result in new problems. For example, Nicholas Ptacek told F-Secure that "Mac users can prevent Spotlight from indexing via: System Preferences, Spotlight, Privacy.” However “while disabling Spotlight indexing will prevent a leak of data to USB drives, the configuration will limit functionality on the Mac itself.”

Once upon a time, Microsoft had a similar problem but eliminated it long ago. Oh, Apple, that has to burn. This OS X to USB drive leakage problem has been around for a long time and was addressed by Brian Dickens on the HostileFork blog in 2009; Asepsis was among the suggested solutions as it “prevents creation of .DS_Store files” and “redirects their creation into a special folder.”

Then in a 2012 post titled “Mac droppings,” Dwain Fagerberg suggested solutions such as using the dot_clean command, disabling the creation of .DS_Store files on external volumes, recursively removing .DS_Store files from a friend’s USB drive, and removing the .Trashes folder from a friend’s thumb drive.
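The cleanup Fagerberg describes (recursively removing .DS_Store files and the .Trashes folder from a borrowed drive) is easy to script, and the same walk can be used to check a drive for the kind of leak Bob and fletom found before handing it back. The script below is an added example written for this article, not CleanMyDrive or any tool from the page; it assumes a POSIX shell with find, grep and rm, and that the drive's mount point is passed as the first argument (for example /Volumes/USBSTICK on a Mac or /media/bob/USBSTICK on Linux). The list of names it looks for is the set of Mac service files named in the article plus the Finder's AppleDouble "._" resource files and the .fseventsd and .TemporaryItems folders that Finder and Spotlight also create on FAT volumes.

```shell
#!/bin/sh
# Audit and clean macOS service files from a removable volume.
# Added example for this article; not code from the page or from any
# product it mentions. Assumes POSIX sh with find, grep and rm.

# Folders macOS writes to removable volumes (Spotlight index, Finder trash,
# filesystem event log, temporary items).
MAC_DIRS=".Spotlight-V100 .Trashes .fseventsd .TemporaryItems"

# Loose pattern for something that looks like an e-mail address; used to flag
# text that has no business sitting in an index or Finder metadata file.
EMAIL_RE='[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}'

# Print every Mac artefact under the mount point, one path per line:
# the service folders, every .DS_Store, and every AppleDouble "._*" file.
list_mac_artifacts() {
    mount="$1"
    for d in $MAC_DIRS; do
        find "$mount" -type d -name "$d"
    done
    find "$mount" -type f \( -name '.DS_Store' -o -name '._*' \)
}

# Number of artefacts found (0 means the drive is clean).
count_mac_artifacts() {
    list_mac_artifacts "$1" | wc -l | tr -d ' '
}

# Scan the artefacts for e-mail-like strings, the way fletom used "strings",
# so a leak can be seen without a hex editor. grep -a treats the binary
# .db/.DS_Store contents as text; -H prefixes each hit with its file name.
find_email_leaks() {
    list_mac_artifacts "$1" | while IFS= read -r path; do
        find "$path" -type f -exec grep -a -o -H -E "$EMAIL_RE" {} \; 2>/dev/null
    done
}

# Remove every artefact. Refuses an empty or root path so a typo cannot wipe
# the host filesystem; rm -f ignores paths already removed with their parent.
clean_mac_artifacts() {
    case "$1" in
        ""|/) echo "refusing to clean '$1'" >&2; return 1 ;;
    esac
    list_mac_artifacts "$1" | while IFS= read -r path; do
        rm -rf "$path"
    done
}

# Usage: sh cleanmac.sh /Volumes/USBSTICK
if [ -n "$1" ]; then
    echo "Mac artefacts on $1: $(count_mac_artifacts "$1")"
    echo "Possible leaked addresses:"
    find_email_leaks "$1"
    clean_mac_artifacts "$1"
    echo "Remaining artefacts: $(count_mac_artifacts "$1")"
fi
```

Run the audit before the clean step and read what it prints: the point of the scan is to learn whether a drive has already carried index data off the Mac, which is the question F-Secure could not answer without Alice's machine. On the Mac itself, the dot_clean command the article mentions merges or strips the "._" AppleDouble files, and Apple's documented defaults setting for network volumes (defaults write com.apple.desktopservices DSDontWriteNetworkStores true) stops Finder writing .DS_Store there; neither addresses the Spotlight index folder, which is what held Alice's message fragments.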

To F-Secure, Dr. Jimmy Wall recommended the freebie CleanMyDrive solution from the Mac App Store as it “cleans up your thumb drives, memory cards and external HDDs from needless service junk generated by Windows or OS X.”

Apple Support explained how to prevent .DS_Store file creation over network connections; that article was archived and last touched in 2011. Mark Janssen bumped Apple again over the leakage issue and reported, “Apple is aware of the issue and is investigating.” Since the archived “how to” mentioned a “fix” for Mac OS X v10.4 and later, and the first referenced OS X was Tiger, which debuted in 2005, it sure seems like Apple’s “investigation” has been going on for a ludicrous number of years.
