Looking at a thumbdrive safely

Had a wonderful weekend. Saturday night we were at a brewery hosting a reggae band that we like. They had a guest vocalist sit in for the first set, a guy visiting from Jamaica. We had a great time, the Jamaican dude ended up hanging out with us.

As we were leaving, he handed me something that I put in my pocket. I found out later it was a thumb drive. I assume it has music on it, but ???.

Is there a safe way to explore the drive and see if it is indeed music?

Stick it in a USB socket and use Explorer?
Stick it in the USB port on a TV - they can usually identify and play pictures and videos.

There isn’t a lot you can do to for sure protect the computer you look at it with, except to immediately scan with antivirus software. But with untrusted media, one important thing you can do is air gap the computer you plug it into. That is, while you are scanning and looking at the contents, keep that computer disconnected from your networks. That way, if there is something malicious on it, it won’t be spread to your other devices, or spread or report back over the internet.

I was trying to be safe from malicious stuff, maybe I was overdoing it.

So, right after posting the question, I showed the drive to an employee. She has a rental car while her car is being repaired, and she said we could try it in the car. It is music, and the one song we listened to was pretty cool.

No it isn’t music. It includes music. It may well have malware too.

I don’t think it’s likely to be malware, but if you were corporate/government-level serious about IT security you would not think the car “test” proved anything.

There’s not really a good way for a layman to safely evaluate a USB stick. I know I no longer have nearly the tools or expertise and I used to be in a closely allied business.

So ultimately you’re taking a gamble. Some musician at some random musical event is probably not targeting you. But his USB stick is as clean as the hygiene of every machine it ever got stuck into and every machine that machine ever shared a USB stick with. Net of scans, malware cleanings, etc.

I guess when you have the IT equivalent of unprotected sex with a hooker, in a rental car was probably best :smiley:

Thumbdrives are not safe. Even if the artist who gave it to you is completely trustworthy, the source of the drive may not be.

I feel bad even thinking about malware. The dude was cool, we shared drinks and weed. :frowning:

@Dorjan : omg, made my morning

I’d boot my old PowerPC MacOS 9 box from a bootable CD, unmount the internal HD, then plug in the thumb drive. See what’s on it, what files (filenames and extensions) and also open them in a plain text editor and look at the strings. The likelihood of malware on that thing that can infect that hardware when the OS is on a read-only device is vanishingly small.

I have a spare HD with Windows on it that I use for occasions such as this. If anything bad ends up being on the flash drive, I could wipe the drive clean and reinstall Windows. First I’d make sure no other drives are plugged into the mobo.

You cannot know what the drive really is without disassembling it and examining the components, but for a moderate level of safety you can use the aforementioned dedicated air-gapped, non-networked computer to extract the files (possibly into a sandboxed environment; not sure this will completely mitigate all malicious USB threats though). Then examine them, check that they are indeed music files.

Now the exercise is to transfer the presumably checked music files off the “dirty” computer—modulated audio, QR codes, whatever. You could also use a known-to-be-a-USB-drive-and-not-malicious-hardware drive; in your scenario it may not be too unsafe to just use it to move the MP3 files or whatever.
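An added example, not part of any post in this thread: one way to do the "check that they are indeed music files" step on the isolated machine is to compare each file's leading bytes with what its extension claims. The signature list is short and non-exhaustive, and the sample files are constructed.

```python
import tempfile
from pathlib import Path

# Audio extension -> content type expected behind it.
EXPECTED = {".mp3": "mp3", ".wav": "wav", ".flac": "flac",
            ".ogg": "ogg", ".m4a": "mp4-container"}
SIGNATURES = [  # (offset, magic bytes, label); short, non-exhaustive
    (0, b"MZ", "windows-executable"),
    (0, b"\x7fELF", "elf-executable"),
    (0, b"L\x00\x00\x00\x01\x14\x02\x00", "windows-shortcut"),
    (0, b"#!", "script"),
    (0, b"ID3", "mp3"),            # MP3 starting with an ID3v2 tag
    (0, b"fLaC", "flac"),
    (0, b"OggS", "ogg"),
    (4, b"ftyp", "mp4-container"),
]

def sniff(head: bytes) -> str:
    for off, magic, label in SIGNATURES:
        if head[off:off + len(magic)] == magic:
            return label
    if head[:4] == b"RIFF" and head[8:12] == b"WAVE":
        return "wav"
    if len(head) > 1 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3"               # bare MPEG frame sync (heuristic)
    return "unknown"

def audit(root) -> list:
    """Return (relative path, reason) for every file that is not plainly audio."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        with path.open("rb") as fh:    # bytes are read, never executed or played
            kind = sniff(fh.read(16))
        want = EXPECTED.get(path.suffix.lower())
        if kind != want:
            claim = f"extension claims {want}" if want else "non-audio extension"
            findings.append((path.relative_to(root).as_posix(),
                             f"{claim}, content looks like {kind}"))
    return findings

def demo_audit() -> list:
    """Audit a constructed sample tree standing in for the mounted stick."""
    samples = {"track01.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00",
               "track02.wav": b"RIFF\x24\x00\x00\x00WAVEfmt ",
               "track03.mp3": b"MZ\x90\x00\x03\x00", "autorun.inf": b"[autorun]\r\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return audit(tmp)
```

An empty result only means the visible files start like audio; it says nothing about the stick's hardware or about a file crafted to exploit a media player's parser, both of which are raised elsewhere in the thread.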

Yeah. Basically you need a read-only armored and totally isolated machine to boot up, inspect the stick, then shut down the machine. But you need to inspect far more than just the files you see in explorer. Lots of ways to hide exploits from the file system. Some sticks in effect have their own OS & drivers.

Even then there are USB driver exploit bugs that can root your mobo for good. Again that’s KGB-level stuff, but it exists.

The fact the musician is cool doesn’t mean the service who dupes his sticks doesn’t have an organized cybercrime connection. Or just an unnoticed cybercrime infection that they’re merrily and completely unwittingly spreading far & wide.

Ref the unprotected sex metaphor, there isn’t, but sure ought to be, an effective condom. As to IT venereal diseases, abstinence really is the only highly reliable infection shield.

Important note: There are some seriously malicious “USB drives” out there.

The worst are those that are designed to short out things, destroying at least the USB port if not the motherboard. You can protect yourself from these using a self-powered USB hub that has safety mechanisms to protect the MB from the hub no matter what. Of course this is a specialized hub that you might have to adapt from a regular hub yourself and the danger is this hub might get destroyed and you’re out of that.

The worst in terms of malware are ones that fake being a keyboard and perhaps mouse. OSes like MS-Windows will automatically accept such connections and the drive starts delivering a bunch of text to command windows that rapidly appear and get minimized so you might not notice it. They then start messing with your computer, installing malware, etc. The worst of these types include a WiFi chip and create their own connection with which to download more payloads or upload your data. (This connection bypasses anti-Malware software on the computer.) The best way to prevent problems with this type of fake thumb drive is to never plug in a non-100% trustworthy drive.

If you know your stuff you can take the cover off the thumb drive and check what types of chips are present. But since so many of these are no-name Chinese with useless chip IDs, or worse, fake chip IDs, you may not learn anything usable.

My solution to the OP: Destroy it. Smash it up. Break it. Throw it out.
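An added example, not part of any post in this thread: on a Linux live boot, a "thumb drive" that also declares itself a keyboard shows up in the USB interface classes the kernel exposes under `/sys/bus/usb/devices` (class `08` is mass storage, `03` is HID). The device names `1-2` and `1-3` and the directory tree built in `demo_usb` are constructed.

```python
import sys
import tempfile
from pathlib import Path

# Standard USB interface class codes (hex, as sysfs prints them).
CLASS_NAMES = {"03": "HID (keyboard/mouse)", "08": "mass storage",
               "02": "communications", "e0": "wireless controller"}

def interface_classes(sysfs_usb, device: str) -> list:
    """Read bInterfaceClass for every interface of one device, e.g. '1-2'."""
    classes = []
    for iface in sorted(Path(sysfs_usb).glob(f"{device}:*")):
        classes.append((iface / "bInterfaceClass").read_text().strip().lower())
    return classes

def verdict(classes: list) -> str:
    """A plain flash drive should declare mass storage and nothing else."""
    if not classes:
        return "no interfaces found"
    extra = [c for c in classes if c != "08"]
    if not extra:
        return "storage only"
    names = ", ".join(CLASS_NAMES.get(c, f"class {c}") for c in extra)
    return f"SUSPICIOUS: also presents {names}"

def demo_usb() -> dict:
    """Build a constructed sysfs-like tree and classify both devices in it."""
    tree = {"1-2:1.0": "08", "1-3:1.0": "08", "1-3:1.1": "03"}
    with tempfile.TemporaryDirectory() as tmp:
        for iface, cls in tree.items():
            Path(tmp, iface).mkdir()
            Path(tmp, iface, "bInterfaceClass").write_text(cls + "\n")
        return {dev: verdict(interface_classes(tmp, dev))
                for dev in ("1-2", "1-3")}

if __name__ == "__main__":
    if len(sys.argv) > 1:   # real use: pass the device name, e.g. 1-2
        print(verdict(interface_classes("/sys/bus/usb/devices", sys.argv[1])))
    else:
        print(demo_usb())
```

The device has already enumerated by the time this can run, so it belongs on the throwaway, disconnected machine, and it reports only what the device declares at that moment.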

Many Linux distributions have a Live boot component - try before you install essentially. Barring that, use a computer you don’t care about - or a friend’s computer.

With friends like that…

I attended an event at a security company a few weeks ago. I created a saved credential in Chrome, they then plugged in a USB key into the laptop that blocked access to read or write files but the key was modified to act as a keyboard device that opened up a command prompt and dumped the code for a virus that pulled a payload down from the internet. 60 seconds later, my password was displayed on the command-and-control computer.

This thread depresses me.

If you wanted to get the music off the drive, I don’t know how safe it would be moving the files themselves, but depending on the configuration of ports there might be an audio out that you could use to record the audio while it’s playing on another device, with the only risk being that inherent to playing the audio on the other machine. Is playing an unknown audio stream safe? Does the audio out literally only transmit audio data for another electronic device to pick up as audio? I don’t know for sure, but it would be a bit safer than transferring the file itself. If you think the risk to hook the computers up by any cable is too great, you’ll have to just play the audio out of the speakers and try to record it that way. Clearly there would be a degradation in quality in doing so, but that way you’d be sure that there’d only be audio getting out of the computer.

Unless they can put code into subsonic frequencies…

As ftg mentioned above, malware isn’t the only hazard potential from an unknown USB device.

Of course a benign audio file, like a WAV file, can contain a steganographically encoded malicious payload, but usually you already need to be running some malware to decode and execute it, unless there is some exploit you are referring to involving embedded tags or metadata that gets parsed by an exploitable media player.