Intercept. Isolate. Observe.
When a USB drive is plugged into a Linux machine, Quartzine intercepts the event before the OS mounts anything — and asks what you want to do with it.
- Mount normally → standard OS behavior
- Mount with VM → a disposable VM receives the drive, opens it, navigates it like a real user would.
Designed for malware analysis labs that handle physically untrusted media.
USB plugged in
│
├─ udev intercepts (before udisks2 mounts)
│
├─ Mount normally? ──────────────── normal OS behavior
│
└─ Analyze(mount with VM)?
│
├─ Clean VM snapshot spun up
├─ USB passed through to VM
├─ VM opens and navigates the drive
├─ eBPF + network tap observe everything
├─ Report generated
└─ VM destroyed. Nothing persists.
| Layer | Tools |
|---|---|
| USB detection | udev rules, pyudev |
| VM orchestration | Python, QEMU/KVM |
| Host observation | eBPF, bpftrace |
| Network simulation | INetSim, tcpdump |
- Linux x86_64 with KVM support
- Python 3.10+
Clone the repository by executing:
git clone https://github.com/Mathos6/Quartzine
OR
git clone git@github.com:Mathos6/Quartzine.git
Then, run:
chmod +x Quartzine/configd/install.sh
sudo ./Quartzine/configd/install.sh
Early development. Not ready for production use.
Planned milestones:
- udev interception + user prompt
- QEMU snapshot lifecycle management
- USB passthrough to VM
- eBPF observation layer
- Network isolation + INetSim integration
- JSON report generation
- Anti-evasion VM hardening
Caution
The project may not function yet in your hardware because the systemd service is not fully written yet
GNU General Public License v3.0 — see LICENSE for details.