Document Type

Article

Publication Date

8-14-2021

Subject: LCSH

Computer storage devices, Information storage and retrieval systems--Memory, Network computers

Disciplines

Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology | Information Security

Abstract

To explore the memory forensic artifacts generated by USB-based attack platforms, we analyzed two of the most popular commercially available devices, Hak5's USB Rubber Ducky and Bash Bunny. We present two open source Volatility plugins, usbhunt and dhcphunt, which extract artifacts generated by these USB attacks from Windows 10 system memory images. Such artifacts include driver-related diagnostic events, unique device identifiers, and DHCP client logs. Our tools are capable of extracting metadata-rich Windows diagnostic events generated by any USB device. The device identifiers presented in this work may also be used to definitively detect device usage. Likewise, the DHCP logs we carve from memory may be useful in the forensic analysis of other network-connected peripherals. We also quantify how long these artifacts remain recoverable in memory. Our experiments demonstrated that some Indicators of Compromise (IOCs) remain in memory for at least 24 h.

Comments

Article published in Forensic Science International: Digital Investigation, volume 37, Supplement, July 2021.

DOI

10.1016/j.fsidi.2021.301190

Publisher Citation

Tyler Thomas, Mathew Piscitelli, Bhavik Ashok Nahar, Ibrahim Baggili, Duck Hunt: Memory forensics of USB attack platforms, Forensic Science International: Digital Investigation, Volume 37, Supplement, 2021, 301190, ISSN 2666-2817, https://doi.org/10.1016/j.fsidi.2021.301190. (https://www.sciencedirect.com/science/article/pii/S2666281721000986)

Download

Check your library

Share

COinS