Document Type


Publication Date


Subject: LCSH

Computer storage devices, Information storage and retrieval systems--Memory, Network computers


Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology | Information Security


To explore the memory forensic artifacts generated by USB-based attack platforms, we analyzed two of the most popular commercially available devices, Hak5's USB Rubber Ducky and Bash Bunny. We present two open source Volatility plugins, usbhunt and dhcphunt, which extract artifacts generated by these USB attacks from Windows 10 system memory images. Such artifacts include driver-related diagnostic events, unique device identifiers, and DHCP client logs. Our tools are capable of extracting metadata-rich Windows diagnostic events generated by any USB device. The device identifiers presented in this work may also be used to definitively detect device usage. Likewise, the DHCP logs we carve from memory may be useful in the forensic analysis of other network-connected peripherals. We also quantify how long these artifacts remain recoverable in memory. Our experiments demonstrated that some Indicators of Compromise (IOCs) remain in memory for at least 24 h.


Article published in Forensic Science International: Digital Investigation, volume 37, Supplement, July 2021.



Publisher Citation

Tyler Thomas, Mathew Piscitelli, Bhavik Ashok Nahar, Ibrahim Baggili, Duck Hunt: Memory forensics of USB attack platforms, Forensic Science International: Digital Investigation, Volume 37, Supplement, 2021, 301190, ISSN 2666-2817, (

Check your library