Computer storage devices, Information storage and retrieval systems--Memory, Network computers
Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology | Information Security
To explore the memory forensic artifacts generated by USB-based attack platforms, we analyzed two of the most popular commercially available devices, Hak5's USB Rubber Ducky and Bash Bunny. We present two open source Volatility plugins, usbhunt and dhcphunt, which extract artifacts generated by these USB attacks from Windows 10 system memory images. Such artifacts include driver-related diagnostic events, unique device identifiers, and DHCP client logs. Our tools are capable of extracting metadata-rich Windows diagnostic events generated by any USB device. The device identifiers presented in this work may also be used to definitively detect device usage. Likewise, the DHCP logs we carve from memory may be useful in the forensic analysis of other network-connected peripherals. We also quantify how long these artifacts remain recoverable in memory. Our experiments demonstrated that some Indicators of Compromise (IOCs) remain in memory for at least 24 h.
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Thomas, Tyler; Piscitelli, Mathew; Nahar, Bhavik Ashok; and Baggili, Ibrahim, "Duck Hunt: Memory Forensics of USB Attack Platforms" (2021). Electrical & Computer Engineering and Computer Science Faculty Publications. 98.
Tyler Thomas, Mathew Piscitelli, Bhavik Ashok Nahar, Ibrahim Baggili, Duck Hunt: Memory forensics of USB attack platforms, Forensic Science International: Digital Investigation, Volume 37, Supplement, 2021, 301190, ISSN 2666-2817, https://doi.org/10.1016/j.fsidi.2021.301190. (https://www.sciencedirect.com/science/article/pii/S2666281721000986)