Digital Forensics of Hardware Key Logger

6 Posts
5 Users
0 Reactions
2,043 Views
(@itsecstudy)
New Member
Joined: 6 years ago
Posts: 1
Topic starter  

Hi all,

Firstly apologies if this is in the incorrect forum, it's my first post.

I am creating a theoretical report on digital forensic investigation of a USB hardware keylogger, found attached to a corporate PC.

I need to write about the acquisition process and also the analysis, to provide a report for incident analysis to understand what happened, and attempt to find out who connected the USB stick. It's a theoretical case so I have some flexibility around the details.

I would like some pointers towards general concepts and analysis of the keylogger and PC. I plan to leverage the registry to look for connected, previously connected devices and then map this back to a user using the GUID found in the user registry hive.

Any general pointers towards verified research or advice would be much appreciated. I have googled already.

Thanks


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

A USB hardware keylogger would need to have some storage…

https://dl.acm.org/citation.cfm?id=2307353

https://windowsir.blogspot.com/search?q=usb

HTH


UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

First watch this https://m.youtube.com/watch?v=48viMtzQ4rE

Then download and test Nirsoft’s excellent free tools.

Then use Passmark’s OSForensics trial version to image and analyze the Rubber Ducky’s microSD Card.

Finally, watch the first season of Mr. Robot.


watcher
(@watcher)
Estimable Member
Joined: 19 years ago
Posts: 125
 

UnallocatedClusters wrote:
    First watch this https://m.youtube.com/watch?v=48viMtzQ4rE
    Then download and test Nirsoft's excellent free tools.
    Then use Passmark's OSForensics trial version to image and analyze the Rubber Ducky's microSD Card.
    Finally, watch the first season of Mr. Robot.

Rubber Ducky is not a hardware key logger!


Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

Process would depend on how the device worked.

e.g. it might be pure hardware and connected in series with a USB keyboard cable to snoop on the data. In which case there might be nothing to investigate on the PC itself.

Or it might be software that runs on the PC, where the key-logger software was just loaded from a USB flash drive. In which case the hardware aspect is rather trivial.


UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

How to use Active Directory to disable USB drive use https://4sysops.com/archives/how-to-disable-usb-drive-use-in-an-active-directory-domain/

This is a dated article but contains the basic pathway (including command line commands) to restrict USB device usage.

Perhaps including potential security improvements to your threat model might interest people.

My corporate clients also use Symantec or McAfee software to automatically encrypt all data leaving the network to external storage media.

Free-to-use encryption methods include BitLocker or AccessData's FTK Imager (password encrypted AD1 logical image file) combined with a relatively robust password keeping application/system.

