Peripheral devices forensic analysis

(@ihabm)
Active Member
Joined: 4 years ago
Posts: 5
Topic starter  

Hello,

I would like to ask how I could do a forensic analysis of peripheral devices. If malware can get persistence by infecting a monitor, keyboard or mouse, how could I analyse this?

Thanks

 


   
(@neeru)
Active Member
Joined: 16 years ago
Posts: 8
 

Analysis of logs from peripheral devices could throw some light on the protocol used for transmission and IP address details. Further analysis of process logs in the affected systems could throw some light on the process or application exploited by the malware.


   
(@c-r-s)
Estimable Member
Joined: 14 years ago
Posts: 170
 

If there is no first-hand evidence for a particular activity in host logs or from sniffing the device's communication, you'd usually go for a comparison of internal storage with known good samples. It also helps to get as much vendor knowledge as possible, obtain and reverse engineer firmware, updaters, device drivers...


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

Anything with software / firmware could potentially host malware, and more advanced keyboards and mice certainly have firmware in them.

In practice, however, devices like keyboards and mice are programmed in the factory as the PCB (Printed Circuit Board) is being made. A device like a JTAG programmer is often used for programming, and the only way to update the programming is with physical access to the PCB and the right tools. There are some exceptions to this, however, where firmware updates can take place in the field. Here is an example of open source keyboard firmware.

you'd usually go for a comparison of internal storage with known good samples

+1


   
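The comparison of internal storage with a known good sample that the replies above recommend, as an added example that is not part of any post in this thread. It assumes you already hold a raw dump of the device's storage and a vendor reference image with the same layout; the 256-byte block size and the sample images are constructed for illustration.

```python
import hashlib

BLOCK = 256  # comparison granularity in bytes (assumed; match the flash page size)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_erased(data: bytes) -> bool:
    """True if the region holds only 0xFF, the erased state of flash memory."""
    return len(data) > 0 and data.count(0xFF) == len(data)

def diff_regions(dump: bytes, reference: bytes, block: int = BLOCK):
    """Return (start, end, note) byte ranges where the dump differs from the reference."""
    common = min(len(dump), len(reference))
    regions = []
    for off in range(0, common, block):
        end = min(off + block, common)
        if dump[off:end] == reference[off:end]:
            continue
        if regions and regions[-1][1] == off:   # merge adjacent differing blocks
            regions[-1][1] = end
        else:
            regions.append([off, end])
    out = []
    for start, end in regions:
        # Data appearing where the reference is blank deserves a closer look
        # than a changed byte inside existing code or configuration.
        blank = is_erased(reference[start:end])
        out.append((start, end, "written into erased space" if blank else "modified"))
    if len(dump) != len(reference):             # a size mismatch is itself a finding
        longer, who = (dump, "dump") if len(dump) > len(reference) else (reference, "reference")
        tail = longer[common:]
        kind = "erased padding" if is_erased(tail) else "contains data"
        out.append((common, len(longer), f"extra {who} bytes, {kind}"))
    return out

def compare(dump: bytes, reference: bytes):
    """Empty list when the images hash identically, otherwise the differing regions."""
    return [] if sha256(dump) == sha256(reference) else diff_regions(dump, reference)

# Constructed sample images, not real firmware.
reference = b"\x02BOOT" + bytes(range(251)) + b"\xff" * 768   # 1 KiB reference image
_d = bytearray(reference)
_d[0x10:0x14] = b"\x00\x00\x00\x00"     # changed bytes inside the populated area
_d[0x300:0x308] = b"\x41" * 8           # data where the reference is blank
dump = bytes(_d) + b"\xff" * 256        # the dump covered a larger chip area

if __name__ == "__main__":
    for start, end, note in compare(dump, reference):
        print(f"0x{start:06x}-0x{end:06x}  {note}")
```

The reported ranges tell you where to point a disassembler or hex viewer first; a region that is blank in the reference but populated in the dump is not proof of tampering on its own, since some devices store settings or calibration data there.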