Linux forensics: tracking the connection history of USB devices (usbrip); viewing connected USB devices in Linux


When you connect a USB flash drive or any other USB device to your computer, a set of device files is created through which you can access it. In a file manager everything is simple enough, but once it comes to the console things get harder.

It is important for every beginner to be able to identify connected devices, be they USB flash drives, SD cards or hard drives, so as not to write something to the wrong place or format the wrong disk. In this article we will look at several ways to view the USB devices connected to a Linux computer.

The Linux operating system follows a particular design philosophy: all objects, including devices, are treated as files. When a device is connected to the system, a device file is created for it in the /dev/ directory.

Usually, after you connect a USB flash drive or other storage device to a system with a desktop environment installed, the device is automatically mounted under /media/username/devicelabel/, and you can then access its files in that folder. There are situations, however, when you need to mount the USB device manually, and then this option will not help.

All device files live in the /dev/ directory. Here you can find files such as sda or hda, which represent whole disks, as well as sda1 or hda1, which give access to individual partitions. We have already discussed this in detail in the article. You can list all device files in the /dev/ directory with the command:

Now it remains to work out which of these device files belong to USB devices, and to which devices exactly.

How to see Linux USB devices

To get more detailed information about the storage devices connected to your system, you can use the df command. It is used to view free space on disk:

By the total size and the space used you can work out which device is your flash drive, but this way of viewing Linux devices is not very convenient: it only shows filesystems that are already mounted. There are several more that give more precise information.

The lsblk command lists all block devices connected to your computer. The utility displays not only their size but also the type (disk/partition) and the major and minor device numbers. Here it is already easier to find the flash drive: we see two disks, and if the first one, at 698 gigabytes, is the hard drive, then the second one is definitely the flash drive:

There is another way, the fdisk utility. It shows the partition table of every block device connected to the computer, but it must be run as the superuser:

You can also find out about a freshly connected USB device by looking at the dmesg kernel message buffer. It stores messages about everything that happens in the kernel, including the name assigned to the flash drive you have just plugged in. To view the kernel messages, run:

To see which of the sd devices are attached over USB, list the by-id symlinks, which point at the corresponding /dev/sdX nodes:

ls -l /dev/disk/by-id/usb*
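The checks above can be combined into one script. The following is an added example, not code from the original article: it reads the JSON form of lsblk (the TRAN column reports the transport, "usb" for USB-attached disks) and picks out USB disks together with their partitions, mounted or not. The embedded JSON is a constructed sample of what `lsblk -J -o NAME,TRAN,SIZE,TYPE,MOUNTPOINT` prints; the script falls back to it when lsblk is not available on the host.

```python
"""Pick out USB-attached block devices from lsblk's JSON output.
Added example (not from the original article). Assumes util-linux lsblk with
-J support; the JSON below is a constructed sample of what
'lsblk -J -o NAME,TRAN,SIZE,TYPE,MOUNTPOINT' prints (lowercase keys)."""
import json
import shutil
import subprocess

LSBLK_COLUMNS = "NAME,TRAN,SIZE,TYPE,MOUNTPOINT"

SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "sda", "tran": "sata", "size": "698.6G", "type": "disk", "mountpoint": null,
   "children": [
     {"name": "sda1", "tran": null, "size": "698.1G", "type": "part", "mountpoint": "/"},
     {"name": "sda2", "tran": null, "size": "512M", "type": "part", "mountpoint": "[SWAP]"}]},
  {"name": "sdb", "tran": "usb", "size": "14.9G", "type": "disk", "mountpoint": null,
   "children": [
     {"name": "sdb1", "tran": null, "size": "14.9G", "type": "part", "mountpoint": "/media/user/USBDISK"}]},
  {"name": "sdc", "tran": "usb", "size": "3.7G", "type": "disk", "mountpoint": null,
   "children": [
     {"name": "sdc1", "tran": null, "size": "3.7G", "type": "part", "mountpoint": null}]},
  {"name": "sr0", "tran": "sata", "size": "1024M", "type": "rom", "mountpoint": null}
]}
""")


def usb_block_devices(lsblk_json):
    """Return one dict per USB-attached whole disk with its partitions.
    The transport (TRAN) is only set on the whole disk, so the test is made on the
    top-level entry and the partitions are listed under it. A disk without children
    is an unpartitioned USB drive and is reported with an empty partition list."""
    found = []
    for dev in lsblk_json.get("blockdevices", []):
        if dev.get("type") != "disk" or dev.get("tran") != "usb":
            continue
        parts = [{"name": c["name"], "size": c["size"], "mountpoint": c.get("mountpoint")}
                 for c in dev.get("children", []) if c.get("type") == "part"]
        found.append({"device": "/dev/" + dev["name"], "size": dev["size"], "partitions": parts})
    return found


def unmounted_usb_partitions(lsblk_json):
    """Partitions on USB disks that are present but not mounted: the ones you mount by hand."""
    return [p["name"] for d in usb_block_devices(lsblk_json)
            for p in d["partitions"] if p["mountpoint"] is None]


def live_usb_block_devices():
    """Run lsblk on this host. Returns [] when lsblk is missing or fails (e.g. not Linux)."""
    if shutil.which("lsblk") is None:
        return []
    try:
        out = subprocess.run(["lsblk", "-J", "-o", LSBLK_COLUMNS],
                             capture_output=True, text=True, check=True).stdout
        return usb_block_devices(json.loads(out))
    except (subprocess.SubprocessError, json.JSONDecodeError, OSError):
        return []


if __name__ == "__main__":
    # Prefer the live system; fall back to the constructed sample for demonstration.
    for d in live_usb_block_devices() or usb_block_devices(SAMPLE_LSBLK):
        print(d["device"], d["size"], [(p["name"], p["mountpoint"]) for p in d["partitions"]])
```

The same TRAN column can be read directly in a terminal with `lsblk -o NAME,TRAN,SIZE,TYPE,MOUNTPOINT`; the JSON form is simply easier to consume from a script.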

As part of a deep dive into one of the disciplines (while studying for a degree in computer security), I worked on an entertaining project that I would not want to simply bury in the depths of the Univer folder on an external hard drive.

This project is called usbrip and is a small console open source utility for Linux forensics, namely for working with the connection history of USB devices. The program is written in pure Python 3 (using some third-party modules) and does not require dependencies other than the Python 3.x interpreter and a couple of lines from requirements.txt, resolvable in one line with pip.

In this post I will describe some of the features of this software and leave a short manual with a link to the download source.


Note: the functionality described in this article applies to the version of the utility current at the time of writing. For the latest version, with many new features, go to the repository.

Screenshots

Getting the connection history of removable USB devices:

Finding additional information about a USB device by its model ID (PID):

Description

As you know, GNU/Linux based operating systems are quite diligent about logging all kinds of events, and the connection and disconnection of USB devices is no exception. Combined with the UNIX philosophy point about "text streams as a universal interface", this means that the artifacts of such events (with varying degrees of detail, depending on the distribution) can be found in one or more of the following text files:
  • /var/log/kern.log*;
  • /var/log/syslog*;
  • /var/log/messages*;
  • /var/log/dmesg*;
  • /var/log/daemon.log*.
FORENSIC-PROOF even shows us this picture (a bit incomplete, but never mind):

For its work, usbrip looks for the log files common to Debian-based (Ubuntu, Linux Mint etc.) and RPM-based (CentOS, Fedora, openSUSE etc.) distributions, namely /var/log/syslog* or /var/log/messages*, parses them for the relevant records and turns the traces of USB device connections it finds into neat tables (or lists, whichever you prefer). Note that on systems which keep logs only in the systemd journal and run no syslog daemon these files may be absent; the same kernel messages can then be exported from the journal with journalctl and handed to usbrip as external log files with the -f option. Bear in mind also that these logs rotate, so for forensic use collect them (including the rotated and gzipped copies) before the events age out.

usbrip can also:

  • create lists of authorized (trusted) devices in the form of JSON files;
  • search for "violating events" based on the list of trusted devices: connection/disconnection events involving USB devices not marked as trusted;
  • search for additional information about a USB device by its VID (Vendor ID) and/or PID (Product ID).
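To make the description above concrete, here is an added example (my own code, not usbrip's) that does the core of what the "events history", "events gen_auth" and "events violations" submodules do: it parses the kernel's usbcore messages out of syslog-style lines, pairs each "New USB device found" record with the Product/Manufacturer/SerialNumber lines and the later "USB disconnect" on the same port, builds a trusted list from chosen attributes, and reports the events that match no trusted entry. The log lines are constructed; the message formats are the kernel's standard ones, but the classic syslog timestamp layout ("Sep 26 09:12:01 host kernel: ...") is an assumption.

```python
"""Recover USB connection events from syslog/kern.log-style kernel messages and
check them against a trusted-device list, the way usbrip's "events history",
"events gen_auth" and "events violations" submodules do. Added example, not
usbrip's code. Assumptions: classic syslog timestamps and the kernel's standard
usbcore messages. The log below is constructed."""
import json
import re
from dataclasses import dataclass, asdict
from typing import List, Optional

# Anchor on "kernel:" and the "usb <port>:" prefix; the optional "[ seconds ]"
# uptime stamp and the hostname vary between distributions.
LINE_RE = re.compile(
    r'^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'.*?kernel: (?:\[\s*[\d.]+\] )?usb (?P<port>[\d.-]+): (?P<msg>.*)$')
NEW_RE = re.compile(r'^New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})')
ATTR_RE = re.compile(r'^(?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$')
DISC_RE = re.compile(r'^USB disconnect, device number \d+')


@dataclass
class UsbEvent:
    conn: str
    host: str
    port: str
    vid: str
    pid: str
    prod: Optional[str] = None
    manufact: Optional[str] = None
    serial: Optional[str] = None
    disconn: Optional[str] = None   # stays None for a device never unplugged (or still present)


def parse_events(lines) -> List[UsbEvent]:
    """One event per 'New USB device found'; later Product/Manufacturer/SerialNumber
    and 'USB disconnect' lines for the same port are attached to that event."""
    events, plugged = [], {}          # plugged: port -> event currently on that port
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        date, host, port, msg = m.group('date', 'host', 'port', 'msg')
        n = NEW_RE.match(msg)
        if n:
            ev = UsbEvent(conn=date, host=host, port=port, vid=n['vid'], pid=n['pid'])
            events.append(ev)
            plugged[port] = ev
            continue
        if port not in plugged:
            continue                  # attribute line for a device whose connection we never saw
        a = ATTR_RE.match(msg)
        if a:
            field = {'Product': 'prod', 'Manufacturer': 'manufact', 'SerialNumber': 'serial'}[a['key']]
            setattr(plugged[port], field, a['val'].strip())
        elif DISC_RE.match(msg):
            plugged.pop(port).disconn = date
    return events


def external_only(events):
    """Equivalent of -e/--external: only devices that have disconnect information."""
    return [ev for ev in events if ev.disconn is not None]


def gen_auth(events, attributes=('vid', 'pid')):
    """Trusted-device list: the distinct combinations of the chosen attributes (JSON-ready)."""
    trusted = []
    for ev in events:
        entry = {a: getattr(ev, a) for a in attributes}
        if entry not in trusted:
            trusted.append(entry)
    return trusted


def violations(events, trusted, attributes=('vid', 'pid')):
    """Events whose chosen attributes match no entry in the trusted list."""
    allowed = {tuple(t.get(a) for a in attributes) for t in trusted}
    return [ev for ev in events if tuple(getattr(ev, a) for a in attributes) not in allowed]


# Constructed sample: one SanDisk stick plugged and removed, then an unknown
# device (made-up VID/PID) plugged into a hub port and left connected.
SAMPLE_LOG = """\
Sep 26 09:12:01 lab kernel: [  512.101] usb 1-1: new high-speed USB device number 3 using xhci_hcd
Sep 26 09:12:01 lab kernel: [  512.230] usb 1-1: New USB device found, idVendor=0781, idProduct=5580, bcdDevice= 1.00
Sep 26 09:12:01 lab kernel: [  512.230] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Sep 26 09:12:01 lab kernel: [  512.230] usb 1-1: Product: Extreme
Sep 26 09:12:01 lab kernel: [  512.230] usb 1-1: Manufacturer: SanDisk
Sep 26 09:12:01 lab kernel: [  512.230] usb 1-1: SerialNumber: AA01020304050607
Sep 26 09:40:17 lab kernel: [ 2208.004] usb 1-1: USB disconnect, device number 3
Sep 26 10:02:45 lab kernel: [ 3556.880] usb 1-1.2: new full-speed USB device number 4 using xhci_hcd
Sep 26 10:02:45 lab kernel: [ 3556.990] usb 1-1.2: New USB device found, idVendor=1a2b, idProduct=3c4d
Sep 26 10:02:45 lab kernel: [ 3556.990] usb 1-1.2: Product: Keyboard
Sep 26 10:02:45 lab kernel: [ 3556.990] usb 1-1.2: Manufacturer: Example
"""

if __name__ == '__main__':
    evs = parse_events(SAMPLE_LOG.splitlines())
    trusted = gen_auth(external_only(evs))   # trust what was plugged in and removed earlier
    print(json.dumps(trusted, indent=2))
    for ev in violations(evs, trusted):
        print('VIOLATION', json.dumps(asdict(ev)))
```

Matching on VID and PID alone, as the default here does, treats every device of the same model as trusted; for a real allow-list include the serial number as well, with the caveat that a serial is only as trustworthy as the firmware reporting it.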

Reference

Get a list of available modules:

$ python3 usbrip.py -h

Get a list of available submodules for a specific module:

$ python3 usbrip.py <module> -h

Get a list of available options for a specific submodule:

$ python3 usbrip.py <module> <submodule> -h

Syntax

$ python3 usbrip.py banner
Display the utility banner.

$ python3 usbrip.py events history [-q] [-t | -l] [-e] [-n NUMBER_OF_EVENTS] [-d DATE [DATE ...]] [-c COLUMN [COLUMN ...]] [-f LOG_FILE [LOG_FILE ...]]
View the USB connection history.

$ python3 usbrip.py events gen_auth <OUTPUT_FILE.JSON> [-a ATTRIBUTE [ATTRIBUTE ...]] [-q] [-e] [-n NUMBER_OF_EVENTS] [-d DATE [DATE ...]] [-f LOG_FILE [LOG_FILE ...]]
Generate a list of authorized (trusted) USB devices.

$ python3 usbrip.py events violations <INPUT_FILE.JSON> [-a ATTRIBUTE [ATTRIBUTE ...]] [-q] [-t | -l] [-e] [-n NUMBER_OF_EVENTS] [-d DATE [DATE ...]] [-c COLUMN [COLUMN ...]] [-f LOG_FILE [LOG_FILE ...]]
Search for "violating events" based on the list of trusted devices.

$ python3 usbrip.py ids search [-q] [--vid VID] [--pid PID] [--offline]
Search for additional information about a device by its VID and/or PID in the identifier database.

$ python3 usbrip.py ids download [-q]
Update (download) the local USB device identifier database.

Options

Options supported by the "events history", "events gen_auth", "events violations", "ids search" and "ids download" submodules:

-q, --quiet
    omit the banner and the informational (green) messages, and do not ask questions while running

Options supported by the "events history", "events gen_auth" and "events violations" submodules:

-e, --external
    look only for removable USB devices (those that have disconnect information)
-n NUMBER_OF_EVENTS, --number NUMBER_OF_EVENTS
    number of the most recent events to print
-d DATE [DATE ...], --date DATE [DATE ...]
    list of dates by which events are filtered during the search
-f LOG_FILE [LOG_FILE ...], --file LOG_FILE [LOG_FILE ...]
    list of log files (if not specified, the event history is searched in the default log files, /var/log/syslog* or /var/log/messages* depending on the OS)

Options supported by the "events history" and "events violations" submodules:

-t, --table
    generate table output (if the terminal window is too narrow to display the table correctly, the output is automatically generated as a list; with -t specified, table output is forced)
-l, --list
    generate list output
-c COLUMN [COLUMN ...], --column COLUMN [COLUMN ...]
    list of columns to use when building the table (only effective for table output); allowed keys: "conn", "user", "vid", "pid", "prod", "manufact", "serial", "port", "disconn"

Options supported by the "events gen_auth" and "events violations" submodules:

-a ATTRIBUTE [ATTRIBUTE ...], --attribute ATTRIBUTE [ATTRIBUTE ...]
    list of attributes used when building the list of authorized devices (and, for "events violations", when searching for "violating events"); allowed keys: "vid", "pid", "prod", "manufact", "serial"

Options supported by the "ids search" submodule:

--vid VID
    vendor ID, the USB device manufacturer's ID (usually 4 hex digits)
--pid PID
    product ID, the USB device model ID (usually 4 hex digits)
--offline
    if specified, the search for additional information in the identifier database is done without updating the database first

Examples of using

Show the connection history of all USB devices, omitting the banner, the informational (green) messages and any questions during execution (-q, --quiet), generating the output as a list (-l, --list) and limiting it to the 100 most recent events found (-n NUMBER_OF_EVENTS, --number NUMBER_OF_EVENTS):
$ python3 usbrip.py events history -ql -n 100
Show the connection history of removable USB devices (-e, --external), generating the output as a table with the columns "Connected", "VID", "PID", "Disconnected" and "Serial Number" (-c COLUMN [COLUMN ...], --column COLUMN [COLUMN ...]), filtering the search by dates (-d DATE [DATE ...], --date DATE [DATE ...]) and taking the information from external log files (-f LOG_FILE [LOG_FILE ...], --file LOG_FILE [LOG_FILE ...]):
$ python3 usbrip.py events history -et -c conn vid pid disconn serial -d "Dec 9" "Dec 10" -f /var/log/syslog.1 /var/log/syslog.2.gz
Build a connection history table of all USB devices and redirect the output to a file for further analysis. When the output stream is not the terminal's stdout (a "|" or ">" redirection, for example), the output contains no escape sequences for font colour, so the text file is not littered with unreadable characters. It should also be noted that usbrip uses some Unicode constants, so it is a good idea to convert the generated file to UTF-8 right away so that they display correctly (for example with enconv), and to use Windows-style line endings for better portability (for example with awk):
$ python3 usbrip.py events history -t | awk '{ sub("$", "\r"); print }' > usbrip.txt && enconv -x UTF8 usbrip.txt
Note: you can also strip the colour escape sequences when the output has already gone to a terminal. To do this, copy the received data into a new file usbrip.txt and add one more awk instruction that removes ANSI CSI sequences (ESC [ parameters intermediates final byte):
$ awk '{ sub("$", "\r"); gsub("\\x1B\\[[0-?]*[ -/]*[@-~]", ""); print }' usbrip.txt > usbrip_clean.txt && enconv -x UTF8 usbrip_clean.txt
Create a list of trusted devices in the form of a JSON file (trusted/auth.json) containing the "VID" and "PID" fields of the first three devices connected on September 26th:
$ python3 usbrip.py events gen_auth trusted/auth.json -a vid pid -n 3 -d "Sep 26"
Find "violating events" in the connection history of removable USB devices based on the list of trusted devices (trusted/auth.json), comparing by the "PID" field, and generate the output as a table with the "Connected", "VID" and "PID" fields:
$ python3 usbrip.py events violations trusted/auth.json -a pid -et -c conn vid pid
Find additional information about a USB device from its VID and PID:
$ python3 usbrip.py ids search --vid 0781 --pid 5580
Download/update the USB device ID database (source):
$ python3 usbrip.py ids download
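For the "ids search" example above, here is an added example (not usbrip's code) of how such a lookup works against the usb.ids file format used by the downloaded database: vendor lines ("0781  SanDisk Corp."), tab-indented product lines, and a trailing class table with letter prefixes that must not be mistaken for vendor entries. The embedded excerpt is constructed in that layout (the "ffee" vendor is made up), so look names up in the actual file rather than trusting these.

```python
"""Look up vendor and product names by VID/PID in a file in the usb.ids format,
which is what usbrip's "ids search" does against the database that
"ids download" fetches. Added example, not usbrip's code. The excerpt below is
constructed in the usb.ids layout; use the real file for real lookups."""
import re

VENDOR_RE = re.compile(r"^([0-9a-f]{4})  (.+)$")        # "0781  SanDisk Corp."
PRODUCT_RE = re.compile(r"^\t([0-9a-f]{4})  (.+)$")     # "\t5580  SDCZ80 Flash Drive"

SAMPLE_USB_IDS = """\
# Constructed excerpt in the usb.ids layout
0781  SanDisk Corp.
\t5580  SDCZ80 Flash Drive
\t5583  Ultra Fit
1d6b  Linux Foundation
\t0001  1.1 root hub
\t0002  2.0 root hub
ffee  Example Vendor (made up)
\t0001  Example Device
\t\t01  Example Interface

# List of known device classes, subclasses and protocols
C 00  (Defined at Interface level)
C 03  Human Interface Device
\t01  Boot Interface Subclass
"""


def parse_usb_ids(text):
    """Return {vid: (vendor_name, {pid: product_name})}. Only the vendor/product part
    is read: the first line that is neither a vendor entry, a tab-indented child nor a
    comment (the 'C 00 ...' class table) ends the device section."""
    db, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        v = VENDOR_RE.match(line)
        if v:
            current = v.group(1)
            db[current] = (v.group(2).strip(), {})
            continue
        p = PRODUCT_RE.match(line)
        if p and current is not None:
            db[current][1][p.group(1)] = p.group(2).strip()
            continue
        if not line.startswith("\t"):
            break              # reached the class/subclass tables
        # "\t\t" interface lines are ignored
    return db


def search(db, vid=None, pid=None):
    """Mimic 'ids search --vid/--pid'. PIDs are only unique within a vendor, so a search
    by --pid alone reports every vendor that has that product ID."""
    vid = vid.lower() if vid else None
    pid = pid.lower() if pid else None
    hits = []
    for v, (vname, products) in db.items():
        if vid and v != vid:
            continue
        if pid is None:
            hits.append({"vid": v, "vendor": vname, "pid": None, "product": None})
        elif pid in products:
            hits.append({"vid": v, "vendor": vname, "pid": pid, "product": products[pid]})
    return hits


if __name__ == "__main__":
    ids = parse_usb_ids(SAMPLE_USB_IDS)   # real file: parse_usb_ids(open("usb.ids").read())
    for hit in search(ids, vid="0781", pid="5580"):
        print(hit)
```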

Links and postscript

You can pick up the utility from Github, all dependencies for launch and correct operation are listed in requirements.txt.

Thank you for attention!

P.S. Yes, the style of the banner and informational messages is inspired by the sqlmap project (*^.^*)

UPD 06/13/2018. There has been an investigation of a real (?) case involving my utility by someone from Codeby (he was in shock, to be honest).

You have connected a USB flash drive, keyboard or mouse to your Linux PC, but nothing happens.

What is the matter? Why does your Linux PC not detect the device? Is it Linux, or has your USB device stopped working?

USB not working in Ubuntu?

Disk drives, memory card readers, phones, media players and media peripherals are all useful, but if there is a problem with your system's USB port or drivers they will not work. This is especially frustrating if you use a Bluetooth keyboard or mouse (with a USB dongle), because it means digging out wired USB alternatives.

However, it may not be a dead port. It is possible that the USB device you are using is faulty and cannot be detected.

Troubleshooting USB problems can seem daunting, but these faults are not impossible to diagnose and fix.

There are five steps to follow when troubleshooting USB problems in Linux:

  1. Make sure the USB port is detected
  2. Carry out any necessary repairs to the port
  3. Fix or repair the USB device
  4. Reboot the Linux operating system
  5. Confirm the presence of device drivers

Let's take a look at each in turn and learn how to deal with USB devices in Linux.

1. Is your device detected by Linux?

The first thing to check when plugging a USB device into a Linux computer is whether it has been detected. Unlike Windows or macOS, Linux usually gives no spoken or audible notification of USB device detection (Deepin Linux is an exception), so you often have to check for yourself that the operating system has picked up the device.

Fortunately, it's easy.

First, unplug the USB device you are testing. Then open a terminal window and enter the lsusb ("list USB") command:

The dmesg command will also list the connected USB devices on your system. It includes non-USB hardware as well and, unfortunately, produces a huge amount of output. To narrow that down you can try the usb-devices script shipped with usbutils:

It is something of a cross between dmesg and lsusb, listing the connected USB hardware with enough information to identify it.

So, is the USB device you plugged in listed? If not, the port may be damaged or there is a problem with the device. Alternatively, the device may not be compatible with Linux.

2. How to check the USB port

If the USB device does not appear, it may be due to a problem with the USB port.

The best way to check this is simply to use a different USB port on your computer. If the USB hardware is now detected, you know that one of the USB ports has a problem.

If no other USB port is available, try the USB device on another PC or laptop. This is not ideal if the only alternative is a Windows or macOS machine, because some USB devices that work there cannot be used with Linux, which makes it hard to tell whether the device or the port is causing the problem.

For best results, where possible, stick to Linux-compatible hardware when troubleshooting USB devices.

3. Fix broken USB hardware

If your USB hardware is faulty, you have two options: fix it or return it.

The fix usually involves checking the USB port as well as the device that is currently not working. Fixes almost always centre on the USB cable and the port on your computer. USB cables can usually be replaced, while USB ports can be repaired.

A physical check of the USB hardware is a good idea. Cables must be sound, without any breaks, and the metal connector securely attached.

USB ports, meanwhile, should be inspected with the PC turned off and unplugged from the mains. Check that the ports are firmly seated; wobbly USB ports are a sign of wear.

If a USB port has come loose, you can solder it back in place. Of course, you should already know how to solder; never attempt DIY work without prior experience.

Also check for dust and dirt in the USB ports, especially on the back of the computer where dust collects regularly. Dust is the enemy of the PC, so it is worth keeping your system in a dust-free environment. Dust can find its way into your PC through USB ports, so take the time to keep these ports clean, using compressed air to disperse dust and dirt.

Can you return your USB device? If it is new, probably. The problem is that if it is not explicitly marked as supporting Linux, the store is unlikely to accept the return.

4. Reboot Linux to fix a USB port

In some cases, for example on a laptop, power management can affect the ability to detect USB devices. The autosuspend option is intended to reduce the power consumption of Linux laptops, but it can be counterproductive.

So what can you do?

First check whether autosuspend is causing the problem. You can do this by restarting the computer: if the USB device works after the restart, the port is receiving power.

The next step is to make sure it does not happen again. The command-line steps below are for Ubuntu 18.10, so check the correct procedure for your preferred Linux distribution.

Open a terminal window and type:

cat /sys/module/usbcore/parameters/autosuspend

The value printed is the number of idle seconds after which a device is suspended (2 by default); a value of -1 means autosuspend is disabled. Changing it persistently is done through the kernel command line in /etc/default/grub; there, look for:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

USB (Universal Serial Bus) was developed by a consortium of companies with the goal of providing a single, simple bus for connecting peripherals.

The USB design allows devices to be connected on the fly using standard connectors. USB devices include keyboards, mice, printers, scanners, hard drives, flash drives, cameras, modems, network adapters and speakers, and the list keeps growing.

Linux support for USB devices is fairly comprehensive, but some devices require special drivers, while others, primarily printers and scanners, may be unsupported or only partially supported.

A computer system may contain one or more controllers, or hubs, to which USB devices or further (external) hubs are connected. A hub can support up to 7 devices, which in turn can be additional hubs. The hub inside the system unit is called the root hub. Each such star topology can support up to 127 hubs or devices.

When we talk about a USB port, we mean the computer's USB capability and physical socket, not the internal port address used by the device.

The layered design of USB lets the host determine the characteristics of a USB device, including its class, manufacturer name, device name, power requirements, speed, supported USB level and other features.

USB device support modules in Linux

USB devices are now fully supported on Linux. Most of the work landed in the 2.6 kernel series, although there was some support as early as the 2.2 kernels. Linux supports USB 2.0 as well as the earlier specifications. Because USB is hot-pluggable, support is usually provided through kernel modules that can be loaded and unloaded as needed.

The lspci command shows the USB controllers (host controllers on the PCI bus, not the attached devices):

# lspci | grep -i usb
00:03.0 USB Controller: Silicon Integrated Systems USB 1.1 Controller (rev 0f)
00:03.1 USB Controller: Silicon Integrated Systems USB 1.1 Controller (rev 0f)
00:03.3 USB Controller: Silicon Integrated Systems USB 2.0 Controller

The output shows that there are 3 USB controllers in the system.

Using the lsmod command you can display the loaded USB-related modules:

# lsmod | egrep "usb|hci|hid|mouse|Module"
Module                  Size  Used by
hid_microsoft           3232  0
usbhid                 32992  0
hid                    39040  2 hid_microsoft,usbhid
ohci_hcd               24332  0
psmouse                41644  0
ssb                    38464  1 ohci_hcd
ehci_hcd               34152  0

Display connected USB devices

A summary of the currently connected USB devices is contained in the file /proc/bus/usb/devices. (That file belongs to the old usbfs, which current kernels no longer provide; the same listing is available at /sys/kernel/debug/usb/devices once debugfs is mounted, and the usb-devices script from usbutils prints it in the same format.) You can print it with the following command:

# cat /proc/bus/usb/devices
T:  Bus=03 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=12  MxCh= 3
B:  Alloc=  0/900 us ( 0%), #Int=  0, #Iso=  0
D:  Ver= 1.10 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0001 Rev= 2.06
S:  Manufacturer=Linux 2.6.29.6 ohci_hcd
S:  Product=OHCI Host Controller
S:  SerialNumber=0000:00:03.1
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub
E:  Ad=81(I) Atr=03(Int.) MxPS=   2 Ivl=255ms

T:  Bus=02 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=12  MxCh= 3
B:  Alloc= 28/900 us ( 3%), #Int=  2, #Iso=  0
D:  Ver= 1.10 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0001 Rev= 2.06
S:  Manufacturer=Linux 2.6.29.6 ohci_hcd
S:  Product=OHCI Host Controller
S:  SerialNumber=0000:00:03.0
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub
E:  Ad=81(I) Atr=03(Int.) MxPS=   2 Ivl=255ms

T:  Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=1.5 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=045e ProdID=00db Rev= 1.73
S:  Manufacturer=Microsoft
S:  Product=Natural® Ergonomic Keyboard 4000
C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=01 Prot=01 Driver=usbhid
E:  Ad=81(I) Atr=03(Int.) MxPS=   8 Ivl=10ms
I:* If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=10ms

T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=480 MxCh= 6
B:  Alloc=  0/800 us ( 0%), #Int=  0, #Iso=  0
D:  Ver= 2.00 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0002 Rev= 2.06
S:  Manufacturer=Linux 2.6.29.6 ehci_hcd
S:  Product=EHCI Host Controller
S:  SerialNumber=0000:00:03.3
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub
E:  Ad=81(I) Atr=03(Int.) MxPS=   4 Ivl=256ms

In the listing, Spd=480 denotes a USB 2.0 (high-speed) device and Spd=12 a USB 1.1 full-speed device. Further down the list you can see that one USB device is currently connected to the system, the Microsoft Natural Ergonomic Keyboard 4000 (Spd=1.5, i.e. low speed); the Lev=00 entries are the root hubs of the three controllers.

On this keyboard, of course, I am typing this text.
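The listing above is easy to parse because every device starts with a T: line and the P:, S: and I: lines that follow belong to it. The following added example (not from the original article) turns the listing into one record per device, drops the root hubs, and prints an lsusb-style summary with the speed and the drivers bound to each interface; the same parser works on /sys/kernel/debug/usb/devices and on the output of the usb-devices script. The embedded listing is a constructed excerpt in that format.

```python
"""Parse the /proc/bus/usb/devices listing (same format in
/sys/kernel/debug/usb/devices and in the usb-devices script's output) into one
record per device. Added example, not from the original article; the listing
below is a constructed excerpt in that format."""
import os
import re

SAMPLE_DEVICES = """\
T:  Bus=02 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=12  MxCh= 3
B:  Alloc= 28/900 us ( 3%), #Int=  2, #Iso=  0
D:  Ver= 1.10 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0001 Rev= 2.06
S:  Manufacturer=Linux 2.6.29.6 ohci_hcd
S:  Product=OHCI Host Controller
S:  SerialNumber=0000:00:03.0
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub
E:  Ad=81(I) Atr=03(Int.) MxPS=   2 Ivl=255ms
T:  Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=1.5 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=045e ProdID=00db Rev= 1.73
S:  Manufacturer=Microsoft
S:  Product=Natural Ergonomic Keyboard 4000
C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=01 Prot=01 Driver=usbhid
E:  Ad=81(I) Atr=03(Int.) MxPS=   8 Ivl=10ms
I:* If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=10ms
"""

SPEED_NAMES = {"1.5": "low speed (USB 1.x)", "12": "full speed (USB 1.x)",
               "480": "high speed (USB 2.0)", "5000": "SuperSpeed (USB 3.x)",
               "10000": "SuperSpeed+ (USB 3.1)"}

# 'Key= value' pairs; the value stops before annotations such as "(hub  )".
KV_RE = re.compile(r"(\w+#?)=\s*([^\s(]+)")


def parse_usb_devices(text):
    """Every 'T:' line opens a new device; the P:/S:/I: lines up to the next 'T:' describe it."""
    devices, cur = [], None
    for line in text.splitlines():
        tag = line[:2]
        if tag == "T:":
            f = dict(KV_RE.findall(line))
            cur = {"bus": int(f["Bus"]), "level": int(f["Lev"]), "parent": int(f["Prnt"]),
                   "devnum": int(f["Dev#"]), "speed": f["Spd"],
                   "vid": None, "pid": None, "strings": {}, "drivers": []}
            devices.append(cur)
        elif cur is None:
            continue
        elif tag == "P:":
            f = dict(KV_RE.findall(line))
            cur["vid"], cur["pid"] = f["Vendor"], f["ProdID"]
        elif tag == "S:":
            key, _, val = line[4:].partition("=")
            cur["strings"][key.strip()] = val.strip()
        elif tag == "I:":
            m = re.search(r"Driver=(\S+)", line)
            cur["drivers"].append(m.group(1) if m else "(none)")
    return devices


def peripherals(devices):
    """Drop the root hubs (Lev=00): what remains is the hardware actually plugged in."""
    return [d for d in devices if d["level"] > 0]


def describe(d):
    """lsusb-style one-liner plus speed and bound drivers; a device whose interfaces show
    '(none)' was enumerated by the kernel but has no driver bound."""
    name = " ".join(filter(None, [d["strings"].get("Manufacturer"), d["strings"].get("Product")]))
    return "Bus %03d Device %03d: ID %s:%s %s [%s; drivers: %s]" % (
        d["bus"], d["devnum"], d["vid"], d["pid"], name,
        SPEED_NAMES.get(d["speed"], d["speed"] + " Mb/s"),
        ",".join(sorted(set(d["drivers"]))) or "none")


def load_live():
    """Read the live listing if this kernel exposes one; [] otherwise (debugfs needs root)."""
    for path in ("/sys/kernel/debug/usb/devices", "/proc/bus/usb/devices"):
        if os.path.exists(path):
            try:
                with open(path) as fh:
                    return parse_usb_devices(fh.read())
            except OSError:
                pass
    return []


if __name__ == "__main__":
    for dev in peripherals(load_live() or parse_usb_devices(SAMPLE_DEVICES)):
        print(describe(dev))
```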

The USB device connection hierarchy can be seen with the lsusb command and the -t option:

# lsusb -t
Bus#  3
`-Dev#   1 Vendor 0x1d6b Product 0x0001
Bus#  2
`-Dev#   1 Vendor 0x1d6b Product 0x0001
  `-Dev#   2 Vendor 0x045e Product 0x00db
Bus#  1
`-Dev#   1 Vendor 0x1d6b Product 0x0002

Detailed information about a specific USB device can be obtained with the following command:

# lsusb -vd 0x045e:0x00db

Bus 002 Device 002: ID 045e:00db Microsoft Corp. Natural Ergonomic Keyboard 4000 V1.0
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0         8
  idVendor           0x045e Microsoft Corp.
  idProduct          0x00db Natural Ergonomic Keyboard 4000 V1.0
  bcdDevice            1.73
  iManufacturer           1 Microsoft
  iProduct                2 Natural® Ergonomic Keyboard 4000
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           59
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval              10
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0 No Subclass
      bInterfaceProtocol      0 None
      iInterface              0
      ** UNRECOGNIZED:  09 21 11 01 00 01 22 56 00
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval              10
Device Status:     0x0000
  (Bus Powered)

Connecting a USB device on the fly

Newer systems support connecting USB devices on the fly (hot plug), that is, attaching a device to a running system, which must then:

  • determine the type of the USB device, find its driver and load it;
  • bind the driver to the device;
  • notify the other subsystems about the new USB device.