Digital Forensics of Hardware Key Logger

6 Posts
5 Users
0 Likes
943 Views
(@itsecstudy)
Posts: 1
New Member
Topic starter
 

Hi all,

Firstly apologies if this is in the incorrect forum, it's my first post.

I am creating a theoretical report on digital forensic investigation of a USB hardware keylogger, found attached to a corporate PC.

I need to write about the acquisition process and also analysis to provide a report for incident analysis to understand what happened, and attempt to find out who connected the USB stick. It's a theoretical case so I have some flexibility around the details.

I would like some pointers towards general concepts and analysis of the keylogger and PC. I plan to leverage the registry to look for connected, previously connected devices and then map this back to a user using the GUID found in the user registry hive.

Any general pointers towards verified research or advice would be much appreciated. I have googled already.

Thanks

 
Posted : 11/05/2019 4:22 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

A USB hardware keylogger would need to have some storage…

https://dl.acm.org/citation.cfm?id=2307353

https://windowsir.blogspot.com/search?q=usb

HTH

 
Posted : 11/05/2019 11:46 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

First watch this https://m.youtube.com/watch?v=48viMtzQ4rE

Then download and test Nirsoft’s excellent free tools.

Then use Passmark’s OSForensics trial version to image and analyze the Rubber Ducky’s microSD Card.

Finally, watch the first season of Mr. Robot.

 
Posted : 12/05/2019 3:34 pm
watcher
(@watcher)
Posts: 125
Estimable Member
 

First watch this https://m.youtube.com/watch?v=48viMtzQ4rE

Then download and test Nirsoft’s excellent free tools.

Then use Passmark’s OSForensics trial version to image and analyze the Rubber Ducky’s microSD Card.

Finally, watch the first season of Mr. Robot.

Rubber Ducky is not a hardware key logger!

 
Posted : 12/05/2019 4:03 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

Process would depend on how the device worked.

e.g. it might be pure hardware and connected in series with a USB keyboard cable to snoop on the data. In which case there might be nothing to investigate on the PC itself.

Or it might be software that runs on the PC, where the key-logger software was just loaded from a USB flash drive. In which case the hardware aspect is rather trivial.

 
Posted : 13/05/2019 5:15 am
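The correlation the original poster plans (USBSTOR device entries, MountedDevices, and the volume GUIDs under each user's MountPoints2 key), written out as an added example that is not code from the thread or from any poster, and extended to cover the case Passmark raises: a device that enumerates only as a HID-class keyboard leaves no storage volume and therefore no per-user mount artefact. The dicts stand in for what an offline hive parser (python-registry is assumed for a real case) would return; every serial, GUID and user name below is constructed sample data.

```python
"""Map USB storage artefacts back to users across SYSTEM and NTUSER hives.

Added example, not from the thread. Sample data is constructed; on a real
image the same dicts would be filled from the parsed hives.
"""
import json
import re

# Constructed SYSTEM hive: Enum\USBSTOR\<device id>\<serial&instance>
USBSTOR = {
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
        "CONSTRUCTED001&0": {"FriendlyName": "Generic Flash Disk USB Device"},
    },
}
# Constructed SYSTEM hive: Enum\USB\VID_xxxx&PID_yyyy\<instance> (HID, no storage)
ENUM_USB = {
    "VID_0000&PID_0001": {
        "CONSTRUCTEDKL01": {"Service": "HidUsb", "Class": "HIDClass"},
    },
}
# Constructed SYSTEM hive: MountedDevices value name -> REG_BINARY data
MOUNTED_DEVICES = {
    "\\??\\Volume{11111111-2222-3333-4444-555555555555}": (
        "_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#CONSTRUCTED001&0#"
        "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
    # fixed disk: 4-byte MBR signature + 8-byte partition offset, not a string
    "\\DosDevices\\C:": bytes.fromhex("12345678007e000000000000"),
}
# Constructed NTUSER.DAT excerpts: Explorer\MountPoints2 subkeys per user
MOUNTPOINTS2 = {
    "alice": ["{11111111-2222-3333-4444-555555555555}", "##fileserver#share"],
    "bob": ["##fileserver#share"],
}

GUID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")


def decode_mounted_device(raw):
    """Return the device path for a USB volume, or None for a fixed disk.

    USB volumes are a UTF-16LE string starting '_??_' or '\\??\\'; fixed
    disks are 12 bytes of MBR signature plus partition offset.
    """
    if len(raw) % 2:
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.startswith(("_??_", "\\??\\")) else None


def usb_volumes_by_serial():
    """Map a USBSTOR serial&instance id to the volume GUIDs it was mounted as."""
    out = {}
    for name, raw in MOUNTED_DEVICES.items():
        path = decode_mounted_device(raw)
        guid = GUID_RE.search(name)
        if path is None or guid is None:
            continue
        # _??_USBSTOR#<device id>#<serial&instance>#<interface class GUID>
        parts = path.split("#")
        if len(parts) < 4 or not parts[0].endswith("USBSTOR"):
            continue
        out.setdefault(parts[2], []).append(guid.group(0).lower())
    return out


def correlate():
    """Join USBSTOR -> MountedDevices -> per-user MountPoints2.

    Storage devices get the users whose hive references their volume GUID.
    A HID-class device (logger in series with the keyboard) has no volume,
    so the registry alone cannot attribute it to a user.
    """
    volumes = usb_volumes_by_serial()
    report = {}
    for device_id, instances in USBSTOR.items():
        for serial, props in instances.items():
            guids = volumes.get(serial, [])
            users = []
            for user, keys in MOUNTPOINTS2.items():
                if any(g in {k.lower() for k in keys} for g in guids):
                    users.append(user)
            report[serial] = {
                "device": props.get("FriendlyName", device_id),
                "volumes": guids,
                "users": sorted(users),
                "note": "" if users else "volume never mounted under any profile",
            }
    for vid_pid, instances in ENUM_USB.items():
        for instance, props in instances.items():
            if instance in report or props.get("Class") != "HIDClass":
                continue
            report[instance] = {
                "device": f"{vid_pid} ({props.get('Service')})",
                "volumes": [],
                "users": [],
                "note": "HID-class device: no storage artefact, no user mapping",
            }
    return report


if __name__ == "__main__":
    print(json.dumps(correlate(), indent=2))
```

The join key is the serial&instance component of the USBSTOR path that Windows writes into the MountedDevices string; the volume GUID taken from the MountedDevices value name is what reappears as a MountPoints2 subkey in the profile of each user who had the volume mounted. The HID row is there to make the negative result explicit in the report rather than silently absent.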
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

How to use Active Directory to disable USB drive use https://4sysops.com/archives/how-to-disable-usb-drive-use-in-an-active-directory-domain/

This is a dated article but contains the basic pathway (including command line commands) to restrict USB device usage.

Perhaps including potential security improvements to your threat model might interest people.

My corporate clients also use Symantec or McAfee software to automatically encrypt all data leaving the network to external storage media.

Free-to-use encryption methods include BitLocker or AccessData's FTK Imager (password encrypted AD1 logical image file) combined with a relatively robust password keeping application/system.

 
Posted : 14/05/2019 3:12 am