usbrip: tracking history of USB events on GNU/Linux


usbrip (derived from “USB Ripper”, not “USB R.I.P.” 😯) is an open source forensics tool with a command-line interface that lets you keep track of USB device artifacts (a.k.a. USB event history: “Connected” and “Disconnected” events) on Linux machines.


usbrip is a small piece of software written in pure Python 3 (with a few external modules, see Dependencies/PIP) which parses Linux log files (/var/log/syslog* or /var/log/messages* depending on the distro) to construct USB event history tables. Such tables may contain the following columns: “Connected” (date & time), “User”, “VID” (vendor ID), “PID” (product ID), “Product”, “Manufacturer”, “Serial Number”, “Port” and “Disconnected” (date & time).

It can also:

  • export gathered information as a JSON dump (and, of course, open such dumps);
  • generate a list of authorized (trusted) USB devices as a JSON file (call it auth.json);
  • search for “violation events” based on the auth.json: show (or generate another JSON with) USB devices that do appear in the history and do NOT appear in the auth.json;
  • [when installed] create encrypted storages (7zip archives) to automatically back up and accumulate USB events with the help of the crontab utility;
  • search for additional details about a specific USB device based on its VID and/or PID.
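As an added illustration (not usbrip's own code), the following Python parser reads the kernel messages that the history tables above are built from, pairs each “New USB device found” line with its later “USB disconnect” on the same port, and then checks the result against a trusted-device set; the syslog lines are constructed samples, and the set of (VID, PID, serial) triples stands in for auth.json, whose real format is not shown here.

```python
import re

# Constructed sample lines in the /var/log/syslog format usbrip parses (not real log data).
SAMPLE_LOG = """\
Jan 10 12:01:03 host kernel: [  123.456789] usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
Jan 10 12:01:03 host kernel: [  123.567890] usb 1-1.2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Jan 10 12:01:03 host kernel: [  123.567900] usb 1-1.2: Product: Cruzer Blade
Jan 10 12:01:03 host kernel: [  123.567901] usb 1-1.2: Manufacturer: SanDisk
Jan 10 12:01:03 host kernel: [  123.567902] usb 1-1.2: SerialNumber: 4C530001
Jan 10 12:05:44 host kernel: [  404.123456] usb 1-1.2: USB disconnect, device number 5
Jan 10 13:20:10 host kernel: [ 4870.000001] usb 2-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 2.00
Jan 10 13:20:10 host kernel: [ 4870.000002] usb 2-3: Product: USB Keyboard
Jan 10 13:20:10 host kernel: [ 4870.000003] usb 2-3: Manufacturer: Unknown
Jan 10 13:20:10 host kernel: [ 4870.000004] usb 2-3: SerialNumber: 0000
"""

# Syslog prefix, kernel uptime stamp, USB port path (e.g. "1-1.2") and the kernel message itself.
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[[^\]]*\] usb (?P<port>[\d.-]+): (?P<msg>.*)$")
FOUND = re.compile(r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
ATTR = re.compile(r"^(Product|Manufacturer|SerialNumber): (.*)$")
KEYS = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}

def parse_events(log_text):
    """One record per connect event; 'disconnected' stays None while the device is still attached."""
    events, attached = [], {}          # attached: port -> record still open on that port
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, port, msg = m.group("ts", "port", "msg")
        found = FOUND.search(msg)
        if found:
            rec = {"connected": ts, "port": port, "vid": found["vid"], "pid": found["pid"],
                   "product": None, "manufacturer": None, "serial": None, "disconnected": None}
            events.append(rec)
            attached[port] = rec
        elif (attr := ATTR.match(msg)) and port in attached:
            attached[port][KEYS[attr.group(1)]] = attr.group(2)   # descriptor lines follow the "found" line
        elif msg.startswith("USB disconnect") and port in attached:
            attached.pop(port)["disconnected"] = ts             # close the record on that port
    return events

def find_violations(events, trusted):
    """trusted: set of (vid, pid, serial) triples; any other device in the history is a violation."""
    return [e for e in events if (e["vid"], e["pid"], e["serial"]) not in trusted]
```

Real logs rotate and may carry a different date format or a hub reset between events, so the same-port pairing is a heuristic rather than a guarantee.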

Install

git clone https://github.com/snovvcrash/usbrip.git
cd usbrip
python3 -m pip install -r requirements.txt
./install.sh

Warning:

  • if you are using the crontab scheduling, you will want to configure the cron job with sudo crontab -e in order to force the storage update submodule to run as root, as well as to protect the passwords of the USB event storages.
  • when using the -s option during installation, make sure that the system logs contain at least one external USB device entry. It is a necessary condition for usbrip to successfully create the list of trusted devices (and, as a result, successfully create the violations storage).

The uninstall.sh script removes all the installation artifacts from your system.

Use

To get a list of module names use:

$ python3 usbrip.py -h

To get a list of submodule names for a specific module use:

$ python3 usbrip.py <module> -h

To get a list of all switches for a specific submodule use:

$ python3 usbrip.py <module> <submodule> -h

If this tool has been useful for you, feel free to buy the author a coffee ☕️


Copyright (W) 2018 Sam Freeside

Source: https://github.com/snovvcrash/
