usbrip (derived from “USB Ripper”, not “USB R.I.P.” 😯) is an open source forensics tool with CLI interface that lets you keep track of USB device artifacts (a.k.a. USB event history: “Connected” and “Disconnected” events) on Linux machines.
usbrip is a small piece of software written in pure Python 3 (using some external modules though, see Dependencies/PIP) which parses Linux log files (/var/log/syslog* or /var/log/messages* depending on the distro) for constructing USB event history tables. Such tables may contain the following columns: “Connected” (date & time), “User”, “VID” (vendor ID), “PID” (product ID), “Product”, “Manufacturer”, “Serial Number”, “Port” and “Disconnected” (date & time).
Besides, it also can:
- export gathered information as a JSON dump (and open such dumps, of course (: );
- generate a list of authorized (trusted) USB devices as a JSON (call it auth.json);
- search for “violation events” based on the auth.json: show (or generate another JSON with) USB devices that do appear in history and do NOT appear in the auth.json;
- [when installed] create crypted storages (7zip archives) to automatically back up and accumulate USB events with the help of crontab utility;
- search for additional details about a specific USB device based on its VID and/or PID.
git clone https://github.com/snovvcrash/usbrip.git
python3 -m pip install -r requirements.txt
- if you are using the crontab scheduling, you want to configure the cron job with sudo crontab -e in order to force the storage update submodule run as root as well as protect the passwords of the USB event storages.
- when using -s option during installation, make sure that system logs do contain at least one external USB device entry. It is a necessary condition for usbrip to successfully create the list of trusted devices (and as a result, successfully create the violations storage).
The uninstall.sh script removes all the installation artifacts from your system.
To get a list of module names use:
$ python3 usbrip.py -h
To get a list of submodule names for a specific module use:
$ python3 usbrip.py <module> -h
To get a list of all switches for a specific submodule use:
$ python3 usbrip.py <module> <submodule> -h
If this tool has been useful for you, feel free to buy the author a coffee ☕️
Copyright (W) 2018 Sam Freeside