usbrip: tracking history of USB events on GNU/Linux


usbrip (derived from “USB Ripper”, not “USB R.I.P.” 😯) is an open-source forensics tool with a command-line interface that lets you keep track of USB device artifacts (a.k.a. USB event history: “Connected” and “Disconnected” events) on Linux machines.


usbrip is a small piece of software written in pure Python 3 (using some external modules though, see Dependencies/PIP) which parses Linux log files (/var/log/syslog* or /var/log/messages*, depending on the distro) to construct USB event history tables. Such tables may contain the following columns: “Connected” (date & time), “User”, “VID” (vendor ID), “PID” (product ID), “Product”, “Manufacturer”, “Serial Number”, “Port” and “Disconnected” (date & time).

It can also:

  • export gathered information as a JSON dump (and open such dumps, of course (: );
  • generate a list of authorized (trusted) USB devices as a JSON (call it auth.json);
  • search for “violation events” based on the auth.json: show (or generate another JSON with) USB devices that do appear in history and do NOT appear in the auth.json;
  • [when installed] create encrypted storages (7zip archives) to automatically back up and accumulate USB events with the help of the crontab utility;
  • search for additional details about a specific USB device based on its VID and/or PID.
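
The history table and the violation search described above, as an added sketch that is not usbrip's own code. The log lines are constructed, and the trusted-list layout and the matching on (VID, PID, serial) are assumptions, not usbrip's actual auth.json format.

```python
import re

# Constructed sample of kernel USB messages in syslog format (not real evidence).
SAMPLE_LOG = """\
Jan 12 10:01:02 ws1 kernel: [ 1234.700000] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Jan 12 10:01:02 ws1 kernel: [ 1234.700010] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jan 12 10:01:02 ws1 kernel: [ 1234.700020] usb 1-1: Product: Cruzer Blade
Jan 12 10:01:02 ws1 kernel: [ 1234.700030] usb 1-1: Manufacturer: SanDisk
Jan 12 10:01:02 ws1 kernel: [ 1234.700040] usb 1-1: SerialNumber: CONSTRUCTED0001
Jan 12 10:15:40 ws1 kernel: [ 2112.000000] usb 1-1: USB disconnect, device number 5
Jan 12 11:30:07 ws1 kernel: [ 6579.100000] usb 1-2: New USB device found, idVendor=1234, idProduct=abcd
Jan 12 11:30:07 ws1 kernel: [ 6579.100020] usb 1-2: Product: Unknown Stick
"""

# Hypothetical trusted list; the field names are an assumption for this sketch.
TRUSTED = [{"vid": "0781", "pid": "5567", "serial": "CONSTRUCTED0001"}]

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: (?:\[[^\]]*\] )?"
                  r"usb (?P<port>[\d.-]+): (?P<msg>.*)$")
FOUND = re.compile(r"New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")
FIELD = re.compile(r"^(Product|Manufacturer|SerialNumber): (.*)$")
KEYS = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}

def parse_events(text):
    """Return one record per connection; a port maps to its currently attached device."""
    attached, events = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a per-port kernel USB message
        port, msg = m["port"], m["msg"]
        if (f := FOUND.search(msg)):
            ev = {"connected": m["ts"], "port": port, "vid": f[1], "pid": f[2],
                  "product": None, "manufacturer": None, "serial": None,
                  "disconnected": None}
            attached[port] = ev
            events.append(ev)
        elif port in attached and (f := FIELD.match(msg)):
            attached[port][KEYS[f[1]]] = f[2]
        elif port in attached and msg.startswith("USB disconnect"):
            attached.pop(port)["disconnected"] = m["ts"]
    return events

def violations(events, trusted):
    """Events whose (vid, pid, serial) triple is absent from the trusted list."""
    allowed = {(d["vid"], d["pid"], d["serial"]) for d in trusted}
    return [e for e in events if (e["vid"], e["pid"], e["serial"]) not in allowed]
```

A device that reports no serial number keeps `serial` as `None`, so it is flagged unless the trusted list contains an entry with the same VID and PID and a null serial.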


git clone
cd usbrip
python3 -m pip install -r requirements.txt


  • if you are using the crontab scheduling, configure the cron job with sudo crontab -e so that the storage update submodule runs as root and the passwords of the USB event storages stay protected.
  • when using the -s option during installation, make sure that the system logs contain at least one external USB device entry. This is a necessary condition for usbrip to successfully create the list of trusted devices (and, as a result, successfully create the violations storage).

The script removes all the installation artifacts from your system.


To get a list of module names use:

$ python3 -h

To get a list of submodule names for a specific module use:

$ python3 <module> -h

To get a list of all switches for a specific submodule use:

$ python3 <module> <submodule> -h


Copyright (W) 2018 Sam Freeside