
Forensic Side of the rubber ducky


krew7900


Wrote a blog on some of the artifacts left behind when using the USB Rubber Ducky with the following installed.

I wanted to see, if someone were to try to steal files with the USB Rubber Ducky, how it would look to a forensics investigator who receives the computer. I did a quick 30 minute investigation and would love to dig down deeper with various other tools, but for now here is a simple write up.

This is my first blog entry, and if I can find time I'll do this with other devices such as the LAN Turtle etc. Let me know what you think and if you find it helpful or interesting.

Forensic look into the Rubber Ducky

Edited by krew7900

It's interesting, and you've brought some key events (no pun intended) to our attention when it comes to what is left behind giving some nice examples, but I think it could be written a bit better. You seem to jump around the place a lot in the middle of paragraphs, as if you've just thought of something as you were writing it and quickly added it in a "rush-of-the-moment".

In some parts it sounds like you're trying to attack Hak5 (you probably aren't, but in some places it does look like it..).

In regards to what the Ducky leaves behind, there will more than likely be Windows Event logs and things like that, HOWEVER there are ways to delete those entries and edit the registry, as shown by some payloads written up on the GitHub. However, these do require Admin privileges so it's not too hard to stop - don't give your employees Admin access.

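The reply above lists the two things a responder would look for on the receiving end: the Windows Event logs and registry entries a keystroke-injecting USB device leaves behind, and the fact that clearing those logs needs admin rights. The following PowerShell triage function is an added example for this thread; it is not code from the original post, the linked blog, or Hak5. The registry paths, log names, event IDs and the setupapi.dev.log location are real Windows values; the function name `Get-KeystrokeDeviceTriage` and the shape of its output are my own assumptions. Run it in an elevated PowerShell session on the host under investigation.

```powershell
# Added triage example; not from the original post or the linked blog.
# Collects the enumeration artifacts a USB keyboard-class device leaves in the
# registry, the timestamped driver-install lines from setupapi.dev.log, and the
# event-log entries that either record a new device or record the logs being cleared.
function Get-KeystrokeDeviceTriage {
    [CmdletBinding()]
    param(
        # setupapi.dev.log records first-time driver installs with a timestamp,
        # which the Enum registry keys alone do not give you.
        [string]$SetupApiLog = "$env:SystemRoot\INF\setupapi.dev.log"
    )

    # 1. Registry enumeration artifacts. A keystroke-injecting device presents
    #    itself as a USB keyboard, so it lands under Enum\USB and Enum\HID; Enum\USBSTOR
    #    only lists mass-storage devices and is included for comparison.
    $roots = 'USB', 'HID', 'USBSTOR' | ForEach-Object {
        "HKLM:\SYSTEM\CurrentControlSet\Enum\$_"
    }
    $devices = foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # Layout is Enum\<bus>\<VID_PID>\<instance>; DeviceDesc lives at the instance level.
        Get-ChildItem $root -ErrorAction SilentlyContinue |
            Get-ChildItem -ErrorAction SilentlyContinue |
            ForEach-Object {
                $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
                if ($p.DeviceDesc) {
                    [pscustomobject]@{
                        Bus         = Split-Path $root -Leaf
                        Hardware    = ($_.PSParentPath -split '\\')[-1]  # VID_xxxx&PID_xxxx
                        Instance    = $_.PSChildName                      # serial or &-prefixed id
                        Description = ($p.DeviceDesc -split ';')[-1]      # strip the @inf,%id%; prefix
                        Service     = $p.Service                          # kbdhid for keyboards
                    }
                }
            }
    }

    # 2. Driver-install lines from setupapi.dev.log, which carry timestamps.
    $installs = @()
    if (Test-Path $SetupApiLog) {
        $installs = Select-String -Path $SetupApiLog -Pattern 'Device Install .*(USB|HID)\\VID_' |
            ForEach-Object { $_.Line.Trim() }
    }

    # 3. Event-log evidence. 20001 (System, UserPnp) marks a driver install for a
    #    new device; 6416 (Security) fires for every new external device, but only
    #    when "Audit PnP Activity" is enabled. 1102 (Security) and 104 (System)
    #    record a log being cleared, which needs admin rights, so their presence
    #    is itself a finding worth reporting.
    $queries = @(
        @{ LogName = 'System';   Id = 20001 },
        @{ LogName = 'Security'; Id = 6416  },
        @{ LogName = 'Security'; Id = 1102  },
        @{ LogName = 'System';   Id = 104   }
    )
    $events = foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, ProviderName, Message
    }

    [pscustomobject]@{
        Devices       = $devices
        DriverInstall = $installs
        Events        = $events | Sort-Object TimeCreated
        LogsCleared   = [bool]($events | Where-Object { $_.Id -in 1102, 104 })
    }
}

# Usage (elevated prompt):
#   $t = Get-KeystrokeDeviceTriage
#   $t.Devices | Format-Table -AutoSize
#   $t.Events  | Format-Table TimeCreated, LogName, Id -AutoSize
#   $t.LogsCleared
```

The script only reads; it changes nothing on the host, so it is safe to run before imaging is complete. If `LogsCleared` comes back true, the Enum keys and setupapi.dev.log are the artifacts most likely to have survived, since the payloads the reply refers to target the event logs rather than the PnP registry tree.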

On 7/28/2017 at 1:32 AM, Dave-ee Jones said:

It's interesting, and you've brought some key events (no pun intended) to our attention when it comes to what is left behind giving some nice examples, but I think it could be written a bit better. You seem to jump around the place a lot in the middle of paragraphs, as if you've just thought of something as you were writing it and quickly added it in a "rush-of-the-moment".

In some parts it sounds like you're trying to attack Hak5 (you probably aren't, but in some places it does look like it..).

In regards to what the Ducky leaves behind, there will more than likely be Windows Event logs and things like that, HOWEVER there are ways to delete those entries and edit the registry, as shown by some payloads written up on the GitHub. However, these do require Admin privileges so it's not too hard to stop - don't give your employees Admin access.

Thanks for the feedback.
Yeah, not the best writer, I'll admit, hence why I needed to try to do something that will get me writing more.

I'll attempt to clean it up, and I did rush but wanted to motivate myself to get it out and I had some free time to write it.

I did a quick investigation; I'd love to dig down deeper and hopefully will.


19 hours ago, krew7900 said:

Thanks for the feedback.
Yeah, not the best writer, I'll admit, hence why I needed to try to do something that will get me writing more.

I'll attempt to clean it up, and I did rush but wanted to motivate myself to get it out and I had some free time to write it.

I did a quick investigation; I'd love to dig down deeper and hopefully will.

Ah, that's a good idea. :)

Sounds like you have some kind of plan, haha. Good luck!

