krew7900 (posted July 28, 2017, edited July 28, 2017 by krew7900): Wrote a blog on some of the artifacts left behind when using the USB Rubber Ducky with the following installed. I wanted to see, if someone were to try to steal files with the USB Rubber Ducky, how it would look to a forensics investigator who receives the computer. I did a quick 30-minute investigation and would love to dig down deeper with various other tools, but for now here is a simple write-up. This is my first blog entry, and if I can find time I'll do this with other devices such as the LAN Turtle etc. Let me know what you think and if you find it helpful or interesting. Forensic look into the Rubber Ducky
Dave-ee Jones (posted July 28, 2017): It's interesting, and you've brought some key events (no pun intended) to our attention when it comes to what is left behind, giving some nice examples, but I think it could be written a bit better. You seem to jump around the place a lot in the middle of paragraphs, as if you've just thought of something as you were writing it and quickly added it in a "rush of the moment". In some parts it sounds like you're trying to attack Hak5 (you probably aren't, but in some places it does look like it..). In regards to what the Ducky leaves behind, there will more than likely be Windows Event logs and things like that, HOWEVER there are ways to delete those entries and edit the registry, as shown by some payloads written up on GitHub. However, these do require Admin privileges, so it's not too hard to stop - don't give your employees Admin access.
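The reply above makes two points a defender can turn into detection logic: a keystroke-injection device such as the Rubber Ducky enumerates as an ordinary USB keyboard and so shows up in the Windows event log, and a payload that clears those logs or edits the registry needs admin rights and itself leaves an event behind. The script below is an added example, not code from the blog post, from Hak5 or from this thread. The event IDs it uses are real Windows IDs (6416 new external device recognized, 1102 Security log cleared, 104 System log cleared, 4657 registry value modified), but every sample record, timestamp, user name and device ID is constructed for the example, and the JSON-lines layout is just an assumed export format; adapt `parse_events` to whatever your SIEM or evtx converter emits.

```python
"""Correlate Windows event-log records that point at a keystroke-injection
device (a USB Rubber Ducky enumerates as a plain USB keyboard) with later
events that look like clean-up: clearing the Security or System log, or
modifying the registry.  The event IDs are real Windows IDs; every record
below is constructed for this example, not captured from a real host."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Real Windows event IDs (the records carrying them below are constructed).
NEW_EXTERNAL_DEVICE = 6416       # Security: "A new external device was recognized by the system"
                                 # (Windows 10 / Server 2016+, needs "Audit PNP Activity" enabled)
AUDIT_LOG_CLEARED = 1102         # Security: "The audit log was cleared"
SYSTEM_LOG_CLEARED = 104         # System:   "The System log file was cleared"
REGISTRY_VALUE_MODIFIED = 4657   # Security: "A registry value was modified" (needs a SACL on the key)
CLEANUP_IDS = {AUDIT_LOG_CLEARED, SYSTEM_LOG_CLEARED, REGISTRY_VALUE_MODIFIED}

# Device classes under which an HID keystroke injector appears in event 6416.
KEYBOARD_CLASSES = {"Keyboard", "HIDClass"}

# Constructed sample export, one JSON object per line (assumed format, as an
# evtx-to-JSON converter or SIEM might emit).  Times, users and device IDs
# are made up; VID/PID are deliberately zeroed placeholders.
SAMPLE_EVENTS = r"""
{"time": "2017-07-28T09:00:01", "channel": "Security", "id": 4624, "data": {"TargetUserName": "alice"}}
{"time": "2017-07-28T09:14:33", "channel": "Security", "id": 6416, "data": {"ClassName": "Keyboard", "DeviceDescription": "USB Input Device", "DeviceId": "USB\\VID_0000&PID_0000\\CONSTRUCTED", "SubjectUserName": "alice"}}
{"time": "2017-07-28T09:14:41", "channel": "Security", "id": 4657, "data": {"ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USB", "SubjectUserName": "alice"}}
{"time": "2017-07-28T09:15:02", "channel": "Security", "id": 1102, "data": {"SubjectUserName": "alice"}}
{"time": "2017-07-28T09:15:03", "channel": "System", "id": 104, "data": {"SubjectUserName": "alice"}}
{"time": "2017-07-28T13:40:10", "channel": "Security", "id": 6416, "data": {"ClassName": "DiskDrive", "DeviceDescription": "USB Mass Storage", "DeviceId": "USBSTOR\\CONSTRUCTED", "SubjectUserName": "bob"}}
{"time": "2017-07-28T17:59:00", "channel": "Security", "id": 1102, "data": {"SubjectUserName": "it-admin"}}
"""


@dataclass
class Event:
    time: datetime
    channel: str
    id: int
    data: dict


def parse_events(text: str) -> list[Event]:
    """Parse JSON-lines records into Event objects, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(Event(datetime.fromisoformat(rec["time"]),
                            rec["channel"], int(rec["id"]), rec.get("data", {})))
    return sorted(events, key=lambda e: e.time)


def keyboard_device_events(events: list[Event]) -> list[Event]:
    """6416 records whose device class is a keyboard / HID class.

    A Ducky is a keyboard, so it never appears under USBSTOR; filtering on
    mass-storage artifacts alone would miss it."""
    return [e for e in events
            if e.id == NEW_EXTERNAL_DEVICE and e.data.get("ClassName") in KEYBOARD_CLASSES]


def correlate_cleanup(events: list[Event], window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """For each newly recognized keyboard, list clean-up events that follow
    it within `window`.  A new keyboard alone is informational; a keyboard
    followed by log clearing or registry modification is rated high, because
    clearing the log is itself an audited action that needs admin rights."""
    findings = []
    for dev in keyboard_device_events(events):
        followups = [e for e in events
                     if e.id in CLEANUP_IDS and dev.time <= e.time <= dev.time + window]
        findings.append({
            "device_time": dev.time.isoformat(),
            "device_id": dev.data.get("DeviceId", "?"),
            "user": dev.data.get("SubjectUserName", "?"),
            "cleanup_ids": [e.id for e in followups],
            "severity": "high" if followups else "info",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_cleanup(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Running it on the constructed records flags the 09:14 keyboard insertion as high severity because 4657, 1102 and 104 all follow within ten minutes, while the mass-storage device at 13:40 and the unrelated log clear at 17:59 produce no finding. The point for the investigator is the one the reply makes: the payload that wipes the logs leaves 1102/104 behind, and it can only do so with admin rights, which is why withholding admin from day-to-day accounts is the cheap control.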
krew7900 (author, posted July 30, 2017): On 7/28/2017 at 1:32 AM, Dave-ee Jones said: (quoted above) Thanks for the feedback. Yeah, not the best writer, I'll admit, hence why I needed to try to do something that will get me writing more. I'll attempt to clean it up, and I did rush, but I wanted to motivate myself to get it out and I had some free time to write it. I did a quick investigation; I would love to dig down deeper and hopefully will.
Dave-ee Jones (posted July 30, 2017): 19 hours ago, krew7900 said: (quoted above) Ah, that's a good idea. :) Sounds like you have some kind of plan, haha. Good luck!