GNU/Linux上跟踪USB设备的取证工具

GNU/Linux上跟踪USB设备的取证工具
2023-1-18 00:17:18 Author: 哆啦安全(查看原文) 阅读量:16 收藏

usbrip取证工具

usbrip(源自"USB Ripper"，而不是"USB RIP")是一个带有CLI界面的开源取证工具，可以让您在Linux机器上跟踪USB设备(即USB事件历史记录，"已连接"和"已断开连接"事件)。

usbrip是用Python3编写的软件，它解析Linux日志文件

/var/log/syslog*或/var/log/messages*

以构建USB事件历史表。

此类表格可能包含以下列:

"已连接"(日期和时间)，

"用户"，

"VID"(供应商ID)，

"PID"(产品ID)，

"产品"，

"制造商"，

"序列号"，

"端口"和

"断开连接"(日期和时间)。

此外，它还可以：

(1).导出收集的信息作为JSON转储;

(2).生成一个授权(可信)USB设备列表作为JSON(称之为auth.json);

(3).根据以下内容搜索(违规事件)auth.json:show(或生成另一个JSON)USB设备出现在历史记录中并且不会出现在auth.json;

(4).*使用-sflag * 安装时，创建加密存储（7zip存档），以便在crontab调度程序的帮.助下自动备份和累积USB事件;

(5).根据其VID和/或PID搜索有关特定USB设备的其他详细信息。

usbrip安装

快速安装

usbrip可在PyPI下载和安装：

$ pip3 install usbrip

git安装

# 下载~$ git clone https://github.com/snovvcrash/usbrip.git usbrip && cd usbrip~/usbrip$
# 安装依赖~$ sudo apt install python3-venv p7zip-full -y

有两种方法,可以将usbrip安装到系统中：

pip或setup.py。

`pip`要么`setup.py`

首先，usbrip是通过pip安装的。这意味着在git克隆了repo之后可以简单地启动pip安装过程，然后在终端的任何地方运行usbrip，如下所示：

~/usbrip$ python3 -m venv venv && source venv/bin/activate(venv) ~/usbrip$ pip install .
(venv) ~/usbrip$ usbrip -h

或者，如果要在本地解析Python依赖关系(不打扰PyPI)，请使用setup.py

~/usbrip$ python3 -m venv venv && source venv/bin/activate(venv) ~/usbrip$ python setup.py install
(venv) ~/usbrip$ usbrip -h

注意：

您可能希望在Python虚拟环境处于活动状态时运行安装过程(如上所示)

usbrip使用

# ---------- BANNER ----------
$ usbrip bannerGet usbrip banner.
# ---------- EVENTS ----------
$ usbrip events history [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]Get USB event history.
$ usbrip events open <DUMP.JSON> [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]Open USB event dump.
$ usbrip events gen_auth <OUT_AUTH.JSON> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]Generate a list of trusted (authorized) USB devices.
$ usbrip events violations <IN_AUTH.JSON> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]Get USB violation events based on the list of trusted devices.
# ---------- STORAGE ----------
$ usbrip storage list <STORAGE_TYPE> [-q] [--debug]List contents of the selected storage (7zip archive). STORAGE_TYPE is "history" or "violations".
$ usbrip storage open <STORAGE_TYPE> [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-q] [--debug]Open selected storage (7zip archive). Behaves similary to the EVENTS OPEN submodule.
$ usbrip storage update <STORAGE_TYPE> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [--lvl <COMPRESSION_LEVEL>] [-q] [--debug]Update storage — add USB events to the existing storage (7zip archive). COMPRESSION_LEVEL is a number in [0..9].
$ usbrip storage create <STORAGE_TYPE> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [--lvl <COMPRESSION_LEVEL>] [-q] [--debug]Create storage — create 7zip archive and add USB events to it according to the selected options.
$ usbrip storage passwd <STORAGE_TYPE> [--lvl <COMPRESSION_LEVEL>] [-q] [--debug]Change password of the existing storage.
# ---------- IDs ----------
$ usbrip ids search [--vid <VID>] [--pid <PID>] [--offline] [-q] [--debug]Get extra details about a specific USB device by its <VID> and/or <PID> from the USB ID database.
$ usbrip ids download [-q] [--debug]Update (download) the USB ID database.

usbrip的使用示例

显示所有USB设备的事件历史

$ usbrip events history -ql -n 100

显示外部USB设备的事件历史

$ usbrip events history -et -c conn vid pid disconn serial -d "Dec  9" "Dec 10" -f /var/log/syslog.1 /var/log/syslog.2.gz

更多使用及说明请看readme。

点击关注"哆啦安全"视频号