Difference between revisions of "USB"

From ForensicsWiki
(Added History of Past Devices)
m
Line 6: Line 6:
 
{{main|USB History Viewing}}
 
{{main|USB History Viewing}}
 
Microsoft [[Windows]] operating systems are known to record information about each USB device when it is connected. Such information can be used by an examiner to show that a person had possession of a USB device, a device was used on a machine, or that data exfiltration was conducted, for example.
 
Microsoft [[Windows]] operating systems are known to record information about each USB device when it is connected. Such information can be used by an examiner to show that a person had possession of a USB device, a device was used on a machine, or that data exfiltration was conducted, for example.
 +
 +
=USB Monitoring Tools=
 +
;Windows:
 +
* [[usbsnoop]
 +
;Linux
 +
* enable CONFIG_USB_STORAGE_DEBUG and monitor syslog
 +
* [[usbmon]]
 +
* Turn on [[usbfs_snoop]] and monitor syslog and the kernel buffer ring.
  
 
[[Category:Hardware]]
 
[[Category:Hardware]]
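
Review bot: the added line "* [[usbsnoop]" under ";Windows:" is missing its closing bracket, so the wikilink will not resolve; it should read "* [[usbsnoop]]". In the same added section, ";Linux" lacks the trailing colon used on ";Windows:", the first Linux item starts lowercase ("enable") while the last starts with a capital ("Turn on"), and "kernel buffer ring" should be "kernel ring buffer". The edit summary says "Added History of Past Devices", but the added lines shown here are the "=USB Monitoring Tools=" section, so the summary should name that section.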

Revision as of 19:20, 30 April 2008


USB is an acronym for the Universal Serial Bus, a method for attaching a wide variety of devices to a host system. USB provides for hot-swap of devices, and network-like communications that allow for additional ports to be added to a system by way of internal or external hubs, often mitigating the need to physically open a host system in order to add more device capacity.

History of Past Devices

Main article: USB History Viewing

Microsoft Windows operating systems are known to record information about each USB device when it is connected. Such information can be used by an examiner to show that a person had possession of a USB device, a device was used on a machine, or that data exfiltration was conducted, for example.

USB Monitoring Tools

Windows
  • usbsnoop
Linux
  • Enable CONFIG_USB_STORAGE_DEBUG and monitor syslog.
  • usbmon
  • Turn on usbfs_snoop and monitor syslog and the kernel ring buffer.
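
The following is an added example, not part of the wiki article: a Python parser for usbmon's text output that picks out the SCSI commands sent to a USB mass-storage device and totals the bytes written per device, which is the kind of evidence an examiner looks for when data exfiltration is suspected. The sample lines are constructed, and the field layout (taken from the kernel's usbmon documentation) and the names parse_cbw and written_bytes are assumptions of this example.

```python
import struct

# Constructed usbmon text-format lines (not a real capture). Fields: URB tag,
# timestamp (us), event type, type/dir:bus:device:endpoint, status, length,
# data marker, hex data words.
SAMPLE = """\
ffff8800a1b2c300 1000000 S Bo:1:005:2 -115 31 = 55534243 01000000 00100000 00000a2a 00000008 00000008 00000000 000000
ffff8800a1b2c300 1000050 C Bo:1:005:2 0 31 >
ffff8800a1b2c400 1000100 S Bo:1:005:2 -115 4096 = 25504446 2d312e34
ffff8800a1b2c500 1002000 S Bo:1:005:2 -115 31 = 55534243 02000000 00800000 80000a28 00000000 20000040 00000000 000000
ffff8800a1b2c600 1003000 S Ci:1:001:0 s a3 00 0000 0003 0004 4 <
"""

OPCODES = {0x28: "READ(10)", 0x2A: "WRITE(10)"}

def parse_cbw(line):
    """Decode a bulk-out submission that carries a 31-byte CBW, else None."""
    f = line.split()
    if len(f) < 8 or f[2] != "S" or not f[3].startswith("Bo:"):
        return None                      # not a bulk-out submission with data
    if f[5] != "31" or f[6] != "=":
        return None                      # a CBW is always exactly 31 bytes
    try:
        raw = bytes.fromhex("".join(f[7:]))
    except ValueError:
        return None                      # truncated or malformed hex words
    if len(raw) != 31 or raw[:4] != b"USBC":   # dCBWSignature
        return None
    _tag, xfer_len, flags, _lun, cb_len = struct.unpack_from("<IIBBB", raw, 4)
    cdb = raw[15:15 + (cb_len & 0x1F)]   # SCSI command block inside the CBW
    _, bus, dev, _ep = f[3].split(":")
    rec = {"ts_us": int(f[1]), "bus": int(bus), "dev": int(dev),
           "op": OPCODES.get(cdb[0], hex(cdb[0])) if cdb else None,
           "data_in": bool(flags & 0x80), "xfer_len": xfer_len}
    if len(cdb) >= 10 and cdb[0] in OPCODES:
        # 10-byte CDB: big-endian LBA at bytes 2-5, block count at bytes 7-8
        rec["lba"] = struct.unpack_from(">I", cdb, 2)[0]
        rec["blocks"] = struct.unpack_from(">H", cdb, 7)[0]
    return rec

def written_bytes(text):
    """Sum CBW data-transfer lengths of WRITE(10) commands per (bus, device)."""
    totals = {}
    for line in text.splitlines():
        rec = parse_cbw(line)
        if rec and rec["op"] == "WRITE(10)":
            key = (rec["bus"], rec["dev"])
            totals[key] = totals.get(key, 0) + rec["xfer_len"]
    return totals
```

usbmon's text interface prints only the first 32 bytes of each transfer, which is enough to hold the 31-byte command wrapper but not the payload, so this recovers what was written where and how much, not the file contents.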
Retrieved from "http://forensicswiki.org/index.php?title=USB&oldid=7021"