介绍一款GNU/Linux上跟踪USB设备的取证工具

哆啦安全 2023-01-30 633

描述

usbrip取证工具

usbrip(源自"USB Ripper"，而不是"USB RIP")是一个带有CLI界面的开源取证工具，可以让您在Linux机器上跟踪USB设备(即USB事件历史记录，"已连接"和"已断开连接"事件)。

CLI

usbrip是用Python3编写的软件，它解析Linux日志文件

/var/log/syslog*
或
/var/log/messages*

以构建USB事件历史表。

此类表格可能包含以下列:

"已连接"(日期和时间)，

"用户"，

"VID"(供应商ID)，

"PID"(产品ID)，

"产品"，

"制造商"，

"序列号"，

"端口"和

"断开连接"(日期和时间)。

此外，它还可以：

(1).导出收集的信息作为JSON转储;

(2).生成一个授权(可信)USB设备列表作为JSON(称之为auth.json);

(3).根据以下内容搜索(违规事件)auth.json:show(或生成另一个JSON)USB设备出现在历史记录中并且不会出现在auth.json;

(4).*使用-sflag * 安装时，创建加密存储（7zip存档），以便在crontab调度程序的帮.助下自动备份和累积USB事件;

(5).根据其VID和/或PID搜索有关特定USB设备的其他详细信息。

usbrip安装

快速安装

usbrip可在PyPI下载和安装：

$ pip3 install usbrip

git安装

# 下载
~$ git clone https://github.com/snovvcrash/usbrip.git usbrip && cd usbrip
~/usbrip$


# 安装依赖
~$ sudo apt install python3-venv p7zip-full -y

有两种方法,可以将usbrip安装到系统中：

pip或setup.py。

pip要么setup.py

首先，usbrip是通过pip安装的。这意味着在git克隆了repo之后可以简单地启动pip安装过程，然后在终端的任何地方运行usbrip，如下所示：

~/usbrip$ python3 -m venv venv && source venv/bin/activate
(venv) ~/usbrip$ pip install .


(venv) ~/usbrip$ usbrip -h

或者，如果要在本地解析Python依赖关系(不打扰PyPI)，请使用setup.py

~/usbrip$ python3 -m venv venv && source venv/bin/activate
(venv) ~/usbrip$ python setup.py install


(venv) ~/usbrip$ usbrip -h

注意：

您可能希望在Python虚拟环境处于活动状态时运行安装过程(如上所示)

CLI

usbrip使用

# ---------- BANNER ----------


$ usbrip banner
Get usbrip banner.


# ---------- EVENTS ----------


$ usbrip events history [-t | -l] [-e] [-n ] [-d  [ ...]] [--user  [ ...]] [--vid  [ ...]] [--pid  [ ...]] [--prod  [ ...]] [--manufact  [ ...]] [--serial  [ ...]] [--port  [ ...]] [-c  [ ...]] [-f  [ ...]] [-q] [--debug]
Get USB event history.


$ usbrip events open  [-t | -l] [-e] [-n ] [-d  [ ...]] [--user  [ ...]] [--vid  [ ...]] [--pid  [ ...]] [--prod  [ ...]] [--manufact  [ ...]] [--serial  [ ...]] [--port  [ ...]] [-c  [ ...]] [-f  [ ...]] [-q] [--debug]
Open USB event dump.


$ usbrip events gen_auth  [-a  [ ...]] [-e] [-n ] [-d  [ ...]] [--user  [ ...]] [--vid  [ ...]] [--pid  [ ...]] [--prod  [ ...]] [--manufact  [ ...]] [--serial  [ ...]] [--port  [ ...]] [-f  [ ...]] [-q] [--debug]
Generate a list of trusted (authorized) USB devices.


$ usbrip events violations  [-a  [ ...]] [-t | -l] [-e] [-n ] [-d  [ ...]] [--user  [ ...]] [--vid  [ ...]] [--pid  [ ...]] [--prod  [ ...]] [--manufact  [ ...]] [--serial  [ ...]] [--port  [ ...]] [-c  [ ...]] [-f  [ ...]] [-q] [--debug]
Get USB violation events based on the list of trusted devices.


# ---------- STORAGE ----------


$ usbrip storage list  [-q] [--debug]
List contents of the selected storage (7zip archive). STORAGE_TYPE is "history" or "violations".


$ usbrip storage open  [-t | -l] [-e] [-n ] [-d  [ ...]] [--user  [ ...]] [--vid  [ ...]] [--pid  [ ...]] [--prod  [ ...]] [--manufact  [ ...]] [--serial  [ ...]] [--port  [ ...]] [-c  [ ...]] [-q] [--debug]
Open selected storage (7zip archive). Behaves similary to the EVENTS OPEN submodule.


$ usbrip storage update  [-a  [ ...]] [-e] [-n ] [-d  [ ...]] [--user  [ ...]] [--vid  [ ...]] [--pid  [ ...]] [--prod  [ ...]] [--manufact  [ ...]] [--serial  [ ...]] [--port  [ ...]] [--lvl ] [-q] [--debug]
Update storage — add USB events to the existing storage (7zip archive). COMPRESSION_LEVEL is a number in [0..9].


$ usbrip storage create  [-a  [ ...]] [-e] [-n ] [-d  [ ...]] [--user  [ ...]] [--vid  [ ...]] [--pid  [ ...]] [--prod  [ ...]] [--manufact  [ ...]] [--serial  [ ...]] [--port  [ ...]] [--lvl ] [-q] [--debug]
Create storage — create 7zip archive and add USB events to it according to the selected options.


$ usbrip storage passwd  [--lvl ] [-q] [--debug]
Change password of the existing storage.


# ---------- IDs ----------


$ usbrip ids search [--vid ] [--pid ] [--offline] [-q] [--debug]
Get extra details about a specific USB device by its  and/or  from the USB ID database.


$ usbrip ids download [-q] [--debug]
Update (download) the USB ID database.

usbrip的使用示例

显示所有USB设备的事件历史

$ usbrip events history -ql -n 100

显示外部USB设备的事件历史

$ usbrip events history -et -c conn vid pid disconn serial -d "Dec  9" "Dec 10" -f /var/log/syslog.1 /var/log/syslog.2.gz

审核编辑：刘清

打开APP阅读更多精彩内容