Countering the USB Kill Switch
From Anti-Anti-Forensics, to Surprise, Surprise!
$ whoami
• Ali Hadi, Professor @Champlain College
• Research Fellow @Leahy Center for Digital Investigations
• Co-Founder and Research Director @Cyber5W
• 21+ Technical Certificates
• Interested in: DFIR, Adversary Emulation, and Offensive Security
• Have a question? @binaryz0ne
Outline
● Case Background
○ What is USB Kill Switch
○ Related Stories/Projects
○ How USB Kill Switch (USK) Works
○ How to Counter USK
● Case Studies
○ Linux USB Forensics
○ System Shutdown
○ Shutdown + Secure Delete
○ Surprise, Surprise: You Can Run, But We'll Find You!!!
● Findings
● References
Case Background
Not USBKILL…
[1]
“The USBKill is a device that stress tests hardware. When plugged in, power is taken from a USB port, multiplied, and discharged into the data lines, typically disabling an unprotected device” [1].
usbkill → The USB Kill Switch (UKS)
Software that can be used for anti-forensics:
“USBKill is anti-forensic software distributed via GitHub, written in Python for the BSD, Linux, and OS X operating systems. It is designed to serve as a kill switch if the computer on which it is installed should fall under the control of individuals or entities against the desires of the owner. It is free software, available under the GNU General Public License” [2].
Related Stories...
• The Rise & Fall of Silk Road, https://www.wired.com/2015/05/silk-road-2/
• The FBI staged a lovers' fight to catch the kingpin of the web's biggest illegal drug marketplace, https://www.businessinsider.com/ross-ulbricht-will-be-sentenced-soon--heres-how-he-was-arrested-2015-5?r=US&IR=T
• Police can demand fingerprints but not passcodes to unlock phones, rules judge, https://nakedsecurity.sophos.com/2014/11/03/police-can-demand-fingerprints-but-not-passcodes-to-unlock-phones-rules-judge/
How to Counter UKS?
● The key is understanding:
[4]
○ how it works (UKS behavior)
○ files associated with it (e.g. configuration files)
● By default, the configuration file is usbkill.ini, located under /etc
UKS Behaviour
The default behavior of UKS is to shut down the system. However, the software is customizable, which means you can define what is to be done or executed before shutdown [2, 3, 4].
[5]
UKS Whitelisting ...
It keeps a whitelist of devices that are allowed to connect to the USB ports of the computer.
If a device that is not on the whitelist connects to the computer, it will take actions to protect the device, such as device locking, hard drive encryption, or data wiping [2].
UKS for USB Leakage Prevention
It can also be used to protect your computer by preventing invisible malware or spyware and unauthorized (or hidden) file copying [1].
Related Projects
1. BusKill: sets a udev rule that is triggered if the USB drive is removed. The rule can be set to lock, shut down, or self-destruct the laptop [5].
2. Silk Guardian: an anti-forensic Linux Kernel Module (LKM) kill-switch that waits for a change on your USB ports, then deletes precious files and turns off your computer [6].
usbkill.ini Configuration
Scrolling through the usbkill.ini configuration file
Our focus:
• remove_file_cmd
• files_to_remove
• folders_to_remove
• Custom settings
Case Studies
Case Studies
1. Linux USB Forensics
2. Shutdown System
3. Shutdown + Secure Delete + Custom config
4. Surprise, Surprise: You Can Run, But We'll Find You!!!
Note(s):
● UKS log file is excluded from investigation
● System used was Kubuntu 20.04
[7]
Linux USB Forensics
Investigating USBs on Linux Systems
How Linux Identifies a USB Device
The USB host controller is responsible for detecting a valid USB device in both the hardware and kernel spaces of the Linux system, regardless of whether a USB device driver exists:
● The associated host controller driver translates the low-level information of the physical layer into higher-level information specific to the USB protocol
● The information is moved to the generic USB core layer in the kernel space
● The detected device is viewed in the user space according to the available drivers, interfaces, and applications (different and dependent on the Linux distro)
● To learn more, check “Linux Device Drivers for your Girl Friend” ☺
USB Subsystem in Linux
USB Artifacts of Interest
Main information to look for:
● Serial Numbers
● Manufacturers
● Vendor ID (VID)
● Product ID (PID)
● Date and Time of Connection/Removal
USB Artifacts on Linux vs. Windows
Artifact                     | Linux                                      | Windows
Date & time of connection    | /proc and log files (same for all rows):   | Setupapi.dev.log, USBSTOR (Windows Registry)
Vendor ID (VID)              |   syslog (Debian based) /                  | USB (SYSTEM)
Vendor Name                  |   messages (Redhat based)                  | USBSTOR (SYSTEM)
Product ID (PID)             |   debug.log                                | USB (SYSTEM)
Product Name                 |   dmesg                                    | USBSTOR (SYSTEM)
Manufacturer                 |   kern.log                                 | MountedDevices
Serial Number                |   Journals                                 | USBSTOR (SYSTEM)
Date & time of disconnection |                                            | USBSTOR (SYSTEM)
Others                       |                                            | MountedDevices (SYSTEM), MountPoints2 (NTUSER.DAT), FriendlyName (SOFTWARE), etc.
USB Subsystem in Linux
/proc/bus/usb/devices
Multiple lines of output, where each letter represents a part of the USB device specification:
T: Topology
B: Bandwidth
D: Device descriptor information
P: Product ID information
S: String descriptors
C: Configuration descriptor information
I: Interface descriptor information
E: Endpoint descriptor information
USB Subsystem in Linux
● Every valid USB device has one or more configurations; a configuration is like a profile, and Linux only supports one active configuration per device.
● Each configuration of a device has one or more interfaces. The interface defines the functionality the device provides; for every independent functionality there is an associated interface.
● For example, a multi-function device (MFD) USB printer with printing, scanning, and faxing features most likely has at least three interfaces, one for each functionality.
● There may be a USB device driver for each interface, or one driver for all interfaces.
USB Subsystem in Linux
● Each interface is associated with one or more endpoints. An endpoint serves as a pipe that transmits information to/from the device's interface, according to the provided functionality.
● Based on the type of information transmitted, the endpoint type may be:
○ Control: transfers control information, e.g., queries about the device.
○ Interrupt: fast transfer of small data, generally up to 8 bytes. Examples are serial ports and HIDs.
○ Bulk: slow transfer of relatively big data, e.g., data transfer for mass storage devices.
○ Isochronous: transfer of big data, such as audio and video.
USB Subsystem in Linux
All endpoint types have an in or out direction, which determines the direction of the data transfer.
In indicates data transfer from the USB device to the host machine, while out indicates data transfer from the host machine to the USB device.
However, the control endpoint is bi-directional.
USB Subsystem in Linux
E:  Ad=xx(s) Atr=xx(ssss) MxPS=dddd Ivl=dddss
|   |        |            |         |__Interval (max) between transfers
|   |        |            |__EndpointMaxPacketSize
|   |        |__Attributes(EndpointType)
|   |__EndpointAddress(I=In,O=Out)
|__Endpoint tag
● The endpoints in the screenshot have in and out directions respectively. Their addresses (in hex) are 0x81 for the first and 0x02 for the second.
● MxPS defines the maximum amount of data that can be transferred in a single go.
USB Subsystem in Linux
T refers to the USB device's position within the USB tree, represented by <usb bus number, usb tree level, usb port>.
D refers to the device descriptor, including its USB version, class/category, and the number of available configurations for this device.
There will be one C line per configuration; in most cases that is a single line.
USB Subsystem in Linux
C:* #Ifs=dd Cfg#=dd Atr=xx MPwr=dddmA
| | |       |       |      |__MaxPower in mA
| | |       |       |__Attributes
| | |       |__ConfigurationNumber
| | |__NumberOfInterfaces (determines how many “I” lines there will be)
| |__ "*" indicates the active configuration (others are " ")
|__Config info tag
C refers to the configuration descriptor and includes the number of interfaces under this configuration, the configuration index, device attributes, and the maximum power for this configuration.
USB Subsystem in Linux
I:* If#=dd Alt=dd #EPs=dd Cls=xx(sssss) Sub=xx Prot=xx Driver=ssss
| | |      |      |       |             |      |       |__Driver name or "(none)"
| | |      |      |       |             |      |__InterfaceProtocol
| | |      |      |       |             |__InterfaceSubClass
| | |      |      |       |__InterfaceClass
| | |      |      |__NumberOfEndpoints (determines the number of “E” lines)
| | |      |__AlternateSettingNumber
| | |__InterfaceNumber
| |__ "*" indicates the active altsetting (others are " ")
|__Interface info tag
USB Subsystem in Linux
● The “Driver=…” entry indicates the interface to driver mapping
● If the value is “(none)”, this indicates that there is no associated driver.
USB Subsystem in Linux
P:  Vendor=xxxx ProdID=xxxx Rev=xx.xx
|   |           |           |__Product revision number
|   |           |__Product ID code
|   |__Vendor ID code
|__Device tag #2
USB Subsystem in Linux
S:  Manufacturer=ssss
|   |__The device manufacturer name, read from the device.
|
S:  Product=ssss
|   |__The device product description, read from the device.
|
S:  SerialNumber=ssss
|   |__The device serial number, read from the device.
|
|__String info tag
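A parser for the record format walked through above, added here as an example (not the deck's, the kernel's or usbkill's code): it turns the T:/D:/P:/S:/C:/I:/E: lines into one record per device and extracts the VID, PID, strings and driver binding an examiner looks for. The SAMPLE text is constructed to follow the documented layout and is not captured from a real system.

```python
"""Parse the T:/D:/P:/S:/C:/I:/E: records of /sys/kernel/debug/usb/devices (older kernels:
/proc/bus/usb/devices) into one dict per device and pull out the examiner's artifacts.
Added example for this deck, not kernel or usbkill code; SAMPLE is constructed, not captured."""
import re

SAMPLE = """\
T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=480  MxCh= 4
P:  Vendor=1d6b ProdID=0002 Rev=05.11
S:  Manufacturer=Linux 5.11.0 ehci_hcd
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub

T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#=  5 Spd=480  MxCh= 0
D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=0781 ProdID=5581 Rev=01.00
S:  Manufacturer=SanDisk
S:  Product=Ultra
S:  SerialNumber=4C530001234567890123
C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=224mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
"""

def _fields(body):
    """'Key=value Key2=value' -> dict; values may hold spaces, e.g. Cls=09(hub  )."""
    return {k: v.strip() for k, v in re.findall(r'(\S+?)=\s*(.*?)(?=\s+\S+?=|$)', body)}

def parse_usb_devices(text):
    devices, dev = [], None
    for line in text.splitlines():
        if len(line) < 3 or line[1] != ':': continue      # blank separator between devices
        tag, active, body = line[0], line[2] == '*', line[3:].strip()
        if tag == 'T':                  # a T: line opens a new device record
            dev = {'topology': _fields(body), 'strings': {}, 'configs': [], 'interfaces': [], 'endpoints': []}
            devices.append(dev)
        elif dev is None: continue
        elif tag == 'S':                # string descriptor: split on the first '=' only
            key, _, value = body.partition('=')
            dev['strings'][key] = value
        elif tag in ('D', 'P'):
            dev['descriptor' if tag == 'D' else 'ids'] = _fields(body)
        elif tag in ('C', 'I'):         # '*' in column 3 marks the active config/altsetting
            dev['configs' if tag == 'C' else 'interfaces'].append({'active': active, **_fields(body)})
        elif tag == 'E':
            ep = _fields(body)
            m = re.match(r'[0-9a-f]{2}\((I|O)\)', ep.get('Ad', ''))
            ep['direction'] = {'I': 'in', 'O': 'out'}[m.group(1)] if m else 'unknown'
            dev['endpoints'].append(ep)
    return devices

def mass_storage(devices):
    """Devices bound to usb-storage (the thumb drives UKS watches), with the IDs to look up."""
    return [{'vid': d['ids']['Vendor'], 'pid': d['ids']['ProdID'], 'serial': d['strings'].get('SerialNumber'),
             'manufacturer': d['strings'].get('Manufacturer'), 'product': d['strings'].get('Product')}
            for d in devices if any(i.get('Driver') == 'usb-storage' for i in d['interfaces'])]
```

On a live or mounted system, feed it the contents of /sys/kernel/debug/usb/devices instead of SAMPLE and look the VID/PID pair up as the deck shows (DeviceHunt).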
USB Device Artifacts
on Linux
lsusb
After the word “ID”, the pair of numbers represents the Vendor ID and Product ID. These numbers can be checked online.
DeviceHunt
Check the Vendor ID and
Product ID (aka Device ID)
https://devicehunt.com/
Search for Vendor ID
/var/log/syslog
$ grep usb-storage /var/log/syslog -A10 -B5 --color
USB Device Artifacts on Linux
usb-devices shellscript
$ usb-devices | less    (prints the details of each USB device)
USB Device Artifacts on Linux
/sys/bus/usb/devices/
USB Device Artifacts on Linux
cat /sys/kernel/debug/usb/devices (kernel 2.6.31+)
Usbrip
sudo -H python3 -m pip install --upgrade usbrip
[12,13]
System Shutdown
aka poweroff
Case #1: Shutdown System
Understand how a normal shutdown happens and what is logged with it, then compare with what an unexpected shutdown leaves behind.
During a normal shutdown, the system will:
1. Stop the file system journal
2. Stop processes and services
3. Unmount the file system
4. Log that the system is shutting down/rebooting, regardless of whether it was due to the power key being pressed by the user, a hardware failure, temperature, or an orderly shutdown command
Most of those events will not happen during an abnormal shutdown event!!
Case #1: Shutdown System: normal shutdown
Case #1: Shutdown System: normal reboot
Case #1: Shutdown System
boot.log file
After starting the system, we shall
see a clean check of the file
system and the date it was
powered back on!
Seats!
• “A seat consists of all hardware devices assigned to a specific workplace.”
• The system logs “New seat seat0”, which indicates that the login manager started successfully on the system
• When the service starts, it creates the default seat, which is seat0
• If a successful shutdown/reboot happened, there will be an entry indicating it, and we will see a seat being created after that once the system powers up again
• We can use journalctl for this:
$ journalctl -D /var/log/journal/ SEAT_ID=seat0
New Seats: Shutdown vs Rebooting System
Shutdown
Rebooting
Booting with No Previous Shutdown!
We can see the system is booting, but there was no shutdown routine
before, only a USB being recognized by the system
No Shutdown!
Kernel Booting
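The check behind Case #1, written out as an added example (not the deck's code): every boot shows logind creating seat0, and an orderly shutdown reaches the Power-Off/Reboot/Shutdown targets first, so a seat0 line whose preceding history has no such target line is a boot with no shutdown routine before it. The JOURNAL text is constructed journalctl short-format output, not a captured system.

```python
"""Flag boots with no orderly shutdown before them (Case #1): an orderly shutdown
reaches the poweroff/reboot/shutdown targets, and every boot shows logind creating
seat0, so a seat0 line whose history lacks a 'Reached target' line is an abrupt
power-off. Added example, not the deck's code; JOURNAL is constructed journalctl
short-format output, not a captured system."""
import re

JOURNAL = """\
Apr 20 09:58:31 kubuntu systemd-logind[812]: New seat seat0.
Apr 20 10:30:44 kubuntu systemd[1]: Reached target Power-Off.
Apr 20 10:30:45 kubuntu systemd-shutdown[1]: Syncing filesystems and block devices.
Apr 20 11:02:03 kubuntu systemd-logind[801]: New seat seat0.
Apr 20 11:15:20 kubuntu kernel: usb 1-2: new high-speed USB device number 5 using ehci-pci
Apr 20 11:15:21 kubuntu kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Apr 20 11:15:21 kubuntu kernel: scsi host4: usb-storage 1-2:1.0
Apr 20 11:16:40 kubuntu systemd-logind[815]: New seat seat0.
"""

SHUTDOWN_RE = re.compile(r'Reached target (Power-Off|Reboot|Shutdown)\b')
BOOT_RE = re.compile(r'systemd-logind\[\d+\]: New seat seat0')
TS_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d)')

def audit_boots(lines, context=3):
    """One record per boot: timestamp, whether an orderly shutdown preceded it
    (None for the first boot in the log, which has no history), and the last
    `context` events logged before it."""
    boots, orderly, recent = [], None, []
    for line in lines:
        if BOOT_RE.search(line):
            ts = TS_RE.match(line)
            boots.append({'boot': ts.group(1) if ts else line.strip(),
                          'orderly_shutdown_before': orderly,
                          'preceding_events': list(recent)})
            orderly, recent = False, []   # start collecting history for the next boot
            continue
        if SHUTDOWN_RE.search(line):
            orderly = True
        recent = (recent + [line])[-context:]
    return boots

def abrupt_boots(lines):
    """Boots whose history shows no shutdown routine: the case the deck describes,
    where only a USB device being recognised precedes the next kernel boot."""
    return [b for b in audit_boots(lines) if b['orderly_shutdown_before'] is False]
```

Against a real image, pipe the lines of `journalctl -D /var/log/journal/ -o short --no-pager` into audit_boots; the preceding_events of each abrupt boot are what the deck's screenshot shows by hand.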
Shutdown + Secure Delete (srm)
Case #2: Shutdown + Secure Delete
• Shutdown is the default activity that UKS does, so we’ll check the rest
• srm command syntax used
• Folders to be removed
Case #2: Shutdown + Secure Delete
man srm
Case #2: Shutdown + Secure Delete
usbkill running as seen in file system timeline activity (fls+mactime)
Another output (log2timeline)
All results have been filtered for brevity
USB is Plugged into the System
srm in action
files getting wiped
Custom Kill Commands…
UKS could be configured for custom activity, below was done for testing
purposes.
Script could include anything…
More srm activity!
“Documents” directory getting re-created with the “IwasHere” file inside.
Welcome to “Plasma Desktop”
cross-device working environment
Surprise, Surprise …
You Can Run, But We'll Find You!!!
Using srm will truly wipe the files and render them nearly impossible to recover (at least as of the time of this presentation). But we can rely on other artifacts to see what existed!
The world of Plasma:
• Search Indexes
• KDE Caches
• our team covered GNOME during SANS DFIR 2020
• Recently used file activity
• Thumbnails
• Etc
Baloo: Search Index
~/.local/share/baloo/index
• Baloo is not an application, but a daemon to index files.
• “Baloo is the file indexing and file search framework for KDE Plasma, with a focus on providing a very small memory footprint along with extremely fast searching.” -- KDE Community
Baloo
~/.local/share/baloo/index
Unknown file format
Name of files
Dolphin Properties:
~/.local/share/dolphin/view_properties/global/.directory
Dolphin is the
main KDE file
manager
View Config
1 = Detailed
2 = Compact
Dolphin Properties:
~/.local/share/dolphin/view_properties/global/.directory
- Inspecting content of .directory
KActivities: kactivitymanagerd
- Core components for the KDE Activity concept
- Used to track what activities the user is doing while interacting with the
system. This is to provide the user with a better user experience while
interacting with the system resources
- Kactivitymanagerd daemon running in background
- Artifacts could be found in an SQLite database file
KActivities Database: Resource Events
~/.local/share/kactivitymanagerd/resources/database
Loading the database into a SQLite browser (DB Browser for SQLite is used here)
KActivities Database: Resource Info
~/.local/share/kactivitymanagerd/resources/database
Accessing and searching within the ResourceInfo table
KActivities - Even More!
~/.local/share/kactivitymanagerd/resources/database
Accessing other tables in the database; decoding epoch timestamps
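Querying the KActivities resource database for which files were used and when, with the epoch timestamps decoded, as an added example (not KDE's or the deck's code). It assumes the ResourceEvent/ResourceInfo table and column names match kactivitymanagerd's schema (check them against your copy) and that start/end hold UNIX epoch seconds; the rows are constructed sample data, and the in-memory database stands in for the path on the slide.

```python
"""Recover which files existed from the KActivities resource database even after
the files themselves were wiped (the deck's 'Surprise, Surprise' point).
Added example, not KDE's or the deck's code.  Assumptions: the ResourceEvent /
ResourceInfo table and column names below match kactivitymanagerd's schema as I
know it (verify against your copy), and start/end are UNIX epoch seconds.
The rows inserted are constructed sample data, not a real user's database."""
import sqlite3
from datetime import datetime, timezone

DB_PATH = '~/.local/share/kactivitymanagerd/resources/database'   # path from the deck

SCHEMA = """
CREATE TABLE ResourceEvent (usedActivity TEXT, initiatingAgent TEXT,
    targettedResource TEXT, start INTEGER, end INTEGER);
CREATE TABLE ResourceInfo (targettedResource TEXT, title TEXT, mimetype TEXT,
    autoTitle INTEGER, autoMimetype INTEGER);
"""
SAMPLE_ROWS = {   # constructed: a wiped Documents folder still leaves these traces
    'ResourceEvent': [
        ('a1b2-activity', 'org.kde.kate', '/home/user1/Documents/plans.txt', 1618916400, 1618917000),
        ('a1b2-activity', 'org.kde.dolphin', '/home/user1/Documents', 1618916300, 1618916300),
        ('a1b2-activity', 'org.kde.gwenview', '/home/user1/Pictures/cat.jpg', 1618830000, 1618830120),
    ],
    'ResourceInfo': [
        ('/home/user1/Documents/plans.txt', 'plans.txt', 'text/plain', 1, 1),
        ('/home/user1/Pictures/cat.jpg', 'cat.jpg', 'image/jpeg', 1, 1),
    ],
}

def epoch_to_utc(seconds):
    """kactivitymanagerd stores seconds since the UNIX epoch (assumed); render in UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime('%Y-%m-%d %H:%M:%S UTC')

def resource_events(conn, path_prefix=''):
    """Events for resources under path_prefix, with title/mimetype joined in
    (LEFT JOIN so resources without a ResourceInfo row still show up)."""
    rows = conn.execute("""
        SELECT e.targettedResource, e.initiatingAgent, i.title, i.mimetype, e.start, e.end
        FROM ResourceEvent e LEFT JOIN ResourceInfo i ON i.targettedResource = e.targettedResource
        WHERE e.targettedResource LIKE ? ORDER BY e.start""", (path_prefix + '%',)).fetchall()
    return [{'resource': r[0], 'agent': r[1], 'title': r[2], 'mimetype': r[3],
             'start': epoch_to_utc(r[4]), 'end': epoch_to_utc(r[5])} for r in rows]

def sample_db():
    """In-memory stand-in for DB_PATH so the example runs offline; open a copy of the real file instead."""
    conn = sqlite3.connect(':memory:')
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        conn.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(rows[0]))})", rows)
    return conn
```

Work on a copy of the database file (the deck's "beware of live access" note applies here too), and treat the timestamps as UTC until you have confirmed the machine's timezone from the image.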
RecentDocuments
~/.local/share/RecentDocuments
- Beware of live access!
Kate
~/.cache/kate/anonymous.katesession
This is not just about images ;)
Thumbnails
~/.cache/thumbnails/normal
Final Notes
Final Notes
• USB Info, Shutdown|Poweroff, Reboot:
● /var/log/syslog (or messages depending on the distro used)
● /var/log/kern.log
● /var/log/dmesg
● /var/log/boot.log
● /var/log/auth.log
● All of above → /var/log/journal
• Check for other artifacts:
• File system activity
• Plasma Desktop
• Generating super timelines with log2timeline for ext4 is not working correctly!
• Could be the versions used, therefore validation is important...
Special Thanks!
● Dr. Mariam Khader for working on the USB research with me and
making sure these slides are pretty and organized!
● Madi Brumbelow for making sure my brain is still operating correctly by
double validating my x^?? timeline validations :)
● Andrew Rathbun for the inspiration and sharing his recipe in creating
cool GIFs for presentations!
QUESTIONS?
Reference(s)
1. https://usbkill.com/
2. https://en.wikipedia.org/wiki/USBKill
3. https://nakedsecurity.sophos.com/2015/05/08/the-usbkill-anti-forensics-tool-it-doesnt-do-quite-what-it-says-on-the-tin/
4. https://gizmodo.com/simple-code-turns-any-usb-drive-into-a-kill-switch-for-1702203343
5. https://gbhackers.com/buskill/
6. https://github.com/NateBrune/silk-guardian
7. https://github.com/hephaest0s/usbkill
8. https://wiki.debian.org/DeviceDatabase/USB
9. https://www.kernel.org/doc/Documentation/usb/proc_usb_info.txt
10. http://www.linux-usb.org/USBMon/dissertation/USB-dissertation.htm#_Toc515810844
11. Linux Device Drivers for your Girl Friend,
https://sysplay.github.io/books/LinuxDrivers/book/Content/Part12.html
12. https://github.com/snovvcrash/usbrip
13. 13Cubed: “Linux Forensics! First Look at usbrip”, https://www.youtube.com/watch?v=DP4ScSp_2yE
14. https://ostechnix.com/show-usb-devices-event-history-using-usbrip-in-linux/
Reference(s) - Figures
1. https://usbkill.com/
2. https://en.wikipedia.org/wiki/USBKill#/media/File:USBKill_logo.png
3. https://netzpolitik.org/2021/emotet-darf-das-bka-schadsoftware-auf-infizierten-rechnern-manipulieren/
4. https://dribbble.com/shots/1069396-Flick-My-Toggle
5. https://giphy.com/gifs/tumblr-fuzzyghost-system-shutdown-LPU3Ahx6wGsRCDVgV0
6. https://giphy.com/gifs/tumblr-fuzzyghost-unauthorized-access-lvQe7YwEEJoaIluvs6
7. https://icon-icons.com/icon/start-here-kde/103878
Welcome to Journalctl...
query the systemd journal
$ journalctl --list-boots
$ journalctl -b <journal-id> SYSLOG_PID=1
$ journalctl -b <journal-id> --system _COMM=systemd
$ journalctl -D /var/log/journal/ _COMM=systemd
$ journalctl -D /var/log/journal/ _KERNEL_SUBSYSTEM=usb
$ journalctl -D /var/log/journal/ SEAT_ID=seat0
$ journalctl -D /var/log/journal/ _UDEV_DEVNODE=/dev/bus/usb/001/001
$ journalctl -D /var/log/journal/ _KERNEL_DEVICE=+usb4
$ journalctl -D /var/log/journal/ --since 2021-04-20 --until 2021-04-21
Welcome to Journalctl...
$ journalctl -D /var/log/journal/ UNIT=umount.target
$ journalctl -D /var/log/journal/ UNIT=session-3.scope
$ journalctl -D /var/log/journal/ UNIT=poweroff.target
$ journalctl -D /var/log/journal/ UNIT=reboot.target
$ journalctl -D /var/log/journal/ UNIT=shutdown.target
$ journalctl -D /var/log/journal/ UNIT=systemd-fsckd.service
$ journalctl -D /var/log/journal/ UNIT=systemd-journal-flush.service -b0
$ journalctl -D /var/log/journal/ UNIT=systemd-poweroff.service
$ journalctl -D /var/log/journal/ UNIT=umount.target
$ journalctl -D /var/log/journal/ USER_ID=user1