Logger
An easy level challenge about USB PCAP forensics
Challenge Description
A client reported that a PC might have been infected, as it's running slow. We've collected all the evidence from the suspect workstation, and found a suspicious trace of USB traffic. Can you identify the compromised data?
Evidence
keystrokes.pcapng
Solution
The challenge provides us with a PCAP file, so I will open it in Wireshark to analyze it.

We can observe that the protocol in this challenge is USB, which suggests that it could be related to USB or removable device forensics. After doing some quick research on Google, I found a detailed blog about USB PCAP forensics.
That blog shows a method to identify the type of device being captured by examining the DESCRIPTOR Response DEVICE packet. Following it, we can see that packet number 2 is the one we need to examine.

The data in that packet reveals that the device is a keyboard.

Upon further analysis, I found that some packets contain HID data. This is an array of bytes that encodes input from the keyboard as key codes; for example, typing the character 'A' produces the key code 0x04.

I also found a tool that helps convert HID data into a readable message. To use it, I need to extract all the HID data from the pcap file. I will use Tshark for this task; the command line is shown below:
tshark -r ./keystrokes.pcapng -Y 'usbhid.data && usb.data_len == 8' -T fields -e usbhid.data | sed 's/../:&/g2'

After extracting the data from the pcap file, we run usbkeyboard.py to convert these byte arrays into a readable message. The command line is shown below:
usbkeyboard.py keyboards.txt
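To make the conversion step concrete, here is an added decoder of my own (it is not the usbkeyboard.py used above and not part of the original write-up). It reads 8-byte HID boot-protocol keyboard reports in the colon-separated hex form that the tshark + sed pipeline emits, maps the key codes through the HID usage table (0x04 = 'a', and so on), honours the Shift modifier in byte 0 so that 'H', '{' and '_' come out correctly, applies Backspace, and emits each key only once even when it is still held across consecutive reports. The sample reports embedded in the block are constructed for illustration, not taken from keystrokes.pcapng.

```python
"""Decode USB HID keyboard reports (8 bytes each) into typed text.

Report layout: byte 0 = modifier bits (0x02 left Shift, 0x20 right Shift),
byte 1 = reserved, bytes 2..7 = up to six key codes currently pressed
(0x00 = no key). A report of all zeros means every key was released.
"""
import sys

# HID usage IDs (Keyboard/Keypad page) -> (unshifted, shifted) characters
KEYMAP = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())
for i, (plain, shifted) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (plain, shifted)
KEYMAP.update({
    0x28: ("\n", "\n"),   # Enter
    0x2B: ("\t", "\t"),   # Tab
    0x2C: (" ", " "),     # Space
    0x2D: ("-", "_"), 0x2E: ("=", "+"),
    0x2F: ("[", "{"), 0x30: ("]", "}"), 0x31: ("\\", "|"),
    0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x22  # left Shift (bit 1) or right Shift (bit 5)


def parse_report(line):
    """Turn 'aa:bb:cc:...' (or bare 16-digit hex) into 8 ints; None if malformed."""
    hexstr = line.strip().replace(":", "")
    if len(hexstr) != 16:
        return None
    try:
        return list(bytes.fromhex(hexstr))
    except ValueError:
        return None


def decode_reports(lines):
    """Reconstruct the typed text from a sequence of HID keyboard reports.

    A key code is emitted on the first report in which it appears and not
    again while it stays pressed in the following reports. Backspace deletes
    the last emitted character. Unmapped usages (arrows, F-keys) are skipped.
    """
    out = []
    held = set()
    for line in lines:
        report = parse_report(line)
        if report is None:
            continue  # skip blank or malformed lines from the extraction step
        shifted = bool(report[0] & SHIFT_MASK)
        pressed = [k for k in report[2:8] if k != 0]
        for key in pressed:
            if key in held:
                continue  # still held from the previous report, already emitted
            if key == BACKSPACE:
                if out:
                    out.pop()
            elif key in KEYMAP:
                out.append(KEYMAP[key][1 if shifted else 0])
        held = set(pressed)
    return "".join(out)


# Constructed sample: types "Htb{x}" with one typo corrected by Backspace.
SAMPLE_REPORTS = [
    "02:00:0b:00:00:00:00:00",  # left Shift + h  -> 'H'
    "00:00:00:00:00:00:00:00",  # release
    "00:00:17:00:00:00:00:00",  # t
    "00:00:00:00:00:00:00:00",
    "00:00:05:00:00:00:00:00",  # b
    "00:00:00:00:00:00:00:00",
    "02:00:2f:00:00:00:00:00",  # left Shift + [  -> '{'
    "00:00:00:00:00:00:00:00",
    "00:00:1c:00:00:00:00:00",  # y (typo)
    "00:00:00:00:00:00:00:00",
    "00:00:2a:00:00:00:00:00",  # Backspace removes the 'y'
    "00:00:00:00:00:00:00:00",
    "00:00:1b:00:00:00:00:00",  # x
    "00:00:00:00:00:00:00:00",
    "20:00:30:00:00:00:00:00",  # right Shift + ] -> '}'
    "00:00:00:00:00:00:00:00",
]

if __name__ == "__main__":
    # Usage: python hid_decode.py keyboards.txt   (file from the tshark step)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(decode_reports(fh))
    else:
        print(decode_reports(SAMPLE_REPORTS))
```

Pass the file written by the tshark command as the first argument to decode a real capture; the hypothetical script name hid_decode.py is my own. The held-key tracking matters on real captures, because a keyboard keeps reporting a pressed key in every interrupt transfer until it is released, so a naive one-character-per-report decoder would duplicate letters.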

We can see that the flag was printed out.
Flag: HTB{i_C4N_533_yOUr_K3Y2}