USBkill Anti-Feds Script
Recently, a simple script has been presented that can help someone to brick a computer in case of emergency. This script was defined as a switch killer, but what is a switch killer?
A switch killer refers to the main characteristic of this script, which turns off a computer by inserting or removing a USB stick from a port. This starts an immediate shutdown. This script is not very helpful for a penetration tester or white hat, but it can save someone in case of emergency.
Learn Digital Forensics
Why USBkill?
Usually when police come to arrest a criminal, the first option for him is to completely wipe the devices that he is using. If he is successful, life for the forensic investigator becomes hard.
During the seizure, police start to analyze the criminal's computer and will use some blocking device to prevent standby or screensaver password using a little USB device called mouse jiggler that emulates keyboard and mouse movements.
The official author's reasons are:
- In case the police or other thugs come busting in (or steal your laptop from you when you are at a public library as happened to Ross). Police commonly use a « mouse jiggler » to keep the screensaver and sleep mode from activating.
- You don't want someone to install backdoors or malware on your computer or to retrieve documents from your computer via USB.
- You want to improve the security of your (Full Disk Encrypted) home or corporate server (e.g. Your Raspberry).
Mouse jigglers aren't banned. You can find them on Amazon for few dollars (http://www.amazon.com/Cru-dataport-Jiggler-Automatic-keyboard-Activity/dp/B00MTZY7Y4/ref=pd_bxgy_pc_text_y/190-3944818-7671348).
How it works?
UsbKill is a simply python script composed by few lines of code and can be downloaded here:
[download]
If we take a look inside, it does no more than a loop control with lsusb waiting trigger event on USB port. If something changes on current state of USB configurations as unplugged or plug USB stick, it shuts down your computer abruptly.
Features:
- Compatibility with Linux, *BSD and OS X
- Shutdown the computer when there is USB activity
- Ability to whitelist a USB device
- Ability to change the check interval (default: 0.5)
- Work perfectly in sleep mode (OS X)
- Low memory consumption
- No dependency except Python
Obviously, it is important to use a full disk encryption and wiping of RAM during the shutdown on your device or computer. Otherwise, this script is totally useless.
How was it born?
The USBkill project was born from a real case happening to Ross Ulbricht, a famous criminal owner of Silk Road. Silk Road was an onion website that sold drugs. The FBI, during the operation to arrest him, applied a smart strategy to catch Ross logged into Silk Road with admin privileges.
The downside
This script is simple but has critical points to improve.
Learn Digital Forensics
- Root privilege for the execution.
- Impossibility to check USB plugged at startup. If we plug in a USB stick at startup it will put into a whitelist.
- Need of full disk encryption, otherwise it will be useless.
- Wiping RAM during shutdown for preventing cold boot attack.
Conclusion
We need to remember that USBkill is not a antiforensic tool as the author disclaims. This tool is a trap for cops that don't know the defense of your computer and has to be used as it is.
In this Series
- USBkill Anti-Feds Script
- Digital forensics and cybersecurity: Setting up a home lab
- Top 7 tools for intelligence-gathering purposes
- iOS forensics
- Kali Linux: Top 5 tools for digital forensics
- Snort demo: Finding SolarWinds Sunburst indicators of compromise
- Memory forensics demo: SolarWinds breach and Sunburst malware
- Digital forensics careers: Public vs private sector?
- Email forensics: desktop-based clients
- What is a Honey Pot? [updated 2021]
- Email forensics: Web-based clients
- Email analysis
- Investigating wireless attacks
- Wireless networking fundamentals for forensics
- Protocol analysis using Wireshark
- Wireless analysis
- Log analysis
- Network security tools (and their role in forensic investigations)
- Sources of network forensic evidence
- Network Security Technologies
- Network Forensics Tools
- The need for Network Forensics
- Network Forensics Concepts
- Networking Fundamentals for Forensic Analysts
- Popular computer forensics top 19 tools [updated 2021]
- 7 best computer forensics tools [updated 2021]
- Spoofing and Anonymization (Hiding Network Activity)
- Browser Forensics: Safari
- Browser Forensics: IE 11
- Browser Forensics: Firefox
- Browser forensics: Google chrome
- Webinar summary: Digital forensics and incident response — Is it the career for you?
- Web Traffic Analysis
- Network forensics overview
- Eyesight to the Blind – SSL Decryption for Network Monitoring [Updated 2019]
- Gentoo Hardening: Part 4: PaX, RBAC and ClamAV [Updated 2019]
- Computer forensics: FTK forensic toolkit overview [updated 2019]
- The mobile forensics process: steps and types
- Free & open source computer forensics tools
- An Introduction to Computer Forensics
- Common mobile forensics tools and techniques
- Computer forensics: Chain of custody [updated 2019]
- Computer forensics: Network forensics analysis and examination steps [updated 2019]
- Computer Forensics: Overview of Malware Forensics [Updated 2019]
- Incident Response and Computer Forensics
- Computer Forensics: Memory Forensics
- Comparison of popular computer forensics tools [updated 2019]
- Computer Forensics: Forensic Analysis and Examination Planning
- Computer forensics: Operating system forensics [updated 2019]
- Computer Forensics: Mobile Forensics [Updated 2019]
- Computer Forensics: Digital Evidence [Updated 2019]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Digital forensics
Digital forensics
Digital forensics
Digital forensics