USBTracker - Tool To Track USB Devices Events and Artifacts In a Windows OS

April 05, 2018 , , ,
USBTracker - Tool To Track USB Devices Events and Artifacts In a Windows OS


USBTracker is a quick & dirty coded incident response and forensics Python script to dump USB related information and artifacts from a Windows OS (Vista and later).

Note: USBTracker read some protected log files and needs to be run with administrator permissions. The most simple way to run USBTracker is to launch a CMD or Powershell console with a right click "run as administrator", then execute the script/exe inside it.

If you don't have a python distribution installed on the computer you want to analyze with USBTracker, you can also download an *.exe "compiled" version with PyInstaller of the script from the repository.

It uses a Python module called  Python-evtx. So, don't forget to install it before using the USBTracker.

Usage:

usage: usbtracker.py [-h] [-u | -uu] [-nh] [-df] [-x]

optional arguments:
  -h, --help            show this help message and exit
  -u, --usbstor         Dump USB artifacts from USBSTOR registry
  -uu, --usbstor-verbose
                        Dump USB detailed artifacts from USBSTOR registry.
  -nh, --no-hardwareid  Hide HardwareID value during a USBSTOR detailed
                        artifacts registry dump.
  -df, --driver-frameworks
                        Dump USB artifacts and events from the Windows
                        DriverFrameworks Usermode log.
  -x, --raw-xml-event   Display event results in raw xml (with -df option
                        only).


Download USBTracker

Post a Comment

No comments

Subscribe to: Post Comments ( Atom )
Powered by Blogger.