Introduction

This post walks through a digital forensics challenge where a slow-running PC is suspected to be infected. The goal is to analyze USB traffic from a .pcap file (packet capture file) using Wireshark and extract potential evidence.

HackTheBox Logger Description

A client reported that a PC might have been infected, as it’s running slow. We’ve collected all the evidence from the suspect workstation, and found a suspicious trace of USB traffic. Can you identify the compromised data?

USB Packet Analysis in Wireshark

1. Capturing USB Traffic in Wireshark

Before you analyze, you need to capture USB traffic:

Windows Users

🔹 Windows does not allow direct USB capture in Wireshark.
🔹 Instead, use USBPcap (a Wireshark plugin) to capture USB packets.

1️⃣ Download & Install USBPcap.
2️⃣ Select your USB device in USBPcapCMD and start capturing.
3️⃣ Open the captured .pcap file in Wireshark.

Linux Users

Linux supports native USB traffic capture via usbmon:

1️⃣ Enable usbmon (if not already installed):

sudo modprobe usbmon

2️⃣ Find your USB interface:

ls /sys/kernel/debug/usb/usbmon

3️⃣ Capture USB traffic and save it:

sudo tshark -i usbmonX -w usb_capture.pcap

(Replace X with your actual USB interface number.)

4️⃣ Open usb_capture.pcap in Wireshark.

2. Filtering USB Traffic in Wireshark

Once the USB packets are loaded into Wireshark, filter them:

Basic USB Filters

🔹 Show only USB traffic

usb

🔹 Find specific USB device traffic

usb.device_address == 4

🔹 See USB control transfers (device configuration, driver initialization)

usb.transfer_type == 0x02

🔹 Show USB keystroke traffic

usb.transfer_type == 0x03

3. Analyzing USB Keystrokes (Keyboard Traffic)

If you suspect a USB keyboard is being logged:

1️⃣ Filter for URB_INTERRUPT packets (which handle keystrokes):

usb.capdata

2️⃣ Expand Leftover Capture Data to see raw keystrokes.
3️⃣ Convert raw data into actual keypresses (use Python tools like ctf_usb_keyboard_parser).

4. Extracting USB Data & Files

If a USB flash drive was plugged in, you can reconstruct the data:

1️⃣ Use “File → Export Objects → USB” in Wireshark.
2️⃣ Save any detected files or raw data.
3️⃣ Use tools like foremost to carve out deleted files:

foremost -t all -i usb_capture.pcap -o recovered_files

5. Detecting Malicious USB Devices

Signs of a rogue USB device:
Keystroke injection (e.g., Rubber Ducky attacks)
Suspicious device enumeration (a keyboard acting like a storage device!)
Unusual USB control transfers (a USB pretending to be something else)

HackTheBox Logger Walkthrough

1️⃣ Understanding the Case

  • A client reports a slow PC, suspecting malware or a security breach.
  • Investigators collect a packet capture (PCAP) file from the workstation.

2️⃣ Analyzing the .pcap file in Wireshark

  • The file contains USB traffic, rather than typical TCP, UDP, HTTP, or DNS packets.
  • The presence of URB_INTERRUPT packets suggests the capture of keystrokes.
  • This means a USB keyboard or a wireless dongle is involved.

3️⃣ Extracting Keystrokes from USB Traffic

  • Since TCP stream following doesn’t work for USB traffic, the video demonstrates:
    Filtering only the USB keystroke packets.
    Exporting these packets from Wireshark.
    ✅ Using TShark (Wireshark’s CLI tool) to create a readable text file.

4️⃣ Decoding the Keystrokes with a Python Tool

The output reveals a flag or sensitive data typed on the keyboard.
Lack of monitoring for suspicious authentication attempts

A Python tool (ctf_usb_keyboard_parser) is used to convert raw USB keystrokes into human-readable text.

Video Walkthrough

,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles