Monday, January 21, 2013

Automating USB Device Identification on Mac OS X

One of the common methods examiners may use during USB analysis on Mac OS X machines (running Snow Leopard or above) is to search the kernel log for "USBMSC" entries to identify USB devices that have been connected to the machine.  BlackBag Technologies has a couple of excellent blog posts here and here describing the logging of USB device information in the kernel log.  The "USBMSC" entries appear to have been moved to the system log in Mac OS X 10.8 (as discussed in this blog post), but the information contained within each entry looks to be unchanged.  An example of the approach an examiner may take in attempting to identify USB devices that have been connected to a Macintosh computer is:
  1. Extract the kernel logs from the file system.
  2. Search the kernel logs for "USBMSC Identifier".
  3. Extract all entries containing "USBMSC Identifier".
  4. Format the entries to make them easier to read/sort (e.g. Excel format).
  5. Search the USB ID public repository for the vendor and product ID associated with each device.
  6. Update each extracted log entry for which the associated vendor and product ID was found within the USB ID public repository. 
Correlating the vendor and product IDs with the USB ID public repository can help to associate a name with the type of device that was connected (e.g. Amazon Kindle, PNY flash drive, etc.).  This process can quickly become tiresome though, especially if there are many log entries for which you must search the USB ID repository.  An examiner performing the same small task over and over again is a good argument for automating that task.  With that in mind, I decided to write a script that would do as much of this for me as possible.  Perl seemed to be a good option to use since it's cross-platform and great with parsing.  And after a bit of coding, testing, and tweaking, I now have a script that takes care of steps 2-6 listed above in a matter of seconds.

The script is capable of parsing either a single kernel log or a directory full of kernel logs, outputting the "USBMSC" log entries in csv format. After using a regular expression to locate the "USBMSC" log entries, the script queries the USB ID public repository and attempts to correlate the vendor and product ID of each entry parsed from the kernel log(s) with a particular device listed in the repository.  The script defaults to checking the online version of the repository, but if you don't have a network connection or want to be able to run the script without querying the online database, you can optionally pass in the path to a local copy of the online database using the "-u" parameter (the text of the file must be in the same format as the online repository).

When you're importing the script's csv file into Excel (or your choice of spreadsheet application), you'll want to be sure to set the formatting of the USBMSC ID, Vendor ID, Product ID, and Device Release columns to text values in order to avoid the application interpreting the values as numbers and removing leading zeroes, etc.
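To make the parse-and-correlate workflow concrete, here is an added Python example (not the author's Perl script, which is not reproduced on this page). It assumes the USBMSC entries look like `... kernel[0]: USBMSC Identifier (non-unique): <identifier> 0x<vendor> 0x<product> 0x<release>`, with the hex values printed without leading zeroes, and that the USB ID repository uses its usual `usb.ids` layout (a vendor line of four hex digits followed by two spaces and a name, then tab-indented product lines). Both the log lines and the `usb.ids` excerpt below are constructed sample data; the vendor and product names should be checked against the live repository rather than taken from this snippet. The output zero-pads the ID columns to four digits so that a lookup in the repository works and so that the csv keeps leading zeroes intact for a spreadsheet import.

```python
import csv
import io
import re

# Assumed shape of a USBMSC entry (kernel.log on 10.6/10.7, system.log on 10.8):
# syslog timestamp, host, "kernel[pid]:", then identifier, vendor, product and
# device release as unpadded hex values.
USBMSC_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel\[\d+\]: "
    r"USBMSC Identifier \((?P<kind>[^)]*)\): (?P<identifier>\S+) "
    r"0x(?P<vid>[0-9a-fA-F]+) 0x(?P<pid>[0-9a-fA-F]+) 0x(?P<rev>[0-9a-fA-F]+)"
)

# Constructed sample log lines (not from a real case).
SAMPLE_LOG = """\
Jan 21 09:14:02 examiner-mac kernel[0]: USBMSC Identifier (non-unique): 200412345678ABCD 0x781 0x5530 0x100
Jan 21 09:14:02 examiner-mac kernel[0]: AirPort: Link Up on en1
Jan 21 11:03:55 examiner-mac kernel[0]: USBMSC Identifier (non-unique): 0000000000000001 0x1949 0x4 0x1
"""

# Constructed excerpt in the usb.ids layout; verify names against the live database.
SAMPLE_USB_IDS = """\
# vendor line: 4 hex digits, two spaces, name; product lines are tab-indented
0781  SanDisk Corp.
\t5530  Cruzer
1949  Lab126, Inc.
\t0004  Amazon Kindle 3/4/Paperwhite
\t\t0001  interface line (ignored)

# List of known device classes, subclasses and protocols
C 00  (Defined at Interface level)
\t01  Audio
"""

FIELDS = ["timestamp", "host", "identifier", "vendor_id", "product_id",
          "device_release", "vendor_name", "product_name"]


def parse_usbmsc_lines(lines):
    """Return one dict per USBMSC entry; IDs are lower-cased and zero-padded to 4 digits."""
    entries = []
    for line in lines:
        m = USBMSC_RE.match(line.rstrip("\n"))
        if not m:
            continue
        entries.append({
            "timestamp": m["timestamp"],
            "host": m["host"],
            "identifier": m["identifier"],
            "vendor_id": m["vid"].lower().zfill(4),
            "product_id": m["pid"].lower().zfill(4),
            "device_release": m["rev"].lower().zfill(4),
        })
    return entries


def parse_usb_ids(text):
    """Parse usb.ids text into {vendor_id: name} and {(vendor_id, product_id): name}."""
    vendors, products = {}, {}
    current = None  # vendor the following tab-indented product lines belong to
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#") or raw.startswith("\t\t"):
            continue  # blank, comment, or interface line
        if raw.startswith("\t"):
            if current is not None:
                code, _, name = raw.strip().partition("  ")
                products[(current, code.lower())] = name
        elif re.match(r"^[0-9a-fA-F]{4}  ", raw):
            code, _, name = raw.partition("  ")
            current = code.lower()
            vendors[current] = name
        else:
            current = None  # class/subclass tables after the vendor section
    return vendors, products


def correlate(entries, vendors, products):
    """Attach vendor and product names where the repository knows the ID pair."""
    for e in entries:
        e["vendor_name"] = vendors.get(e["vendor_id"], "")
        e["product_name"] = products.get((e["vendor_id"], e["product_id"]), "")
    return entries


def to_csv(entries):
    """Render entries as csv text; quoted names keep commas (e.g. "Lab126, Inc.") intact."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(entries)
    return buf.getvalue()


if __name__ == "__main__":
    vendors, products = parse_usb_ids(SAMPLE_USB_IDS)
    print(to_csv(correlate(parse_usbmsc_lines(SAMPLE_LOG.splitlines()), vendors, products)))
```

To run this over a real collection, replace `SAMPLE_LOG` with the contents of each kernel or system log in the extracted directory and `SAMPLE_USB_IDS` with a local copy of the repository file; an entry whose ID pair is absent from the repository simply gets empty name columns, which is the same condition the author's step 6 leaves for manual follow-up.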

I've only been able to test this script on kernel logs, but it should also work on the system logs from Mountain Lion as the relevant entries appear to be in the same format.  As always, feedback, suggestions, and bug reports are welcome and appreciated.

The script is available for download here.

Console view of usbmsc.pl

Snippet of usbmsc.pl output file after correlation

Resources

5 comments:

  1. Excellent post and great job on the script. Doing this by hand was pretty repetitive...thanks!

    -Sean
  2. Thanks for the great script Jason! I have a link posted to this great blog article now.
  3. Thanks guys, hopefully this script will come in handy for other examiners out there. This process is a pain if it's not automated!
  4. Great post! Looking forward to using the script. The links you put in the post are very helpful too. Collecting archived copies of kernel/system logs was key in a recent case.
  5. Thanks for sharing your script. I had numerous log files carved from unallocated space and the ability to parse through the directory of them was invaluable.