USB Rubber Ducky Forensics (Part 1)


I randomly came up with this idea watching a Hak5 episode, this one specially. The episode is about a device called a Rubber Ducky ( keystroke injection attack tool), and stealing files from a computer. How does this tie to the forensic world, well stealing Intellectual Property (IP).

The USB Rubbery Ducky could be used by a disgruntle employee looking to steal various files from a computer. A perfect example is an employee leaving their terminal open and not locking it when they leave their desk, this could allow enough time to plug in the USB Rubber Ducky to steal the files.

So what am I interested in, what artifacts does the USB Rubber Ducky leave when plugged into the computer and running the following scripts from the above episode. Looking at the Ducky script; simply explained this is what it is doing. The first script is the Ducky script that will run GUI r, this will trigger the run box, from here it will run powershell where the d.cmd triggering the e.cmd and i.vbs. Within e.cmd it is setup to take PDF documents from the user’s document folder.

2. LAB

Knowing the above I setup a fresh install of Windows 10, put a few demo pdf in the document folder of the user. After having the Rubbery Ducky scripted and test ran I plugged it into the computer to steal the files. Unplugging the Ducky and confirming the files where stolen with another computer I then imaged the test computer using FTK Imager lite. With the computer imaged to a .dd image it is now time to investigate.

3. Investigation

Paid Forensic Software
So I am going so start with a new tool created from Magnet Forensics called Axiom. This program will basically take the Image of the computer from above and parse the data into categories for investigation. This is more of a paid software route. After running the image of the computer through Axiom its time to do some poking around.

The above is a screen shot of the Axiom software after processing the windows artifacts of the computer. Some things to note during the examination.


The Timestamps of the PDFs copied over from using the USB Rubber Ducky script where not updated. Shown in the image to the left.




The following are USB artifacts left behind from the USB Rubber Ducky.

A user would be able to find signs of the Rubber Ducky.



The following are prefetch files found on the computer after the USB Rubbery Ducky is plugged in. More on prefetch files can be found here. As you can see Powershell, CMD, XCOPY, and CSCRIPT can be found here.
With in the ducky script you will find “start /b /wait powershell.exe”, ” xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst%” and “cscript %~d0\i.vbs %~d0\e.cmd” I also notice REG.EXE and I believe it could be triggered by this line “REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f”


Windows Event Logs

Looking at 2000+ events in the timeframe of when the USB Rubbery Ducky was plugged in I noticed the following Powershell event.

The following is the event data which will match with the d.cmd file on the USB Rubber Ducky.




Event found with the payload script





4. Conclusion
If this was an IP Theft case I would assume an investigate would flag the USB possibly. Googling friendly name Ducky Storage USB Device you will see the results of the hakshop where it is sold, and a few payloads some including stealing files. I would also isolate the timeframe of when the drive was plugged in and look at the activity of the computer as show above.

From the simple investigation, and artifacts found above I was able to find the following:
1. A user plugged in a flash drive called ATMEL Ducky Storage USB Device.

2. Soon after the flash drive was inserted the following PF where created for the following .EXE Powershell, Cscript, CMD, Reg, and Xcopy. Some items of interest.

3. Knowing Powershell was possibly ran looking at the event log you will find the following run

powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')


.((gwmi win32_volume -f 'label=''_''').Name+'d.cmd')

With some google searching of the above you will come to this page, where you may start to want to aim your investigation towards theft of files.

Stealing Files with the USB Rubber Ducky – USB Exfiltration Explained

I will love to investigate this in more details. When I have more free time I would like to run the image through Log2Timeline or Plaso to get into a more detail analysis of the activity. Also Sift work is free to use and includes log2timeline.

Hopefully part 2 is soon.