USB Forensics and Pentesting

This course will cover USB in detail with an emphasis on understanding USB Mass Storage devices (also known as flash drives or thumb drives).By the end of this course students will know how to sniff USB traffic using open source tools, be able to write-block USB mass storage devices using software and microcontroller-based hardware, be able to impersonate other USB devices, and understand how to make forensic duplicates of USB mass storage devices.  Along the way students will also learn how to use microcontrollers and Udev rules.
A non-exhaustive list of topics includes:

  • USB basics
    • USB hardware
    • USB versions
    • Connection process
  • USB classes
    • HID
    • Mass storage
    • Others
  • USB endpoints
    • Interupt
    • Bulk
    • Isochronous
    • Control
  • Descriptors
    • Device
    • Interface
    • Configuration
    • Endpoint
    • String
  • Mass Storage Basics
    • Presentation (SCSI hard drive)
    • NAND flash limitations
    • Communication
      • Command Block Wrappers
      • Data transport phase
      • Command Status Wrappers
  • Making forensic images and duplicates
    • FTDI Vincullum II microcontroller
    • Simple compact duplicator
      • Reading sectors
      • Main processing loops
      • Hardware implementation
      • Programming the hardware
      • Improving performance
    • More user friendly duplicator
    • Adding an LCD screen
  • USB Write blocking
    • Motivation
    • Software write blocker
    • Hardware write blocker
    • Mitigation of BadUSB and similar threats
  • USB Impersonation
    • Motivation
    • High level design
    • Timers
    • Descriptor request handler
    • GPIO (buttons and displays)
      • Software
      • Hardware
      • Buttons
      • LEDs
      • LCDs
  • Leveraging Open Source
    • lsusb
    • understanding Linux USB busses
    • dmesg
    • sniffing USB traffic
      • usbmon
      • WireShark
        • Viewing descriptors in WireShark
  • Dealing with Windows-only devices
  • Using udev rules



USB Forensics and Pentesting Course Videos

Dr. Philip Polstra

Dr. Philip Polstra (Dr. Phil) has been involved with technology since an early age. He and one of his brothers cleaned out their savings to purchase a TI-99/4a computer in the early 80’s, much to the chagrin of his parents. He has been tinkering with computers and electronics ever since. Phil is an internationally recognized hardware hacker and information security expert. He has made repeat appearances at several of the top conferences worldwide. Here are just a few of the conferences he has spoken at: DEFCON (six times in four years), Blackhat, 44CON, GrrCON, BruCon, ForenSecure, SecTOR, c0c0n, Shakacon, B-sides Detroit, and B-sides Iowa. His work on developing small affordable hacking devices is documented in the book “Hacking and Penetration Testing with Low Power Devices”. He is also known for his work on USB hacking and forensics. Phil has published several articles on USB-related topics.

Phil is an Associate Professor in the department of Math, Computer Science, and Statistics at Bloomsburg University of Pennsylvania where he teaches Digital Forensics. His current research focus is on developing ultra-low-power hacking hardware. Phil also performs security penetration tests and forensic investigations on a consulting basis. His book “Linux Forensics” is considered a must have by a number of people in the forensics and information security community.

In addition to in-person training, consulting, presenting at conferences, and running conference workshops, Phil has also produced hundreds of instructional videos. His video courses are available at, PluralSight, O’Reilly,, and elsewhere.

When not teaching, Phil enjoys spending time with his family, tinkering with electronics, attending infosec conferences, experimenting with software defined radio (SDR) and various aviation activities. Phil is an accomplished aviator with a dozen ratings, all of which are current. Phil’s ratings include Commercial Pilot, Flight Instructor, Airframe and Powerplant Mechanic, Aircraft Inspector, and Avionics Technician. His flight hours are measured in the thousands and he has been known to build aircraft.

Books Authored by Philip

Linux Forensics     (5 Stars on

Linux Forensics will guide you step by step through the process of investigating a computer running Linux. Everything you need to know from the moment you receive the call from someone who thinks they have been attacked until the final report is written is covered in this book. All of the tools discussed in this book are free and most are also open source.

Hacking and Penetration Testing with Low Power Devices     (4.5 Stars on

Hacking and Penetration Testing with Low Power Devices shows you how to perform penetration tests using small, low-powered devices that are easily hidden and may be battery-powered. It shows how to use an army of devices, costing less than you might spend on a laptop, from distances of a mile or more. The book shows you how to use devices running a version of The Deck, a full-featured penetration testing and forensics Linux distribution, and can run for days or weeks on batteries due to their low power consumption. Author Philip Polstra shows how to use various configurations, including a device the size of a deck of cards that can easily be attached to the back of a computer.