{"id":29121039,"url":"https://github.com/sirwilliamwallace/usb-forensic-analysis","last_synced_at":"2026-04-30T03:34:08.718Z","repository":{"id":301792396,"uuid":"1010312163","full_name":"sirwilliamwallace/USB-Forensic-Analysis","owner":"sirwilliamwallace","description":"Digital forensic investigation using Kali Linux on Raspberry Pi to analyze malicious USB payloads (ZIP bombs).","archived":false,"fork":false,"pushed_at":"2025-06-28T20:41:47.000Z","size":15,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-06-28T21:29:21.012Z","etag":null,"topics":["cybersecurity","digital-forensics","forensics-tools","kali-linux","malware-analysis","raspberry-pi","tailscale","usb-analysis","zip-bomb"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sirwilliamwallace.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-28T19:57:25.000Z","updated_at":"2025-06-28T20:41:49.000Z","dependencies_parsed_at":"2025-06-28T21:40:26.024Z","dependency_job_id":null,"html_url":"https://github.com/sirwilliamwallace/USB-Forensic-Analysis","commit_stats":null,"previous_names":["sirwilliamwallace/usb-forensic-analysis"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/sirwilliamwallace/USB-Forensic-Analysis","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sirwilliamwallace%2FUSB-Forensic-Analysis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposi
tories/sirwilliamwallace%2FUSB-Forensic-Analysis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sirwilliamwallace%2FUSB-Forensic-Analysis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sirwilliamwallace%2FUSB-Forensic-Analysis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sirwilliamwallace","download_url":"https://codeload.github.com/sirwilliamwallace/USB-Forensic-Analysis/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sirwilliamwallace%2FUSB-Forensic-Analysis/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262622816,"owners_count":23338694,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","digital-forensics","forensics-tools","kali-linux","malware-analysis","raspberry-pi","tailscale","usb-analysis","zip-bomb"],"created_at":"2025-06-29T16:00:15.764Z","updated_at":"2026-04-30T03:34:03.686Z","avatar_url":"https://github.com/sirwilliamwallace.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Digital Forensics Investigation – USB Analysis on Raspberry Pi\n\n## Related Article\n\nI wrote a detailed guide on setting up the Raspberry Pi with Kali Linux and securing it via Tailscale, which was used in this forensic investigation:\n\n**➡️ [How to Install Kali Linux on a Raspberry Pi and Access It Securely (Tailscale 
Version)](https://medium.com/@mrnumberx/how-to-install-kali-linux-on-a-raspberry-pi-and-access-it-securely-tailscale-version-1a663d64ec74)**  \nPublished on *Medium* by Amirhossein Shekooh\n\n---\n\n## Overview\n\nThis project documents a full **digital forensic analysis** of a suspicious 2GB USB flash drive, conducted as part of a university module in Digital Forensics. Using a **Raspberry Pi 4** configured with **Kali Linux** and reachable only through **Tailscale**, I followed a professional-grade investigation workflow that included evidence imaging, hashing, file carving, and static analysis of hidden malicious payloads (ZIP bombs).\n\n---\n\n## Tools \u0026 Technologies\n\n- Kali Linux on Raspberry Pi 4 (custom SSH-only setup)\n- FTK Imager (image creation + MD5 \u0026 SHA-1 verification)\n- Foremost (file carving)\n- Binwalk, Strings \u0026 Zipinfo (static ZIP analysis without extraction)\n- Tailscale (secure remote access)\n\n---\n\n## Key Steps\n\n### 1. Write-Blocked Imaging\n\n- The USB drive was imaged using FTK Imager v4.7.3 through a USB write blocker, so the original evidence was never modified.\n- MD5 \u0026 SHA-1 hashes of the image were generated and verified to establish integrity for the chain of custody.\n\n![image](https://github.com/user-attachments/assets/34afe317-4dc4-40db-ad6b-4f116d270f15)\n\n```plaintext\nMD5: 958eaee85ace515af653944635913209\nSHA-1: a641ff2f1b66fa37b9605f8aa0cf6a033fd02e06\n```\n\n### 2. Secure Analysis Environment\n\n- Raspberry Pi 4 running Kali Linux, configured with `USER` as the sole user.\n- Remote SSH access is restricted to the examiner's device via Tailscale.\n\n---\n\n### 3. File Carving \u0026 Threat Discovery\n\n- The image file `usb-raw-img.dd.001` was analysed with Foremost.\n- Two ZIP files were carved; both were later flagged as corrupted/malicious.\n\n![image](https://github.com/user-attachments/assets/19405016-296d-4782-84b3-6372483d9b9e)\n![image](https://github.com/user-attachments/assets/171cf585-b73c-4583-8250-21913b694592)\n\n```bash\nforemost -i usb-raw-img.dd.001 -o recovered_files\n```\n\n### 4. Safe Static Analysis\n\n- Binwalk, Strings, and Zipinfo were used to examine the ZIP files without extracting them, since extraction is exactly the operation a ZIP bomb is built to abuse.\n\n- Found patterns of repeated JPEGs and text files inside the archives: an indicator of ZIP bombs.\n\n![image](https://github.com/user-attachments/assets/bb9b51ad-141b-4203-a73f-da94fbcb0c37)\n\nZipinfo:\n![image](https://github.com/user-attachments/assets/a08736cd-db33-416f-9c42-c122ff0c5c7c)\n\nBinwalk:\n![image](https://github.com/user-attachments/assets/76543919-149e-4f2f-9451-2d48098ef467)\n\n---\n\n## Legal \u0026 Ethical Considerations\n\n- All actions complied with GDPR, data integrity, and chain-of-custody protocols.\n\n- Confidential or suspicious data was not stored on personal machines.\n\n- Tailscale restricted remote access to the forensic analysis environment to the examiner's device.\n\n## Key Findings\n\n![image](https://github.com/user-attachments/assets/67b473ea-16ce-47d7-a5c4-de250375cbda)\n\n- The carved ZIP files were ZIP bombs: archives of repetitive, oversized, corrupted files that compress to a small size but expand enormously on extraction.\n\n- Such payloads are designed to exhaust disk space or memory on extraction, crashing the examiner's system or delaying forensic work.\n\n- Proper isolation and static, non-extracting tools mitigated the risk.\n\n## Licence\n\nThis project is licensed under the MIT License – see the [LICENSE](./LICENSE) file for details.\n\n## Author\n\n**Amirhossein Shekooh**  \nBSc Cybersecurity  \nFeel free to explore the report or reach out for discussion or collaboration.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsirwilliamwallace%2Fusb-forensic-analysis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsirwilliamwallace%2Fusb-forensic-analysis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsirwilliamwallace%2Fusb-forensic-analysis/lists"}
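The static ZIP-bomb triage that steps 1, 3 and 4 of the README above describe (hash the evidence, then inspect carved archives without extracting them), written out as an added example. This is not code from the repository or from the author's report: it uses Python's standard `zipfile` module to read only the central directory of an archive, the same information `zipinfo` prints, and computes the indicators the write-up relied on (huge per-entry and whole-archive expansion ratios, many members sharing identical content, nested archives). The thresholds `MAX_ENTRY_RATIO`, `MAX_TOTAL_RATIO` and `MIN_DUPLICATE_COUNT` are assumptions chosen for the example, and `build_sample_bomb()` constructs a synthetic archive in memory rather than using any artefact from the investigation.

```python
"""Static ZIP-bomb triage: read an archive's central directory, never extract it,
and flag bomb indicators. Thresholds are assumptions for this example."""
import hashlib
import io
import random
import zipfile
from collections import Counter

MAX_ENTRY_RATIO = 100       # assumed: one member expanding >100:1 is suspicious
MAX_TOTAL_RATIO = 50        # assumed: the archive as a whole expanding >50:1 is suspicious
MIN_DUPLICATE_COUNT = 3     # assumed: the same (CRC, size) seen this often is padding


def hash_evidence(data: bytes) -> dict:
    """MD5 and SHA-1 of the artefact, recorded before any analysis (step 1)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def triage_zip(data: bytes) -> dict:
    """Compute ZIP-bomb indicators from the central directory alone.

    ZipFile.infolist() parses headers only; nothing is decompressed. The
    declared sizes are what an unzip would try to write to disk, which is
    exactly the quantity a ZIP bomb inflates.
    """
    report = {"entries": [], "flags": [], "duplicates": {}, "nested": [],
              "total_compressed": 0, "total_declared": 0, "total_ratio": 0.0}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        report["flags"].append(f"not a parseable ZIP: {exc}")
        return report

    signatures = Counter()
    for info in zf.infolist():
        comp, decl = info.compress_size, info.file_size
        ratio = decl / comp if comp else (float("inf") if decl else 0.0)
        report["total_compressed"] += comp
        report["total_declared"] += decl
        signatures[(info.CRC, decl)] += 1   # identical content under different names
        report["entries"].append({"name": info.filename, "compressed": comp,
                                  "declared": decl, "ratio": round(ratio, 1)})
        if ratio > MAX_ENTRY_RATIO:
            report["flags"].append(f"{info.filename}: expands {ratio:.0f}:1")
        if info.filename.lower().endswith(".zip"):
            report["nested"].append(info.filename)   # recursive bomb candidate; not opened

    tc = report["total_compressed"]
    report["total_ratio"] = report["total_declared"] / tc if tc else 0.0
    if report["total_ratio"] > MAX_TOTAL_RATIO:
        report["flags"].append(f"archive expands {report['total_ratio']:.0f}:1 overall")
    for (crc, size), n in signatures.items():
        if n >= MIN_DUPLICATE_COUNT:
            key = f"crc=0x{crc:08x},size={size}"
            report["duplicates"][key] = n
            report["flags"].append(f"{n} members share {key} (repeated padding)")
    if report["nested"]:
        report["flags"].append(f"{len(report['nested'])} nested archive(s) not expanded")
    return report


def build_sample_bomb() -> bytes:
    """Constructed sample for this example, not an artefact from the investigation:
    five identical 8 MiB zero-filled members named like photos, one small
    incompressible text member and one (empty) nested archive."""
    rng = random.Random(1)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        padding = b"\x00" * (8 * 1024 * 1024)
        for i in range(5):
            zf.writestr(f"IMG_{i:04d}.jpg", padding)
        zf.writestr("notes.txt", bytes(rng.getrandbits(8) for _ in range(4096)))
        zf.writestr("more.zip", b"PK\x05\x06" + b"\x00" * 18)   # empty inner archive
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_bomb()
    print("evidence hashes:", hash_evidence(sample))
    result = triage_zip(sample)
    for entry in result["entries"]:
        print(f"{entry['name']:<14} {entry['compressed']:>8} -> {entry['declared']:>10}  ({entry['ratio']}:1)")
    for flag in result["flags"]:
        print("FLAG:", flag)
```

Run against a carved file with `triage_zip(open("recovered_files/zip/00012345.zip", "rb").read())` (path hypothetical). Two caveats a practitioner should keep in mind: the central-directory sizes are attacker-controlled, so an archive can also lie in the other direction (declare small sizes and overflow on extraction), which is why the script never extracts at all; and a nested `.zip` member is only reported, not opened, because recursive bombs rely on the examiner's tooling descending into them automatically.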