{"id":13540180,"url":"https://github.com/snovvcrash/usbrip","last_synced_at":"2026-01-14T08:47:20.413Z","repository":{"id":43409880,"uuid":"126223631","full_name":"snovvcrash/usbrip","owner":"snovvcrash","description":"Tracking history of USB events on GNU/Linux","archived":true,"fork":false,"pushed_at":"2022-10-03T15:56:42.000Z","size":1186,"stargazers_count":1168,"open_issues_count":6,"forks_count":112,"subscribers_count":30,"default_branch":"master","last_synced_at":"2025-10-20T03:41:27.488Z","etag":null,"topics":["forensics","security","usb-devices","usb-events","usb-history"],"latest_commit_sha":null,"homepage":"https://habr.com/ru/post/352254/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/snovvcrash.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-03-21T18:29:54.000Z","updated_at":"2025-10-08T20:21:10.000Z","dependencies_parsed_at":"2022-07-08T21:31:24.813Z","dependency_job_id":null,"html_url":"https://github.com/snovvcrash/usbrip","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/snovvcrash/usbrip","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snovvcrash%2Fusbrip","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snovvcrash%2Fusbrip/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snovvcrash%2Fusbrip/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snovvcrash%2Fusbrip/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/snovvcrash","download_url":"https://codeload.github.com/sn
ovvcrash/usbrip/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snovvcrash%2Fusbrip/sbom","scorecard":{"id":834837,"data":{"date":"2025-08-11","repo":{"name":"github.com/snovvcrash/usbrip","commit":"5093c84b2c6c0e7c6ce7f2235b6a32d5cb094ed3"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.7,"checks":[{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":0,"reason":"Found 1/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"project is archived","details":["Warn: Repository is archived."],"documentation":{"short":"Determines if the project is \"actively 
maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating ubuntu to ubuntu@sha256:7c06e91f61fa88c08cc74f7e1b7c69ae24910d745357e0dfe1d2c0322aaf20f9","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and 
pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2017-74"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 1 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-23T18:43:22.700Z","repository_id":43409880,"created_at":"2025-08-23T18:43:22.701Z","updated_at":"2025-08-23T18:43:22.701Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28414693,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T08:38:59.149Z","status":"ssl_error","status_checked_at":"2026-01-14T08:38:43.588Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forensics","security","usb-devices","usb-events","usb-history"],"created_at":"2024-08-01T09:01:42.261Z","updated_at":"2026-01-14T08:47:20.371Z","avatar_url":"https://github.com/snovvcrash.png","language":"Python","funding_links":[],"categories":["Python","\u003ca id=\"ecb63dfb62722feb6d43a9506515b4e3\"\u003e\u003c/a\u003e新添加","\u003ca id=\"e1fc1d87056438f82268742dc2ba08f5\"\u003e\u003c/a\u003e事件响应\u0026\u0026取证\u0026\u0026内存取证\u0026\u0026数字取证","Forensics"],"sub_categories":["\u003ca id=\"1fc5d3621bb13d878f337c8031396484\"\u003e\u003c/a\u003e取证\u0026\u0026Forensics\u0026\u0026数字取证\u0026\u0026内存取证","Steganography"],"readme":"\u003cp align=\"center\"\u003e\n  \u003ca href=\"#\"\u003e\u003cimg 
src=\"https://user-images.githubusercontent.com/23141800/56420194-b9551e80-62a5-11e9-8508-fc0f4a398042.png\" alt=\"logo.png\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n----------\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/snovvcrash/usbrip/blob/master/usbrip/__init__.py#L24\"\u003e\u003cimg src=\"https://img.shields.io/badge/version-2.2.2%E2%80%901-success.svg\" alt=\"version.svg\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.python.org/downloads/\"\u003e\u003cimg src=\"https://img.shields.io/badge/python-3.6-3776ab.svg?logo=python\u0026logoColor=white\" alt=\"python.svg\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://raw.githubusercontent.com/snovvcrash/usbrip/master/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-GPLv3-blue.svg\" alt=\"license.svg\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://repology.org/project/usbrip/versions\"\u003e\u003cimg src=\"https://repology.org/badge/version-for-repo/blackarch/usbrip.svg?header=BlackArch\" alt=\"blackarch.svg\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://emojipedia.org/growing-heart/\"\u003e\u003cimg src=\"https://img.shields.io/badge/built%20with-%F0%9F%92%97%F0%9F%92%97%F0%9F%92%97-lightgrey.svg\" alt=\"built-with-love.svg\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n**usbrip** (inherited from \"USB Ripper\", not \"USB R.I.P.\") is a simple forensics tool with command line interface that lets you keep track of USB device artifacts (i.e., USB event history) on Linux machines.\n\nTable of Contents:\n\n* [**Description**](#description)\n* [**Quick Start**](#quick-start)\n* [**Showcase**](#showcase)\n* [**System Log Structure**](#system-log-structure)\n* [**Dependencies**](#dependencies)\n  - [deb](#deb)\n  - [pip](#pip)\n* [**Manual installation**](#manual-installation)\n  - [Git Clone](#git-clone)\n  - [`install.sh`](#installsh)\n    * [Paths](#paths)\n    * [Cron](#cron)\n    * [`uninstall.sh`](#uninstallsh)\n* [**Usage**](#usage)\n  - [Synopsis](#synopsis)\n 
 - [Help](#help)\n* [**Examples**](#examples)\n* [**Credits \u0026 References**](#credits--references)\n* [**Stargazers Chart**](#stargazers-chart)\n* [**Post Scriptum**](#post-scriptum)\n\nDescription\n==========\n\n**usbrip** is a small piece of software which analyzes Linux log data: journalctl output or contents of `/var/log/syslog*` (or `/var/log/messages*`) files. Based on the collected data usbrip can build USB event history tables with the following columns:\n\n* Connected (date \u0026 time)\n* Host\n* VID (vendor ID)\n* PID (product ID)\n* Product\n* Manufacturer\n* Serial Number\n* Port\n* Disconnected (date \u0026 time)\n\nBesides, it also can:\n\n* Export collected data as a JSON dump for later use.\n* Generate a list of authorized (trusted) USB devices as a JSON file (call it auth.json).\n* Search for \"violation events\" based on auth.json: discover USB devices that do appear in history **and** do NOT appear in the auth.json file.\n* *\\*when installed with `-s` flag\\** Create protected storages (7-Zip archives) to automatically backup and accumulate USB events with the help of cron scheduler.\n* Search additional details about a specific USB device based on its VID and/or PID.\n\nQuick Start\n==========\n\n**Way 1.** Install with pip:\n\n```console\n~$ sudo -H python3 -m pip install -U usbrip\n~$ usbrip -h\n```\n\n**Way 2.** Install bleeding-edge with [`install.sh`](#manual-installation) (recommended, extra features available):\n\n```console\n~$ sudo apt install python3-venv p7zip-full -y\n~$ git clone https://github.com/snovvcrash/usbrip \u0026\u0026 cd usbrip\n~/usbrip$ sudo -H installers/install.sh\n~/usbrip$ cd\n~$ usbrip -h\n```\n\nShowcase\n==========\n\n![showcase.png](https://user-images.githubusercontent.com/23141800/86020391-89201880-ba30-11ea-902d-9d17feb6e79b.png)\n\n[**Docker**](https://hub.docker.com/r/snovvcrash/usbrip) (\\*DEMO ONLY!\\*)\n\n```console\n~$ docker run --rm -it snovvcrash/usbrip\n```\n\nSystem Log 
Structure\n==========\n\nusbrip supports two types of timestamps to parse within system log files:\n\n1. **Non-modified** – standard syslog structure for GNU/Linux ([`\"%b %d %H:%M:%S\"`](http://strftime.org/), ex. `\"Jan  1 00:00:00\"`). This type of timestamp does not provide the information about the year.\n2. **Modified** (recommended) – better syslog structure which provides high precision timestamps including years ([`\"%Y-%m-%dT%H:%M:%S.%f%z\"`](http://strftime.org/), ex. `\"1970-01-01T00:00:00.000000-00:00\"`).\n\nIf you do have `journalctl` installed, then there's nothing to worry about as it can convert timestamps on the fly. Otherwise, the desired syslog structure can be achieved by setting `RSYSLOG_FileFormat` format in rsyslog configuration.\n\n1. Comment out the following line in `/etc/rsyslog.conf`:\n\n```console\n$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat\n```\n\n2. Add custom `.conf` file for usbrip:\n\n```console\n~$ echo '$ActionFileDefaultTemplate RSYSLOG_FileFormat' | sudo tee /etc/rsyslog.d/usbrip.conf\n```\n\n3. *\\*optional\\** Delete existing log files:\n\n```console\n~$ sudo rm -f /var/log/syslog* /var/log/messages*\n```\n\n4. Restart the service:\n\n```console\n~$ sudo systemctl restart rsyslog\n```\n\nFirstly, usbrip will check if there is a chance to dump system events using journalctl as the most portable option. 
If not – it will search for and parse `/var/log/syslog*` or `/var/log/messages*` system log files.\n\nDependencies\n==========\n\n## deb\n\n* python3.6 interpreter (or newer)\n* python3-venv\n* p7zip-full (used by `storage` module)\n\n## pip\n\n* [terminaltables](https://github.com/Robpol86/terminaltables)\n* [termcolor](https://pypi.org/project/termcolor)\n* [tqdm](https://github.com/tqdm/tqdm)\n\nManual installation\n==========\n\n## Git Clone\n\nFor simplicity, let's agree that all commands shown with the `~/usbrip$` prefix are executed in the `~/usbrip` directory, which is created as a result of a git clone:\n\n```console\n~$ git clone https://github.com/snovvcrash/usbrip\n~$ cd usbrip\n~/usbrip$ pwd\n```\n\n## `install.sh`\n\nBesides installing with pip, usbrip can also be installed with the custom [`installers/install.sh`](https://github.com/snovvcrash/usbrip/blob/master/installers/install.sh) script.\n\nWhen using `install.sh` some extra features become available:\n\n* The virtual environment is created automatically.\n* You can use the `storage` module – set a cron job to back up USB events on a schedule (an example of a cron job can be found in [`usbrip/cron/usbrip.cron`](https://github.com/snovvcrash/usbrip/blob/master/usbrip/cron/usbrip.cron)).\n\n:warning: **Warning:** if you are using cron scheduling, configure the crontab with `sudo crontab -e` so that the `storage update` submodule runs as root. 
The storage passwords are kept in `/var/opt/usbrip/usbrip.ini` and accessible by root only by default.\n\nTo install usbrip with `install.sh` use:\n\n```console\n~/usbrip$ sudo -H installers/install.sh [-l/--local] [-s/--storages]\n~/usbrip$ cd\n~$ usbrip -h\n```\n\n* When `-l` switch is enabled, Python dependencies are resolved from local `.tar` packages ([3rdPartyTools](https://github.com/snovvcrash/usbrip/tree/master/3rdPartyTools) directory) instead of PyPI.\n* When `-s` switch is enabled, not only the usbrip project is installed but also the list of trusted USB devices, history and violations storages are created.\n\nAfter the installation completes feel free to remove the `~/usbrip` directory.\n\n### Paths\n\nWhen installed with `install.sh`, usbrip uses the following paths:\n\n* `/opt/usbrip/` – project's main directory.\n* `/var/opt/usbrip/log/` – usbrip cron logs.\n* `/var/opt/usbrip/storage/` – USB event storages (`history.7z` and `violations.7z`, created during the installation process).\n* `/var/opt/usbrip/trusted/` – lists of trusted USB devices (`auth.json`, created during the installation process).\n* `/var/opt/usbrip/usbrip.ini` – usbrip configuration file (contains passwords for 7-Zip storages).\n* `/usr/local/bin/usbrip` – symlink to the `/opt/usbrip/venv/bin/usbrip` script.\n\n### Cron\n\nCron jobs can be set as follows:\n\n```console\n~/usbrip$ sudo crontab -l \u003e tmpcron \u0026\u0026 echo \"\" \u003e\u003e tmpcron\n~/usbrip$ cat usbrip/cron/usbrip.cron | tee -a tmpcron\n~/usbrip$ sudo crontab tmpcron\n~/usbrip$ rm tmpcron\n```\n\n### `uninstall.sh`\n\nThe [`installers/uninstall.sh`](https://github.com/snovvcrash/usbrip/blob/master/installers/uninstall.sh) script removes usbrip and all the installation artifacts from your system.\n\nTo uninstall usbrip use:\n\n```console\n~/usbrip$ sudo installers/uninstall.sh [-a/--all]\n```\n\n* When `-a` switch is enabled, not only the usbrip project directory is deleted but also all the storages and 
usbrip logs are deleted too.\n\nDon't forget to remove the cron job if you had set up one.\n\nUsage\n==========\n\n## Synopsis\n\n```console\n# ---------- BANNER ----------\n\n~$ usbrip banner\nGet usbrip banner.\n\n# ---------- EVENTS ----------\n\n~$ usbrip events history [-t | -l] [-e] [-n \u003cNUMBER_OF_EVENTS\u003e] [-d \u003cDATE\u003e [\u003cDATE\u003e ...]] [--host \u003cHOST\u003e [\u003cHOST\u003e ...]] [--vid \u003cVID\u003e [\u003cVID\u003e ...]] [--pid \u003cPID\u003e [\u003cPID\u003e ...]] [--prod \u003cPROD\u003e [\u003cPROD\u003e ...]] [--manufact \u003cMANUFACT\u003e [\u003cMANUFACT\u003e ...]] [--serial \u003cSERIAL\u003e [\u003cSERIAL\u003e ...]] [--port \u003cPORT\u003e [\u003cPORT\u003e ...]] [-c \u003cCOLUMN\u003e [\u003cCOLUMN\u003e ...]] [-f \u003cFILE\u003e [\u003cFILE\u003e ...]] [-q] [--debug]\nGet USB event history.\n\n~$ usbrip events open \u003cDUMP.JSON\u003e [-t | -l] [-e] [-n \u003cNUMBER_OF_EVENTS\u003e] [-d \u003cDATE\u003e [\u003cDATE\u003e ...]] [--host \u003cHOST\u003e [\u003cHOST\u003e ...]] [--vid \u003cVID\u003e [\u003cVID\u003e ...]] [--pid \u003cPID\u003e [\u003cPID\u003e ...]] [--prod \u003cPROD\u003e [\u003cPROD\u003e ...]] [--manufact \u003cMANUFACT\u003e [\u003cMANUFACT\u003e ...]] [--serial \u003cSERIAL\u003e [\u003cSERIAL\u003e ...]] [--port \u003cPORT\u003e [\u003cPORT\u003e ...]] [-c \u003cCOLUMN\u003e [\u003cCOLUMN\u003e ...]] [-q] [--debug]\nOpen USB event dump.\n\n~$ sudo usbrip events genauth \u003cOUT_AUTH.JSON\u003e [-a \u003cATTRIBUTE\u003e [\u003cATTRIBUTE\u003e ...]] [-e] [-n \u003cNUMBER_OF_EVENTS\u003e] [-d \u003cDATE\u003e [\u003cDATE\u003e ...]] [--host \u003cHOST\u003e [\u003cHOST\u003e ...]] [--vid \u003cVID\u003e [\u003cVID\u003e ...]] [--pid \u003cPID\u003e [\u003cPID\u003e ...]] [--prod \u003cPROD\u003e [\u003cPROD\u003e ...]] [--manufact \u003cMANUFACT\u003e [\u003cMANUFACT\u003e ...]] [--serial \u003cSERIAL\u003e [\u003cSERIAL\u003e ...]] [--port \u003cPORT\u003e [\u003cPORT\u003e ...]] [-f 
\u003cFILE\u003e [\u003cFILE\u003e ...]] [-q] [--debug]\nGenerate a list of trusted (authorized) USB devices.\n\n~$ sudo usbrip events violations \u003cIN_AUTH.JSON\u003e [-a \u003cATTRIBUTE\u003e [\u003cATTRIBUTE\u003e ...]] [-t | -l] [-e] [-n \u003cNUMBER_OF_EVENTS\u003e] [-d \u003cDATE\u003e [\u003cDATE\u003e ...]] [--host \u003cHOST\u003e [\u003cHOST\u003e ...]] [--vid \u003cVID\u003e [\u003cVID\u003e ...]] [--pid \u003cPID\u003e [\u003cPID\u003e ...]] [--prod \u003cPROD\u003e [\u003cPROD\u003e ...]] [--manufact \u003cMANUFACT\u003e [\u003cMANUFACT\u003e ...]] [--serial \u003cSERIAL\u003e [\u003cSERIAL\u003e ...]] [--port \u003cPORT\u003e [\u003cPORT\u003e ...]] [-c \u003cCOLUMN\u003e [\u003cCOLUMN\u003e ...]] [-f \u003cFILE\u003e [\u003cFILE\u003e ...]] [-q] [--debug]\nGet USB violation events based on the list of trusted devices.\n\n# ---------- STORAGE ----------\n\n~$ sudo usbrip storage list \u003cSTORAGE_TYPE\u003e [-q] [--debug]\nList contents of the selected storage. STORAGE_TYPE is either \"history\" or \"violations\".\n\n~$ sudo usbrip storage open \u003cSTORAGE_TYPE\u003e [-t | -l] [-e] [-n \u003cNUMBER_OF_EVENTS\u003e] [-d \u003cDATE\u003e [\u003cDATE\u003e ...]] [--host \u003cHOST\u003e [\u003cHOST\u003e ...]] [--vid \u003cVID\u003e [\u003cVID\u003e ...]] [--pid \u003cPID\u003e [\u003cPID\u003e ...]] [--prod \u003cPROD\u003e [\u003cPROD\u003e ...]] [--manufact \u003cMANUFACT\u003e [\u003cMANUFACT\u003e ...]] [--serial \u003cSERIAL\u003e [\u003cSERIAL\u003e ...]] [--port \u003cPORT\u003e [\u003cPORT\u003e ...]] [-c \u003cCOLUMN\u003e [\u003cCOLUMN\u003e ...]] [-q] [--debug]\nOpen selected storage. 
Behaves similarly to the EVENTS OPEN submodule.\n\n~$ sudo usbrip storage update \u003cSTORAGE_TYPE\u003e [IN_AUTH.JSON] [-a \u003cATTRIBUTE\u003e [\u003cATTRIBUTE\u003e ...]] [-e] [-n \u003cNUMBER_OF_EVENTS\u003e] [-d \u003cDATE\u003e [\u003cDATE\u003e ...]] [--host \u003cHOST\u003e [\u003cHOST\u003e ...]] [--vid \u003cVID\u003e [\u003cVID\u003e ...]] [--pid \u003cPID\u003e [\u003cPID\u003e ...]] [--prod \u003cPROD\u003e [\u003cPROD\u003e ...]] [--manufact \u003cMANUFACT\u003e [\u003cMANUFACT\u003e ...]] [--serial \u003cSERIAL\u003e [\u003cSERIAL\u003e ...]] [--port \u003cPORT\u003e [\u003cPORT\u003e ...]] [--lvl \u003cCOMPRESSION_LEVEL\u003e] [-q] [--debug]\nUpdate storage -- add USB events to the existing storage. COMPRESSION_LEVEL is a number in [0..9].\n\n~$ sudo usbrip storage create \u003cSTORAGE_TYPE\u003e [IN_AUTH.JSON] [-a \u003cATTRIBUTE\u003e [\u003cATTRIBUTE\u003e ...]] [-e] [-n \u003cNUMBER_OF_EVENTS\u003e] [-d \u003cDATE\u003e [\u003cDATE\u003e ...]] [--host \u003cHOST\u003e [\u003cHOST\u003e ...]] [--vid \u003cVID\u003e [\u003cVID\u003e ...]] [--pid \u003cPID\u003e [\u003cPID\u003e ...]] [--prod \u003cPROD\u003e [\u003cPROD\u003e ...]] [--manufact \u003cMANUFACT\u003e [\u003cMANUFACT\u003e ...]] [--serial \u003cSERIAL\u003e [\u003cSERIAL\u003e ...]] [--port \u003cPORT\u003e [\u003cPORT\u003e ...]] [--lvl \u003cCOMPRESSION_LEVEL\u003e] [-q] [--debug]\nCreate storage -- create 7-Zip archive and add USB events to it according to the selected options.\n\n~$ sudo usbrip storage passwd \u003cSTORAGE_TYPE\u003e [--lvl \u003cCOMPRESSION_LEVEL\u003e] [-q] [--debug]\nChange password of the existing storage.\n\n# ---------- IDs ----------\n\n~$ usbrip ids search [--vid \u003cVID\u003e] [--pid \u003cPID\u003e] [--offline] [-q] [--debug]\nGet extra details about a specific USB device by its \u003cVID\u003e and/or \u003cPID\u003e from the USB ID database.\n\n~$ usbrip ids download [-q] [--debug]\nUpdate (download) the USB ID database.\n```\n\n## Help\n\nTo get a 
list of module names use:\n\n```console\n~$ usbrip -h\n```\n\nTo get a list of submodule names for a specific module use:\n\n```console\n~$ usbrip \u003cMODULE\u003e -h\n```\n\nTo get a list of all switches for a specific submodule use:\n\n```console\n~$ usbrip \u003cMODULE\u003e \u003cSUBMODULE\u003e -h\n```\n\nExamples\n==========\n\n* Show the event history of all USB devices, suppressing banner output, info messages and user interaction (`-q`, `--quiet`), represented as a list (`-l`, `--list`) with the latest 100 entries (`-n NUMBER`, `--number NUMBER`):\n\n  ```console\n  ~$ usbrip events history -ql -n 100\n  ```\n\n* Show the event history of the external USB devices (`-e`, `--external`, which were *actually* disconnected) represented as a table (`-t`, `--table`) containing Connected, VID, PID, Disconnected and Serial Number columns (`-c COLUMN [COLUMN ...]`, `--column COLUMN [COLUMN ...]`) filtered by date (`-d DATE [DATE ...]`, `--date DATE [DATE ...]`) and PID (`--pid \u003cPID\u003e [\u003cPID\u003e ...]`) with logs taken from external files (`-f FILE [FILE ...]`, `--file FILE [FILE ...]`):\n\n  ```console\n  ~$ usbrip events history -et -c conn vid pid disconn serial -d '1995-09-15' '2018-07-01' --pid 1337 -f /var/log/syslog.1 /var/log/syslog.2.gz\n  ```\n\n  :alien: **Note:** keep one thing in mind when working with filters. There are 4 types of filtering available: only *external* USB events (devices that can be pulled out easily, `-e`), *by date* (`-d`), *by fields* (`--host`, `--vid`, `--pid`, `--prod`, `--manufact`, `--serial`, `--port`) and *by number of entries* you get as the output (`-n`). When applying different filters simultaneously, you will get the following behavior: firstly, *external* and *by date* filters are applied, then usbrip will search for specified *field* values in the intersection of those two filters, and in the end it will cut the output to the *number* you defined with the `-n` option. 
So think of it as an **intersection** for *external* and *by date* filtering and **union** for *by fields* filtering. Hope it makes sense.\n\n* Build the event history of all USB devices and redirect the output to a file for further analysis. When the output stream is NOT terminal stdout (`|` or `\u003e` for example) there are no ANSI escape characters (color) in the output so feel free to use it that way. Also notice that usbrip uses some Unicode symbols so it would be nice to convert the resulting file to UTF-8 encoding (with `enconv` for example) as well as change newline characters to Windows style for portability (with `awk` for example):\n\n  ```console\n  ~$ usbrip events history -t | awk '{ sub(\"$\", \"\\r\"); print }' \u003e usbrip.out \u0026\u0026 enconv -x UTF8 usbrip.out\n  ```\n\n  :alien: **Note:** you can always get rid of the escape characters yourself even if you have already sent the output to stdout. To do that just copy the output data to `usbrip.out` and apply one more `awk` instruction:\n\n  ```console\n  ~$ awk '{ sub(\"$\", \"\\r\"); gsub(\"\\\\x1B\\\\[[0-?]*[ -/]*[@-~]\", \"\"); print }' usbrip.out \u0026\u0026 enconv -x UTF8 usbrip.out\n  ```\n\n* Generate a list of trusted USB devices as a JSON file (`trusted/auth.json`) with VID and PID attributes containing the first *three* devices connected on November 30, 1984:\n\n  ```console\n  ~$ sudo usbrip events genauth trusted/auth.json -a vid pid -n 3 -d '1984-11-30'\n  ```\n\n  :warning: **Warning:** there are cases when different USB flash drives might have identical serial numbers. This could happen as a result of a [manufacturing error](https://forums.anandtech.com/threads/changing-creating-a-custom-serial-id-on-a-flash-drive-low-level-blocks.2099116/) or because some black hats were able to rewrite the drive's memory chip, which turned out not to be one-time programmable, and so on... Anyways, *\"no system is safe\"*. 
usbrip **does not** handle such cases in a smart way so far: it will treat a pair of devices with identical SNs (if one exists) as the same device with regard to the trusted device list and the `genauth` module.\n\n* Search the event history of the external USB devices for violations based on the list of trusted USB devices (`trusted/auth.json`) by PID attribute, restrict resulting events to those which have Bob-PC as a hostname, EvilUSBManufacturer as a manufacturer, 0123456789 as a serial number and represent the output as a table with Connected, VID and PID columns:\n\n  ```console\n  ~$ sudo usbrip events violations trusted/auth.json -a pid -et --host Bob-PC --manufact EvilUSBManufacturer --serial 0123456789 -c conn vid pid\n  ```\n\n* Search for details about a specific USB device by its VID (`--vid VID`) and PID (`--pid PID`):\n\n  ```console\n  ~$ usbrip ids search --vid 0781 --pid 5580\n  ```\n\n* Download the latest version of `usb.ids` [database](http://www.linux-usb.org/usb.ids \"List of USB ID's\"):\n\n  ```console\n  ~$ usbrip ids download\n  ```\n\nCredits \u0026 References\n==========\n\n* [usbrip / Kali Linux Tools](https://kali.tools/?p=4873)\n* [How to find out which USB devices were connected to Linux / HackWare.ru](https://hackware.ru/?p=9703)\n* [usbrip: USB forensics for Linux, or How Alice became Eve / Codeby.net information security forum](https://codeby.net/threads/usbrip-usb-forenzika-dlja-linuksov-ili-kak-alisa-stala-evoj.63644/)\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://youtu.be/DP4ScSp_2yE\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/23141800/120510806-73e70300-c3d2-11eb-8703-83af98f1a180.jpg\" alt=\"13cubed.jpg\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\nStargazers Chart\n==========\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://starchart.cc/snovvcrash/usbrip\"\u003e\u003cimg src=\"https://starchart.cc/snovvcrash/usbrip.svg\" alt=\"stargazers\" 
/\u003e\u003c/a\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnovvcrash%2Fusbrip","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsnovvcrash%2Fusbrip","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnovvcrash%2Fusbrip/lists"}