https://github.com/sirwilliamwallace/usb-forensic-analysis
Digital forensic investigation using Kali Linux on Raspberry Pi to analyze malicious USB payloads (ZIP bombs).
https://github.com/sirwilliamwallace/usb-forensic-analysis
cybersecurity digital-forensics forensics-tools kali-linux malware-analysis raspberry-pi tailscale usb-analysis zip-bomb
Last synced: 2 months ago
JSON representation
Digital forensic investigation using Kali Linux on Raspberry Pi to analyze malicious USB payloads (ZIP bombs).
- Host: GitHub
- URL: https://github.com/sirwilliamwallace/usb-forensic-analysis
- Owner: sirwilliamwallace
- License: mit
- Created: 2025-06-28T19:57:25.000Z (about 1 year ago)
- Default Branch: master
- Last Pushed: 2025-06-28T20:41:47.000Z (about 1 year ago)
- Last Synced: 2025-06-28T21:29:21.012Z (about 1 year ago)
- Topics: cybersecurity, digital-forensics, forensics-tools, kali-linux, malware-analysis, raspberry-pi, tailscale, usb-analysis, zip-bomb
- Homepage:
- Size: 14.6 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Digital Forensics Investigation – USB Analysis on Raspberry Pi
## Related Article
I wrote a detailed guide on setting up the Raspberry Pi with Kali Linux and securing it via Tailscale, which was used in this forensic investigation:
**➡️ [How to Install Kali Linux on a Raspberry Pi and Access It Securely (Tailscale Version)](https://medium.com/@mrnumberx/how-to-install-kali-linux-on-a-raspberry-pi-and-access-it-securely-tailscale-version-1a663d64ec74)**
Published on *Medium* by Amirhossein Shekooh
---
## Overview
This project documents a full **digital forensic analysis** of a suspicious 2GB USB flash drive, conducted as part of a university module in Digital Forensics. Using a **Raspberry Pi 4** configured with **Kali Linux** and remote-secured via **Tailscale**, I followed a professional-grade investigation workflow including evidence imaging, hashing, file carving, and advanced analysis of hidden malicious payloads (ZIP bombs).
---
## Tools & Technologies
- Kali Linux on Raspberry Pi 4 (custom SSH-only setup)
- FTK Imager (image creation + MD5 & SHA-1 verification)
- Foremost (file carving)
- Binwalk & Strings (advanced ZIP analysis)
- Tailscale (secure remote access)
---
## Key Steps
### 1. Write-Blocked Imaging
- USB was imaged using FTK Imager v4.7.3 with a USB write blocker.
- MD5 & SHA-1 hashes were created and verified to ensure integrity.
```plaintext
MD5: 958eaee85ace515af653944635913209
SHA-1: a641ff2f1b66fa37b9605f8aa0cf6a033fd02e06
```
### 2. Secure Analysis Environment
- Raspberry Pi 4 running Kali Linux configured with `USER` as sole user.
- Remote SSH access is locked to the examiner's device via Tailscale.
---
### 3. File Carving & Threat Discovery
- Image file `usb-raw-img.dd.001` analysed using Foremost.
- Two ZIP files were carved: both later flagged as corrupted/malicious.
```bash
foremost -i usb-raw-img.dd.001 -o recovered_files
```
### 4. Safe Static Analysis
- Binwalk, Strings, and Zipinfo were used to examine ZIP files without extracting them.
- Found patterns of repeated JPEGs and text files: indicators of ZIP bombs
ZIP info:
Binwalk:
## Legal & Ethical Considerations
- All actions complied with GDPR, data integrity, and chain-of-custody protocols.
- Confidential or suspicious data was not stored on personal machines.
- Tailscale ensured an isolated forensic analysis environment.
### Key findings
- ZIP bombs were embedded with repetitive, oversized, corrupted files.
- Designed to crash systems or delay forensic work.
- Proper isolation and safe tools mitigated risks successfully.
## Licence
This project is licensed under the MIT License – see the [LICENSE](./LICENSE) file for details.
## Author
**Amirhossein Shekooh**
BSc Cybersecurity
Feel free to explore the report or reach out for discussion or collaboration.