
Show HN: CLI forensics tool for tracking USB device artifacts on Linux - snovvcrash
https://github.com/snovvcrash/usbrip
======
jaclaz
Question: From the screenshots it seems like no year is shown? Only month,
day, time.

It would be IMHO advisable to use not the name of the month and _somehow_ fit
in the line the year.

Note: Small typo: the past of "shut down" is "shut down" and not "shutted
down".

~~~
pretty_lorelei
They explain the reason in README:

    
    
      usbrip works with non-modified structure of system log files only, so, unfortunately, it won't be able to parse USB history if you change the format of syslogs (with syslog-ng or rsyslog, for example). That's why the timestamps of "Connected" and "Disconnected" fields don't have the year, by the way. Keep that in mind.

~~~
jaclaz
Well, no, that is a non-explanation.

If the format of syslogs doesn't change there should be no issues (or should
it be read as "the system logs don't have the year"? )

If you don't have the year, it is not a "full date" in the forensic sense of
the term, and you simply cannot present such a result in a Court.

A statement like "A Netac USB device was connected on May 26, _presumably in
the year 2019_ , exactly at 00:51:54 and soon after disconnected, exactly at
00:52:21" won't be good.

If it is technically not possible to retrieve the year, then the whole stuff
has very little relevance on itself.

It would be needed to create a complete timeline of the system under
investigation and correlate the month, day, time with activities that have an
objective timestamp including the year.

~~~
pretty_lorelei
> or should it be read as "the system logs don't have the year"?

That's the case. RFC 3164, which specifies the log format, is the only one
usbrip can read, and it doesn't have an option to specify year.

~~~
jaclaz
Well, then the tool has no actual "forensics" use by itself.

It's a pity, of course, but it can only be a tool to confirm findings that
have a "proper" timestamp.

Most probably the log consists of "appended" entries that might mitigate the
issue; still, a clear and extended "justification" is needed for the procedure
with which the year is "attributed" to the yearless entry for forensics use.
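
The procedure jaclaz is asking for, as an added example (not usbrip's code and not the RFC 3164 parser of any other tool): parse the stock yearless kernel lines, then attribute a year by walking the append-only file backwards from an anchor year that has to be established outside the log (file mtime, a dated backup, correlation with a dated artifact), decrementing the year whenever a timestamp goes backwards, which in an unmodified syslog can only be a Dec/Jan boundary. The log lines, vendor/product IDs, serial number and the `host` name are constructed for the example; the anchor year 2019 is an assumed input, not something the log proves.

```python
import re
from datetime import datetime

# Constructed sample, not taken from any real system: kernel USB messages as
# they land in /var/log/syslog or /var/log/kern.log with the stock RFC 3164
# timestamp ("Mmm dd hh:mm:ss", no year).  The Dec -> Jan step is deliberate.
SAMPLE_LOG = """\
Dec 31 23:58:10 host kernel: [  100.000001] usb 1-1: New USB device found, idVendor=1234, idProduct=abcd
Dec 31 23:58:10 host kernel: [  100.000002] usb 1-1: Product: Example Flash Drive
Dec 31 23:58:10 host kernel: [  100.000003] usb 1-1: SerialNumber: 0000EXAMPLE
Jan  1 00:02:21 host kernel: [  351.000001] usb 1-1: USB disconnect, device number 2
May 26 00:51:54 host kernel: [  900.000001] usb 1-2: New USB device found, idVendor=1234, idProduct=abcd
May 26 00:51:54 host kernel: [  900.000002] usb 1-2: SerialNumber: 0000EXAMPLE
May 26 00:52:21 host kernel: [  927.000001] usb 1-2: USB disconnect, device number 3
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# RFC 3164 header (month, day, time, host), the "kernel:" tag, the optional
# printk uptime prefix, then the usb port and the message.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) \S+ kernel: "
    r"(?:\[\s*\d+\.\d+\] )?usb (?P<port>[\d.-]+): (?P<msg>.*)$")


def parse_rfc3164_usb(text):
    """Return the USB kernel lines as dicts with a yearless (mon, day, h, m, s) key."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kernel USB line; ignored
        key = (MONTHS[m["mon"]], int(m["day"]),
               int(m["hh"]), int(m["mm"]), int(m["ss"]))
        entries.append({"key": key, "port": m["port"], "msg": m["msg"]})
    return entries


def attribute_years(entries, anchor_year):
    """Assign a year to every entry, in place, and return the list.

    anchor_year is the year of the LAST entry, established outside the log.
    Because syslog is append-only, timestamps never go backwards within one
    file, so a backwards step while walking from the end can only mean a year
    boundary.  This assumes an unmodified, unrotated file; a spliced or edited
    log breaks the argument, which is why the attribution must be justified.
    """
    year = anchor_year
    next_key = None
    for e in reversed(entries):
        if next_key is not None and e["key"] > next_key:
            year -= 1  # e.g. Dec 31 immediately before Jan 1
        mon, day, hh, mm, ss = e["key"]
        # A ValueError here (e.g. Feb 29 in a non-leap year) is itself
        # evidence that the anchor year is wrong.
        e["timestamp"] = datetime(year, mon, day, hh, mm, ss)
        next_key = e["key"]
    return entries


def usb_sessions(entries):
    """Pair 'New USB device found' with 'USB disconnect' per port."""
    open_by_port, sessions = {}, []
    for e in entries:
        msg, port = e["msg"], e["port"]
        if msg.startswith("New USB device found"):
            ids = dict(re.findall(r"(idVendor|idProduct)=([0-9a-f]{4})", msg))
            open_by_port[port] = {"port": port, "vid": ids.get("idVendor"),
                                  "pid": ids.get("idProduct"), "product": None,
                                  "serial": None, "connected": e["timestamp"],
                                  "disconnected": None}
        elif port in open_by_port and msg.startswith("Product: "):
            open_by_port[port]["product"] = msg[len("Product: "):]
        elif port in open_by_port and msg.startswith("SerialNumber: "):
            open_by_port[port]["serial"] = msg[len("SerialNumber: "):]
        elif port in open_by_port and msg.startswith("USB disconnect"):
            s = open_by_port.pop(port)
            s["disconnected"] = e["timestamp"]
            sessions.append(s)
    sessions.extend(open_by_port.values())  # devices still connected at EOF
    return sessions


if __name__ == "__main__":
    dated = attribute_years(parse_rfc3164_usb(SAMPLE_LOG), anchor_year=2019)
    for s in usb_sessions(dated):
        print(f"{s['port']} {s['vid']}:{s['pid']} {s['serial']} "
              f"{s['connected'].isoformat()} -> {s['disconnected']}")
```

The output of this is only as good as the anchor year and the assumption that nothing was inserted or removed between the anchor and the entry of interest; a report would have to state both, which is the "justification" the comment above asks for.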

------
MartijnBraam
Wouldn't this be more reliable by recording udev events instead of parsing the
syslog?

~~~
snovvcrash
Yes, it is one of the possible decisions but that would make the tool a bit
less portable. When dealing with text logs, you can move them around as well
as keep backup storages updating them with new entries.

~~~
techntoke
I'm confused by this. Why can you not have udev events or the kernel API doing
the same thing?

------
ape4
That sample command line in the screenshot. It's so easy ;)

------
Lowkeyloki
I like this. Is there a way to clean up the logs this uses to hide these
traces? I didn't see any such functionality as I skimmed the README.

------
LukeB42
Looks interesting. Could you please convert the tabs to 4 spaces though?

~~~
simion314
FYI, I have no idea if I use tabs or spaces in my projects, my IDE is
configured to use the popular linting/formatting so it autoformats using that.

Honest question, when have you hit issues caused by someone else's code not
using your favorite style of tabs vs spaces? Is there an editor/IDE that can't
autodetect this and work properly, or is there a language that would fail
because it is hyper sensitive to white space?

~~~
kbanana
Python, which this program is written in, uses indentation for blocks. Mixing
spaces and tabs is basically a syntax error.

~~~
giancarlostoro
Which is why PEP-8, the Python code style guide, enforces 4 spaces. This
maintains consistency throughout the community. Also PyCharm, one of the more
popular IDEs for Python, uses 4 spaces by default.

~~~
joepie91_
That's not what PEP-8 is for, it was meant to define the style _of the
standard libraries_. A lot of people in the community voluntarily adopted it
for their projects, but that wasn't its purpose.

