I found the times when USBs were plugged in with this:
# cat /var/log/messages | grep -A 20 "usb 1-1: new high-speed USB device"
May 17 16:54:28 trogdor kernel: usb 1-1: new high-speed USB device number 8 using xhci_hcd
# cat /var/log/messages | grep "Unmounted" | grep sdf
May 17 16:56:36 trogdor journal: Unmounted /dev/sdf1 on behalf of uid 1000
Then checked what files were modified in that time range with this:
# find / -executable -type f -newermt "2018-05-17 16:54:00" ! -newermt "2018-05-17 16:57:00" -ls
I agree it's not a great solution, and far too manual. As far as I can tell there is no elegant way to see in the logs if files were moved to or from a device.
Bit of explanation:
By default CentOS7 holds logs for 4 weeks after they're cycled out, so the logs should be there to sift through in /var/log/messages-${date_in_some_format}.
$ cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
....
....
And anything of level info or higher is logged to /var/log/messages according to the rsyslog configuration file, including USB attach/detach in a barely-helpful format.
$ cat /etc/rsyslog.conf
# rsyslog configuration file
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
I plugged in my USB and copied malicious.sh from it into /tmp/ and /home/trogdor/
-rwxr-xr-x. 1 trogdor trogdor 44 May 17 16:55 /tmp/malicious.sh
-rwxr-xr-x. 1 trogdor trogdor 44 May 17 16:56 /home/trogdor/malicious.sh
In the logs I searched for when USBs were attached, and then when they were detached. I used -A to output 20 lines after the matching line, to find where the device was mounted so I was sure that this was actually the device that was being unmounted (/dev/sdf in this case). Older logs are by default stored in /var/log with messages-${date in some format}
# cat /var/log/messages | grep -A 20 "usb 1-1: new high-speed USB device"
--
May 17 16:54:28 trogdor kernel: usb 1-1: new high-speed USB device number 8 using xhci_hcd
---
May 17 16:54:29 trogdor kernel: sd 11:0:0:0: [sdf] 31258624 512-byte logical blocks: (16.0 GB/14.9 GiB)
--
Then, because the last line shows it was mounted on sdf:
# cat /var/log/messages | grep "Unmounted" | grep sdf
---
May 17 16:56:36 trogdor journal: Unmounted /dev/sdf1 on behalf of uid 1000
I ripped off this for the find time range. The times are recent, but the same applies to times in the more distant past. The output has to be sifted, but it's not as bad as it could be, assuming that the malicious files are uploaded quickly.
I also checked only for executable files.
# find / -executable -type f -newermt "2018-05-17 16:54:00" ! -newermt "2018-05-17 16:57:00" -ls
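The manual grep-then-find procedure above can be scripted. The following is an added example, not code from the original answer: it pairs each kernel "new ... USB device" line with the first `[sdX]` disk line that follows and the matching journal "Unmounted /dev/sdX" line, then prints the time window in the form `find -newermt` accepts. It assumes the year (syslog lines omit it) and that the first `[sdX]` after an attach belongs to that device; the log lines embedded below are constructed for the demonstration. It matches any USB speed class, not only the high-speed line shown in the answer.

```bash
#!/usr/bin/env bash
# Constructed sample of /var/log/messages lines (not a real capture).
SAMPLE_LOG='May 17 16:54:28 trogdor kernel: usb 1-1: new high-speed USB device number 8 using xhci_hcd
May 17 16:54:29 trogdor kernel: sd 11:0:0:0: [sdf] 31258624 512-byte logical blocks: (16.0 GB/14.9 GiB)
May 17 16:55:01 trogdor journal: Mounted /dev/sdf1 at /run/media/trogdor/USB on behalf of uid 1000
May 17 16:56:36 trogdor journal: Unmounted /dev/sdf1 on behalf of uid 1000'

# usb_windows LOGFILE YEAR
# Prints one "attach|detach|disk" line per paired USB attach/unmount event,
# with timestamps as "YYYY-MM-DD HH:MM:SS". YEAR is an assumption supplied by
# the caller because syslog timestamps carry no year.
usb_windows() {
  awk -v year="$2" '
    # Build a find-compatible timestamp from the syslog month/day/time fields.
    function stamp(m, d, t,   mon) {
      mon = index("JanFebMarAprMayJunJulAugSepOctNovDec", m)
      return sprintf("%s-%02d-%02d %s", year, (mon + 2) / 3, d, t)
    }
    # Any USB attach line (high-speed, full-speed, SuperSpeed, ...).
    /: new .*USB device number/ { attach = stamp($1, $2, $3); disk = ""; next }
    # First [sdX] block-device line after the attach names the disk
    # (assumption: it belongs to the device just attached).
    attach != "" && disk == "" && match($0, /\[sd[a-z]+\]/) {
      disk = substr($0, RSTART + 1, RLENGTH - 2); next
    }
    # The journal "Unmounted /dev/sdX..." line closes the window.
    disk != "" && $0 ~ ("Unmounted /dev/" disk) {
      print attach "|" stamp($1, $2, $3) "|" disk
      attach = ""; disk = ""
    }
  ' "$1"
}

# find_changed ROOT ATTACH DETACH
# Executable regular files under ROOT modified inside the window, as in the
# answer's find command; -xdev keeps the search off other mounted filesystems.
find_changed() {
  find "$1" -xdev -executable -type f -newermt "$2" ! -newermt "$3" -ls
}

# Stand-alone usage: run the pairing over the sample, then search /tmp.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  usb_windows <(printf '%s\n' "$SAMPLE_LOG") 2018 |
    while IFS='|' read -r attach detach disk; do
      echo "== $disk attached $attach, unmounted $detach =="
      find_changed /tmp "$attach" "$detach"
    done
fi
```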