Home > CTF, Forensics > Alex CTF USB probing Forensics 3 – 150 writeup

Alex CTF USB probing Forensics 3 – 150 writeup


Challenge file: Download.

In fact, this is my first attempt to recover USB traffic from a PCAP file.

The initial 4 packets had the information of the devices involved in the traffic. Using the Product ID and Vendor ID I did some research here to get the device details. It is a flash drive.


In the following paragraphs I will try to explain my approach to solve this problem but if you just want to see the solution please check the last 2 paragraphs.

Wireshark doesn’t have an easy option to view the transferred files using USB protocol, on the contrary it’s easy to extract or view transferred files in TCP (using TCP stream).

I made a simple test to understand how a simple file is transferred via USB protocol. I plugged in a USB device and transferred a text file ( with contents “findme”*1000). Of course, wireshark was listening to the usb interface in the background. To capture the USB traffic you must load the USB kernel module (check here).

$ sudo modprobe usbmon

Most of the packet’s sizes were less than 100 bytes and the transferred text file was found in a packet having a length greater than 1000 bytes, check the URB_BULK out.


So as a conclusion check for the packets having size greater than 1000 bytes with flags URB_BULK out/in. Also I found the file names that were present inside the flash drive.

Let’s repeat the same steps to find what was transferred. Load up the challenge file and try to find the packets having length greater than 1000 bytes. Go down a bit and bingo, you can find the PNG image’s header! 😉


Select the stream and press Ctrl + h or you can use File->Export Packet Bytes. Open the saved file in a image viewer and you see the flag!!


  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This Week In 4n6

Your weekly roundup of Digital Forensics and Incident Response news

RAM Slack - Random Thoughts from a Computer Forensic Examiner

Random Thoughts from a Computer Forensic Examiner


behind the scenes

DFIR Journal

Trials and Tribulations of a DFIR life

I dont know zilch !

For the noobs out there like me

X-Ways Forensics Practitioner's Guide

The Guide to X-Ways Forensics!

Forensic Focus - Articles

Digital forensics articles and research papers

my abbreviations......

gain,learn and share knowledge!!!!


Windows Logging Service (WLS), DFIR, etc.

Belkasoft Forensic: The Digital Evidence Blog

Searching for, analyzing and recovering digital evidence

Gail Tredwell. Amma. Truth. Lies. Scandals. Fraud. And. Reality

Three things cannot be long hidden: the sun, the moon, and the truth.

Integriography: A Journal of Broken Locks, Ethics, and Computer Forensics

Musings about UAVs, search & rescue, computer forensics, cyber security, and the state of play in all .....

Life is beautiful

when the mind is full with love, you see beauty in every thing

Techno Krat

.... Dare To Try .......

%d bloggers like this: