USBKill

From Infogalactic: the planetary knowledge core
USBKill
Developer(s): Hephaest0s
Stable release: 1.0-rc4 / January 18, 2016
Development status: Active
Written in: Python
Operating system: BSD, Linux, OS X
Size: 15.6 KB
Type: Anti-forensic
License: GNU General Public License
Website: github.com/hephaest0s/usbkill

USBKill is anti-forensic software distributed via GitHub, written in Python for the BSD, Linux and OS X operating systems. It is designed to serve as a kill switch if the computer on which it is installed falls under the control of individuals or entities the owner or operator does not want to have it.[1] It is free software, available under the GNU General Public License.[2]

The program's developer, who goes by the online name Hephaest0s, created it in response to the circumstances of the arrest of Silk Road founder Ross Ulbricht, during which U.S. federal agents were able to get access to incriminating evidence on his laptop without needing his cooperation, by distracting him and then copying data from the machine to a flash drive.[3] USBKill maintains a whitelist of devices allowed to connect to the computer's USB ports; if a device not on that whitelist connects, it can take actions ranging from merely returning to the lock screen, to shutting the computer down, to encrypting the hard drive or even deleting all the data on it. According to its creator, it can also be used as part of a computer security regime to prevent the surreptitious installation of malware or spyware or the clandestine duplication of files.[4]
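The whitelist mechanism described above, as an added example written for this page rather than code taken from the USBKill project: it assumes a Linux host where the attached devices can be listed with `lsusb` (usbutils), identifies devices by their vendor:product ID, and uses a constructed sample of `lsusb` output and a hypothetical whitelist so that the parsing and decision logic run offline. It goes one step beyond a plain ID check by also watching the device count, which catches an attacker plugging in a clone of a whitelisted device.

```python
"""Illustrative USB whitelist monitor in the spirit of USBKill (added example,
not the project's code). On Linux it polls `lsusb`; the parsing and decision
logic is exercised on constructed sample output so it runs offline."""
import re
import subprocess
import time

# Matches the ID field of a standard `lsusb` line, e.g.
# "Bus 001 Device 003: ID 1d6b:0002 Linux Foundation 2.0 root hub"
LSUSB_ID_RE = re.compile(r"\bID ([0-9a-f]{4}:[0-9a-f]{4})\b", re.IGNORECASE)

# Constructed sample output (not captured from a real machine).
SAMPLE_LSUSB = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""

# Hypothetical whitelist: the two root hubs and the owner's own receiver.
WHITELIST = {"1d6b:0002", "1d6b:0003", "046d:c52b"}


def parse_lsusb(text):
    """Return the vendor:product IDs present in lsusb output, in order.
    A list rather than a set, so a second device with an identical ID still
    counts as an extra device."""
    return [m.group(1).lower() for m in LSUSB_ID_RE.finditer(text)]


def unknown_devices(present, whitelist):
    """IDs that are plugged in but not on the whitelist."""
    return [dev for dev in present if dev not in whitelist]


def should_trigger(text, whitelist, baseline_count=None):
    """Decide whether the kill switch should fire.

    Fires when a non-whitelisted ID is present. If baseline_count is given,
    also fires when the number of devices differs from the baseline at all:
    that catches a clone of a whitelisted ID being inserted, and also the
    removal of a trusted device (a common kill-switch trigger as well).
    """
    present = parse_lsusb(text)
    if unknown_devices(present, whitelist):
        return True
    if baseline_count is not None and len(present) != baseline_count:
        return True
    return False


def read_lsusb():
    """Run the real `lsusb` (Linux with usbutils); raises if unavailable."""
    return subprocess.run(["lsusb"], capture_output=True, text=True,
                          check=True).stdout


def monitor(whitelist, action, interval=0.25):
    """Poll until an untrusted change appears, then run `action` once."""
    baseline = len(parse_lsusb(read_lsusb()))
    while True:
        if should_trigger(read_lsusb(), whitelist, baseline):
            action()
            return
        time.sleep(interval)


if __name__ == "__main__":
    # A real deployment would pass a destructive action, for example
    # lambda: subprocess.run(["systemctl", "poweroff"]). Printing is used
    # here so that running the file as-is does nothing harmful.
    monitor(WHITELIST,
            lambda: print("untrusted USB change detected: kill switch would fire"))
```

The count check matters because a vendor:product pair is trivially spoofable by a programmable USB device, so a whitelist on IDs alone only stops an attacker who has not bothered to look at what the owner normally has plugged in. Polling at a quarter-second interval leaves a short window; a production tool would instead subscribe to hotplug events.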

Background

When law enforcement agencies began regularly making computer crime arrests in the 1990s, they would often ask judges for no-knock search warrants, in order to deny their targets time to delete incriminating evidence from computers or storage media. In more extreme circumstances, where it was likely that the targets could get advance notice of arriving police, judges would grant "power-off" warrants, allowing utilities to turn off the electricity to the location of the raid shortly beforehand, further forestalling any efforts to destroy evidence before it could be seized. These methods were effective against criminals who produced and distributed pirated software and movies, the primary large-scale computer crime of the era.[1]

By the 2010s, the circumstances of computer crime had changed along with legitimate computer use. Criminals were more likely to use the Internet to facilitate their crimes, and as such needed to remain online most of the time. To do so, and still keep their activities discreet, they used computer security features like lock screens and password protection.[1]

For those reasons, law enforcement now attempts to apprehend suspected cybercriminals with their computers on and in use, with all accounts, both on the computer and online, open and logged in, and thus easily searchable.[1] If they do not succeed in seizing the computer in that condition, some methods exist for bypassing password protection, but these may take more time than police have available. Nor may it be legally possible to compel the suspect to relinquish his or her password: in the United States, where many computer-crime investigations take place, courts have distinguished between forcing a suspect to use a physical means of protecting data, such as a thumbprint, retinal scan or key, and forcing disclosure of a password or passcode, which is purely the product of the suspect's mental processes and is thus protected from compelled disclosure by the Fifth Amendment.[5]

The usual technique for authorities, whether public entities such as law enforcement or private organizations like companies, seizing a computer (usually a laptop) that they believe is being used improperly is first to physically separate the suspect user from the computer far enough that he or she cannot touch it, preventing them from closing its lid, unplugging it or typing a command. Once they have done so, they often plug a device into a USB port that spoofs minor mouse, touchpad or keyboard activity, preventing the computer from going into sleep mode, from which it would usually return to a lock screen requiring a password. One device commonly used for this purpose is called a Mouse Jiggler.[6]

References

  1.
  2.
  3.
  4.
  5.
  6.
