Skip to content
/ USB-Forensic-Analysis Public

Digital forensic investigation using Kali Linux on Raspberry Pi to analyze malicious USB payloads (ZIP bombs).

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

sirwilliamwallace/USB-Forensic-Analysis

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Digital Forensics Investigation – USB Analysis on Raspberry Pi

Related Article

I wrote a detailed guide on setting up the Raspberry Pi with Kali Linux and securing it via Tailscale, which was used in this forensic investigation:

➡️ How to Install Kali Linux on a Raspberry Pi and Access It Securely (Tailscale Version)
Published on Medium by Amirhossein Shekooh

Overview

This project documents a full digital forensic analysis of a suspicious 2GB USB flash drive, conducted as part of a university module in Digital Forensics. Using a Raspberry Pi 4 configured with Kali Linux and remote-secured via Tailscale, I followed a professional-grade investigation workflow including evidence imaging, hashing, file carving, and advanced analysis of hidden malicious payloads (ZIP bombs).

Tools & Technologies

  • Kali Linux on Raspberry Pi 4 (custom SSH-only setup)
  • FTK Imager (image creation + MD5 & SHA-1 verification)
  • Foremost (file carving)
  • Binwalk & Strings (advanced ZIP analysis)
  • Tailscale (secure remote access)

Key Steps

1. Write-Blocked Imaging

  • USB was imaged using FTK Imager v4.7.3 with a USB write blocker.
  • MD5 & SHA-1 hashes were created and verified to ensure integrity.

image

MD5: 958eaee85ace515af653944635913209
SHA-1: a641ff2f1b66fa37b9605f8aa0cf6a033fd02e06

2. Secure Analysis Environment

  • Raspberry Pi 4 running Kali Linux configured with USER as sole user.
  • Remote SSH access is locked to the examiner's device via Tailscale.

3. File Carving & Threat Discovery

  • Image file usb-raw-img.dd.001 analysed using Foremost.
  • Two ZIP files were carved: both later flagged as corrupted/malicious. image image
foremost -i usb-raw-img.dd.001 -o recovered_files

4. Safe Static Analysis

  • Binwalk, Strings, and Zipinfo were used to examine ZIP files without extracting them.

  • Found patterns of repeated JPEGs and text files: indicators of ZIP bombs

image

ZIP info: image

Binwalk: image

Legal & Ethical Considerations

  • All actions complied with GDPR, data integrity, and chain-of-custody protocols.

  • Confidential or suspicious data was not stored on personal machines.

  • Tailscale ensured an isolated forensic analysis environment.

Key findings

image

  • ZIP bombs were embedded with repetitive, oversized, corrupted files.

  • Designed to crash systems or delay forensic work.

  • Proper isolation and safe tools mitigated risks successfully.

Licence

This project is licensed under the MIT License – see the LICENSE file for details.

Author

Amirhossein Shekooh BSc Cybersecurity Feel free to explore the report or reach out for discussion or collaboration.

About

Digital forensic investigation using Kali Linux on Raspberry Pi to analyze malicious USB payloads (ZIP bombs).

Topics

raspberry-pi cybersecurity malware-analysis digital-forensics kali-linux zip-bomb tailscale forensics-tools usb-analysis

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published