Didier Stevens

Thursday 14 July 2011

Quickpost: Blocking and Detecting a Teensy Dropper

Filed under: Forensics,Hardware — Didier Stevens @ 9:58

A Teensy dropper presents itself to a PC as a keyboard (HID), which is how it can be used to drop files even if you don’t allow removable drives.

You can prevent the installation of new HIDs, but this is an issue when you need to replace keyboards or mice. Irongeek has a good write-up.

Connected HIDs leave forensic traces in the registry; take a look under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\
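
One way to review these traces, as an added example that is not part of the original post: this PowerShell walks the key above and lists every recorded device instance that exposes the USB HID class, marking those whose VID/PID is not on an allowlist. The `$Approved` list and the function name `Get-RecordedUsbHid` are assumptions, and the VID/PID in the list is a placeholder.

```powershell
# Added example: list USB device instances recorded under Enum\USB that
# expose the HID class (USB class 03) and mark those not on an allowlist.

# Assumption: allowlist of VID/PID pairs for approved keyboards and mice.
# The value below is a placeholder; fill it from your own hardware inventory.
$Approved = @('VID_0000&PID_0000')

$EnumUsb = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'

function Get-RecordedUsbHid {
    param([string]$Root = $EnumUsb)

    # First level: VID_xxxx&PID_xxxx[&MI_xx]; second level: instance (serial) id.
    foreach ($device in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        foreach ($instance in Get-ChildItem -Path $device.PSPath -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
            if (-not $p) { continue }

            # A HID function is bound to the HidUsb service and carries
            # compatible IDs of the form USB\Class_03&SubClass_xx&Prot_xx.
            $isHid = ($p.Service -eq 'HidUsb') -or
                     (@($p.CompatibleIDs) -match 'Class_03')
            if (-not $isHid) { continue }

            # Drop the &MI_xx interface suffix so composite devices match too.
            $vidPid = ($device.PSChildName -split '&')[0..1] -join '&'

            [pscustomobject]@{
                VidPid     = $vidPid
                Interface  = $device.PSChildName
                InstanceId = $instance.PSChildName
                DeviceDesc = $p.DeviceDesc
                Service    = $p.Service
                Approved   = $Approved -contains $vidPid
            }
        }
    }
}

# Unapproved devices sort first ($false before $true).
Get-RecordedUsbHid | Sort-Object Approved, VidPid | Format-Table -AutoSize
```

Entries persist after the device is unplugged, so the output covers every HID that has been connected to the machine, not only the ones currently attached.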

Connecting a Teensy leaves these entries:

