
Publication | Closed Access

Host Identification via USB Fingerprinting

Year: 2011
Citations: 19
References: 23

Abstract

Determining a computer's identity is a challenge of critical importance to a forensics investigator. However, relay and impersonation attacks can defeat even computers that contain trusted computing hardware. In this paper, we consider how to leverage the virtually ubiquitous USB interface to uniquely identify computers based on the characteristics of their hardware, firmware, and software USB stacks. We use a USB protocol analyzer to collect data on 24 machines connected to a range of different USB devices, and demonstrate through machine learning classification techniques that we can differentiate not only between operating systems, but between seemingly unnoticeable differences in machine model types as well. We also show that we can differentiate between real and virtualized hosts responding to USB stimuli, and point to new ways of recognizing remote attacks. These results are a first step in showing that USB is a novel and effective means of identifying machines, and a valuable tool in the arsenal of a forensics kit.
