Tags: usb mouse pcap forensics 

Rating: 1.7

### Long Battery Life

*[Don't follow my github repo for CTF](https://github.com/spitfirerxf)*

_Really long battery life and very durable! Hint: USB traffic from Wireless Mouse_

We got a PCAP file filled with USB packet captures. Opening it in Wireshark, we saw several configuration sections mentioning a Video Capture Device and a 2.4G Keyboard Mouse.

The hint wasn't there in the first place, so we went down the rabbit hole. We thought that the first several captures were from the video capture device, because the configuration section said something about video encoding. And apparently they weren't. We also thought that it could be a keyboard, because of the 8-byte data instead of the mouse's 4-byte stream (at least from what I read in the USB documentation). But if it's a keyboard it doesn't make any sense: it can't be parsed into an actual readable string.

![The rabbithole TM](https://github.com/spitfirerxf/RaziCTF-2020/raw/main/rabbithole.png)

Then the hint came out (because only 1 person solved it without the hint), and we immediately worked on it. We found [this wiki](https://ctf-wiki.github.io/ctf-wiki/misc/traffic/protocols/USB/) about USB, which explains that mouse data can actually be 8 bytes. So we went to [this repo](https://github.com/WangYihang/UsbMiceDataHacker) and modified it a bit so it could parse our mouse capture and draw it with matplotlib.

Then we saved it to a file and got the flag.

![The Flag](https://github.com/spitfirerxf/RaziCTF-2020/raw/main/out.png)

`RaziCTF{I_Love_My_Mouse}`
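
The parsing step described above, as an added example (not our modified script and not the linked repo's code): it decodes 4- and 8-byte mouse reports into signed X/Y deltas and accumulates the positions where the left button is held. The byte offsets in `LAYOUTS` and the sample payloads are assumptions; a real device's layout is defined by its HID report descriptor.

```python
# Added example: rebuild a mouse trace from USB HID report payloads.
# ASSUMED layouts (report length -> (button, dx, dy) byte offsets); real
# devices define this in their HID report descriptor, so adjust as needed.
LAYOUTS = {4: (0, 1, 2), 8: (0, 2, 4)}
LEFT_BUTTON = 0x01

def signed8(b):
    """Interpret one byte as a two's-complement 8-bit delta."""
    return b - 256 if b > 127 else b

def parse_report(hexstr, layouts=LAYOUTS):
    """Return (buttons, dx, dy), or None for malformed/unknown reports."""
    try:
        raw = bytes.fromhex(hexstr.strip().replace(":", ""))
    except ValueError:
        return None
    if len(raw) not in layouts:
        return None
    b, x, y = layouts[len(raw)]
    return raw[b], signed8(raw[x]), signed8(raw[y])

def trace(lines, button=LEFT_BUTTON):
    """Accumulate relative moves; keep positions where `button` is held."""
    x = y = 0
    points = []
    for line in lines:
        rep = parse_report(line)
        if rep is None:
            continue
        buttons, dx, dy = rep
        x, y = x + dx, y + dy
        if buttons & button:
            # Screen Y grows downward, so negate it for plotting.
            points.append((x, -y))
    return points

# Constructed sample payloads (not taken from the challenge capture).
SAMPLE = [
    "00:00:05:00:00:00:00:00",   # move right 5, no button
    "01:00:03:00:02:00:00:00",   # left held: right 3, down 2
    "01:00:fe:00:ff:00:00:00",   # left held: left 2, up 1
    "zz",                        # garbage line, skipped
    "01:02:fd:00",               # 4-byte report: right 2, up 3
]

if __name__ == "__main__":
    print(trace(SAMPLE))
```

The returned points can be fed to a scatter plot to make the drawn text visible.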