Tags: forensics usb-keyboard
Rating:
![](https://i.imgur.com/GDOsyXa.png)
This is a USB capture, keyboard perhaps.
![](https://i.imgur.com/cwWSVvv.png)
Yeep ... keyboard: https://www.chicony.com.tw/chicony/en/Product/Input*Device
We can use tshark and manually map the pressed keys:
```bash
tshark -r key_mission.pcap -Y '((usb.transfer_type == 0x01) && (frame.len == 35)) && !(usb.capdata == 00:00:00:00:00:00:00:00)' -T fields -e usbhid.data
```
Or go YOLO and use available [scripts](https://github.com/WangYihang/UsbKeyboardDataHacker/blob/master/UsbKeyboardDataHacker.py)
Just change `usb.capdata` to `usbhid.data`:
```
python3 UsbKeyboardDataHacker.py key_mission.pcap
[+] Found : I<SPACE>aam<SPACE>ssendinf<DEL><DEL>g<SPACE>ssecrretary's<SPACE>loccation<SPACE>oveer<SPACE>this<SPACE>tottally<SPACE>encrypted<SPACE>channel<SPACE>to<SPACE>make<SPACE>surre<SPACE>no<SPACE>one<SPACE>elsse<SPACE>will<SPACE>be<SPACE>able<SPACE>to<SPACE><SPACE>rreeat<DEL>
<DEL>d<SPACE>itt<SPACE>exceppt<SPACE>of<SPACE>us.<SPACE>Tthis<SPACE>informmaation<SPACE>iss<SPACE>confiddential<SPACE>and<SPACE>must<SPACE>not<SPACE>be<SPACE>sharred<SPACE>with<SPACE>anyone<SPACE>elsse.<SPACE>Tthe<SPACE>
<SPACE>ssecrretary's<SPACE>hidden<SPACE>looccation<SPACE>is
<SPACE>CHTB{a_place=3<DEL><DEL>-3<DEL><DEL>_3<DEL><DEL><DEL>3_fAr_fAar_awway_ffr0m_eearth}<RET>
```
Flag: `CHTB{a_plac3_fAr_fAr_awway_ffr0m_eearth}`