Driver forensics: Investigating use of PiKVM and similar devices on Windows
The advent of remote work has been a game changer for employers and employees alike. With it came the adoption of many newer technologies, including KVM-over-IP devices, which allow users to connect to remote computers as though they were physically in front of them. These devices can connect while leaving minimal footprints on the remote computer (like plugging in a USB mouse), making them a preferred tool for malicious insiders or “fake” remote workers.
Many forensic investigation discussions dwell on investigating USB mass storage devices, but what happens when the investigated activity involves only connecting the device to an external display via an HDMI cord?
In this session, we will discuss the specifics of how the use of PiKVM can be detected and investigated using a combination of forensic tools, and how the approach can be adapted for other similar devices.