USB data theft: how 60 seconds and a thumb drive can copy your entire device
USB exfiltration is the most underrated threat in any unsupervised-device scenario. How it actually works, why standard antivirus misses it, and what kernel-level monitoring can do.
There is no safer-feeling moment in a repair shop than when the technician plugs in a thumb drive. It looks like a tool. It can be a tool. It can also be a one-minute exit door for everything on your machine.
USB-based exfiltration is the most consistently underrated threat in any unsupervised-device scenario, and it is one of the patterns the University of Guelph study (see our analysis) explicitly captured.
§ How fast is fast
On a 2024-class laptop and a USB 3.2 Gen 2 stick, sustained sequential copy hits about 1 GB per second. A modest 256 GB drive can absorb the contents of an average personal laptop in well under five minutes. Robocopy and xcopy are part of stock Windows. There is no installer, no antivirus prompt, and no obvious trace once the drive is unplugged.
§ Why antivirus does not catch it
Antivirus engines look for malware signatures and bad-behaviour patterns. A built-in Windows utility doing fast file reads is not malware behaviour. Some enterprise EDR products do detect bulk-copy patterns; almost none ship on consumer machines.
§ What does work
- Kernel-level event tracing (ETW on Windows) that records process starts and file-open volumes regardless of the API used. This catches robocopy and xcopy at the level where they cannot hide.
- USB device-arrival logging with VID, PID, and serial number, plus matching device-removal records. The result is a reconstructable timeline: a USB stick was here, between these two timestamps, while these files were being read.
Together, those two streams produce a forensic timeline. Black Box runs ETW and the USB device watcher as part of its default event set. Each event is hashed into a SHA-256 chain, so a technician who reaches the log file cannot quietly delete the USB-arrival entry without producing a chain break.
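Those two streams correlated into a timeline and protected by a per-event SHA-256 chain, as an added Python example that is not Black Box's own code: the event records, field names and chain layout are constructed for illustration, and the windows it returns show which files were read while a given VID/PID/serial was present.

```python
import hashlib, json
GENESIS = "0" * 64  # stands in for the hash of the record before the first event
# Constructed sample events in the two streams the text describes (not real Black
# Box output; field names are assumed): USB arrival/removal with VID, PID and
# serial, plus ETW-style process-start and file-read records.
EVENTS = [
    {"t": "2025-03-01T10:00:00", "kind": "usb_arrival", "vid": "0781", "pid": "5583", "serial": "4C53000123"},
    {"t": "2025-03-01T10:00:05", "kind": "process_start", "image": "robocopy.exe", "procid": 4120},
    {"t": "2025-03-01T10:00:06", "kind": "file_read", "path": r"C:\Users\alice\Documents\taxes.pdf", "bytes": 2_000_000},
    {"t": "2025-03-01T10:00:07", "kind": "file_read", "path": r"C:\Users\alice\Pictures\img1.jpg", "bytes": 4_000_000},
    {"t": "2025-03-01T10:01:10", "kind": "usb_removal", "vid": "0781", "pid": "5583", "serial": "4C53000123"},
    {"t": "2025-03-01T10:05:00", "kind": "file_read", "path": r"C:\Windows\notepad.exe", "bytes": 200_000},
]
def _link(prev_hash, event):
    # Each record commits to the previous hash, so deleting or editing any entry breaks every link after it.
    return hashlib.sha256((prev_hash + json.dumps(event, sort_keys=True)).encode()).hexdigest()

def build_chain(events):
    """Append-only log: each record stores the event, the previous hash and its own hash."""
    chain, prev = [], GENESIS
    for ev in events:
        chain.append({"event": ev, "prev": prev, "hash": _link(prev, ev)})
        prev = chain[-1]["hash"]
    return chain

def verify_chain(chain):
    """Return the index of the first broken link, or None if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _link(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return None

def files_read_while_usb_present(events):
    """Per USB device, reconstruct the arrival..removal window and the files read inside it."""
    windows, present = [], {}
    for ev in events:
        dev = (ev.get("vid"), ev.get("pid"), ev.get("serial"))
        if ev["kind"] == "usb_arrival":
            present[dev] = {"device": dev, "start": ev["t"], "end": None, "files": []}
        elif ev["kind"] == "usb_removal" and dev in present:
            present[dev]["end"] = ev["t"]
            windows.append(present.pop(dev))
        elif ev["kind"] == "file_read":
            for window in present.values():  # attribute the read to every device present
                window["files"].append((ev["path"], ev["bytes"]))
    windows.extend(present.values())  # devices never removed are still-open windows
    return windows
```

Dropping the USB-arrival record from the chain makes `verify_chain` report the break at the very first remaining entry, which is the property the text relies on.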
§ Practical hardening
1. Move sensitive files off the device entirely; they cannot be copied if they are not present.
2. Sign out of cloud accounts that auto-sync; otherwise a copied folder reaches a second host.
3. Run a forensic recorder, so any USB device that arrives is logged with VID, PID, and serial.
§ Common questions
How long does a full-device copy actually take?
On modern hardware with a USB 3.2 stick, around 1 GB per second sustained. The user profile of an average laptop transfers in under a minute.
Will my antivirus catch a robocopy bulk transfer?
Almost certainly not on consumer Windows. Robocopy is a built-in administrative tool. Enterprise EDR products may flag it; consumer AV does not.
Does Black Box block USB devices?
No. It records them. Blocking is a separate decision; recording is the evidence layer that makes the bench non-anonymous.
§ Next step
Want a forensic recorder on your machine? Black Box ships free for individuals: a 2.9 MB, digitally signed installer, no card required.