[2] The program's developer, who goes by the online name Hephaest0s, created it in response to the circumstances of the arrest of Silk Road founder Ross Ulbricht, during which U.S. federal agents were able to get access to incriminating evidence on his laptop without needing his cooperation by copying data from its flash drive after distracting him.
In more extreme circumstances where it was likely that the targets could get advance notice of arriving police, judges would grant "power-off" warrants, allowing utilities to turn off the electricity to the location of the raid shortly beforehand, further forestalling any efforts to destroy evidence before it could be seized.
Once they have done so, they often install a device in the USB port that spoofs minor actions of a mouse, touchpad, or keyboard, preventing the computer from going into sleep mode, from which it would usually return to a lock screen which would require a password.
[4] The program, when installed, prompts the user to create a whitelist of devices that are allowed to connect to the computer via its USB ports, which it checks at an adjustable sample rate.
The user may also choose what actions the computer will take if it detects a USB device not on the whitelist (by default, it shuts down and erases data from the RAM and swap file).
Hephaest0s cautions users that they must be using at least partial disk encryption along with USBKill to fully prevent attackers from gaining access;[4] Gizmodo suggests using a virtual machine that will not be present when the computer reboots.
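The whitelist check described above, sketched as an added example (this is not USBKill's own code): it parses `lsusb`-style listings, compares the device IDs against a whitelist at a configurable polling interval, and hands any unknown device to a callback instead of performing the shutdown. The sample listings, function names and callback are constructed for illustration.

```python
import re
import time

# Matches the vendor:product pair in an `lsusb` line.
ID_RE = re.compile(r"\bID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\b")

# Constructed sample snapshots in `lsusb` format (not captured from a real host).
BASELINE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. Mouse
"""
AFTER_INSERT = BASELINE + "Bus 001 Device 004: ID 0000:0001 Constructed unknown device\n"


def parse_ids(lsusb_text):
    """Return the set of lowercase 'vendor:product' IDs in an lsusb listing."""
    return {f"{v}:{p}".lower() for v, p in ID_RE.findall(lsusb_text)}


def unknown_devices(lsusb_text, whitelist):
    """Return the sorted IDs that are present but not whitelisted."""
    return sorted(parse_ids(lsusb_text) - {w.lower() for w in whitelist})


def watch(read_snapshot, whitelist, on_violation, interval=0.25, max_polls=None):
    """Poll every `interval` seconds; call on_violation(ids) at the first unknown device.

    Returns the number of polls performed. max_polls bounds the loop for testing.
    """
    polls = 0
    while max_polls is None or polls < max_polls:
        polls += 1
        bad = unknown_devices(read_snapshot(), whitelist)
        if bad:
            on_violation(bad)  # assumption: the caller decides the response
            break
        time.sleep(interval)
    return polls


if __name__ == "__main__":
    snapshots = iter([BASELINE, BASELINE, AFTER_INSERT])
    allowed = parse_ids(BASELINE)  # whitelist built from the trusted state
    watch(lambda: next(snapshots), allowed,
          lambda ids: print("non-whitelisted device:", ids), interval=0.01)
```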
[4] With his 2600 article, Grothe shared a patch that added a feature allowing the program to shut down a network when a non-whitelisted USB device is inserted into any terminal.
It uses a memory-resident bash script as a watchdog timer that loops three times a second, checking whether the boot device (i.e., the flash drive) is still mounted, and reboots the computer if it is not.