Depending on the laptop, it can be trivial to open and remove the hard disk, even without tools like a screwdriver. I've removed hard disks from laptops in less than 5 seconds, because they were designed for easy maintenance.
If you leave your locked (Windows) laptop powered on, then USB devices can be inserted and interact because they get power. If you shut down your laptop and remove all power, then a USB device cannot be powered up. That's why I said you can mitigate such attacks by powering down your laptop, and preventing the attacker from powering it up.
You're most likely referring to BadUSB. That requires some hardware tinkering.
An attack that does not require hardware tinkering or skills is credential harvesting with Responder & a Bash Bunny, for example. https://blog.didierstevens.com/2017/04/06/quickpost-using-my-bash-bunny-to-snag-creds-from-a-locked-machine/
As you can see in the video I made, it takes about 20 seconds.
But like I wrote, this attack requires resources: your attacker needs to obtain a Bash Bunny or similar device.
Another way to mitigate credential harvesting via USB network devices is to disable support for these devices. But that too might not be practical, if you use similar devices yourself.
Edited by Didier Stevens, 27 March 2018 - 01:54 PM.
SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.
Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
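The post above mentions USB network devices as the vehicle for credential harvesting. The following is an added example, not part of the original post: a PowerShell audit that lists every USB-attached network adapter Windows has a record of, including ones no longer plugged in, so an unfamiliar adapter stands out. It assumes the PnpDevice module that ships with Windows 10 and later.

```powershell
# Added example (not from the original post): audit USB-attached network adapters.
# Assumption: the built-in PnpDevice module (Get-PnpDevice) is available.

# Every network-class device Windows has a record of, including devices
# that were installed once and have since been unplugged.
$allUsbNet = @(Get-PnpDevice -Class Net -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USB\*' })

# The subset that is physically attached right now.
$presentIds = @(Get-PnpDevice -Class Net -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USB\*' } |
    Select-Object -ExpandProperty InstanceId)

# Build one row per adapter. The InstanceId carries the USB vendor and
# product IDs (VID_xxxx&PID_xxxx), which identify the hardware model.
$report = foreach ($dev in $allUsbNet) {
    [pscustomobject]@{
        FriendlyName = $dev.FriendlyName
        Attached     = $presentIds -contains $dev.InstanceId
        Status       = $dev.Status
        InstanceId   = $dev.InstanceId
    }
}

if ($report) {
    # Currently attached adapters first, then historical ones.
    $report | Sort-Object Attached -Descending | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No USB-attached network adapters are recorded on this machine.'
}
```

Compare the output against the adapters you actually use (docks, Ethernet dongles, phone tethering); an entry you do not recognise is a reason to investigate.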