
A question about monitoring USB drives

October 3, 2012 6:14:20 PM

This question ties a little bit to all versions of Windows and Server editions (because of monitoring).

Okay so here's the scenario:

Person A decides to plug his USB thumb drive into Workstation A. The USB thumb drive has a Label name of "DUSTOFFTSK". Person A waits for the thumb drive to be installed by Windows as removable disk storage media. The USB thumb drive shows the Label name in the explorer view of "My Computer". He does all this connected to a network that handles mass computer monitoring and maintaining, such as an enterprise setting of PCs.

My question is: because the USB thumb drive had a label, does any of that information show up in Event Viewer or on the administrator's server computer if they review the logs? Or do the Windows software tools to mass monitor hardware leave that information out during audit sessions?

I'm only concerned about them seeing the name of the USB drive. Can anyone confirm if it does record on either Event Viewer or on Server workstations?


Thanks.
October 3, 2012 6:21:41 PM

Get ready for not only seeing the label but the entire file list and every copy action in the logs! There is software to do that.
October 3, 2012 6:42:28 PM

Sounds like your employer is serious about security. From the moment you plugged that thumb drive in they knew everything there was to know about it, including the movement of files on to or off of.
October 4, 2012 12:13:47 AM

noidea_77 said:
Get ready for not only seeing the label but the entire file list and every copy action in the logs! There is software to do that.


What if I said that their servers were running Windows Server 2003 and had only up to Windows XP SP3 on them? And one person does an audit if it's brought up if they see something "suspicious".

I just wanted to know because we had someone fired for mass deleting company data.

Can Windows Server 2003 really keep a log of the USB label and find Hidden files? Or do they need other software to track specifically?

They were on the low-side when it came to security but I wanted to make sure if Windows Server 2003 had any ability to do that without add on software?
October 4, 2012 12:15:18 AM

ex_bubblehead said:
Sounds like your employer is serious about security. From the moment you plugged that thumb drive in they knew everything there was to know about it, including the movement of files on to or off of.

Is this a feature default with Windows Server 2003 to audit the machine?

I doubt the tech at our place even goes that far but I wondered if it was an ability included without the need of extra software?


And that's bad if they can....
October 4, 2012 3:36:01 AM

By default there are no logs kept. However, there is information embedded in the registry that a good forensic examiner can extract which can be used to determine when and what. Needless to say it ain't cheap for that sort of examination.
October 5, 2012 12:08:21 AM

ex_bubblehead said:
By default there are no logs kept. However, there is information embedded in the registry that a good forensic examiner can extract which can be used to determine when and what. Needless to say it ain't cheap for that sort of examination.

If it's like that on default, then I am very relieved. They probably haven't gotten around to changing those settings specifically, so I hear here.

Thanks for clearing that up for me.
October 5, 2012 12:14:18 AM

I said there are no logs kept, not that there was no evidence trail. Every device plugged in gets recorded in the registry. Unless the registry is purged this information remains with the system forever.