Data stolen - USB memory key


Huppy

Is there any way of telling if someone has plugged in a USB key to my
computer and copied data off it?

I assumed an entry would be put in the event viewer - system log when the
USB drive is added, but I tested it and it didn't. Is there anywhere else
(i.e. another log) I can get this info?

TIA for your help,

-A
 
There is no such log information kept.
Your best bet is to turn off USB drive access to your computer. microsoft.com
has guides for that.
 
Actually, if the USB drive was new to the system and had not been previously
installed, there would be an entry in the setupapi.log file located in the
Windows folder. Also, there would be a new enumeration in the registry under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB. You should see a new
entry under the device's VID\PID.

This could help determine if the device was installed. This would not tell
you if files were transferred to or from the system.

/rb
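
The setupapi.log check described in the reply above, as an added example that is not part of the original thread: a small parser that lists when each USB device was first installed. The section-header and `#I121 Device install of ...` line layout is an assumption about the Windows XP-era log format, and the sample log, VID/PID and serial values are constructed.

```python
import re

# Constructed sample in the style of a Windows XP setupapi.log (assumed layout,
# not taken from a real system). VID/PID and serial values are made up.
SAMPLE_LOG = r'''
[2006/03/14 09:12:44 1180.3 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_1234&pid_5678&rev_0100,usb\vid_1234&pid_5678
#I121 Device install of "USB\VID_1234&PID_5678\0000ABCDEF123456" finished successfully.
[2006/03/14 09:12:47 1180.8 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskexample_flash_drive_1.00
#I121 Device install of "USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\0000ABCDEF123456&0" finished successfully.
[2006/03/15 17:40:02 412.7 Driver Install]
#-019 Searching for hardware ID(s): pci\ven_8086&dev_24c5
#I121 Device install of "PCI\VEN_8086&DEV_24C5\3&61AAA01&0&FD" finished successfully.
'''

# Section header: [date time pid.tid description]
SECTION = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ .+\]$')
# Completed install of a device on the USB bus or the USB storage class
INSTALLED = re.compile(r'Device install of "((?:USBSTOR|USB)\\[^"]+)" finished successfully', re.I)
VIDPID = re.compile(r'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})', re.I)

def usb_first_installs(log_text):
    """Return one record per USB/USBSTOR install section, in log order."""
    records, stamp = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            stamp = header.group(1)      # remember the timestamp of this section
            continue
        done = INSTALLED.search(line)
        if done and stamp:
            instance = done.group(1)
            ids = VIDPID.search(instance)
            records.append({
                "first_installed": stamp,
                "instance_id": instance,
                "vid_pid": f"{ids.group(1)}:{ids.group(2)}".upper() if ids else None,
                # last path component; the serial on devices that report one
                "serial": instance.rsplit("\\", 1)[-1],
            })
    return records

if __name__ == "__main__":
    for rec in usb_first_installs(SAMPLE_LOG):
        print(rec["first_installed"], rec["vid_pid"], rec["instance_id"])
```

As the reply says, this only shows that a device was installed for the first time; it says nothing about whether files were copied.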
 
Huppy said:
Is there any way of telling if someone has plugged in a USB key to my
computer and copied data off it?

I assumed an entry would be put in the event viewer - system log when
the USB drive is added, but I tested it and it didn't. Is there anywhere
else (i.e. another log) I can get this info?


It is likely the USB drive gets the next drive assignment; i.e., if you
have drives A:, C:, and D: then the USB stick will get E: assigned to
it. So I'd start hunting around for file monitor utilities where you
could monitor all activity under a folder (and then just pick <d>:\ as
the parent folder so everything on it gets monitored). But that won't
tell you who is doing the copying because apparently you leave your
account logged on so anyone can walk over to use your computer. If the
user had to use their own account, you could use auditing to monitor who
logged on when and then check the file monitor to see if they had been
copying to the USB-assigned drive letter. Or you could install a
keylogger (provided it ran no matter which account was used to login).
Or stick a webcam on your computer and have it record when it detects
movement to catch the culprit on video. It's likely they won't know it
is on, and if they stop it then you also have your culprit.
 
To see if any removable devices have been installed ->
Open Device Manager, click View, tick "Show Hidden Devices".
Expand the Disk Drives category - most USB key/thumb
drives will be shown grayed out - enumerated, but not currently
active in the hardware profile.

As to logging data, that's more difficult to track.

I do know that there are some enhancements planned for USB
to help IT administrators deal with this.
 
There is no such log information kept.
Your best bet is to turn off USB drive access to your computer. microsoft.com
has guides for that.

Isn't there some way to assign Windows security to the USB device?

In the NT architecture books much is made about the NT security model
and the ability to assign security to anything. I'd like to think that
whenever a USB fob was detected a User ID/Password popup would ask
for your XP User ID, which would give you a way to protect your
system. The same thing should work for the A drive, but in 13 years
of working with NT I've never seen it come up.
 
Is there any way of telling if someone has plugged in a USB key to my
computer and copied data off it?

I assumed an entry would be put in the event viewer - system log when the
USB drive is added, but I tested it and it didn't. Is there anywhere else
(i.e. another log) I can get this info?

TIA for your help,

-A

What if they use a PECD or Linux live CD to boot the system and copy the
files from your computer to the USB drive? No record at all on your
system then.

If you're leaving your system unsecured, you probably should worry about
keyloggers and remote access trojans too.
 
Michael Cecil said:
What if they use a PECD or Linux live CD to boot the system and copy
the files from your computer to the USB drive? No record at all on your
system then.

If you're leaving your system unsecured, you probably should worry
about keyloggers and remote access trojans too.


A good argument for using EFS to protect the content of your files so a
copy of them is useless.
 
Thanks for all your help guys.

BTW - the person I suspect of taking the data is a contractor who has a
genuine need to log onto the system (but not copy all the data off it and
take it home). I haven't been leaving the computer logged on for anyone to
walk up, sit down and use ;-)

-H
 