Friday, November 27, 2009

How to trace and log if a new USB / pen drive device is connected to your system

Most people do not realise that, by default, Windows logs only Application and System events. Auditing gives an administrator a way to detect an attack that has already occurred or is in progress, and it can also help a developer track down security-related problems.


By default, auditing of SECURITY events on Windows is disabled.

To enable Audit for “Log on attempts”

Go to Start > Run and type “gpedit.msc”.

In the left-hand pane, navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

In the right-hand pane, double-click “Audit Object Access”.

Tick both the “Success” and “Failure” boxes and click “OK”.

Note: To log only successful object access attempts, tick only the “Success” box; to log only failed access attempts, tick only the “Failure” box.

Be warned: This policy can really flood your server if you enable it on too many objects.

When you enable the Audit object access events policy on a computer, Windows does not immediately begin auditing every access to every object, because the system would quickly grind to a halt under the volume of events.



Enabling object access auditing is a two-step process:

1. Enable the Audit object access events policy on the system that contains the objects you want to monitor.

2. Select specific objects and define the types of access you want to monitor.

In this video we treat USB pen drives connected to the system as the object whose access is audited.

To set auditing on the object itself, go to Run, type “regedit”, and navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Enum. Right-click USBSTOR, click Permissions, select the Advanced tab, then click the Auditing tab.

Click the Add button and select the users you plan to audit the object for. It is preferable to select the Everyone group so that an event is triggered for any user.
Close the Registry Editor.

To cross-check against the event logs, connect a USB pen drive to the system. An AutoRun popup should appear. Now right-click My Computer, select Manage, then open Event Viewer > Security.

A few new Security events should now be visible.

From these log entries we can determine the following:

Date of the audited file listing

Time of the audited file listing

Username used for the file listing, and whether it was a successful or a failed attempt

SID and DEVICE NAME of the pen drive connected to the system
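As an added example (not from the original post), the same two-step setup and the log check scripted in PowerShell. It assumes Windows Vista / Server 2008 or later, where registry access audits are written as Security event 4663, and an elevated (administrator) prompt, since reading and writing a SACL needs the security privilege.

```powershell
# Step 1: enable the Object Access audit policy (Registry subcategory), success and failure.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Step 2: add an audit entry (SACL) on the USBSTOR key for Everyone, inherited by subkeys.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$acl = Get-Acl -Path $key -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $key -AclObject $acl

# Check: pull recent 4663 events that touched USBSTOR and extract the fields the post lists
# (time, user, success/failure, and the device subkey, which carries vendor/product/serial).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    Where-Object { $_.Message -match 'USBSTOR' } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            UserSid = $data.SubjectUserSid
            Result  = ($_.KeywordsDisplayNames -join ',')   # 'Audit Success' or 'Audit Failure'
            Device  = ($data.ObjectName -split 'USBSTOR\\')[-1]
            Process = $data.ProcessName
        }
    } | Format-Table -AutoSize
```

The ObjectName in these events is the full registry path, so the text after USBSTOR\ is the device identifier Windows created for that drive.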

Conclusion:

Logging events helps you monitor your computer or network and can prevent a successful attack; it is also very useful for determining how and when an attack occurred when the logs are used as forensic evidence.

http://cycops.co.in/
