Getting Data In

How do I receive events whenever someone plugs/unplugs a USB device?

Dan
Splunk Employee

What data can Splunk gather that shows if a USB is being used on a (Windows) desktop. Is that data we can collect via Windows logs? Will it show what port is being used and what drive letter was created on a desktop? How do we collect it?

1 Solution

Dan
Splunk Employee

There was a discussion about this here, which I will shamelessly cross-post: http://www.splunk.com/wiki/Receive_events_whenever_someone_plugs/unplugs_a_USB_device

There are lots of places that track this information. The question is are you getting what you want?

You can monitor HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB. That is the most direct way. However, it won't necessarily tell you in layman's terms what device was added, as you get a lot of binary keys with arbitrary and self-described terms (e.g. if a person used a purpose-built device that obfuscates its function this won't tell you much).

You can configure your audit policy to capture all system changes to the security event log. This is the pretty-print way, and probably the best. However, you will capture all device changes (drive mappings at logon, etc.), not strictly USB-related changes.

Finally, you can use WMI instrumentation to 'track' changes to the USB system. This isn't a bad way, though it doesn't maintain any state, so you're really polling the current USB config over and over and de-duping at search time. It's documented here: http://www.splunk.com/base/Documentation/latest/admin/Wmiconf

Receive events whenever someone plugs/unplugs a USB device to/from the computer

[WMI:USBChanges]
interval = 1
wql = select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'
disabled = 0
current_only = 1

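As an added example, not part of the answer above: the same WQL subscription taken out of the wmi.conf stanza and run directly in PowerShell, so you can see what each plug/unplug event actually carries, and then resolve USB-attached disks to their drive letters (the original question asks for the drive letter, and the stanza alone does not give it). The function name, the source identifier `UsbChanges` and the two-second settle delay before the lookup are this example's own choices, not anything from the thread.

```powershell
# Added example (not from the original answer): subscribe to the same WQL event the
# wmi.conf stanza uses, and on each arrival resolve USB disks to drive letters.
# Needs the CIM cmdlets (PowerShell 3+ on Windows); run in an elevated console.

$wql = "SELECT * FROM __InstanceOperationEvent WITHIN 1 " +
       "WHERE TargetInstance ISA 'Win32_PnPEntity' " +
       "AND TargetInstance.Description = 'USB Mass Storage Device'"

# Map every USB-attached physical disk to its partitions and drive letters via the
# Win32_DiskDrive -> Win32_DiskPartition -> Win32_LogicalDisk associations.
# Declared in the global scope so the event action block (which runs outside this
# script's scope) can call it.
function global:Get-UsbDriveLetters {
    Get-CimInstance -ClassName Win32_DiskDrive -Filter "InterfaceType='USB'" | ForEach-Object {
        $disk = $_
        $letters = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition |
            ForEach-Object { Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_LogicalDisk } |
            Select-Object -ExpandProperty DeviceID
        [pscustomobject]@{
            PNPDeviceID  = $disk.PNPDeviceID      # USBSTOR\DISK&VEN_...&PROD_...\<serial>&0
            Model        = $disk.Model
            SizeGB       = [math]::Round($disk.Size / 1GB, 2)
            DriveLetters = ($letters -join ',')   # e.g. E: (empty until the volume mounts)
        }
    }
}

$action = {
    $ev   = $Event.SourceEventArgs.NewEvent      # __InstanceCreationEvent / __InstanceDeletionEvent / ...
    $kind = switch ($ev.CimClass.CimClassName) {
        '__InstanceCreationEvent' { 'PLUG' }
        '__InstanceDeletionEvent' { 'UNPLUG' }
        default                   { 'CHANGE' }
    }
    $t = $ev.TargetInstance                      # the Win32_PnPEntity that changed
    Write-Host ("{0} {1} {2} {3}" -f (Get-Date -Format o), $kind, $t.DeviceID, $t.Name)
    if ($kind -eq 'PLUG') {
        # The PnP event fires before the volume is mounted; give it a moment (assumed delay).
        Start-Sleep -Seconds 2
        Get-UsbDriveLetters | Format-Table -AutoSize | Out-String | Write-Host
    }
}

Register-CimIndicationEvent -Query $wql -SourceIdentifier UsbChanges -Action $action | Out-Null
Write-Host "Listening for USB mass-storage events. Stop with: Unregister-Event -SourceIdentifier UsbChanges"
```

The `TargetInstance.DeviceID` you see here (`USB\VID_xxxx&PID_xxxx\<serial>`) is the same instance ID that lands under the `Enum\USB` registry key the answer mentions, which is the value to pivot on when correlating the WMI event with the registry or with the Splunk WMI input.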

Dimitri_McKay
Splunk Employee

The tracking of USB removable disks has been discussed and analyzed in detail with the usual methods of looking at the Windows registry for plugged-in devices (USBSTOR keys), registry shell bags, SetupApi logs, etc.

A while back, researching something else, I happened to hit upon an artifact not known for this purpose, the 'Windows Event Log'. The first time a USB device is inserted into your Windows PC, it is logged in a little obscure log which is maintained for the 'ReadyBoost' functionality. This is only true for Windows Vista and above, as XP did not have ReadyBoost. For more information on ReadyBoost refer here: http://en.wikipedia.org/wiki/ReadyBoost

Whenever a new drive is connected to a Windows system, Windows will test that drive's read/write speed by creating a file on that drive and then deleting it. And this result is logged in the ReadyBoost log. From an investigator's point of view, this does not give us too much information about the connected disk, but it does give some useful information, notably the name of the disk, sometimes the size (as shown in the pic below) and the date/time when the device was first connected to that system. This should correlate to the SetupApi log date/time.

ReadyBoost Operational log under Windows Event Viewer

The messages are usually under EventID 1000-1023 with 1015 and 1016 being irrelevant (performance calculations for booting). It even logs the devices that are not disks such as 3G dongles and non-USB devices such as mounted VHD files.

With this artifact, we have one more thing to confirm the date of first insertion of a device. This should be useful in cases where sometimes the registry keys make it difficult to confirm dates or device names/types.

The full path of this event log file on the system is
'C:\Windows\System32\winevt\Microsoft-Windows-ReadyBoost%4Operational.evtx'.

In the windows event viewer, you can view this log under
'Applications and service logs\Microsoft\Windows\ReadyBoost\Operational'.

Compliments of http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html

Another way to go about this:

sourcetype=WinEventLog:System EventCode="20001"
| dedup Message
| rex field=Message "Driver Management concluded the process to install driver (?<driver_name>.*) for Device Instance ID (?<usb_info>.*) with the following status: (?<status>0x0)"
| search driver_name="*\disk.inf" NOT driver_name="*\flpydisk.inf"
| table _time usb_info status

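Added example, not code from the post above: the field extraction that the SPL `rex` line performs, done in PowerShell against constructed System-log event 20001 messages (the device instance IDs and driver store folder names are made up for illustration), plus `Get-WinEvent` queries for the two logs the post names. The function names are this example's own, and it goes slightly beyond the SPL search by capturing any `0x...` status code with a success flag instead of matching only `0x0`.

```powershell
# Added example (not from the post): same extraction as the SPL rex, in PowerShell.
# Named groups mirror the SPL search fields: driver_name, usb_info, status.
$pattern = 'Driver Management concluded the process to install driver (?<driver_name>.+?) ' +
           'for Device Instance ID (?<usb_info>.+?) with the following status: (?<status>0x[0-9A-Fa-f]+)'

function ConvertFrom-DriverInstallMessage {
    param(
        [Parameter(ValueFromPipeline = $true)][string]$Message,
        [datetime]$Time = (Get-Date)
    )
    process {
        if ($Message -notmatch $pattern) { return }
        # Keep the disk-class driver (disk.inf) and drop everything else, including the
        # floppy driver (flpydisk.inf): the same filter the SPL search applies.
        if ($Matches.driver_name -notlike '*\disk.inf') { return }
        [pscustomobject]@{
            _time       = $Time
            driver_name = $Matches.driver_name
            usb_info    = $Matches.usb_info       # e.g. USBSTOR\DISK&VEN_...&PROD_...\<serial>&0
            status      = $Matches.status
            success     = ($Matches.status -eq '0x0')
        }
    }
}

# Constructed sample messages in the shape of Microsoft-Windows-UserPnp event 20001
# (IDs and folder hashes are fictional).
$samples = @(
    'Driver Management concluded the process to install driver disk.inf_amd64_1a2b3c4d5e6f7a8b\disk.inf for Device Instance ID USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\0123456789&0 with the following status: 0x0.',
    'Driver Management concluded the process to install driver flpydisk.inf_amd64_0000000000000000\flpydisk.inf for Device Instance ID FDC\GENERIC_FLOPPY_DRIVE\5&1A2B3C4D&0&0 with the following status: 0x0.',
    'Driver Management concluded the process to install driver usbstor.inf_amd64_abcdefabcdefabcd\usbstor.inf for Device Instance ID USB\VID_0000&PID_0000\0123456789 with the following status: 0x0.'
)
$samples | ConvertFrom-DriverInstallMessage | Format-Table -AutoSize

# Live equivalents, run on the endpoint itself (read access to both logs required).
function Get-UsbDriverInstallEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-UserPnp'; Id = 20001 } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-DriverInstallMessage -Message $_.Message -Time $_.TimeCreated }
}

function Get-ReadyBoostFirstInsertEvents {
    # IDs 1000-1023 minus 1015/1016, which the post identifies as boot performance entries.
    $ids = 1000..1023 | Where-Object { $_ -notin 1015, 1016 }
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-ReadyBoost/Operational'; Id = $ids } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
```

Of the three constructed samples only the first passes the `*\disk.inf` filter, which is the point of the SPL `search` line: the USB hub/controller driver (`usbstor.inf`) and the floppy driver fire the same event ID, so filtering on the driver name is what narrows 20001 down to removable disks. The `success` flag is there because a non-zero status (a blocked or failed driver install) is often more interesting to an investigator than a clean one.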

Janderek
New Member

Here: You can monitor HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB. That is the most direct way. However, it won't necessarily tell you in layman's terms what device was added, as you get a lot of binary keys with arbitrary and self-described terms (e.g. if a person used a purpose-built device that obfuscates its function this won't tell you much).

You can configure your audit policy to capture all system changes to the security event log. This is the pretty-print way, and probably the best. However, you will capture all device changes (drive mappings at logon, etc.), not strictly USB-related changes.

Finally, you can use WMI instrumentation to 'track' changes to the USB system.

To read more about this, try looking here: http://www.techyv.com/questions/message-popup-when-pendrive-insert

