Getting Data In

How do I receive events whenever someone plugs/unplugs a USB device?

Splunk Employee

What data can Splunk gather that shows if a USB is being used on a (Windows) desktop. Is that data we can collect via Windows logs? Will it show what port is being used and what drive letter was created on a desktop? How do we collect it?

1 Solution

Splunk Employee

There was a discussion about this here, which I will shamelessly cross-post: http://www.splunk.com/wiki/Receive_events_whenever_someone_plugs/unplugs_a_USB_device

There are lots of places that track this information. The question is are you getting what you want?

You can monitor HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB. That is the most direct way. However, it won't necessarily tell you in layman's terms what device was added, as you get a lot of binary keys with arbitrary and self-described terms (e.g. if a person used a purpose-built device that obfuscates its function, this won't tell you much).

You can configure your audit policy to capture all system changes to the security event log. This is the pretty-print way, and probably the best. However, you will capture all device changes (drive mappings at logon, etc.), not strictly USB-related changes.

Finally, you can use WMI instrumentation to 'track' changes to the USB system. This isn't a bad way, though it doesn't maintain any state, so you're really polling the current USB config over and over and de-duping at search time. It's documented here: http://www.splunk.com/base/Documentation/latest/admin/Wmiconf

Receive events whenever someone plugs/unplugs a USB device to/from the computer

[WMI:USBChanges]
interval = 1
wql = select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'
disabled = 0
current_only = 1


Splunk Employee

The tracking of USB removable disks has been discussed and analyzed in detail with the usual methods of looking at the Windows registry for plugged-in devices (USBSTOR keys), registry shell bags, SetupApi logs, etc.

A while back, researching something else, I happened to hit upon an artifact not known for this purpose, the 'Windows Event Log'. The first time a USB device is inserted into your Windows PC, it is logged in a little obscure log which is maintained for the 'ReadyBoost' functionality. This is only true for Windows Vista and above, as XP did not have ReadyBoost. For more information on ReadyBoost refer here: http://en.wikipedia.org/wiki/ReadyBoost

Whenever a new drive is connected to a Windows system, Windows will test that drive's read/write speed by creating a file on that drive and then deleting it. This result is logged in the ReadyBoost log. From an investigator's point of view, this does not give us too much information about the connected disk, but it does give some useful information, notably the name of the disk, sometimes the size (as shown in the pic below) and the date/time when the device was first connected to that system. This should correlate to the SetupApi log date/time.

ReadyBoost Operational log under Windows Event Viewer

The messages are usually under EventID 1000-1023 with 1015 and 1016 being irrelevant (performance calculations for booting). It even logs the devices that are not disks such as 3G dongles and non-USB devices such as mounted VHD files.

With this artifact, we have one more thing to confirm the date of first insertion of a device. This should be useful in cases where sometimes the registry keys make it difficult to confirm dates or device names/types.

The full path of this event log file on the system is
'C:\Windows\System32\winevt\Microsoft-Windows-ReadyBoost%4Operational.evtx'.

In the windows event viewer, you can view this log under
'Applications and service logs\Microsoft\Windows\ReadyBoost\Operational'.

Compliments of http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html

Another way to go about this:

sourcetype=WinEventLog:System EventCode="20001"
| dedup Message
| rex field=Message "Driver Management concluded the process to install driver (?<drivername>.*) for Device Instance ID (?<usbinfo>.*) with the following status: (?<status>0x0)"
| search drivername="*\disk.inf" NOT drivername="*\flpydisk.inf"
| table _time usbinfo status

0 Karma
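Added example (not from the original thread): a Python re-implementation of the search's parsing and filtering steps, run over constructed sample System-log messages, so the regex and the disk.inf filter can be checked offline before the search is deployed. The exact wording of the EventCode 20001 message and the USBSTOR\DISK&VEN_...&PROD_...&REV_...\serial layout of the instance ID are assumptions taken from the search above, not from the thread.

```python
import re

# Same pattern as the rex in the search above, with the capture groups written out;
# status is widened to any hex code so failed installs can be inspected too.
DRIVER_INSTALL_RE = re.compile(
    r"Driver Management concluded the process to install driver (?P<drivername>.+?) "
    r"for Device Instance ID (?P<usbinfo>.+?) with the following status: "
    r"(?P<status>0x[0-9A-Fa-f]+)"
)
# Assumed layout of a USBSTOR instance ID: USBSTOR\DISK&VEN_v&PROD_p&REV_r\serial&n
USBSTOR_RE = re.compile(
    r"^USBSTOR\\DISK&VEN_(?P<vendor>[^&]*)&PROD_(?P<product>[^&]*)"
    r"&REV_(?P<rev>[^\\]*)\\(?P<serial>[^&]+)"
)

def parse_usb_disk_installs(events):
    """Mirror the SPL: EventCode 20001, dedup on Message, disk.inf only, split the instance ID."""
    seen, rows = set(), []
    for ts, code, message in events:
        if code != 20001 or message in seen:
            continue
        seen.add(message)
        m = DRIVER_INSTALL_RE.search(message)
        if not m:
            continue
        driver = m.group("drivername").lower()
        # Same two conditions as the search's disk.inf / NOT flpydisk.inf filter.
        if not driver.endswith("\\disk.inf") or driver.endswith("\\flpydisk.inf"):
            continue
        row = {"time": ts, "drivername": m.group("drivername"),
               "usbinfo": m.group("usbinfo"), "status": m.group("status")}
        u = USBSTOR_RE.match(row["usbinfo"])
        if u:  # vendor/product/serial are what an analyst wants in the final table
            row.update(vendor=u.group("vendor"), product=u.group("product"), serial=u.group("serial"))
        rows.append(row)
    return rows

# Constructed sample events (timestamp, EventCode, Message); not real log data.
USB_DISK_MSG = ("Driver Management concluded the process to install driver "
                "disk.inf_amd64_neutral_0123456789abcdef\\disk.inf for Device Instance ID "
                "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER_GLIDE&REV_1.26\\4C530001234567890123&0 "
                "with the following status: 0x0.")
SAMPLE_EVENTS = [
    ("2013-02-11 09:14:02", 20001, USB_DISK_MSG),
    ("2013-02-11 09:14:03", 20001, USB_DISK_MSG),  # repeated event, removed by dedup
    ("2013-02-11 09:20:45", 20001, "Driver Management concluded the process to install driver "
     "flpydisk.inf_amd64_neutral_fedcba9876543210\\flpydisk.inf for Device Instance ID "
     "FDC\\GENERIC_FLOPPY_DRIVE\\6&1A2B3C4D&0&0 with the following status: 0x0."),
    ("2013-02-11 09:21:00", 20003, "Driver Management has concluded the process to add Service usbstor."),
]
```

The serial pulled out of the instance ID is the same value that appears under the USBSTOR registry keys mentioned in the answer, so it can be joined against registry or SetupApi data when confirming first-insertion dates.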

New Member

Here: You can monitor HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB. That is the most direct way. However, it won't necessarily tell you in layman's terms what device was added, as you get a lot of binary keys with arbitrary and self-described terms (e.g. if a person used a purpose-built device that obfuscates its function, this won't tell you much).

You can configure your audit policy to capture all system changes to the security event log. This is the pretty-print way, and probably the best. However, you will capture all device changes (drive mappings at logon, etc.), not strictly USB-related changes.

Finally, you can use WMI instrumentation to 'track' changes to the USB system.

To read more about this, try looking here: http://www.techyv.com/questions/message-popup-when-pendrive-insert

0 Karma
