Data stolen - USB memory key

[Guest]

Archived from groups: microsoft.public.windowsxp.hardware,microsoft.public.windowsxp.general (More info?)

Is there any way a telling if someone has plugged in a USB key to my
computer and copied data off it?

I assumed an entry would be put in the event viewer - system log when the
USB drive is added, but I tested it and it didn't. Is there anywhere else
(i.e. another log) I can get this info.

TIA for your help,

-A

 

[myob]

Archived from groups: microsoft.public.windowsxp.hardware,microsoft.public.windowsxp.general (More info?)

There is no such log information kept.
Your best bet is to turn of USB drive access to your computer. microsoft.com
has guides for that.


"Huppy" <bushk@ngaroo.com> wrote in message
news:uwiFDn8AFHA.3264@TK2MSFTNGP12.phx.gbl...
> Is there any way a telling if someone has plugged in a USB key to my
> computer and copied data off it?
>
> I assumed an entry would be put in the event viewer - system log when the
> USB drive is added, but I tested it and it didn't. Is there anywhere else
> (i.e. another log) I can get this info.
>
> TIA for your help,
>
> -A
>
>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.hardware,microsoft.public.windowsxp.general (More info?)

To see if any Removable devices have been installed ->
Open Device Manager, Click View, Tic "Show Hidden Devices"
Expand the Disk Drives category - Most USB Key/Thumb
drives will be shown grayed out - Enumerated, but not currently
active in the hardware profile.

As to logging data, that's more difficult to track.

I do know that there are some enhancements planned for USB
to help IT administrators deal with this.

"Vanguard" <vanguard_stealth@yahooNIXTHIS.com> wrote in message
news:Ob2imF9AFHA.3492@TK2MSFTNGP12.phx.gbl...
> "Huppy" <bushk@ngaroo.com> wrote in message
> news:uwiFDn8AFHA.3264@TK2MSFTNGP12.phx.gbl...
>> Is there any way a telling if someone has plugged in a USB key to my
>> computer and copied data off it?
>>
>> I assumed an entry would be put in the event viewer - system log when the
>> USB drive is added, but I tested it and it didn't. Is there anywhere else
>> (i.e. another log) I can get this info.
>
>
> It is likely the USB drive gets the next drive assignment; i.e., if you
> have drives A:, C:, and D: then the USB stick will get E: assigned to it.
> So I'd start hunting around for file monitor utilities where you could
> monitor all activity under a folder (and then just pick <d>:\ as the
> parent folder so everything on it gets monitored). But that won't tell
> you who is doing the copying because apparently you leave your account
> logged on so anyone can walk over to use your computer. If the user had
> to use their own account, you could use auditing to monitor who logged on
> when and then check the file monitor to see if they had been copying to
> the USB-assigned drive letter. Or you could install a keylogger (provided
> it ran no matter which account was used to login). Or stick a webcam on
> your computer and have it record when it detects movement to catch the
> culprit on video. It's likely they won't know it is on, and if they stop
> it then you also have your culprit.
>
> --
> _____________________________________________________________
> Post your replies to the newsgroup. Share with others.
> For e-mail: Remove "NIXTHIS" and append "#VS811" to Subject.
> _____________________________________________________________
>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.hardware (More info?)

On Wed, 26 Jan 2005 17:15:34 -0000, "Huppy" <bushk@ngaroo.com> wrote:

>Is there any way a telling if someone has plugged in a USB key to my
>computer and copied data off it?
>
>I assumed an entry would be put in the event viewer - system log when the
>USB drive is added, but I tested it and it didn't. Is there anywhere else
>(i.e. another log) I can get this info.
>
>TIA for your help,
>
>-A

What if they use a PECD or Linux live CD to boot the system and copy the
files from your computer to the USB drive. No record at all on your
system then.

If you're leaving your system unsecured, you probably should worry about
keyloggers and remote access trojans too.

--
Michael Cecil
http://home.comcast.net/~macecil/

 

[Guest]

Archived from groups: microsoft.public.windowsxp.hardware,microsoft.public.windowsxp.general (More info?)

Actually, if the USB drive was new to the system and had not been previously
installed, there would be an entry in the setupapi.log file located in the
Windows folder. Also, there would be a new enumeration in the registry under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB. You should see a new
entry under the devices VID\PID.

This could help determine if the device was installed. This would not tell
you if files were transferred to or from the system.

/rb

"myob" <myob@myob.com> wrote in message
news:#REptv8AFHA.3836@tk2msftngp13.phx.gbl...
> There is no such log information kept.
> Your best bet is to turn of USB drive access to your computer.
microsoft.com
> has guides for that.
>
>
> "Huppy" <bushk@ngaroo.com> wrote in message
> news:uwiFDn8AFHA.3264@TK2MSFTNGP12.phx.gbl...
> > Is there any way a telling if someone has plugged in a USB key to my
> > computer and copied data off it?
> >
> > I assumed an entry would be put in the event viewer - system log when
the
> > USB drive is added, but I tested it and it didn't. Is there anywhere
else
> > (i.e. another log) I can get this info.
> >
> > TIA for your help,
> >
> > -A
> >
> >
>
>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.hardware,microsoft.public.windowsxp.general (More info?)

In article <#REptv8AFHA.3836@tk2msftngp13.phx.gbl>, myob <myob@myob.com> wrote:
>There is no such log information kept.
>Your best bet is to turn of USB drive access to your computer. microsoft.com
>has guides for that.
>



>
>"Huppy" <bushk@ngaroo.com> wrote in message
>news:uwiFDn8AFHA.3264@TK2MSFTNGP12.phx.gbl...
>> Is there any way a telling if someone has plugged in a USB key to my
>> computer and copied data off it?
>>
>> I assumed an entry would be put in the event viewer - system log when the
>> USB drive is added, but I tested it and it didn't. Is there anywhere else
>> (i.e. another log) I can get this info.
>>
>> TIA for your help,
>>
>> -A

Isn't there some wat to assign Windows security to the USB device ?

In the NT archtecture books much is made about the NT security model
and the ability to assign security to anything. I'd like to think that
whenever a USB fob was detected a USIER ID/Password popup would ask
for your XP User ID, which would give you a way to protect your
system. The same thing should woulf for the A drive, but in 13 years
of working with NT I've never seen it come up.



--

a d y k e s @ p a n i x . c o m

Don't blame me. I voted for Gore.

 

[Guest]

Archived from groups: microsoft.public.windowsxp.hardware,microsoft.public.windowsxp.general (More info?)

Thanks for all your help guys.

BTW - the person I suspect of taking the data is a contractor who has a
geniune need to log onto the system (but not copy all the data off it and
take it home). I haven't been leaving the computer logged on for anyone to
walk up, sit down and use ;-)

-H

"Rick Brooks" <rick_brooks.nospam@vibren.com> wrote in message
news:%233NW188AFHA.3664@TK2MSFTNGP14.phx.gbl...
> Actually, if the USB drive was new to the system and had not been
previously
> installed, there would be an entry in the setupapi.log file located in the
> Windows folder. Also, there would be a new enumeration in the registry
under
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB. You should see a new
> entry under the devices VID\PID.
>
> This could help determine if the device was installed. This would not tell
> you if files were transferred to or from the system.
>
> /rb
>
> "myob" <myob@myob.com> wrote in message
> news:#REptv8AFHA.3836@tk2msftngp13.phx.gbl...
> > There is no such log information kept.
> > Your best bet is to turn of USB drive access to your computer.
> microsoft.com
> > has guides for that.
> >
> >
> > "Huppy" <bushk@ngaroo.com> wrote in message
> > news:uwiFDn8AFHA.3264@TK2MSFTNGP12.phx.gbl...
> > > Is there any way a telling if someone has plugged in a USB key to my
> > > computer and copied data off it?
> > >
> > > I assumed an entry would be put in the event viewer - system log when
> the
> > > USB drive is added, but I tested it and it didn't. Is there anywhere
> else
> > > (i.e. another log) I can get this info.
> > >
> > > TIA for your help,
> > >
> > > -A
> > >
> > >
> >
> >
>
>