A USB history tool
I am used to searching through registry with regedit, regripper and a host of other very specialized tools but never came across one for USB history. The only problem is that it only reads the current registry, no reading from a USB, write blocker, etc. At least not that I found a way yet. Reading a remote registry would be SOOOO very cool with this it would hurt me.
Check it out. You might be really surprised whats been plugged into your machine and not realized it yet.
Nice little specialty tool going into the e-toolbox.
View any installed/connected USB device on your system
- b/eads
Check it out. You might be really surprised whats been plugged into your machine and not realized it yet.
Nice little specialty tool going into the e-toolbox.
View any installed/connected USB device on your system
- b/eads
Comments
-
GSXR750K2 Member Posts: 323 ■■■■□□□□□□If you're into scripting check out this a PowerShell script that I keep in my bag-o-tricks for USB history. Found the article I got it from here...
https://blogs.technet.microsoft.com/heyscriptingguy/2012/05/18/use-powershell-to-find-the-history-of-usb-flash-drive-usage/
It also walks through the registry entries that store removable drive information. With WinRM (Windows Remote Management) enabled, you can execute script blocks on remote machines. -
cyberguypr Mod Posts: 6,928 ModWe are aggressive monitoring unauthorized USB usage. Since forensically retrieving these details may be to late for us, we leverage the Microsoft-Windows-DriverFrameworks-UserMode and other logs in order to get near real-time USB information usage. We feed those into Splunk were we get alerting and do some other correlation and compare to a known-good device list. Something to consider if this type of monitoring is of high concern.
-
dmoore44 Member Posts: 646cyberguypr wrote: »We are aggressive monitoring unauthorized USB usage. Since forensically retrieving these details may be to late for us, we leverage the Microsoft-Windows-DriverFrameworks-UserMode and other logs in order to get near real-time USB information usage. We feed those into Splunk were we get alerting and do some other correlation and compare to a known-good device list. Something to consider if this type of monitoring is of high concern.
Man, I wish I could get endpoint OS logs in to Splunk. It always made little sense to me to configure workstations and servers to log data, but then leave those logs on the machine!
At a previous job, we used tools like Tripwire Enterprise and TEM, so writing queries to poll endpoints in near real-time was no big deal (TEM polled several times every minute, can't remember what the poll rate was for Tripwire).Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow