XP Remote Detection of Removable Media Write


ASecurityGuy

I am looking for a hook that I can pull up remotely on WindowsXP desktops
that indicates that a file has been written to a CD, USB or removable
media. I see some info in the event log when there is a file queued to
write to CD (7035 IMAPI CD-Burn start/stop) and I can pick up USB
removable media under NTMSmgr.msc, but I just can't seem to find a
good indicator that a file has been written.

Is anyone playing in this area? Or does anyone have any suggestion for
places I can look? I prefer not to have to turn on auditing or run a
background script on the machines... It would really be nice if we
could figure out a way to push it to the system.evt to pull reports.

TIA,
SG
 
ASecurityGuy said:
I am looking for a hook that I can pull up remotely on WindowsXP
desktops that indicates that a file has been written to a CD, USB
or removable media. I see some info in the event log when there
is a file queued to write to CD (7035 IMAPI CD-Burn start/stop) and
I can pick up USB removable media under NTMSmgr.msc, but I just
can't seem to find a good indicator that a file has been written.

Is anyone playing in this area? Or does anyone have any suggestion
for places I can look? I prefer not to have to turn on auditing or
run a background script on the machines... It would really be nice
if we could figure out a way to push it to the system.evt to pull
reports.

So - how will you be able to tell if they open the file in
Word/Excel/Powerpoint/Notepad/Wordpad/WordPerfect/etc and SAVE it to the
external media?

What if they use a third party burner?

What if they use their own file explorer from the USB drive they plug in?

What if they just take screenshots of the data and save those to the
external media or email them elsewhere?

What I am saying is that while there may be some ways you can track some
things, there are almost always ways around it, usually simple and low-tech
ones that are much more difficult to detect.
 
Shenan,
Well, generically, the OS looks at USB, CD and floppy as removable
media. So in essence, these media devices share common system functions
under that umbrella.

Similarly, the function of 'write to' is a common function regardless of
which application issues the 'save' or 'copy' command.

At the system level there is likely not more than a handful of actual
system calls which are used to accomplish this 'write to removable'
function.

While I have not been able to find the specific call references in the
developer documentation, I am fairly confident that these calls are
present and can be monitored at the system level, as evidenced by a
number of third party products that accomplish this very task. I figure
if they can be monitored and managed by third party tools, there is
likely an MS switch in XP that will allow me to run something like MDM
or debug mode to pick these activities up.

As far as 'ways around it', I'm not building Fort Knox, but I would
guess if we get this to the lowest OS level, it is unlikely that most
developers will go to the trouble of re-writing basic system calls and
device drivers to circumvent some obscure monitor that might be
implemented.

SG
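The one indicator the thread does identify is the 7035 IMAPI start/stop pair in the System log. As an added example (not code from anyone in this thread), the script below pairs those controls per host into burn sessions from a constructed CSV export of the System log; the column layout and hostnames are assumptions. Note that a session only shows the burning service was started, not that a file was actually written, which is exactly the gap the original post describes.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a System event log export (CSV); not real data.
# Assumed columns: timestamp, host, event_id, source, message
SAMPLE_EXPORT = """\
2005-03-01 09:12:03,WS-101,7035,Service Control Manager,The IMAPI CD-Burning COM Service service was successfully sent a start control.
2005-03-01 09:18:40,WS-101,7035,Service Control Manager,The IMAPI CD-Burning COM Service service was successfully sent a stop control.
2005-03-01 10:02:11,WS-207,7035,Service Control Manager,The Print Spooler service was successfully sent a start control.
2005-03-01 11:45:00,WS-207,7035,Service Control Manager,The IMAPI CD-Burning COM Service service was successfully sent a start control.
"""

IMAPI_SERVICE = "IMAPI CD-Burning COM Service"


def parse_events(text):
    """Turn the CSV export into a list of dicts with a parsed timestamp."""
    rows = []
    for ts, host, event_id, source, message in csv.reader(io.StringIO(text)):
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "host": host, "event_id": int(event_id),
                     "source": source, "message": message})
    return rows


def burn_sessions(events):
    """Pair IMAPI 7035 start/stop controls per host into sessions.

    A start with no later stop is reported with stop=None so an
    in-progress (or unlogged) burn is not silently dropped.
    """
    open_starts = {}
    sessions = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event_id"] != 7035 or IMAPI_SERVICE not in e["message"]:
            continue  # other services also log 7035; only IMAPI matters here
        if "start control" in e["message"]:
            open_starts[e["host"]] = e["ts"]
        elif "stop control" in e["message"]:
            start = open_starts.pop(e["host"], None)
            if start is not None:
                sessions.append({"host": e["host"], "start": start, "stop": e["ts"],
                                 "minutes": (e["ts"] - start).total_seconds() / 60})
    for host, start in open_starts.items():
        sessions.append({"host": host, "start": start, "stop": None, "minutes": None})
    return sessions


if __name__ == "__main__":
    for s in burn_sessions(parse_events(SAMPLE_EXPORT)):
        print(s["host"], s["start"], s["stop"], s["minutes"])
```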
 