micos
Engaged Sweeper II

Hello team,

Is there any report available to track USB storage disk activity? I mean when they were connected to assets, as well as when they were disconnected?

We need a historical report, not only when the USB storage disks were detected during the last scan.

2 ACCEPTED SOLUTIONS
Mister_Nobody
Honored Sweeper II

NG Query:
+ List AD Groups with prefix 'USB'

Select Top 1000000 tblAssets.assetid,
  tblAssets.domain,
  tblAssets.AssetName,
  tblAssets.Userdomain,
  tblAssets.Username,
  Stuff((Select ', ' + tblADGroups.Name As [text()]
    From tblADMembership Inner Join tblADGroups On
          tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
      tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
    Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
      tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
  1, 2, '') groups,
  tblFloppyHist.Model,
  tblFloppyHist.Size,
  tblFloppyHist.FirmwareRevision,
  tblFloppyHist.SerialNumber,
  Case tblFloppyHist.Action
    When 1 Then 'Added'
    When 2 Then 'Removed'
    When 3 Then 'Updated'
  End As Action,
  tblFloppyHist.InterfaceType,
  tblFloppyHist.Lastchanged
From tblFloppyHist
  Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID And
      tblFloppyHist.InterfaceType = 'USB'
Order By tblAssets.AssetName,
  tblFloppyHist.Lastchanged Desc


Mister_Nobody
Honored Sweeper II

I see that you have set one scan per 20 days. I suggest you change it to 1 or 0!


14 REPLIES
Mister_Nobody
Honored Sweeper II

I have tried to add a link with USB Devices to show the currently inserted USB, but it's a time approximation:

Select Top 1000000 tblAssets.assetid,
  tblAssets.domain,
  tblAssets.AssetName,
  tblAssets.Userdomain,
  tblAssets.Username,
  Stuff((Select ', ' + tblADGroups.Name As [text()]
    From tblADMembership Inner Join tblADGroups On
          tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
      tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
    Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
      tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
  1, 2, '') groups,
  tblFloppyHist.Model,
  tblFloppyHist.Size,
  tblFloppyHist.FirmwareRevision,
  tblFloppyHist.SerialNumber,
  Case tblFloppyHist.Action
    When 1 Then 'Added'
    When 2 Then 'Removed'
    When 3 Then 'Updated'
  End As Action,
  tblFloppyHist.InterfaceType,
  tblFloppyHist.Lastchanged,
  tblUSBDevices.DeviceID
From tblFloppyHist
  Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID And
      tblFloppyHist.InterfaceType = 'USB'
  Left Join tblUSBDevices On tblAssets.AssetID = tblUSBDevices.AssetID
      And tblFloppyHist.Model = tblUSBDevices.name And
      DateDiff(s, tblFloppyHist.Lastchanged, tblUSBDevices.lastchanged) Between
      -15 And 15
Order By tblAssets.AssetName,
  tblFloppyHist.Lastchanged Desc
Hendrik_VE
Champion Sweeper III

It's been a while, and I don't have time to check it out again, but we've been looking into this for some forensics, and came up with this PowerShell script (which you could use as a starting point to deploy and send the output to e.g. an event instead of a txt file):

# Enable the UMDF operational log (it is disabled by default), then collect
# device arrival (2003) and removal (2102) events from it.
$logname = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logname
$log.IsEnabled = $true
$log.SaveChanges()

# Output file; start from a clean file on every run.
$rfile = "$env:temp\usbdevices.log"
if (Test-Path -Path $rfile) { Remove-Item $rfile }
else { New-Item -Path $rfile -ItemType File }

# Read the matching events as XML and wrap them in one root element so they
# can be parsed as a single document.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logname; id = 2003, 2102 } | ForEach-Object { $_.ToXml() }
[xml]$xmlleke = '<Events>' + $events + '</Events>'

$select = @(
    @{ n = 'Time Created'; e = { Get-Date $_.System.TimeCreated.SystemTime -Format g } },
    @{ n = 'EventID'; e = { $_.System.EventID } },
    @{ n = 'Event'; e = {
            switch ($_.System.EventID) {
                2003 { 'USB Device connected' }
                2102 { 'USB Device disconnected' }
                default { 'Unknown' }
            }
        }
    },
    @{ n = 'Computer'; e = { $_.System.Computer } },
    # Cut the device instance path out of the event text (between the first and
    # last '#'), turn it into a registry subkey and look up the FriendlyName that
    # USBSTOR recorded for that device.
    @{ n = 'FriendlyName'; e = {
            $text = $_.InnerText
            $devUSB = $text.Substring($text.IndexOf('#') + 1, ($text.LastIndexOf('#') - $text.IndexOf('#') - 1))
            $devUSB = $devUSB.Replace('&amp;', '_').Replace('#', '\')
            $rkey = "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\$devUSB"
            (Get-ItemProperty -Path $rkey | Select-Object FriendlyName).FriendlyName.ToString()
        }
    }
)

# One line per distinct event, written to the log file and opened for review.
$xmlleke.Events.Event | Select-Object $select -Unique | Out-File -FilePath $rfile
notepad $rfile

I think that you just need to enable this "Microsoft-Windows-DriverFrameworks-UserMode" event logging (eg. through gpo).

Mister_Nobody
Honored Sweeper II

NG Query:
+ List AD Groups with prefix 'USB'

Select Top 1000000 tblAssets.assetid,
  tblAssets.domain,
  tblAssets.AssetName,
  tblAssets.Userdomain,
  tblAssets.Username,
  Stuff((Select ', ' + tblADGroups.Name As [text()]
    From tblADMembership Inner Join tblADGroups On
          tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
      tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
    Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
      tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
  1, 2, '') groups,
  tblFloppyHist.Model,
  tblFloppyHist.Size,
  tblFloppyHist.FirmwareRevision,
  tblFloppyHist.SerialNumber,
  Case tblFloppyHist.Action
    When 1 Then 'Added'
    When 2 Then 'Removed'
    When 3 Then 'Updated'
  End As Action,
  tblFloppyHist.InterfaceType,
  tblFloppyHist.Lastchanged
From tblFloppyHist
  Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID And
      tblFloppyHist.InterfaceType = 'USB'
Order By tblAssets.AssetName,
  tblFloppyHist.Lastchanged Desc
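An added example, not from this thread and not a Lansweeper-supplied report, that builds on the query above in two ways a defender usually wants next: the first statement lists USB storage "Added" events from the last 30 days where the logged-on user is not in any AD group whose name starts with 'USB', and the second lists serial numbers that were plugged into more than one asset in the same window. Table and column names are the ones used in the thread (tblFloppyHist, tblAssets, tblADusers, tblADMembership, tblADGroups); the 30-day window, the Action value 1 meaning "Added" (as in the Case expression above) and the 'USB%' naming convention for authorised groups are assumptions.

```sql
-- Added example (not from the thread or Lansweeper). Assumes Lansweeper's
-- tblFloppyHist / tblAssets / AD tables as named in the thread, Action = 1
-- meaning 'Added', and AD groups named 'USB%' for users allowed to use USB storage.

-- 1. USB storage connected in the last 30 days by users outside any 'USB%' group.
Select Top 1000000 tblAssets.AssetName,
  tblAssets.Userdomain,
  tblAssets.Username,
  tblFloppyHist.Model,
  tblFloppyHist.SerialNumber,
  tblFloppyHist.Lastchanged As ConnectedAt
From tblFloppyHist
  Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID
Where tblFloppyHist.InterfaceType = 'USB'
  And tblFloppyHist.Action = 1                                   -- 1 = Added
  And tblFloppyHist.Lastchanged >= DateAdd(day, -30, GetDate())  -- assumed window
  And Not Exists (Select 1
    From tblADMembership
      Inner Join tblADGroups On tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID
      Inner Join tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
    Where tblADusers.Username = tblAssets.Username
      And tblADusers.Userdomain = tblAssets.Userdomain
      And tblADGroups.Name Like 'USB%')
Order By tblFloppyHist.Lastchanged Desc

-- 2. The same serial number seen on more than one asset in the last 30 days.
Select Top 1000000 tblFloppyHist.SerialNumber,
  tblFloppyHist.Model,
  Count(Distinct tblFloppyHist.AssetID) As AssetCount,
  Min(tblFloppyHist.Lastchanged) As FirstSeen,
  Max(tblFloppyHist.Lastchanged) As LastSeen
From tblFloppyHist
Where tblFloppyHist.InterfaceType = 'USB'
  And tblFloppyHist.Action = 1
  And tblFloppyHist.Lastchanged >= DateAdd(day, -30, GetDate())
  And tblFloppyHist.SerialNumber Is Not Null
  And tblFloppyHist.SerialNumber <> ''
Group By tblFloppyHist.SerialNumber, tblFloppyHist.Model
Having Count(Distinct tblFloppyHist.AssetID) > 1
Order By AssetCount Desc
```

Each statement is meant to be pasted as its own Lansweeper report. The history table only contains what the scanner captured, so, as noted elsewhere in the thread, the scan interval for this item determines how complete the picture is; both reports are a review aid, not a replacement for endpoint-side USB event logging.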
micos
Engaged Sweeper II

Thank you for your support. I also tried this report, but it still doesn't give me any results. Maybe I also need to enable something else in Scanned Item Interval or Registry Scanning?

Mister_Nobody
Honored Sweeper II

I see that you have set one scan per 20 days. I suggest you change it to 1 or 0!

micos
Engaged Sweeper II

hello,

Super, it's working now. Many thanks @Mister_Nobody Great job!

Mister_Nobody
Honored Sweeper II

I have tried to write an SQL report, but LS has no documentation about the history tables:


Select Top 1000000 tblAssets.assetid,
  tblAssets.AssetName,
  tblFloppyHist.Model,
  tblFloppyHist.Size,
  tblFloppyHist.FirmwareRevision,
  tblFloppyHist.SerialNumber,
  Case tblFloppyHist.Action
    When 1 Then 'Added'
    When 2 Then 'Removed'
    When 3 Then 'Updated'
  End As Action,
  tblFloppyHist.InterfaceType,
  tblFloppyHist.Lastchanged,
  tblFloppyHist.Action As Action1
From tblFloppyHist
  Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID
Where tblFloppyHist.InterfaceType = 'USB'
Order By tblAssets.AssetName,
  tblFloppyHist.Lastchanged Desc


Mister_Nobody
Honored Sweeper II

No history for USB Devices.

For USB Storage you can see

https://LS_server/Report/report.aspx?det=changes&page=Floppy

micos
Engaged Sweeper II

Hello,

I can't reach this page.