Data breaches and Snowden-style information grabs have brought us more requests for information on how to trace data moving to and from removable storage such as flash drives. The good news is that the Windows Security Log does provide a mechanism for auditing removable storage access. We'll show how it works and then briefly compare native auditing with the CYB3R-X platform, which has some enhanced capabilities in this area.
In Windows, removable storage auditing works much like file system auditing and records the same events. The difference lies in how you limit which activity gets audited.
To recap, file system auditing has two layers of audit policy. First, the Audit File System subcategory must be enabled at the computer level. Then you choose which folders to audit and turn on object-level auditing for them, specifying the users or groups, the permissions, and whether successes, failures, or both are recorded. For instance, you can audit Read access on C:\documents for the SalesReps group.
Auditing of removable storage, by contrast, is far less granular but much easier to implement. As soon as the Audit Removable Storage subcategory is enabled, Windows audits every access request to every portable storage device. It is the equivalent of turning on Full Control auditing for Everyone.
How do you tell that an event is a removable storage access rather than routine file system auditing? It uses the same event ID as regular file system auditing, so the ID alone does not tell you. Look instead for the words “Removable Storage” in the Task Category at the top of the event. The Subject section tells you who performed the action. The Object Name field gives the file name, its path on the portable device, and the arbitrary name Windows assigned the device the first time it was connected to this system. Process Information identifies the application that performed the access. To see what kind of access was performed (Read, Write, Delete, and so on), look at the Accesses field, which lists the permissions actually exercised.
If you want to keep track of data copied from your network to portable storage devices, use group policy to enable Audit Removable Storage on all of your endpoints. Then watch for Event ID 4663 where the Task Category is Removable Storage and the Accesses field includes WriteData or AppendData.
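As an added example that is not part of the original post, the PowerShell below pulls exactly the events described above from the local Security log. It assumes Audit Removable Storage is already enabled, that the script runs with rights to read the Security log, and that the Task Category display name is the string 'Removable Storage' and the Accesses block in the rendered message ends at the 'Access Mask:' line.

```powershell
# Added example, not part of the original post. Lists Event ID 4663 entries
# whose Task Category is Removable Storage and whose Accesses include
# WriteData or AppendData, i.e. data written to a portable device.
# Assumes Audit Removable Storage is already enabled (via group policy, or
# locally for testing with: auditpol /set /subcategory:"Removable Storage" /success:enable)
# and that the script runs with rights to read the Security log.
function Get-RemovableStorageWrites {
    param([datetime]$Since)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4663
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 4663 is shared with ordinary file system auditing; the task category
        # is what marks this as a removable storage event.
        if ($e.TaskDisplayName -ne 'Removable Storage') { continue }

        # The rendered message lists the permissions actually exercised under
        # "Accesses:", one per line, up to the "Access Mask:" line.
        $accesses = ''
        if ($e.Message -match '(?s)Accesses:\s*(.+?)\s*Access Mask:') {
            $accesses = ($Matches[1] -split '\r?\n' | ForEach-Object { $_.Trim() }) -join ', '
        }
        if ($accesses -notmatch 'WriteData|AppendData') { continue }

        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            # File path on the device, prefixed with the name Windows gave the device
            Object   = $data['ObjectName']
            Process  = $data['ProcessName']
            Accesses = $accesses
        }
    }
}

# Report everything written to removable storage in the last 24 hours.
Get-RemovableStorageWrites -Since (Get-Date).AddDays(-1) | Sort-Object Time | Format-Table -AutoSize
```

Run the same function with -ComputerName added to Get-WinEvent, or through your log collector, to cover every endpoint rather than one machine.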
As you can see, Microsoft chose the quickest route to an audit trail of removable storage access. Device connections are not logged as such; they can only be inferred from the file-level access events for files on the device. Nor do these events show the device's model, manufacturer, or serial number. Windows knows that information; it simply is not logged by these events, because they are captured at the same point in the operating system as other file access events. The CYB3R-X platform agent, on the other hand, logs both connection events and the details of every device. The CYB3R-X platform even lets you selectively block or allow access to particular devices according to the policy you define. Please explore the expanded capabilities of the CYB3R-X platform.
For a demo, email us at demo@cyb3r-x.com.