Windows Event Logs are an excellent resource for investigating USB-related activities. These logs provide insights into when devices are connected or disconnected, driver installations, user actions, and more. Let’s break this down in simple terms.
-----------------------------------------------------------------------------------------------------
Key Logs to Monitor for USB Activity
System Log (Plug and Play Events)
When a new USB or Plug and Play device is connected, Windows installs a driver, logging Event ID 20001 (start of installation) and 20003 (completion of installation).
These events include details like:
Timestamp (when the installation occurred)
Device Information (Vendor ID, Product ID, iSerialNumber)
Installation Status (e.g., 0x0 means no errors).
Limitation: Modern Windows versions (10/11) often log only Event ID 20003 by default.
Example Use: Correlate timestamps with user logins to identify who connected the device.
Security Log (Audit Removable Storage)
Event ID 4663 is logged when files or folders on a removable device are accessed, created, or modified.
Tracks:
User Account performing the action.
Action Type (e.g., file creation, deletion, or read).
Object Name (the specific file or folder).
Challenge: The log does not directly tie file operations to a specific device. Investigators must cross-reference with other logs or artifacts.
Security Log (Audit Plug and Play Activity)
Event ID 6416 records every time a Plug and Play device is added.
Provides:
Detailed device information (VID, PID, iSerialNumber, volume name).
Benefit: Unlike System Logs, these events are recorded each time a device is connected.
How to Enable: Configure the “Audit PNP Activity” option in Advanced Audit Policy Configuration.
Microsoft-Windows-Partition/Diagnostic Log
Tracks detailed removable device activity, including when a device is connected or disconnected.
Often used alongside Event ID 6416 and 4663 for a complete timeline.
-----------------------------------------------------------------------------------------------------
Additional Logs for Device Activity
Microsoft-Windows-DriverFrameworks-UserMode/Operational Log
Available by default in Windows 7, but must be enabled in later versions.
Logs connection and removal of devices, allowing you to determine how long a device was connected.
MBAM/Operational Log (Microsoft BitLocker Administration and Monitoring)
Tracks the mounting and dismounting of removable devices.
Includes the volume GUID, which can help correlate device activity with registry data
-----------------------------------------------------------------------------------------------------
Setting Up Auditing for USB Devices
To make the most of these logs, you need to configure Windows to track the necessary events:
Enable Removable Storage Auditing:
Go to Advanced Audit Policy Configuration > Object Access > Audit Removable Storage.
Enable both Success and Failure auditing.
Enable Plug and Play Activity Auditing:
Under Advanced Audit Policy Configuration > Detailed Tracking, enable Audit PNP Activity.
-----------------------------------------------------------------------------------------------------
Key Takeaways
Use System Logs for identifying the first-time connection of devices.
Rely on Security Logs for tracking file and folder operations.
Combine Event IDs 4663, 6416, and 20003 to get a complete picture of device activity.
Cross-reference logs with the Registry or other artifacts like Prefetch data to match devices with user actions.
Enable auditing policies to ensure detailed logs are captured.
By strategically leveraging these logs, investigators can gain valuable insights into USB usage, even in environments with limited historical data retention.
--------------------------------------------------Dean--------------------------------------------------
Comentarios