Need advice on way ahead

Mar 28, 2016
Dear all

During a recent Incident Response, we have come across a very peculiar problem and I need advice on how to tackle it. My organisation does not permit the use of USB mass storage devices as a policy, except on certain designated computers. During a routine security check, we found evidence of recent USB mass storage devices on a non-designated computer. Further investigation revealed that these USB devices had been used on multiple computers and all these computers are on a Windows Domain.

We, in accordance with org policy, picked up the concerned computers and the two USB devices and started examining them. During the investigation we found the following:
(a) All the computers (05 of them) had USBSTOR entries showing usage of these two USB devices in 2015, and this was corroborated by the setupapi data, but there were no subsequent entries in setupapi, even though there SHOULD have been some changes in the device driver(s) these last four years. The owner claims that the USBSTOR entries have been created even though the USB drives were under lock and key and have not been used. After taking possession of the USB devices, we asked the owner if there were any subsequent USBSTOR entries in the 15-odd days when the USB drives were in OUR physical possession. And he has promptly produced two instances where the USBSTOR shows the devices to have been used!!

I have a distinct feeling that there is something funny going on because I am not aware of any mechanism where the USB logs can replicate themselves with different date-time stamps even in a Domain environment. I need advice on how to nail this thing down and get to the bottom of it and determine if there is tampering of logs or something like that. Will appreciate any pointers or advice.
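One way to start pulling the two artefact sources apart, as an added example that is not from the original post: a Python script that reads setupapi.dev.log-style "Device Install" sections and compares each USBSTOR instance's first install time against the registry key's LastWrite time and the date the drives went into custody. A key's LastWrite time only records that the key was modified, so a write dated after the custody date points at something on the host rewriting the key rather than at a device connection. The log text, instance ids, times and custody date are all constructed.

```python
import re
from datetime import datetime

# Constructed sample in the style of setupapi.dev.log device-install sections (not a real log).
SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\\AA11BB22CC33&0]
>>>  Section start 2015/03/12 09:41:07.123
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\DD44EE55FF66&0]
>>>  Section start 2015/06/20 14:02:55.001
"""

# Constructed sample: LastWrite time of each USBSTOR device-instance key, as a registry tool would export it.
USBSTOR_LASTWRITE = {
    "AA11BB22CC33&0": datetime(2016, 3, 20, 8, 15, 0),   # written while the drives were in custody
    "DD44EE55FF66&0": datetime(2015, 6, 20, 14, 2, 57),  # matches its install section
    "0123456789AB&0": datetime(2015, 9, 1, 10, 0, 0),    # no install section at all
}
CUSTODY_START = datetime(2016, 3, 13)  # constructed: day the examiners took possession of the drives

HEADER = re.compile(r"^>>>\s+\[Device Install.*USBSTOR\\[^\\]+\\([^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

def parse_setupapi_installs(text):
    """Map each USBSTOR instance id to its earliest 'Section start' time (first driver install)."""
    installs, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        m = START.match(line)
        if m and current:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            installs[current] = min(installs.get(current, when), when)
            current = None
    return installs

def check_custody(installs, lastwrite, custody_start):
    """LastWrite records the last write to the key, not a connection; classify each key accordingly."""
    findings = {}
    for instance, written in lastwrite.items():
        if instance not in installs:
            findings[instance] = "no setupapi install section: key origin unexplained"
        elif written >= custody_start:
            findings[instance] = "key written during custody: not a device connection, find what wrote it"
        else:
            findings[instance] = "consistent with install record"
    return findings
```

Run it against a real setupapi.dev.log export and a USBSTOR LastWrite listing from the same host; any key in the "written during custody" bucket is the one to trace through the host's own change history rather than through the drive.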
