EventTracker: Removable Media Device Monitoring...EventTracker: Removable Media Device Monitoring 6...

EventTracker 8815 Centre Park Drive

Columbia MD 21045 www.eventtracker.com

Publication Date: Dec 21, 2011

EventTracker: Removable Media Device Monitoring

Version 7.x

http://www.eventtracker.com/�


1

Abstract With the introduction of newer portable devices, the security needs of protecting integrity and confidential data has been changed. An increasing need of portable access to the data has also increased the risk of sensitive or confidential data exposure. Therefore, to keep a record of removable media device activities has become one of the most important compliance factor for the enterprise. EventTracker’s advanced removable media monitoring capacity protects and monitors system(s) from illegal access or data theft. EventTracker helps user(s) to disable the unauthorized access to the machine and allow the trusted devices connection.

Purpose This document will help you to enable the removable device monitoring and explains the procedure to find the Device ID and USB serial number. It also monitors insertion/removal and files written to and read from removable media such as CD/DVD and USB.

Intended Audience

Administrators who are assigned the task to monitor and manage events using EventTracker.

Scope The configurations detailed in this guide are consistent with EventTracker Enterprise version 7.x. The instructions can be used while working with later releases of EventTracker Enterprise.

The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided.

Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred. © 2013 Prism Microsystems Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


2

Table of Contents

Overview ....................................................................................................................................................... 3 EventTracker Monitoring Features ............................................................................................................ 3 Implement Monitoring Removable Media Feature in EventTracker v7.1 .............................................. 6

Monitor CDW/DVD Burning Activities ................................................................................................... 6

Monitor CD-ROM Activities ..................................................................................................................... 6

Configure EventTracker Agent to Monitor Removable Media ............................................................. 7

Disable USB Drives .............................................................................................................................. 7

Exempt Authorized USB Drives .......................................................................................................... 8

Configure Device Monitoring Alerts ....................................................................................................... 9

Import and Configure CD-DVD Monitoring Alert .............................................................................. 9

Configure USB Device Monitor Alerts .................................................................................................. 10

EventTracker Device Monitoring Categories ....................................................................................... 11

EventTracker Device Monitoring Reports ............................................................................................ 13

Category Reports ............................................................................................................................... 13

Custom Reports ................................................................................................................................. 15

EventTracker Generated Events ........................................................................................................... 17

Media Type: CD/DVD Recorder ......................................................................................................... 17

Media Type: CD-ROM ........................................................................................................................ 21

Media Type: Removable (USB) .......................................................................................................... 25

Limitations ............................................................................................................................................. 31

EventTracker Configurations for removable device monitoring in v7.2 ............................................... 32 EventTracker settings options for USB and other device changes ................................................... 32

Define USB exception list ...................................................................................................................... 34

To find USB volume serial number ....................................................................................................... 35

To find USB Device ID ............................................................................................................................ 37

To convert USB Serial number format ................................................................................................. 40

Possible Substring match for Device ID............................................................................................... 41


3

Overview The USB and removable media are vital part of any enterprise when it comes to data transfer. They have many shapes as flash memory drives, cell phones, cameras, and PDAs that can serve as storage devices. These portable devices are convenient for transfer and storage of large data with or without network access and that too in short time. However, with all these advantages, it has some security vulnerabilities. In modern day enterprise, USB data transfer is the simplest way of Data theft. The chances of data leakage, creation of duplicate documents and illegal data transfer etc has also increased.

As a SIEM solution, EventTracker not only has the ability to monitor the USB or removable media device communications, but it also can identify the trusted USB and other devices. You can define the unique identifier number of the USB so that the device will not be disabled upon insertion, and can access the information from system.

EventTracker Monitoring Features Reports insertion / removal of the removable device

EventTracker will log every activity of the USB or other removable media device like plug-in, plug-out, or data transfer etc. A complete audit trail that consists of the user, device type, serial number, time and all the file activities are captured, and sent as an event to the EventTracker Console for processing.

Prevents unauthorized access and reports the intrusion in real time Every time an USB is inserted, the EventTracker agent looks at USB exception list, and if there is no violation of policy, permits access to the device, while logging the insert activity. If a violation of policy is detected, access is prevented and the violation is immediately sent to the EventTracker Console. At this point if access is permitted, EventTracker also begins to monitor all the activities on the device, and every file that is written to or deleted from the device is recorded.

Restricts Access EventTracker can restrict access to all the USB Devices on a particular system, and also can exempt the specified USB devices from monitoring which are added in the USB Exception list.


4

Protects the system from malware EventTracker can disable the USB or other removable media device upon insertion, and thus safeguards the network from viruses and Trojans.

Logging USB device communication For the security and compliance purpose, EventTracker logs the USB communication in detail as incidents.

Figure 1: Event Properties

Get Alert notification In EventTracker, user can configure alerts to receive the notification upon removable media activities.

Example: EventTracker: USB device disabled, Media Insert alert etc.


5

Figure 2: Alert Configuration

Media Insertion Report EventTracker has a provision to configure the reports to analyze the removable media device activities. These reports are helpful to find unauthorized access to the systems. To configure the USB device report, open EventTracker Enterprise >> Click Operations menu >> Click Reports tab >> In the Report Tree, click USB Device Report node.

Figure 3: Reports


6

Implement Monitoring Removable Media Feature in EventTracker v7.1

1. When a USB device is plugged in or a media is inserted to the CD/DVD drive, Windows sends media insertion notification with the drive letter/name to the EventTracker Windows Agent.

2. Upon receiving the notification, EventTracker Windows Agent launches USBTracker.exe with drive details. USBTracker.exe is an EventTracker utility that monitors removable media file changes activities.

3. USBTracker.exe generates event 3239 and starts monitoring all activities (files added/modified/deleted/copied) that happen on the removable media.

4. When USB device is unplugged or media is ejected, Windows sends media removal notification to the USBTracker.exe.

5. Upon receiving the notification, USBTracker.exe stops monitoring, generates event 3240 with details on all activities and exits.

NOTE:

This feature is supported for Windows only (Win XP, Vista, 2K3, 2K8, and Win 7) and requires EventTracker Agent to be installed and configured.

Monitor CDW/DVD Burning Activities Windows XP, 2003, 2008, Vista, Win7 has built-in CD recorder feature that lets you drag and drop files using Windows Explorer to write files to a CD. Before burning the CD, Windows buffers the files in ‘staging area’. Staging area is a hidden folder that is usually "Drive_letter:\Documents and Settings\Username\Local Settings\Application Data\Microsoft\CD Burning ".

By monitoring the staging area for the list of files being queued up for writing, you can unravel rather a disquieting puzzle who? when? and what?

Monitor CD-ROM Activities Windows copies the files copied from CD-ROM (CTRL + C or mouse right-click) to the clipboard. By monitoring the clipboard you can keep tabs on the file copy activity.


7

Configure EventTracker Agent to Monitor Removable Media

1. Click the Admin drop-down list and then click Windows Agent Config. 2. Select the system from the Select system drop-down list. 3. Click the System Monitor tab.

Report insert / remove check box is selected by default. Leave as it is. 4. Select the Record activity check box under USB and Other Device Changes.

This enables monitoring all removable media (USB, CD-R, CD-RW, and DVD) on the managed system.

5. Click Save.

Figure 4

Disable USB Drives This option helps you altogether block USB devices. You can only disable USB drives and not CDROM.

1. Select the Disable USB devices check box under USB and Other Device Changes. 2. Click Save on the System Monitoring page.

EventTracker blocks all USB devices.


8

Exempt Authorized USB Drives This option helps you restrict users use only authorized USB devices.

1. Click USB Exception List. EventTracker enables this button only when you select the Disable USB devices check box. EventTracker displays the USB Exception List pop-up window.

2. Select an appropriate Format option. 3. Type the serial number in the Enter USB Serial number field. 4. Click Add.

EventTracker adds the serial number to the USB Serial Numbers list.

Figure 5

5. Click Save & Close. 6. Click Save on the System Monitoring page.


9

Configure Device Monitoring Alerts Configure Alerts to receive notifications. You can also view these Alert events on the Alerts Dashboard.

Import and Configure CD-DVD Monitoring Alert To configure CD-DVD Monitoring Alert, do the following

a. Log on to EventTracker. b. Click the Admin drop-down list and then click Alerts. c. Locate the EventTracker CD-DVD Monitoring Alert. d. Select severity of threat from the Threat Level drop-down list. e. Select the check box under Active, if not selected. f. Set appropriate Alert actions to receive notifications. g. Click OK on the message box.

Figure 6


10

Configure USB Device Monitor Alerts 1. Click the Admin drop-down list and then click Alerts. 2. Locate the EventTracker: USB device disabled & Media insert alert Alerts. 3. Select severity of threat from the Threat Level drop-down list. 4. Select the check box under Active, if not selected. 5. Set appropriate Alert actions to receive notifications. 6. Click OK on the message box.

Figure 7


11

Figure 8

EventTracker Device Monitoring Categories To view Categories, click the Admin drop-down list and then click Category.

Category: EventTracker: USB device disabled

Description: All events logged by EventTracker when it disables unauthorized USB device, which is not in the exception list. Event Id: 3242.


12

Figure 9

Category: EventTracker: USB or other device monitoring

Description: All events logged by EventTracker while monitoring USB, CD, and DVD device or media insertion and removal. Event Id: 3228, 3229, 3239, 3240.

Figure 10


13

EventTracker Device Monitoring Reports

Category Reports Operations -> Reports -> EventTracker: USB device disabled

EventTracker Agent for Windows can be configured to disable USB device. If this feature is enabled, this report provides information on disabled devices across selected computers for the chosen time period.

Usage: This feature should be enabled for both Servers and Workstations. This report is useful to track unauthorized usage of USB devices.

Figure 11

Figure 12


14

Operations -> Reports -> EventTracker: USB or other device monitoring

EventTracker Agent for Windows can be configured to monitor insert/removal and files added/modified/deleted/copied to and from removable media. If this feature is enabled, this report provides information on those activities across selected computers for the chosen time period.

Usage: This report must be run and reviewed regularly for all critical servers and workstations.

Figure 13

Figure 14


15

Custom Reports Operations -> Reports -> USB Device Disabled Report

This report provides information on disabled USB device across selected computers for the chosen time period.

Usage: This report would be useful when you are looking for a quick report on disabled USB devices.

Figure 15

Operations -> Reports -> USB Device Report -> USB Device Report Detail

This report provides detailed information on the files added/modified/deleted to USB device. It can be tuned by applying Refine or Filter criteria, systems, and time period.

Usage: This report is usually run during a detailed investigation phase, as needed.

Figure 16

Operations -> Reports -> USB Device Report -> USB Device Report Summary

This report provides summary information on the files added/modified/deleted to USB device. Charts are included per system per activity top 10 USB devices sorted by top 5 users.

Usage: This report would be useful when you are looking for a quick report for the files added/modified/deleted/copied to and from USB devices.


16

Figure 17


17

EventTracker Generated Events

Media Type: CD/DVD Recorder Drive Monitoring started event [3239]

Figure 18

Description:

Drive Monitoring started for E:\

Volume Label: NW65OS

Volume Serial No: 3700563404

Volume ID: \\?\Volume{c40a164e-b680-11df-affc-806d6172696f}\

Type: CD - ROM

File System: CDFS


18

Network Volume: No

Description: Change affects media in drive.

Console User: TOONS\shibu

Active Users: TOONS\shibu

Drive Monitoring stopped [3240]

Figure 19

Description:

Drive Monitoring stopped for E:\




19


Type: CD - ROM

File System: CDFS

Network Volume: No




Recorder status:

Ejected without writing.

Files copied by user: TOONS\shibu

GetProcessID.obj|Added|10/27/2010 02:35:00 PM

IMAPITools.obj|Added|10/27/2010 02:35:00 PM

StdAfx.obj|Added|10/27/2010 02:35:00 PM

USBTracker.obj|Added|10/27/2010 02:35:00 PM

Files copied to clipboard:

E:\READ_ME.TXT|10/27/2010 02:35:04 PM

E:\READ_ME.HTM|10/27/2010 02:35:04 PM

E:\READ_ME.TXT|10/27/2010 02:35:14 PM

E:\READ_ME.HTM|10/27/2010 02:35:14 PM

If files are queued in the staging area and the media was ejected without writing prior to current burning session EventTracker tracks those files too as shown in the following text highlighted in blue.

Description:




21

Media Type: CD-ROM Detected new drive event [3228]

Figure 20

Description:

Detected new media in drive <E:>



Volume ID: \\?\Volume{e4694682-12ca-11dd-a32c-806d6172696f}\

Type: CD - ROM

File System: CDFS

Network Volume: No


22


Drive Monitoring started event [3239]

Figure 21

Description:

Drive Monitoring started for E:\




Type: CD - ROM

File System: CDFS


23

Network Volume: No


Console User: TOONS\kalyani

Active Users: TOONS\kalyani

Drive Monitoring stopped event [3240]

Figure 22

Description:






24

Type: CD - ROM

File System: CDFS

Network Volume: No




Recorder status:

Unknown


E:\TOOLS|10/28/2010 11:24:38 AM

Media from drive removed event [3229]

Figure 23


25

Description:

Media from drive <E:> removed.

Network Volume: No


Media Type: Removable (USB) Detected new drive event [3228]

Figure 24

Description:

Detected new drive <F:>

Volume Label: PNPL2


26


Volume ID: \\?\Volume{cbb79a4d-b006-11df-ab88-0015586a1e0a}\

Type: Removable

File System: FAT32

Network Volume: No

Description: Change affects physical device or drive.

USB Monitoring started event [3239]

Figure 25

Description:

USB Monitoring started for F:\


27

Volume Label: PNPL2



Type: Removable

File System: FAT32

Network Volume: No




USB Monitoring stopped event [3240]

Figure 26


28

Description:

USB Monitoring stopped for F:\

Volume Label: PNPL2



Type: Removable

File System: FAT32

Network Volume: No




No files added or modified or deleted

If files have been added/modified/deleted, the description contains file details as shown below.

Description:

USB Monitoring stopped for F:\

Volume Label: PNPL2


Volume ID: \\?\Volume{cbb79a4d-b006-

11df-ab88-0015586a1e0a}\

Type: Removable

File System: FAT32

Network Volume: No




29


Added EventLoggingInformation.xls 10/27/2010 12:01:18 PM

Modified EventLoggingInformation.xls 10/27/2010 12:01:18 PM

Added err_gde.pdf 10/27/2010 12:01:18 PM

Deleted EventLoggingInformation.xls 10/27/2010 12:02:23 PM

Deleted err_gde.pdf 10/27/2010 12:02:47 PM

Drive removed event [3229]

Figure 27

Description:

Drive <F:> removed


30

Network Volume: No

Description: Change affects physical device or drive

Media drive is disabled by EventTracker event [3242]

Figure 28

Description:

Media drive <F:> is disabled by EventTracker. Please contact your system administrator.

Volume Label: PNPL2



Type: Removable


31

File System: FAT32

Network Volume: No


Limitations EventTracker Windows Agent monitors CD/DVD burning activities carried only through the Windows Explorer and does not monitor burning activities done via third party tools such as Nero, Iomega, etc.


32

EventTracker Configurations for removable device monitoring in v7.2 EventTracker settings options for USB and other device changes

Open EventTracker Control panel, double click EventTracker Agent Configuration, and then click the System Monitor tab.

OR

Open EventTracker Enterprise, click Admin dropdown, and then click Windows Agent Configuration. Click System Monitor tab.

Figure 29: EventTracker Agent Configuration


33

• Click ‘Report insert/remove’ checkbox: to report the insertion or removal of removable device to the manager.

• Click ‘Record Activity’ checkbox: to keep record of activities like data transfer done by the USB or other removable media device.

• Click ‘Disable USB Device’ checkbox: to block all the USB devices from accessing the system. Enabling this checkbox activates ‘USB Exception List’ button.

NOTE:

While editing USB serial number or device Id, if you do not make any changes and click the Edit Ok/OK button, then EventTracker will display an error message. EventTracker assumes the unchanged number as duplicate entry and therefore do not allow entering the same USB serial number or device ID.

In EventTracker Control panel:

Figure 30

In EventTracker Enterprise Web console:

Figure 31


34

Define USB exception list In EventTracker, ‘USB Exception list’ can be used to,

Authorize the USB communication to a specific model of USB device, while blocking all other devices.

Allow a single device with a unique identifier (such as serial number), while blocking all the devices from same manufacturer.

Figure 32: USB exception List

• Enter the ‘USB volume serial number’ to authorize data transfer.

• If your device does not have the serial number, then EventTracker also has a provision to define Device ID of the USB. Enter the USB device ID and add the USB to the exception list.

• Do not forget to click Save & Close button to save the changes in the USB serial number or Device ID.

• To update the serial number or Device ID, click the number or ID, and then click the Edit button.

Make appropriate changes and then click the Edit Ok button.


35

To find USB volume serial number 1. Verify if the USB device is inserted properly on the system.

2. Open My Computer and note the drive letter for the USB device.

3. Open the command prompt and change to the USB drive by typing <drive letter>.

4. Type ”dir” to see the directory listing.

Figure 33: Find the USB serial number in command prompt

5. Note down the volume serial number shown in ‘Hexadecimal’ format.

6. In the USB Exception list window, enter this serial number in Enter USB Volume Serial

number text box.

7. Click the Hex option.

8. Click the Add button to add the serial number.

The output will be seen as below. (Refer Figure 34).


36

Figure 34

NOTE: In the command prompt, the volume serial number will always be in ‘Hexadecimal’ format. You can convert it into ‘Decimal’ format, if required.


37

To find USB Device ID 1. Verify if the USB device is inserted properly on the system.

2. Go to Control panel, and click Systems.

OR

Right click on My Computer, and then click Properties.

3. Click the Hardware tab, and then click the Device manager button.

Figure 35: System Properties

4. Under Universal Serial Bus controllers node, an entry for the inserted USB device is shown. (Refer figure 36).

5. Right-click on the USB entry and select Properties.


38

Figure 36: Computer Management

6. Select Details tab.

Figure 37: USB Mass Storage Device Properties


39

Device ID Example:

USB\VID_058F&PID_6387\X6G7JFL3 (Transcend USB)

Vendor Identification Number (VID) - VID_058F

Product Identification Number (PID) - PID_6387

Serial Number of the device - X6G7JFL3

7. In the dropdown, - Select Device instance ID for Win 2003, XP based systems. - Select Device Instance path for Vista, Win2008 and Win 7 based systems.

8. Click on the instance id shown in the box and copy by pressing Control + C button on the

keyboard.

9. In the USB Exception list, paste this ID in the Enter USB Device ID text box, and then click

the Add button to add the Device ID.

The output will be seen as below:

Figure 38: USB Exception list

10. Click the Save & Close button.


40

To convert USB Serial number format You can convert the USB serial number from Hexadecimal to Decimal format, and vice versa.

1. Enter the USB serial format in USB Volume Serial No field.

Figure 39: USB Serial number- Hexadecimal format

2. To convert the number in decimal format, click the Dec option.

Figure 40: USB Serial number- Decimal format

EventTracker automatically converts the number from Hexadecimal to Decimal.

3. To convert the number again in hexadecimal format, click the Hex option.

NOTE: EventTracker will not allow you to enter an invalid number (containing alphabet or signs)

when decimal (Dec) option is selected.


41

Possible Substring match for Device ID The Disable USB Devices checkbox when clicked, blocks the entry of all the USB devices. However, for the authentic USB devices, we can add its USB serial number or device ID to allow the USB data transfer. Following are the possible substring match for the Device ID to allow more than one device at a time. • To allow devices from a particular vendor: Enter only the VID part like USB\Vid_0781

In this example, 0781 is for SanDisk.

• To allow devices from a particular vendor and a particular product: Enter VID and PID parts like USB\Vid_0781&Pid_5567 In this example, 5567 is for SanDisk Cruzer Blade.

• To allow a particular device from a particular vendor and a particular product:

Enter VID, PID, and device serial number like USB\Vid_0781&Pid_5567\20040203321B6B6256E9

Click here for more details on PID/VID.

http://wiki.debian.org/DeviceDatabase/USB�

EventTracker: Removable Media Device Monitoring...EventTracker: Removable Media Device Monitoring 6...

Documents

Transcript of EventTracker: Removable Media Device Monitoring...EventTracker: Removable Media Device Monitoring 6...