Wilders Security Forums  

  #1  
Old December 8th, 2011, 02:49 PM
smd123 smd123 is offline
Infrequent Poster
 
Join Date: Dec 2011
Location: USA
Posts: 5
Exclamation USB monitoring and admin rights

Hi,
Can an enterprise USB monitoring software fail to log USB flash drive activity for any reason? Can admin rights prevent this from happening?
I had admin rights and copied some files about 2 yrs ago. Now the Windows team is claiming they cannot find logs for that. How do I go about disproving them?
I do not know what kind of system they use for monitoring and am not an expert in Windows XP.
Thanks for any help.
  #2  
Old December 8th, 2011, 04:53 PM
HAN HAN is offline
Very Frequent Poster
 
Join Date: Feb 2005
Location: USA
Posts: 1,715
Default Re: USB monitoring and admin rights

I'm thinking we might need more detail (of the situation, not company names and such). If this is all you know, it's not going to be easy to figure out what the situation really consists of...
  #3  
Old December 8th, 2011, 09:00 PM
smd123 smd123 is offline
Infrequent Poster
 
Join Date: Dec 2011
Location: USA
Posts: 5
Default Re: USB monitoring and admin rights

About 2 yrs back I'd taken some files thru a USB flash drive. Apparently, the firm (my former employer) had some kind of monitoring system for USB drives. I do not know what the system is.
Now the company is claiming that they cannot find any logs showing I copied the files and hence I circumvented their security system to copy files. I am not that smart to figure out how to do this, when I don't even know what system they were using. I did however have "local admin rights" at that time. I did call the help line and the associate mentioned that I can copy files with those rights.
I tried to copy files 9 months later and at that time the operation was completely blocked. I am not sure if I had admin rights at that time or the monitoring software had changed. I called the help line again to send someone to copy files.
How can I prove that I did not circumvent their system? I do not have access to any of their systems now. Is it possible that logs were missed due to admin rights or for any other reason?
This is as much information as I can divulge. Hope this helps.
  #4  
Old December 9th, 2011, 12:01 AM
JRViejo JRViejo is offline
Global Moderator
 
Join Date: Jul 2008
Posts: 10,414
Default Re: USB monitoring and admin rights

Quote:
Originally Posted by smd123
I did however have "local admin rights" at that time. I did call help line and associate mentioned that I can copy files with those rights.

I am not sure if I had admin rights at that time or the monitoring software had changed. I called help line again to send someone to copy files.

smd123, if you called a "help line" twice, they might have a record of your calls, plus associates' names, who perhaps could verify and confirm your actions.
__________________
JR
"You don't have to win every argument. Agree to disagree." Regina Brett
  #5  
Old December 9th, 2011, 10:25 AM
smd123 smd123 is offline
Infrequent Poster
 
Join Date: Dec 2011
Location: USA
Posts: 5
Default Re: USB monitoring and admin rights

Yes, they are in the process of verifying calls etc. However, that does not explain why the logs are missing. That's what I needed help with as I am not an expert in this field.
Thank you.
  #6  
Old December 9th, 2011, 11:23 AM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Lightbulb Re: USB monitoring and admin rights

@ smd123

Hi, if they used this they should be able to identify yours

Quote:
USBDeview v1.96

Description

USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used.
For each USB device, extended information is displayed: Device name/description, device type, serial number (for mass storage devices), the date/time that device was added, VendorID, ProductID, and more.

http://www.nirsoft.net/utils/usb_devices_view.html
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #7  
Old December 9th, 2011, 12:36 PM
smd123 smd123 is offline
Infrequent Poster
 
Join Date: Dec 2011
Location: USA
Posts: 5
Default Re: USB monitoring and admin rights

Thanks for the post. As I mentioned, I do not know what system they use. Some sort of enterprise software, and they claim nothing re: my workstation in the log. Question is, is it possible for software not to have logged this due to admin rights or other anomaly?
  #8  
Old December 9th, 2011, 02:57 PM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Lightbulb Re: USB monitoring and admin rights

Quote:
Originally Posted by smd123

Thanks for the post.

Quote:
Question is, is it possible for software not to have logged this due to admin rights or other anomaly?

I don't know. But if you asked the management etc to ask IT etc to run USBDeview they should be able to see what devices were used & their serial #'s etc. If you run it on your comp & get your USB serial # you can compare it to their test with USBDeview & see if it matches.
  #9  
Old December 10th, 2011, 09:48 PM
smd123 smd123 is offline
Infrequent Poster
 
Join Date: Dec 2011
Location: USA
Posts: 5
Default Re: USB monitoring and admin rights

@CloneRanger thanks for this post. This might be of some help. Since you've more knowledge than I do, does Windows also record the files copied somewhere that can be retrieved either thru a tool or forensically?
  #10  
Old December 11th, 2011, 06:03 PM
smokenz smokenz is offline
Infrequent Poster
 
Join Date: Dec 2011
Posts: 2
Default Re: USB monitoring and admin rights

Can I ask if they want the logs because they believe you stole information? What you explain is not very specific, but implies this.

It seems odd to me that a firm you worked for 2 years ago is now saying you disabled a USB logging system. As in, they suspect you stole information and can't prove it, so the only option they have is to say you disabled the service to get you to admit to doing it.

And when they say the logs are missing, are they saying they are deleted? Stopped recording between a set period of time that has both previous and future recordings from the alleged time? Did they have this system 2 years ago? If 9 months later it prevented you, was it configured correctly?

I've been involved in many data breach cases, especially around USB, which is generally easy to prove if the company has the correct security model set up, follows ISO27002, SoX Compliance, PCI Compliance etc.

It sounds like, for example, you were a business development manager. You had access to some projected business models. You left after being there a year or so, went to a competitor, and now that competitor is winning that particular market.

Now your previous firm suspects you of copying this information. But they can't prove it, so the last resort is to threaten you and scare you into admitting it.

Remember they can't just accuse you of anything if you don't admit to it and they don't have logs, especially as you could counter-sue for defamation claims, which you'd be surprised is quite common these days, and prevents even a previous employer saying bad things about a past employee, even if they fired them.
 

All times are GMT -4.