USB monitoring and admin rights

Discussion in 'other security issues & news' started by smd123, Dec 8, 2011.

Thread Status:
Not open for further replies.
  1. smd123

    smd123 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    5
    Location:
    USA
    Hi,
    Can an enterprise USB monitoring software fail to log USB flash drive activity for any reason? Can admin rights prevent this from happening?
    I had admin rights and copied some files about 2 yrs ago. Now the Windows team is claiming they cannot find logs for that. How do I go about disproving them?
    I do not know what kind of system they use for monitoring and am not an expert on Windows XP.
    Thanks for any help.
     
  2. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I'm thinking we might need more detail (of the situation, not company names and such.) If this is all you know, it's not going to be easy to figure out what the situation really consists of...
     
  3. smd123

    smd123 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    5
    Location:
    USA
    About 2 yrs back I'd taken some files through a USB flash drive. Apparently, the firm (my former employer) had some kind of monitoring system for USB drives. I do not know what the system is.
    Now the company is claiming that they cannot find any logs showing I copied the files and hence I circumvented their security system to copy files. I am not that smart to figure out how to do this, when I don't even know what system they were using. I did however have "local admin rights" at that time. I did call the help line and the associate mentioned that I can copy files with those rights.
    I tried to copy files 9 months later and at that time the operation was completely blocked. I am not sure if I had admin rights at that time or the monitoring software had changed. I called the help line again to send someone to copy files.
    How can I prove that I did not circumvent their system? I do not have access to any of their systems now. Is it possible that logs were missed due to admin rights or for any other reason?
    This is as much information as I can divulge. Hope this helps.
     
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,981
    Location:
    U.S.A.
    smd123, if you called a "help line" twice, they might have a record of your calls, plus associates' names, who perhaps could verify and confirm your actions.
     
  5. smd123

    smd123 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    5
    Location:
    USA
    Yes, they are in the process of verifying calls etc. However, that does not explain why the logs are missing. That's what I needed help with as I am not an expert in this field.
    Thank you.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ smd123

    Hi, if they used this they should be able to identify yours :thumb:

     
  7. smd123

    smd123 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    5
    Location:
    USA
    Thanks for the post. As I mentioned, I do not know what system they use. Some sort of enterprise software, and they claim nothing re: my workstation is in the log. Question is, is it possible for the software not to have logged this due to admin rights or other anomaly?
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    :)

    I don't know. But if you asked the management etc to ask IT etc to run USBDeview they should be able to see what devices were used & their serial #'s etc. If you run it on your comp & get your USB serial # you can compare it to their test with USBDeview & see if it matches.
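
The serial-number comparison suggested in the post above can also be run against a text listing of the registry key where Windows records USB storage devices (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR). This is an added example, not part of the original post and not USBDeview's code; the listing, vendor names and serial numbers are constructed.

```python
import re
from typing import NamedTuple, Optional

class UsbStorDevice(NamedTuple):
    vendor: str
    product: str
    revision: str
    serial: Optional[str]  # None when Windows generated the instance ID

# Key layout: USBSTOR\<Type>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance ID>
INSTANCE_RE = re.compile(
    r"USBSTOR\\[^&\\]+&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\\s]+)", re.IGNORECASE)

def parse_usbstor(listing):
    """Return one record per device instance found in a listing of USBSTOR keys."""
    seen = {}
    for line in listing.splitlines():
        m = INSTANCE_RE.search(line)
        if not m:
            continue  # parent keys and value lines carry no instance ID
        instance = m.group("instance")
        # '&' as the second character means the drive reported no serial number
        # and Windows made the ID up, so it cannot identify a specific drive.
        if instance[1:2] == "&":
            serial = None
        else:
            serial = instance.rsplit("&", 1)[0].upper()
        # Sub-keys repeat the same instance path; keep one record per instance.
        seen[instance.upper()] = UsbStorDevice(
            m.group("vendor"), m.group("product"), m.group("rev"), serial)
    return list(seen.values())

def find_drive(devices, serial):
    """Match a serial read from the drive itself against the workstation's records."""
    wanted = serial.strip().upper()
    return [d for d in devices if d.serial == wanted]

# Constructed sample listing (not taken from any real machine).
SAMPLE_LISTING = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\AA00112233445566&0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\AA00112233445566&0\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Storage&Rev_0.01\6&1a2b3c4d&0
"""

if __name__ == "__main__":
    for dev in parse_usbstor(SAMPLE_LISTING):
        print(dev)
```

A record whose serial is None cannot confirm or rule out a particular drive, so only entries with a hardware serial are usable for the comparison.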
     
  9. smd123

    smd123 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    5
    Location:
    USA
    @CloneRanger thanks for this post. This might be of some help. Since you've more knowledge than I do, does Windows also record the files copied somewhere that can be retrieved either through a tool or forensically?
     
  10. smokenz

    smokenz Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    2
    Can I ask if they want the logs because they believe you stole information? What you explain is not very specific, but implies this.

    It seems odd to me that a firm you worked for 2 years ago is now saying you disabled a USB logging system. As in, they suspect you stole information and can't prove it, so the only option they have is to say you disabled the service to get you to admit to doing it.

    And when they say the logs are missing, are they saying they are deleted? Stopped recording between a set period of time that has both previous and future recordings from the alleged time? Did they have this system 2 years ago? If 9 months later it prevented you, was it configured correctly?

    I've been involved in many data breach cases, especially around USB, which is generally easy to prove if the company has the correct security model set up, follows ISO27002, SoX Compliance, PCI Compliance etc.

    It sounds like, for example, you were a business development manager. You had access to some projected business models. You left after being there a year or so, went to a competitor, and now that competitor is winning that particular market.

    Now your previous firm suspects you of copying this information, but they can't prove it, so the last resort is to threaten you and scare you into admitting it.

    Remember they can't just accuse you of anything if you don't admit to it and they don't have logs, especially as you could countersue for defamation claims, which you'd be surprised is quite common these days, and prevents even a previous employer saying bad things about a past employee, even if they fired them.
     