Log USB Flash Drive COPY Activity

Something to think about is that USB flash drives are kind of an old school way of moving data. Someone wanting a bunch of documents could just as easily email a copy to themselves, login to a web-based cloud storage site like DropBox and upload them, or even print a hard copy. There's so many different ways to go about it.

One option you can look into is if the files are stored on a server you can turn on Auditing, All this will do is keep records of access, so if you're worried about some outgoing employee snooping or stealing files it would show you what they accessed. Here's something to get started with that - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder

Thank you William.

The auditing that Windows comes with creates an enormous amount of data that is very difficult to sift through.

I'm looking for a program, most likely from a third-party, that will create a simplified report revealing what has been copied to or from her USB drive.

I don't mind paying for the software, I'm just looking for good recommendation.

I have not tried it, but doing a Google search, I found this tracking software:

https://www.visualclick.com/content/monitor-usb-windows-file-system.htm?keyword=track%20usb%20activity

This page also has tips for tracking USB Drive activity:

https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/

Owen,
The Visual Click offering looks good. I also found FileAudit from isdecisions.com.

Unfortunately management has rejected the $800 price tag to see if data is leaving the company.

If anyone has offerings cheaper, please let me know. Even if there were a way to easily view the Windows Event logs it would work.

Thank you,

John

Yea, I did not look at the price, and that is a bit pricey, I agree.

I will go do a more indepth search and see what I can find.

What about this software? It seems to log all activity, and as far as I can tell, you can try it for free, and I can't find the price.


 https://www.novirusthanks.org/products/usb-logger/

Owen,

That's the software I mentioned in my original post. (see hotlink) If that software had done what it promised when I deployed it on my network, I could be done with this project.  :)

Can you find anything else like it? Soooo close!

Thanks for all your help,

John

Sorry, I missed that. Too bad, it looked fairly good. One more try....  :-)
BTW: Is there a budget cap I should know about?

$350 budget Cap
It's just to watch that one guy doesn't offload data from his workstation in the next few days.

Thanks again!!!  :)

By the way, a number of these programs have a 30 day trial. As much as I hate to recommend this, that might be all you need it for?

The problem you run into is that Windows does not log file activity that way because so much of it goes on in the background and it would create massive logs full of junk you'd have to filter through. Any special program you use is going to have to actively monitor all file activity, which would probably put a dent in overall PC performance, and try to determine what's normal Windows operation vs. somebody making copies of something. As you are finding, there's a lot of stuff out there that doesn't work as well as you might expect.

One hardcore turn you could take would be to disable USB drive usage if you are concerned about an employee. Some places use this by default as part of their security measures - https://serverfault.com/questions/576768/disable-usb-mass-storage-access-on-client-machines

Windows 8.x and windows 10 can do what you want. They allow auditing the read and write access to removable storage.
Since win7 reaches and of support early 2020, you should be about to upgrade, I suppose?

One hardcore turn you could take would be to disable USB drive usage if you are concerned about an employee. Some places use this by default as part of their security measures -

I get the feeling that they are trying to determine if the person is taking files, and unfortunately, while I agree 100% with your solution, it may not be what they are trying to do.

So, if you goal is to try and see if this person is doing something wrong, you need one of the logging options, many solutions above. But if the goal is to just stop the possibility, then William has the right solution for you. Just turn it off.

Owen, that's why I called the solution "hardcore". If they are so concerned about employees taking files it may be easier to limit that ability to prevent it from happening, as opposed to using loggers to find out it already happened. Better to preserve the data.

We agree. I was just trying to understand what THEIR goal was. Cheers.

Yes, the idea is to allow use of the USB but know when something leaves the company. He's very high up on the totem pole and blocking him wouldn't go over well. For others, I'm starting to block and allow only OUR solutions for file transfer. All of which have logging (ie. LiquidFiles and others)

I have many vendors offering their products so I'll be wading through them in the coming weeks.  THANK YOU ALL FOR GREAT SUPPORT!!!!