Why do you say that? Do you have any basis in fact?
>...perhaps 0.0001% of Windows domain controllers would know where to look for it,
Perhaps...if by "domain controller" you mean sysadmin. But these folks can be educated, as can law enforcement, etc. I started presenting on this at GMU2005, and have published articles and blogs on it.
> Does WinXX create a log file of USB insertion - damned if I know!
If by WinXX you mean WinXP (or WinNT+), then the answer is yes. When a USB removable storage device is plugged into a WinNT+ (includes 2000, XP, 2003) system, that fact is recorded in the file system (the first time, anyway) as well as within the Registry.
Give me an unaltered image of a system and I can tell you how many USB removable storage devices were plugged into it, when each was first plugged in, and the last time they were plugged in. I may even be able to tell you which drive they were mapped to. I may even be able to tie it to a unique device.
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com/http://windowsir.blogspot.com/
A while back, I'd posted on my blog that it might be possible, if you knew the location of several managed WinXP laptops within the building, to use WMI/WDM scripts to locate SSIDs and signal strength, as "seen" by those systems. That way, you could get an idea of where the rogue WAPs may be.
For example if you have an SSID with a low signal strength for a system on the third floor, query some other nearby systems, even ones on the second and fourth floors...it won't be exact but it will give you an idea. You can even get on the phone and have someone walk over there for you!
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com/http://windowsir.blogspot.com/
Slashdot Mirror
Why do you say that? Do you have any basis in fact?
>
Perhaps...if by "domain controller" you mean sysadmin. But these folks can be educated, as can law enforcement, etc. I started presenting on this at GMU2005, and have published articles and blogs on it.
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com/
http://windowsir.blogspot.com/
> Does WinXX create a log file of USB insertion - damned if I know! If by WinXX you mean WinXP (or WinNT+), then the answer is yes. When a USB removable storage device is plugged into a WinNT+ (includes 2000, XP, 2003) system, that fact is recorded in the file system (the first time, anyway) as well as within the Registry. Give me an unaltered image of a system and I can tell you how many USB removable storage devices were plugged into it, when each was first plugged in, and the last time they were plugged in. I may even be able to tell you which drive they were mapped to. I may even be able to tie it to a unique device. H. Carvey "Windows Forensics and Incident Recovery" http://www.windows-ir.com/ http://windowsir.blogspot.com/
A while back, I'd posted on my blog that it might be possible, if you knew the location of several managed WinXP laptops within the building, to use WMI/WDM scripts to locate SSIDs and signal strength, as "seen" by those systems. That way, you could get an idea of where the rogue WAPs may be. For example if you have an SSID with a low signal strength for a system on the third floor, query some other nearby systems, even ones on the second and fourth floors...it won't be exact but it will give you an idea. You can even get on the phone and have someone walk over there for you! H. Carvey "Windows Forensics and Incident Recovery" http://www.windows-ir.com/ http://windowsir.blogspot.com/