Direct Inward Dialing: +1 408 916 9892
A organization's information can be stolen in multiple ways, but data theft through a USB flash drive is probably one of the easiest ways. USB devices are physically concealable and inexpensive. So while conducting a forensic investigation of how data was stolen, you will have to check the USB drive usage in your network.
PowerShell's Get-WMIObject reveals all USB devices connected to your network when queried with 'win32_diskdrive'. You can do this with ADAudit Plus's attractive graphical interface which provides a consolidated dashboard of all your AD reports. It provides special 'USB Storage Auditing' reports that track file activity like 'copy and paste', 'read', 'modified', and device plug-ins. The table below draws a comparison between detecting USB devices using PowerShell and ADAudit Plus.
Run the 'Get-WMIObject' along with the 'win32_diskdrive' query.
Win32 is a disk drive a computer recognizes when it runs on the Windows Operating system.
Specify the 'Interface type'.
GET-WMIOBJECT win32_diskdrive | Where { $_.InterfaceType –eq ‘USB’ }
Login to ADAudit Plus web console with authorized credentials. Click on the 'Server Audit' tab and select 'USB Storage Auditing' from the left pane.
This gives you multiple reports on 'All File and Folder Changes', 'File read', "File Modified', 'File Copy and paste', 'Removable device plug-in'.
The reports provide detailed information about the file or folder accessed, the location of the change, who made the change and what modification was made.
You can also perform a filtered search by 'server', 'filter/folder name', 'location' 'modified by', and 'message'. These filters help you identify any particular event that you're looking for.
