Sunday, January 23, 2011

Introducing Leakinator: A Lightweight USB / Removable Drive Monitor, On A Zero Sum Budget, In 15 Minutes

Agent Smith: We'll need a search running.
Agent Jones: It has already begun.
- The Matrix

One of the things I fell like I continually hear is that security teams need a simple method of monitoring file activity on USB and other removable drives on Windows PCs. There are plenty of data loss detection / prevention products for doing this, of course, but you can never find a DLP tool when you need one.

Enumerating drives and files the hard way, using WMI (windows management instrumentation), and various forms of scripting, is of course something we've been doing for years in the world of windows incident response. Active file monitoring is also do-able remotely in vbscript on Windows 2000 and later.

Introducing Leakinator - a lightweight USB / removable disk sniffer and data loss detection tool implemented in vbscript. Why, oh why, you might ask, in vbscript? Doing this in vbscript has a number of advantages:
  • It uses what we already have. The windows script host is built-in to every Windows version since 2000 as is WMI.
  • It couldn't be simpler; there are no prerequisites other than creds and network access. No need to install dot net, java or anything else on the target. No need to install an agent or program that takes time, might not work, and might tip off the subject that they're being monitored.
  • It’s fast and easy; most of the time in these kinds of incidents a solution is needed quickly and there is not time to buy or install a DLP product.
  • It’s quiet and fairly stealthy. Scripts running and WMI queries are routine in many windows environments and you would have to look closely to notice this which means the subject is less likely to detect this form of monitoring.
  • All of this can all be done remotely using WMI.
Leakinator consists of three scripts:
  • Leakomatic.vbs enumerates logical disks until it finds a removable drive; it then begins monitoring file activity on the first discovered removable drive. If you have a simple environment where removables are rare, or you know the subject has only one, this will do the job.
  • Leakinator.vbs monitors file activity on a drive letter your specify on a computer you specify. You determine the drive letter from the output of driveinator;
  • Driveinator.vbs monitors logical disks and alerts when it finds a removable drive (type 2); a writable CD/DVD disc; or any drive with a FAT or FAT32 filesystem. This is used this in concert with instances of leakinator.vbs when the target system has more than one removable drive to be monitored or the drive letters are changing.
Here is an example of a leakinator user story. In this example, a subject is occasionally connecting a USB drive and copying sensitive data that we’d rather they didn’t. Because the USB drive is only connected for a few minutes each day, it is hard to detect and hard to prove this is taking place.

In this example we know the subject computer normally has no removable drives and we can expect to see only one. So, a security analyst runs leakomatic with the target computer name as an argument:

Leakomatic connects to the target via WMI, examines the logical disk table and finds nothing because the subject has not yet plugged in their USB drive. Leakomatic continues running in monitoring mode and awaits the arrival of the drive.

After a while, the subject plugs in their USB drive and waits for indications they may have been detected. Nothing happens from the subject’s perspective. The security analyst immediately receives an alert that a removable drive has been connected. The analyst sees the output and knows the subject has attached a 512 MB Lexar USB drive containing 6 MB of data – an unapproved device.

After a few minutes, the subject begins copying confidential data and each file operation is logged by leakomatic. The subject opens the USB drives and observes that the files have been copied. He then decides to drop the files in a new folder so they're not present on the root of the file system. After a few minutes, he deletes the folder, planning to try to undelete it later with a disk utility. At this point the subject believes these files cannot be detected.

The security analyst sees each file copy, move and delete operation logged by leakomatic. The analyst knows the file copies are suspicious; the immediate deletes remove any doubt that something suspicious is going on.

At this point, the analyst has found her leak. She has several options and the next steps depend on the investigation:
  • Remotely disconnect the drive using mountvol /D
  • Take a copy of the files on the drive as evidence, if the user has not deleted them.
  • Notify HR / facilities that a USB drive needs to be confiscated
  • Continue the investigation and monitor activity on the drive
Some of these options, like taking a copy of the files, are going to be easier with a shell script or a utility like psexec. Looping a command like mountvol is easily done with WMI and vbscript.

Leakinator v1 is available at where terms of use and release notes will be posted.

The usual caveat applies that this tool should only be used by duly authorized security analysts, with permission of all cognizant authorities, and any other use could be unethical or unlawful. Obviously I cannot possibly determine any individual user's authorization status and providing this tool does not constitute an assertion that you are authorized to use this or any other monitoring script; in fact I assert that you are probably unauthorized to the extent of my knowledge, and therefore should not use this or any other monitoring script or tool.

No comments: