Auditing USB Devices
March 9th, 2009 by peter.bassill
One of the problems I recently came across was just how to audit USB devices that have been previously connected to systems on the network. The task seemed simple: every month, run a job that would discover the USB devices that have been introduced to systems on the network and report on them. As I was using Nessus at the time, I looked into the functionality of the USB Device Enumeration plugin, but that would only tell me what USB devices were currently plugged in. I needed a way to look back in time for each machine.
Now, from my forensics work I knew that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR would list all the USB devices that have been connected to a system, so I researched ways of having Nessus pull this information using its registry interrogation plugin. Sadly, no dice. The plugin would not handle the wildcard, so I put it to Tenable and three days later the plugin was released under Nessus ID 34220.
Once I had the plugin, the rest was simple. A simple Perl script would parse the Nessus report output and enter the data into a small database and report on any new additions. Simple, safe and reliable.
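The store-and-compare step described above can be sketched as follows. This is an added example in Python, not the Perl script from the post. It assumes the Nessus report has already been reduced to (host, USBSTOR registry path) pairs, since the plugin's output format is not shown here; the function names, table name and sample data are hypothetical.

```python
import re
import sqlite3

# USBSTOR keys are named <Type>&Ven_<vendor>&Prod_<product>&Rev_<rev>; the subkey
# below is the instance ID (the serial number when the device reports one).
KEY_RE = re.compile(
    r"USBSTOR\\[^&\\]+&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"(?:&Rev_(?P<rev>[^&\\]*))?\\(?P<instance>[^\\]+)$", re.IGNORECASE)

def parse_usbstor(path):
    """Split one USBSTOR instance path into its fields, or return None."""
    m = KEY_RE.search(path.strip())
    return {k: (v or "") for k, v in m.groupdict().items()} if m else None

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS usb_seen (
        host TEXT, vendor TEXT, product TEXT, rev TEXT, instance TEXT,
        first_seen TEXT, PRIMARY KEY (host, vendor, product, rev, instance))""")
    return db

def record_scan(db, scan_date, findings):
    """Store (host, registry path) pairs; return the devices not seen before."""
    new = []
    for host, path in findings:
        dev = parse_usbstor(path)
        if dev is None:
            continue  # not a USBSTOR instance path
        row = (host.lower(), dev["vendor"], dev["product"], dev["rev"], dev["instance"])
        before = db.total_changes
        db.execute("INSERT OR IGNORE INTO usb_seen VALUES (?,?,?,?,?,?)", row + (scan_date,))
        if db.total_changes > before:  # row was inserted, so first sighting
            new.append(row)
    db.commit()
    return new

# Constructed sample findings (hosts, devices and serials are made up).
BASE = "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
FEB_SCAN = [
    ("WS-014", BASE + "Disk&Ven_Example&Prod_Flash_Drive&Rev_1.00\\0123456789AB&0"),
    ("WS-022", BASE + "Disk&Ven_Sample&Prod_Portable_HDD&Rev_2.10\\FEDCBA987654&0"),
]
MAR_SCAN = FEB_SCAN + [
    ("WS-022", BASE + "Disk&Ven_Example&Prod_Flash_Drive&Rev_1.00\\AA11BB22CC33&0"),
]

if __name__ == "__main__":
    db = open_db()
    record_scan(db, "2009-02-01", FEB_SCAN)
    for row in record_scan(db, "2009-03-01", MAR_SCAN):
        print("NEW:", *row)
```

Keying on host plus instance ID means the same stick appearing on a second machine is reported as new for that machine.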
(If you want further details on USB viewing, the forensicwiki is an excellent resource!)