Monitoring USB Drive Activities with PowerShell Script

Monitoring USB Drive Activities with PowerShell Script

No Comments

Introduction: At times, managing USB drive activities in a corporate environment can be challenging, especially when there’s a need to balance security concerns with operational requirements. Our consulting practice has encountered situations where limited retention policies in EDR/Logging tools and the need to allow USB drives pose a significant challenge. To ensure data security and compliance, we needed a solution to monitor USB drive activities, particularly during offboarding processes.

The Solution: We developed a simple yet effective PowerShell script that monitors USB drive activities to address this challenge. The script is designed to detect when a USB drive is inserted and log any file transfers or deletions that occur on the drive. This allows us to keep track of data movements and identify any potential security risks, such as unauthorized data transfers or leakage.

How It Works: The script is triggered whenever a USB drive is detected manually or through automated alerts from tools like Datto RMM, which has a component for this scenario. It runs continuously for a predefined period (24hr), monitoring all file activities on the USB drive. After the monitoring period ends, the script generates a report detailing any file transfers or deletions that occurred during that time.

Implementation: Implementing this solution is straightforward. Simply download the PowerShell script from the provided link and integrate it into your existing monitoring infrastructure. For example, you can configure Datto RMM to execute the script as a component whenever a USB drive is detected, or perhaps run it as a scheduled task. This allows you to leverage existing tools and workflows while enhancing your security posture without complicated paid tools.

View Script



Leave a Reply

Your email address will not be published. Required fields are marked *