
Connecting via remote desktop to a Windows 7 machine today showed the last couple of seconds of a Windows device installing and the "Your device is ready" popup for a Sony Xperia T. Going to printers/devices showed an image of the phone. There's no Bluetooth on the PC, and there's no reason for such a device to have been connected. Checking USB attach/detach logs showed expected entries and nothing concerning the phone, though that could have been tampered with. There's also no evidence of any virus, but the machine needs more forensic analysis on that front. Putting aside the most obvious explanation that a phone really had been connected, I'd welcome thoughts on alternative possibilities and things to check for any evidence.

UPDATE: There is a slim possibility that a phone was connected 2 weeks ago, however the machine had been logged into since then, and no device installed message popped up on those occasions. In this case the dialog was seen at the point of logging in again, just as if a device had been plugged in and the drivers had installed themselves, but a phone was definitely not connected at the time.

UPDATE2: Forensics show 4 keys modified, including the following, with data referencing an Xperia at the same time as the remote desktop connect, so there is some handle on the event, which seems to be triggered from the remote connect.

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0

EDIT: 2014 Jan 28

As a postscript to this, a few days ago we replaced the drive in the machine which put it back to how it was at the start of 2013 (we'd copied the original drive to an SSD at that time), and long before there was possibly unauthorised access to the hardware. Looking at the list of printers today, the phantom phone appeared again, and it's guaranteed that one has not been plugged in since the drive was switched. The only software installed since was Skype. Very mystifying.

Nick
  • I don't understand the question. This simply sounds like a phone was connected to the computer. – Ramhound Jan 11 '14 at 01:52
  • I agree, except that circumstances make it highly unlikely that a phone *was* physically connected, and as mentioned, the USB attach/detach event logs are consistent with that. So the question is what could lead the PC to behave as though the phone had just been connected when it wasn't. A virus would be a possibility, but there's no trace of that at the moment either. I accept the obscurity and even implausibility of this, but it's what happened and may make sense to someone. Unfortunately a video wasn't taken at the time. – Nick Jan 11 '14 at 02:48
  • Is the cleaning crew plugging their phone in to charge? Where is this remote machine? Tell us more about the environment. –  Jan 12 '14 at 04:46
  • The cleaner is in the clear, and the machine is out of the way under a desk in an office which people wouldn't normally go to. Since Jan 2nd, event logs show: The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#058F63626420&1# when the machine boots. Others have written that they noticed this after they plugged in a Sony phone. The device connection could have happened on Dec 29th, which would be consistent with things. Just odd that the driver install showed much later. – Nick Jan 12 '14 at 13:12
  • I'll close in a while as this question can never get to a definitive answer, but appreciating the advice and thoughts to add to our own on this. – Nick Jan 12 '14 at 13:18
  • If we assume that a device was connected, we then have to wonder what's the worst case scenario for someone plugging in a smartphone for up to 150 seconds to a PC that's locked. – Nick Jan 12 '14 at 13:25
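The WUDFRd event quoted in the comments embeds a USBSTOR device path, which is the usual handle for tying an event-log entry back to the Enum\USBSTOR registry key whose LastWrite time dates the connection. The following is an added example, not code from the question or its answers: it parses that path into the registry subkey to inspect and flags Windows-generated serials (the '&' in second position rule), which cannot identify one physical unit. The event text is reconstructed from the comment above.

```python
import re

# Constructed from the event message quoted in the comments above (not a captured log).
SAMPLE_EVENT = (
    r"The driver \Driver\WUDFRd failed to load for the device "
    r"WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK"
    r"&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#058F63626420&1#"
)
USBSTOR_RE = re.compile(
    r"USBSTOR#(?P<kind>[A-Z]+)&VEN_(?P<vendor>[^&#]*)&PROD_(?P<product>[^&#]*)"
    r"&REV_(?P<rev>[^&#]*)#(?P<instance>[^#]+)#"
)

def parse_usbstor_reference(message):
    """Extract the USBSTOR identity embedded in a WpdBusEnumRoot device path.

    Returns None if the message carries no USBSTOR path, otherwise a dict with
    the HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR subkey to inspect
    (registry names are case-insensitive; its LastWrite time is the usual
    forensic handle), the device serial, and whether Windows generated that
    serial ('&' as the second character), in which case it does not identify
    one physical unit.
    """
    m = USBSTOR_RE.search(message)
    if not m:
        return None
    instance = m.group("instance")
    generated = len(instance) > 1 and instance[1] == "&"
    return {
        "device_key": "%s&Ven_%s&Prod_%s&Rev_%s" % (
            m.group("kind").capitalize(), m.group("vendor"),
            m.group("product"), m.group("rev")),
        "instance_key": instance,
        "serial": instance if generated else instance.split("&")[0],
        "windows_generated_serial": generated,
    }
```

Note that the path in the comment identifies a generic compact-flash reader with a real serial, not a phone by name, so the registry key it points at is what would have to be dated and compared against the login times.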

2 Answers

Remote Desktop does have a way of making local resources available to the remote host. Not sure if a phone would get shared to the remote host (or how it would be shared). If nothing else, it is conceivable that it would be made available as a USB storage device.

Theoretically, you would have known if a phone was plugged into your local computer so this possibility may not apply to your situation.


poke
  • Thanks, thought this was possible. No phone would have been plugged into the local machine, but a previous connect could have been unauthorised and have a phone connected. The machine is well isolated though but can't rule this out. – Nick Jan 11 '14 at 20:03

It's highly unlikely that a Windows server just decided to imagine a Sony phone was connected and to install the drivers, so you must assume a phone was actually connected.

See if you can trace the device via WiFi. Check logs for wireless access points in the area, and look for a MAC with the first three bytes being an OUI assigned to Sony. You can use a searchable list like https://www.wireshark.org/tools/oui-lookup.html.

Looking online, I found an example Sony Xperia MAC address of 30:39:26 here: http://forum.xda-developers.com/showthread.php?t=2509456

You might then be able to correlate the MACs of Sony devices to access logs of employees, visitors, or vendors as they entered and exited your building, or if they had to badge through internal doorways.

John Deters
  • Thanks John. Assuming a connection is indeed what has to be done. Employees are ruled out at this point and CCTV has shown nothing at the moment. If the "device is ready" alert could be delayed by a couple of weeks we may have an explanation, but it was seen at the point of the 3rd login to the machine since then, so a recent connection seems more likely. USB logging is working and showed nothing, so logs may need to have been patched. No unexpected logins have been identified at this point nor reboots. – Nick Jan 11 '14 at 19:56
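An added example, not code from the answer, of the two steps it describes: scan access-point association records for MACs whose OUI is the 30:39:26 prefix quoted above, then match each hit against door-badge records inside a time window. The log line formats, the sample MACs and the badge ids are all constructed assumptions; real AP and badge exports will need their own parsers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# The one Sony prefix the answer quotes; extend it from the Wireshark OUI table.
SONY_OUIS = {"30:39:26"}
TS_FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample logs (not real data): AP association events and door-badge events.
SAMPLE_AP_LOG = """\
2014-01-10 17:58:02 ap-floor2 assoc client=30:39:26:aa:bb:cc
2014-01-10 18:01:13 ap-floor1 assoc client=00:1e:c2:11:22:33
2014-01-11 01:40:55 ap-floor2 assoc client=30-39-26-AA-BB-CC
"""
SAMPLE_BADGE_LOG = """\
2014-01-10 17:55:10 door=lobby badge=V0102 direction=in
2014-01-10 18:03:30 door=lobby badge=V0102 direction=out
2014-01-11 01:38:00 door=lobby badge=E2231 direction=in
"""
AP_RE = re.compile(r"^(\S+ \S+) (\S+) (assoc|disassoc) client=(\S+)$")
BADGE_RE = re.compile(r"^(\S+ \S+) door=(\S+) badge=(\S+) direction=\S+$")

def normalize_mac(mac):
    """Lower-case colon form, so 30-39-26-AA-BB-CC and 30:39:26:aa:bb:cc compare equal."""
    return ":".join(p.lower() for p in re.split(r"[:-]", mac))

def find_sony_associations(log_text, ouis=SONY_OUIS):
    """Map each MAC whose OUI is in `ouis` to its [(datetime, ap, event), ...] entries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = AP_RE.match(line)
        if m:
            ts, ap, event, mac = m.groups()
            mac = normalize_mac(mac)
            if mac[:8] in ouis:
                hits[mac].append((datetime.strptime(ts, TS_FMT), ap, event))
    return dict(hits)

def correlate_with_badges(hits, badge_text, window_minutes=10):
    """Badge swipes within +/- window_minutes of each Sony association -> (mac, badge, door)."""
    swipes = []
    for line in badge_text.splitlines():
        m = BADGE_RE.match(line)
        if m:
            ts, door, badge = m.groups()
            swipes.append((datetime.strptime(ts, TS_FMT), door, badge))
    window = timedelta(minutes=window_minutes)
    found = set()
    for mac, events in hits.items():
        for when, _ap, _event in events:
            for sts, door, badge in swipes:
                if abs(sts - when) <= window:
                    found.add((mac, badge, door))
    return sorted(found)
```

An OUI match only narrows the candidate set to devices from one vendor, so the badge correlation is what turns it into a short list of people to ask.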