
I've been tasked with configuring Group Policy/writing a .NET Windows Service which will add entries into a Windows Event Log whenever a user opens or copies a file/files from any optical media (not interested in removable USB drives).

My first attempt was to use C# and get the list of processes and see what files they had open and if the path started with an optical drive letter. This didn't work as while some programs keep the file open (e.g. Acrobat Reader) others do not (Internet Explorer, Notepad). My second attempt was to turn on auditing of object access along with setting the file access security audit on the disc drive ... which you can't do, because there's no security on read-only file systems. My last ditch attempt was to use the auditing of removable storage group policy, but that doesn't add any log entries for optical media (I tested a USB pen drive and that did create entries), additionally it's only available in Windows 8+ and I need to support Windows 7.

So, I am all out of ideas and turning to the experts here to see if you have any ideas on how I could approach this problem.

Vitani

2 Answers


I suspect that this would have to be implemented on a lower, driver level. I suspect that there is commercial software available for this.

Optical drives usually use FAT(32) as the file system, which, as you already noticed, doesn't support auditing. You could of course audit the local file system, but that wouldn't let you distinguish write access that originates from an optical drive.

I would install Process Monitor from SysInternals to see if it reports file transfers from the optical drive; it should. It'd give you a starting point.

I personally don't think that this is an easy endeavor since you'll need to install and interact with a driver.

Maybe somebody else has another idea.

Lucky Luke
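The Process Monitor suggestion above stops at "see if it reports file transfers"; the step the question actually needs is turning those reports into Event Log entries. The script below is an added example, not code from the question or from either answer. It post-processes a Process Monitor CSV export, keeps only successful CreateFile/ReadFile operations whose path sits on an optical drive letter (DriveType 5 in WMI), and writes one Application-log event per distinct process/path pair. Everything not stated on the page is an assumption: the Procmon CSV column names ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"), the event source name "OpticalMediaAudit", event ID 4100, and the constructed sample rows in which D: stands in for the optical drive. Registering the event source requires an elevated prompt once.

```powershell
# Added example (not from the original post or answers). Post-processes a
# Process Monitor CSV export and writes one Application-log event per distinct
# file that a process opened or read from an optical drive.
# Assumptions: Procmon CSV columns "Time of Day","Process Name","PID",
# "Operation","Path","Result","Detail"; source name and event ID are arbitrary.
param(
    [string]$CsvPath = ''    # Procmon CSV export; empty string runs the built-in sample
)

$LogName = 'Application'
$Source  = 'OpticalMediaAudit'   # hypothetical source name for this example
$EventId = 4100                  # arbitrary event ID for this example

function Register-AuditSource {
    # One-time registration (needs admin); SourceExists keeps a second run from failing.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }
}

function Get-OpticalDriveLetters {
    # Win32_LogicalDisk DriveType 5 = CD-ROM/DVD/BD. Get-WmiObject exists on
    # Windows 7 / PowerShell 2.0, unlike the newer Get-CimInstance.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=5' |
        ForEach-Object { $_.DeviceID.Substring(0, 1).ToUpper() }
}

function Select-OpticalAccess {
    param([object[]]$Rows, [string[]]$Letters)
    if (-not $Letters) { return @() }        # no optical drive present: nothing can match
    $letterClass = ($Letters -join '').ToUpper() -replace '[^A-Z]', ''
    $pattern = '^[' + $letterClass + ']:\\'  # -match is case-insensitive by default
    # CreateFile covers "open"; ReadFile covers programs (and Explorer copies) that
    # read and close without keeping a handle open, which defeated the process-list approach.
    $Rows | Where-Object {
        $_.Path -and
        $_.Result -eq 'SUCCESS' -and
        ($_.Operation -eq 'CreateFile' -or $_.Operation -eq 'ReadFile') -and
        $_.Path -match $pattern
    }
}

function Write-OpticalAccessEvents {
    param([object[]]$Hits)
    $seen = @{}                              # one event per (PID, path), not per ReadFile call
    foreach ($h in $Hits) {
        $key = "$($h.PID)|$($h.Path)"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        $msg = "Optical media file access by $env:USERDOMAIN\$env:USERNAME: " +
               "process=$($h.'Process Name') pid=$($h.PID) op=$($h.Operation) " +
               "path=$($h.Path) time=$($h.'Time of Day')"
        Write-EventLog -LogName $LogName -Source $Source -EventId $EventId `
                       -EntryType Information -Message $msg
    }
    return $seen.Count
}

# Constructed sample rows in Procmon CSV export layout; D: stands in for the optical drive.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","notepad.exe","1234","CreateFile","D:\docs\plan.txt","SUCCESS","Desired Access: Generic Read"
"10:01:02.2234567","notepad.exe","1234","ReadFile","D:\docs\plan.txt","SUCCESS","Offset: 0, Length: 4,096"
"10:01:03.0000000","explorer.exe","888","ReadFile","D:\docs\budget.xlsx","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.5000000","explorer.exe","888","WriteFile","C:\Users\x\Desktop\budget.xlsx","SUCCESS","Offset: 0, Length: 65,536"
"10:01:04.0000000","AcroRd32.exe","2048","CreateFile","D:\docs\manual.pdf","NAME NOT FOUND","Desired Access: Generic Read"
'@

Register-AuditSource
if ($CsvPath) {
    $rows    = Import-Csv -Path $CsvPath
    $letters = @(Get-OpticalDriveLetters)
} else {
    $rows    = $sample | ConvertFrom-Csv
    $letters = @('D')                        # the sample assumes D: is the optical drive
}
$hits  = @(Select-OpticalAccess -Rows $rows -Letters $letters)
$count = Write-OpticalAccessEvents -Hits $hits
"Logged $count distinct optical-media file access(es) to the $LogName log."
```

The de-duplication on (PID, path) matters in practice: a single copy from disc produces many ReadFile rows, and logging each one would flood the Application log. Filtering on Result = SUCCESS drops failed opens such as the NAME NOT FOUND row in the sample. This remains a post-processing step on a Procmon capture, not a service, and it inherits Procmon's requirements (an interactive, elevated session); a .NET service that must do this continuously on Windows 7 without Procmon is back to the driver-level territory the answer describes.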

Since Windows doesn't have file system hooks like most UNIX systems do, but malware authors somehow knew how to hide themselves by hooking into syscalls (aka rootkits), you may want to look into how rootkits work.

You can write a library that hooks into the file open syscall and generate event log entries there. Then write a program to load this library into the system automatically.

Bonus point if you can make this entire logging mechanism hidden, true rootkit style.

Maxthon Chan