Drive Creation

The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB drive, network share, or external hard drive, so that its contents become accessible on the host system. Examples:

  • USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter E:\ on a Windows machine.
  • Network Drive Mapping: A network share \\server\share is mapped to the drive Z:\.
  • Virtual Drive Creation: A virtual disk is mounted on /mnt/virtualdrive using an ISO image or a virtual hard disk (VHD).
  • Cloud Storage Mounting: Google Drive is mounted as G:\ on a Windows machine using a cloud sync tool.
  • External Storage Integration: An external HDD or SSD is connected and assigned /mnt/external on a Linux system.

This data component can be collected through the following measures:

Windows Event Logs

  • Relevant Events:
    • Event ID 98 (Ntfs, System log): written when a volume is mounted and checked, which marks a mount or a new drive letter assignment.
    • Event ID 1006 (Microsoft-Windows-Partition/Diagnostic): written when a disk is attached, including removable storage; it describes the physical disk rather than the drive letter it receives, so pair it with a volume event when the drive letter matters.
  • Configuration: the Group Policy folder
    Computer Configuration > Administrative Templates > System > Removable Storage Access
    holds the read/write/execute restrictions for removable storage. Auditing of access to removable storage is enabled separately under Security Settings > Advanced Audit Policy Configuration > Object Access > Audit Removable Storage, which produces Security event 4663 entries for files on removable media.

Linux System Logs

  • Command-Line Monitoring: dmesg (or journalctl -k) shows the kernel attaching a block device (usb-storage, a new sd* disk); journalctl -u udisks2 shows the userland automount that follows.
  • Auditd Configuration: add a rule on the mount syscall (and umount2 for removals) with a key such as drive_creation so ausearch -k can pull the matching records. Each mount produces a SYSCALL record plus PROCTITLE/PATH records that share one audit(timestamp:serial) id, so the records must be joined on that id to recover the device and mount point.
  • Logs can be reviewed in /var/log/audit/audit.log, or with ausearch and aureport.

macOS System Logs

  • Unified Logs: monitor the unified log for mount activity from the com.apple.diskarbitration subsystem (diskarbitrationd), for example with log stream filtered on disk attach and mount messages.
  • Command-Line Tools: use diskutil list to verify newly created or mounted drives, and mount to list what is currently mounted.

Endpoint Detection and Response (EDR) Tools

  • EDR solutions can log removable drive usage and network-mounted drives. Configure EDR policies to alert on suspicious drive creation events.

SIEM Tools

  • Centralize logs from multiple platforms into a SIEM (e.g., Splunk) to correlate and alert on suspicious drive creation activities.
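One way to turn the Linux auditd and SIEM bullets above into working logic, as an added example that is not part of this page or of the project it describes: the script joins the multi-record auditd event produced by a mount-syscall rule (the rule key drive_creation and the x86_64 syscall number 165 are assumptions about how the rule was written), decodes the hex-encoded PROCTITLE to recover the device and mount point, reads a Windows Partition/Diagnostic 1006 event and a macOS diskarbitration line into the same record shape, and then runs the "Volume Mount + File Read" correlation listed in the log-source table. All log lines and file-read records are constructed for the example; the Windows field names and the macOS message wording are simplified stand-ins rather than exact vendor formats, and only the auditd layout follows the real on-disk format.

```python
"""Normalise drive-creation records from three log sources on this page (auditd SYSCALL,
Windows Partition/Diagnostic 1006, macOS diskarbitration) into one shape, then run the
"Volume Mount + File Read" correlation. All samples are constructed; only the auditd
layout (shared audit(ts:serial) id, hex PROCTITLE) follows the real on-disk format."""
import re
from dataclasses import dataclass
from datetime import datetime

@dataclass
class DriveEvent:
    ts: float         # epoch seconds
    source: str       # telemetry that produced the record
    device: str       # block device or disk identity
    mount_point: str  # path or drive letter; "" when the source does not carry it
    removable: bool   # per-parser heuristic

# Linux: assumes an audit rule on the mount syscall (165 on x86_64) keyed "drive_creation".
AUDITD_LINES = [
    'type=SYSCALL msg=audit(1700000000.101:4711): arch=c000003e syscall=165 success=yes '
    'exit=0 pid=2211 uid=0 auid=1000 comm="mount" exe="/usr/bin/mount" key="drive_creation"',
    # argv "mount\0/dev/sdb1\0/media/usb" is hex-encoded because it contains NUL bytes
    'type=PROCTITLE msg=audit(1700000000.101:4711): '
    'proctitle=6D6F756E74002F6465762F73646231002F6D656469612F757362',
]
# Windows: a 1006 event flattened to key=value by a forwarder (field names assumed).
WINEVENT_LINES = [
    'TimeCreated=1700000030 Channel=Microsoft-Windows-Partition/Diagnostic EventCode=1006 '
    'DiskNumber=2 Model="SanDisk Cruzer Blade" SerialNumber=4C530001 BusType=USB',
]
# macOS: one unified-log line from diskarbitrationd (message wording assumed).
MACOS_LINES = [
    '2023-11-14 22:13:45.000000+0000 0x2a1 Default 0x0 88 0 diskarbitrationd: '
    '[com.apple.diskarbitration] mounted disk2s1 at /Volumes/USBSTICK',
]
# (ts, path) file reads as an EDR or osquery file_events feed might deliver them.
FILE_READS = [
    (1700000012.5, "/media/usb/payload.sh"),
    (1700000040.0, "/Volumes/USBSTICK/Finance.xlsx"),
    (1700009000.0, "/media/usb/old.txt"),   # same volume, long after the mount
]

AUDIT_HDR = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
MACOS_RE = re.compile(r"^(\S+ \S+) .*diskarbitrationd.*mounted (\S+) at (\S+)$")

def kv(text):
    return {k: v.strip('"') for k, v in KV.findall(text)}

def parse_auditd(lines):
    """Join each event's records by (ts, serial), keep successful mounts, read argv."""
    events = {}
    for line in lines:
        m = AUDIT_HDR.match(line)
        if m:
            rtype, ts, serial, rest = m.groups()
            events.setdefault((float(ts), serial), {})[rtype] = kv(rest)
    out = []
    for (ts, _), recs in events.items():
        sc = recs.get("SYSCALL", {})
        if sc.get("syscall") != "165" or sc.get("success") != "yes":
            continue
        raw = recs.get("PROCTITLE", {}).get("proctitle", "")
        if re.fullmatch(r"[0-9A-Fa-f]+", raw):      # NUL-separated argv comes out as hex
            argv = bytes.fromhex(raw).decode(errors="replace").split("\0")
        else:                                       # printable argv is passed through quoted
            argv = raw.split()
        device, target = (argv[-2], argv[-1]) if len(argv) >= 3 else ("", "")
        removable = target.startswith(("/media/", "/run/media/"))  # udisks automount roots
        out.append(DriveEvent(ts, "auditd:SYSCALL", device, target, removable))
    return out

def parse_windows(lines):
    """1006 says which disk was attached, not which drive letter it received."""
    out = []
    for f in map(kv, lines):
        if f.get("EventCode") == "1006":
            device = f"disk{f.get('DiskNumber', '?')} {f.get('Model', '')} sn={f.get('SerialNumber', '')}"
            out.append(DriveEvent(float(f["TimeCreated"]), "WinEventLog:Partition/Diagnostic",
                                  device, "", f.get("BusType") == "USB"))
    return out

def parse_macos(lines):
    out = []
    for m in filter(None, map(MACOS_RE.match, lines)):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f%z").timestamp()
        out.append(DriveEvent(ts, "macos:unifiedlog", m.group(2), m.group(3),
                              m.group(3).startswith("/Volumes/")))
    return out

def collect_all():
    return parse_auditd(AUDITD_LINES) + parse_windows(WINEVENT_LINES) + parse_macos(MACOS_LINES)

def correlate_mount_then_read(drives, file_reads, window=60.0):
    """Flag a read under a fresh mount point within `window` s; no mount point, no match."""
    hits = []
    for d in drives:
        if not d.mount_point:
            continue
        prefix = d.mount_point.rstrip("/") + "/"
        for ts, path in file_reads:
            if path.startswith(prefix) and 0 <= ts - d.ts <= window:
                hits.append((d.source, d.mount_point, path, round(ts - d.ts, 1)))
    return hits
```

Running correlate_mount_then_read(collect_all(), FILE_READS) yields two alerts, one for the Linux mount and one for the macOS mount; the Windows 1006 record is skipped because it carries no mount point, which is the practical caveat: to correlate file reads on Windows you need the drive letter from a volume event (such as Ntfs event 98) alongside the disk-attach event.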

ID: DC0042
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name | Channel
auditd:SYSCALL | mknod,open,openat
auditd:SYSCALL | Removable media mount notification
auditd:SYSCALL | device event logs
auditd:SYSCALL | udev events or drive enumeration involving TinyPilot paths or device classes
auditd:SYSCALL | Kernel Device Events - USB Block Devices
Drive | None
journald:systemd | udisks2 or udevd logs
linux:osquery | mount_events
linux:syslog | Device attach logs containing TinyPilot/PiKVM identifiers
linux:syslog | New HID device enumeration with type 'keyboard' followed by immediate input injection
macos:unifiedlog | mounted|appeared|DA: disk* attached
macos:unifiedlog | com.apple.diskarbitration
macos:unifiedlog | Volume Mount + File Read
macos:unifiedlog | Hardware enumeration events via IOKit or USBMuxd showing TinyPilot or unknown keyboard/mouse
macos:unifiedlog | Volume Mount + Process Trace + File Read
macos:unifiedlog | log stream --predicate 'eventMessage contains "USBMSC"'
macos:unifiedlog | New IOUSB keyboard/HID device enumerated with suspicious attributes
macos:osquery | mount_events
WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational | EventCode=2003
WinEventLog:Microsoft-Windows-Partition/Diagnostic | EventCode=1006
WinEventLog:System | Kernel-PnP 410/400 device install, disk added
WinEventLog:System | EventCode=1006,10001
WinEventLog:System | EventCode=2003
WinEventLog:System | EventCode=20001/20003
WinEventLog:System | 20001-20003

Detection Strategy