USB Blocker for Corporate Espionage Investigations

Corporate espionage and insider data exfiltration investigations frequently involve USB removable media. An employee suspected of stealing intellectual property typically reaches for a USB drive because it is the simplest exfiltration channel that bypasses both the email gateway and cloud-upload monitoring. The Sherlock USB Blocker prevents the exfiltration at the kernel layer and produces a tamper-evident event log that supports forensic investigation if the policy was bypassed or a different host was used. This guide covers the USB exfiltration threat model, the scope of the USB Blocker's capabilities and the forensic value of the event log.

The USB exfiltration threat model

Corporate espionage typically involves a person with authorized access who chooses to transfer information out of the organization. The motivations vary (competitive advantage at a new employer, third-party payment, personal grievance, regulatory complaint preparation) but the technical pattern is consistent: the actor needs to move data from a corporate-controlled system to an actor-controlled location.

USB drives are the most common physical exfiltration channel because:

USB drives bypass most monitoring. Email gateways watch attachments, cloud upload monitoring watches HTTP POSTs to cloud services, but USB writes happen at the OS file system layer where most monitoring stacks have weaker visibility.

USB drives are physical and untraceable. A USB drive walked out of the building cannot be remotely revoked or wiped. Cloud uploads can be traced through service provider records; USB drives cannot.

USB drives are commonly authorized. Most organizations allow USB drive use for legitimate purposes (presentation files, software installation, customer file transfers). The presence of USB drive usage is not by itself suspicious.

USB drives scale to substantial data volumes. A modern USB-C drive can hold multiple terabytes, enough for source code, customer databases, product designs, financial records and other high-value categories.

The defensive challenge is that legitimate USB use and malicious USB exfiltration look identical at the surface level. Distinguishing them requires either kernel-level visibility (the USB Blocker approach) or post-incident forensic analysis of the workstation.

What the Sherlock USB Blocker does

The Sherlock USB Blocker sits at the kernel layer on the Windows workstation and enforces USB device policy. The Pro tier includes:

Mass storage block: USB drives are denied at the kernel layer before the file system mounts. The denial is enforced regardless of which user is logged in, which application requests the access and whether the user has local administrator rights. Bypassing the block requires bypassing the kernel.

MTP and phone tethering block: Android and iOS devices commonly mount as MTP (Media Transfer Protocol) volumes when connected. The USB Blocker treats MTP as removable media and blocks it, cutting off the phone-to-workstation file transfer path.

HID injection block: rubber ducky-class devices masquerade as keyboards to inject malicious commands. The USB Blocker can deny new HID devices to prevent this attack class.

Tamper-evident event log: every USB connection attempt, allowed or denied, is logged with timestamp, device VID:PID, serial number, action taken and the operator identity if an operator intervened. The log is cryptographically signed for tamper detection.

Policy export: the USB Blocker policy and event log can be exported for compliance documentation, post-incident review and litigation evidence.
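The tamper-evident log described above is the piece an investigator relies on, so it is worth seeing what "cryptographically signed for tamper detection" has to mean in practice. The following is an added example, not the Sherlock USB Blocker's on-disk format or code: it keeps the fields the page names (timestamp, VID:PID, serial, action, operator), chains each record's HMAC to the previous one, and shows that editing or deleting a record breaks verification. The key, record layout and sample events are constructed for the demonstration.

```python
"""Hash-chained, HMAC-signed USB event log: append, verify, detect tampering.

Added example. The record layout, chaining scheme and key handling are
assumptions, not the Sherlock USB Blocker's actual implementation.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed signing key. A real deployment keeps the key where the
# workstation user cannot read it (server-held or hardware-sealed), otherwise
# an insider with local admin could re-sign an edited log.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

FIELDS = ("ts", "vid_pid", "serial", "action", "operator")
GENESIS = "0" * 64  # previous-MAC value for the first record


def canonical(record: Dict[str, str]) -> bytes:
    """Deterministic encoding of the logged fields so MACs are reproducible."""
    return json.dumps({k: record[k] for k in FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()


def append_record(log: List[Dict[str, str]], record: Dict[str, str],
                  key: bytes = SIGNING_KEY) -> Dict[str, str]:
    """Append a record whose MAC covers its own fields and the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    mac = hmac.new(key, prev.encode() + canonical(record), hashlib.sha256).hexdigest()
    signed = dict(record, prev=prev, mac=mac)
    log.append(signed)
    return signed


def verify_log(log: List[Dict[str, str]], key: bytes = SIGNING_KEY) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record.

    A modified field changes the recomputed MAC; a deleted or reordered record
    breaks the prev-MAC link of the record that follows it.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = hmac.new(key, prev.encode() + canonical(rec), hashlib.sha256).hexdigest()
        if rec.get("prev") != prev or not hmac.compare_digest(rec.get("mac", ""), expected):
            return i
        prev = rec["mac"]
    return None


def build_sample_log() -> List[Dict[str, str]]:
    """Constructed events in the shape the page describes."""
    log: List[Dict[str, str]] = []
    events = [
        {"ts": "2024-03-04T09:12:03Z", "vid_pid": "0781:5581",
         "serial": "4C530001234567890123", "action": "denied", "operator": ""},
        {"ts": "2024-03-04T09:13:40Z", "vid_pid": "0781:5581",
         "serial": "4C530001234567890123", "action": "denied", "operator": ""},
        {"ts": "2024-03-04T10:02:11Z", "vid_pid": "046d:c52b",
         "serial": "", "action": "allowed", "operator": "helpdesk\\jdoe"},
    ]
    for ev in events:
        append_record(log, ev)
    return log


def tamper_demo() -> Optional[int]:
    """Flip a denied event to 'allowed' after the fact and report where verification fails."""
    log = build_sample_log()
    log[1]["action"] = "allowed"
    return verify_log(log)


if __name__ == "__main__":
    print("intact log:", verify_log(build_sample_log()))        # None
    print("first bad record after edit:", tamper_demo())        # 1
```

One caveat a reviewer of any such scheme should raise: a hash chain detects edits, deletions and reordering inside the log, but not truncation of the tail (dropping the most recent records leaves a valid shorter chain). Detecting that needs a monotonic record counter or periodic anchoring of the latest MAC to a server the workstation cannot write.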

What kernel-level USB blocking catches and does not catch

USB blocking is a control surface, not a complete data exfiltration prevention. Practitioners need to calibrate expectations:

What it does catch:

(1) USB mass storage write attempts on the protected workstation,

(2) Phone-to-workstation file transfer attempts via MTP,

(3) Rubber ducky-class HID injection attacks,

(4) USB Wi-Fi adapters used to bypass network controls,

(5) USB-attached storage controllers in laptops with the workstation device policy applied.

What it does not catch:

(1) Network exfiltration paths (cloud upload, email attachment, encrypted tunnel),

(2) Data printed to paper and carried out,

(3) Data photographed off the screen with a personal phone (out-of-band),

(4) Exfiltration from a workstation that does not have the USB Blocker deployed (BYOD, contractor laptop, etc.),

(5) Data already exfiltrated before USB Blocker was deployed.

Investigation workflow when USB exfiltration is suspected

The forensic investigation workflow when an insider is suspected of USB exfiltration:

Preserve the workstation with chain of custody: the suspect's workstation is preserved through forensic acquisition. The Sherlock Disk Imager handles the acquisition with hash verification and manifest documentation suitable for litigation.

Extract USB Blocker event log: if the USB Blocker was deployed, its tamper-evident event log shows every USB connection attempt during the relevant period. Denied attempts are particularly telling: a series of denied attempts to write large datasets to USB indicates intent even if the exfiltration was blocked.

Extract Windows registry USB history: Windows tracks USB device connection history in registry hives (SYSTEM\CurrentControlSet\Enum\USBSTOR and related keys). Even without the USB Blocker, the registry preserves a record of every USB storage device ever connected and when. The Sherlock Universal Events Viewer can correlate these registry artifacts with Windows event log entries to construct a timeline.

Extract Windows event log: Event ID 6416 (Plug and Play device detected) and 4663 (object access) entries add forensic timeline detail. The combined view answers when suspect USB drives connected, what they appeared as and which files were potentially written.

Extract file system journal: the NTFS Master File Table and its $LogFile journal record file activity in a way that survives many user attempts at deletion. Recent file writes to USB drive mount points surface here.

Cross-correlate with browser forensics: the Sherlock Browser Viewer recovers browser history and download records. Cloud upload activity (personal Dropbox, personal Google Drive, file.io, WeTransfer) often precedes or follows USB activity as the actor explores multiple exfiltration channels.

Examiner report: the forensic examiner produces a written report covering the acquisition method, the artifacts recovered, the timeline reconstruction and findings. The report is signed and accompanies the litigation evidence.
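The registry and event-log steps of the workflow above are the ones that can be worked through concretely. The following is an added example, not Sherlock Universal Events Viewer code: it parses USBSTOR instance keys in the layout Windows uses (Disk&Ven_vendor&Prod_product&Rev_rev\serial&instance), merges them with Event ID 6416 entries into one timeline, and lists the storage serials corroborated by both sources. The registry keys, timestamps and event records are constructed; the field names follow the Windows conventions but the exact values are illustrative.

```python
"""Correlate USBSTOR registry artifacts with Event ID 6416 entries into a timeline.

Added example. All registry and event data below is constructed; on a real
image the USBSTOR keys come from the SYSTEM hive and the events from the
Security log (Event 6416 is only written when "Audit PnP Activity" is enabled).
"""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed subkeys as they would appear under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, each with the instance key's
# last-write time standing in for the connect timestamp.
USBSTOR = {
    r"Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0": "2024-03-04T09:12:01Z",
    r"Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\E0D55EA573DCF3A0B4B3D4AF&0": "2024-03-04T09:20:45Z",
}

# Constructed Security-log entries, Event ID 6416 ("A new external device was recognized").
EVENTS_6416 = [
    {"time": "2024-03-04T09:12:02Z", "SubjectUserName": "asmith", "ClassName": "DiskDrive",
     "DeviceId": r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0"},
    {"time": "2024-03-04T09:20:46Z", "SubjectUserName": "asmith", "ClassName": "DiskDrive",
     "DeviceId": r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\E0D55EA573DCF3A0B4B3D4AF&0"},
    {"time": "2024-03-04T11:05:00Z", "SubjectUserName": "asmith", "ClassName": "HIDClass",
     "DeviceId": r"USB\VID_046D&PID_C52B\6&1a2b3c4d&0&2"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_usbstor_key(key: str) -> Dict[str, str]:
    """Split a USBSTOR 'device\\instance' key into vendor, product, revision and serial."""
    device, _, instance = key.partition("\\")
    # "Disk&Ven_X&Prod_Y&Rev_Z" -> {"Ven": X, "Prod": Y, "Rev": Z}; the leading "Disk" is skipped
    parts = dict(p.split("_", 1) for p in device.split("&")[1:])
    serial = instance.rsplit("&", 1)[0]  # drop the trailing "&<instance>" suffix
    return {"vendor": parts.get("Ven", ""), "product": parts.get("Prod", ""),
            "revision": parts.get("Rev", ""), "serial": serial}


def build_timeline() -> List[Tuple[datetime, str, str]]:
    """Merge both evidence sources into one sorted (time, source, description) list."""
    rows: List[Tuple[datetime, str, str]] = []
    for key, last_write in USBSTOR.items():
        d = parse_usbstor_key(key)
        rows.append((_ts(last_write), "registry/USBSTOR",
                     f"{d['vendor']} {d['product']} serial={d['serial']}"))
    for ev in EVENTS_6416:
        dev = ev["DeviceId"]
        if dev.startswith("USBSTOR\\"):
            d = parse_usbstor_key(dev.split("\\", 1)[1])
            desc = (f"mass storage {d['vendor']} {d['product']} "
                    f"serial={d['serial']} user={ev['SubjectUserName']}")
        else:
            desc = f"{ev['ClassName']} device {dev} user={ev['SubjectUserName']}"
        rows.append((_ts(ev["time"]), "eventlog/6416", desc))
    return sorted(rows)


def storage_serials_seen() -> List[str]:
    """Serials of mass-storage devices present in both the registry and the event log."""
    reg = {parse_usbstor_key(k)["serial"] for k in USBSTOR}
    evt = {parse_usbstor_key(e["DeviceId"].split("\\", 1)[1])["serial"]
           for e in EVENTS_6416 if e["DeviceId"].startswith("USBSTOR\\")}
    return sorted(reg & evt)


if __name__ == "__main__":
    for when, source, desc in build_timeline():
        print(when.isoformat(), source, desc)
    print("corroborated serials:", storage_serials_seen())
```

A check worth building into any such correlation: a serial whose second character is "&" (as in the HID entry above) was generated by Windows because the device reported none, so it identifies a port path rather than a physical device and cannot be matched across hosts. Registry last-write times are also overwritten on each reconnect, which is why the event-log entries, not the hive, carry the per-connection history.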

Common findings in USB exfiltration investigations

Across casework Sherlock Forensics has supported, several patterns recur:

The suspect tested multiple USB drives. Insider data exfiltration often involves the actor trying multiple USB drives until one is allowed by policy or until the actor finds one with sufficient capacity. The pattern of multiple device VID:PID values in short succession is a behavioral signal.

The pre-departure surge. Most USB exfiltration concentrates in the final weeks before the actor's departure (resignation, termination, planned exit). USB activity that surges 2-4 weeks before departure and correlates with downloads of high-value files from corporate systems is the canonical pattern.
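The two findings above, several distinct devices tried in quick succession and a surge in the weeks before departure, are both simple to express as detection logic over the event log. The following is an added example, not product code: it runs over constructed USB events (timestamp, user, VID:PID, action), reports bursts of distinct VID:PIDs per user within a short window, and compares the final weeks before a departure date with the user's earlier weekly rate. The window, device count and surge ratio are assumptions a program would tune, not values from the page.

```python
"""Behavioral signals over USB events: device cycling and pre-departure surge.

Added example. Events, departure date and thresholds are constructed;
the detections are meant as triage signals for an investigator, not verdicts.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

Event = Tuple[str, str, str, str]  # (iso timestamp, user, VID:PID, action)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


DEPARTURE = _ts("2024-03-15T00:00:00Z")  # constructed resignation date for "asmith"

# Constructed log: a quiet baseline, then four different drives tried within
# minutes after the first denial, then repeated evening attempts before departure.
EVENTS: List[Event] = [
    ("2024-01-10T10:00:00Z", "asmith", "0781:5581", "allowed"),
    ("2024-01-24T14:30:00Z", "asmith", "0781:5581", "allowed"),
    ("2024-02-07T09:15:00Z", "asmith", "0781:5581", "allowed"),
    ("2024-03-04T09:12:03Z", "asmith", "0781:5581", "denied"),
    ("2024-03-04T09:13:40Z", "asmith", "0951:1666", "denied"),
    ("2024-03-04T09:15:22Z", "asmith", "090c:1000", "denied"),
    ("2024-03-04T09:18:05Z", "asmith", "13fe:4300", "denied"),
    ("2024-03-05T18:40:00Z", "asmith", "13fe:4300", "denied"),
    ("2024-03-06T19:02:00Z", "asmith", "13fe:4300", "denied"),
    ("2024-03-11T21:15:00Z", "asmith", "0781:5581", "denied"),
    ("2024-02-20T11:00:00Z", "bjones", "046d:c52b", "allowed"),
]


def device_cycling(events: List[Event], window: timedelta = timedelta(minutes=15),
                   min_devices: int = 3) -> List[Dict[str, object]]:
    """One finding per user per burst in which >= min_devices distinct VID:PIDs appear inside `window`."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = {}
    for ts, user, vid_pid, _ in sorted(events):  # ISO timestamps sort lexicographically
        by_user.setdefault(user, []).append((_ts(ts), vid_pid))
    findings: List[Dict[str, object]] = []
    for user, rows in by_user.items():
        i = 0
        while i < len(rows):
            start = rows[i][0]
            in_window = [vp for t, vp in rows[i:] if t - start <= window]
            distinct = sorted(set(in_window))
            if len(distinct) >= min_devices:
                findings.append({"user": user, "start": start.isoformat(), "devices": distinct})
                i += len(in_window)  # skip past the burst so it is reported once
            else:
                i += 1
    return findings


def pre_departure_surge(events: List[Event], user: str, departure: datetime,
                        weeks_before: int = 2, ratio: float = 3.0) -> Dict[str, object]:
    """Compare events/week in the final `weeks_before` weeks with the user's earlier weekly average."""
    counts: Counter = Counter()
    for ts, u, _, _ in events:
        if u == user:
            counts[(departure - _ts(ts)).days // 7] += 1  # 0 = final week before departure
    if not counts:
        return {"recent_per_week": 0.0, "baseline_per_week": 0.0, "surge": False}
    recent = [counts[w] for w in range(weeks_before)]
    earlier = [counts[w] for w in range(weeks_before, max(counts) + 1)]
    baseline = sum(earlier) / len(earlier) if earlier else 0.0
    recent_rate = sum(recent) / weeks_before
    return {"recent_per_week": recent_rate, "baseline_per_week": baseline,
            "surge": baseline > 0 and recent_rate >= ratio * baseline}


if __name__ == "__main__":
    for f in device_cycling(EVENTS):
        print("device cycling:", f)
    print("asmith surge:", pre_departure_surge(EVENTS, "asmith", DEPARTURE))
    print("bjones surge:", pre_departure_surge(EVENTS, "bjones", DEPARTURE))
```

Both signals are deliberately coarse: a helpdesk technician imaging laptops will trip the device-cycling rule, and a user who only recently joined has no baseline for the surge comparison (the function reports no surge rather than dividing by zero). They are meant to rank cases for the examiner, who then applies the file-level and cross-channel correlation the workflow above describes.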

The cross-channel attempt. Insiders often try multiple exfiltration channels in parallel. USB attempts often correlate with cloud upload attempts, large email attachment attempts and print job spikes within hours of each other.

The cover behavior. Sophisticated insiders attempt to disguise USB activity as legitimate work (presentation file transfers, customer file deliveries). Examination of the actual files transferred and correlation with their stated business purpose surfaces the cover behavior.

The deleted-and-forgotten artifact. Insiders sometimes delete USB drive connection records, browser history or recent-file lists thinking the trail is gone. The registry artifacts and file system journal survive most casual deletion attempts. The forensic recovery surfaces what the actor thought they had erased.

What this means for insider threat program planning

The mistake insider threat programs make is treating USB device control as either fully sufficient or fully irrelevant. Neither is correct. The USB Blocker prevents one category of exfiltration and produces a tamper-evident log that supports forensic investigation. It does not prevent all exfiltration. Layered with email gateway, cloud upload monitoring, endpoint DLP and periodic forensic audit, USB control is a meaningful component of the defense.

The honest practitioner posture is to deploy the USB Blocker on the workstations handling high-value data and combine it with forensic acquisition capability for incident response. The combination prevents the most common physical exfiltration channel and enables a defensible investigation when the policy is bypassed or when exfiltration occurred before deployment.

The Sherlock Forensics services practice supports insider threat investigations across mid-market and enterprise customers. The forensic toolchain includes the Sherlock Disk Imager for workstation acquisition with chain of custody, the Sherlock USB Blocker for kernel-level USB control with tamper-evident logging, the Sherlock Universal Events Viewer for event log timeline reconstruction, the Sherlock Browser Viewer for cloud-channel cross-correlation, and the Sherlock PST Viewer for email correspondence forensics in the same investigation.

Talk to our team about insider threat investigation, data exfiltration forensic support or USB device control program design.

USB exfiltration is the most common physical insider data theft channel. Get the Sherlock USB Blocker for kernel-level USB control with tamper-evident logging. Talk to our team about insider threat investigation support.