Is there any way I can store evidence for users who save data to their mobile devices?
I was able to set up a device rule which lets me know when a mobile device is plugged into and unplugged from the machine. However, I don't seem to be able to get it to store evidence if a user saves files to their device.
I am successfully monitoring and storing evidence when users write data to an external drive like a flash drive. I originally assumed that mobile devices would be treated as storage devices and would fall under my default "Monitor and Store Evidence" Protection Rule, but that does not seem to be the case.
I'm not seeing a way for me to add the PnP Definition to the Protection Rules so that I can store evidence for these devices, only a Removable Storage Protection rule, which doesn't let me select Device Classes.
Any help would be greatly appreciated. Hopefully I worded this correctly.
Edited: Formatting on 7/10/13 2:32:01 PM CDT
Depends on what the mobile device shows up as to the OS. If the mobile device shows up as regular removable storage media, then a Removable Storage Protection rule can be used to monitor file copy.
If not, you are limited to blocking the device itself using Device rules.
I had a feeling this was the case.
I'm assuming it's not going to show up as a regular removable storage media. If it were, my existing rules would have been giving me evidence.
Thank you for the fast reply Vimalnavis!
Just a thought, why not block iTunes etc.? Unless there's a compelling reason for your people to be syncing data to their phones etc.?
DLP 9.3.1 allows for the creation of Protection Rules that can now monitor data being copied to MTP devices. If you have tagged or classified data, you can even prevent writing to such devices now. Be aware that Protection Rules are blanket rules that will cover ALL removable storage, including your approved USBs (exempted by VID/PID, serial number or being EERM-encrypted).
Removable Storage Protection rules have always had blanket coverage. The MTP support for RSP vs. RSD is what introduces the caveat/challenge.