
RE: Complex file searches on forensic Image

Subject: RE: Complex file searches on forensic Image
Date: Thu, 4 Nov 2004 08:25:59 -0500
You can use strings and grep to look through an image and do pattern
matching.  One option would be to pull it into Autopsy but if you don't
have Autopsy, just make an image and run it through strings and grep.
In your example, you're looking for SS#s and credit card numbers.  Using
Autopsy is the best way to do it but here's an example of what it looks
like under the hood...and this could work for a quick'n'dirty retrieval
of the info.  I've done it something like this:
- make the image
dd if=/dev/hda of=drive.img
- look for an SS# in the pattern of 123-12-1234
strings drive.img | grep "[0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]"
- look for an SS# in the pattern of 123121234 (no hyphen)
strings drive.img | grep "[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]"
- look for a credit card number in the pattern of 123412341234 (no hyphen)
strings drive.img | grep "[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]"

You can basically do the same thing for credit card numbers.  I recently
did this on an image that hosted some e-commerce web sites.  The
application vendor insisted that there was no credit card data stored on
the server....well, that was kind of true as the database was on another
box.  I did find credit card info in temp files using the above method.

Obviously this will pull out things other than just credit card numbers.
I actually piped this to a file and let it run for a half-day or so and
then reviewed the log file.  When I found numbers that looked like
credit card numbers, I ran THC's credit card verification program to
identify the numbers.  Then you could use strings & less to chew through
the drive and find the data, but to get the data around the credit
card number, Autopsy really will be a big help because it will make it
much easier to pull out blocks before and after the block(s) in
question.


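As an added example (not code from the original post), here is the same strings | grep pass above written as a small POSIX shell script, run against a constructed sample file that stands in for the strings output of an image. It generalizes the fixed-width patterns in the post to hyphenated or nine-digit SSN shapes and to 13 to 19 digit card-length runs, and a Luhn checksum stands in for the credit card verification step the post mentions, since the post names the tool but not its method. The sample data, file names and function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. A constructed sample
# file stands in for a disk image; the patterns generalize the fixed
# width ones in the post, and a Luhn checksum stands in for the credit
# card verification step. File and function names are assumptions.

# Write constructed sample data (not from a real image) to the given path
# and print that path. Mixes two SSN-shaped numbers, one Luhn-valid card
# test number, one near miss, and a 16-digit serial that fails Luhn.
make_sample_image() {
    img=$1
    {
        printf 'customer=John Doe ssn=123-45-6789\n'
        printf 'backup ssn 987654321 noted\n'
        printf 'order 1182 card 4111111111111111 exp 12/06\n'  # Luhn ok
        printf 'order 1183 card 4111111111111112 exp 01/07\n'  # Luhn fails
        printf 'serial 1234567890123456\n'                      # Luhn fails
    } > "$img"
    printf '%s' "$img"
}

# Printable strings from the image; fall back to cat where binutils'
# strings(1) is not installed (the sample is plain text anyway).
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        cat "$1"
    fi
}

# SSN-shaped candidates: 123-12-1234 or 123121234, bounded by non-digits
# so a 9-digit run inside a longer number is not reported.
find_ssn_candidates() {
    extract_strings "$1" \
        | grep -oE '(^|[^0-9])([0-9]{3}-[0-9]{2}-[0-9]{4}|[0-9]{9})($|[^0-9])' \
        | tr -dc '0-9\n-'
}

# Card-shaped candidates: any 13 to 19 digit run, again bounded.
find_card_candidates() {
    extract_strings "$1" \
        | grep -oE '(^|[^0-9])[0-9]{13,19}($|[^0-9])' \
        | tr -dc '0-9\n'
}

# Luhn checksum: from the right, double every second digit, subtract 9
# from results above 9, sum, and require sum % 10 == 0. Returns 0 (true)
# for a valid checksum. Pure POSIX sh, so no local variables.
luhn_ok() {
    n=$1
    sum=0
    double=0
    while [ -n "$n" ]; do
        d=${n#"${n%?}"}     # last digit
        n=${n%?}            # drop it
        if [ "$double" -eq 1 ]; then
            d=$((d * 2))
            if [ "$d" -gt 9 ]; then d=$((d - 9)); fi
        fi
        sum=$((sum + d))
        double=$((1 - double))
    done
    [ $((sum % 10)) -eq 0 ]
}

# Card candidates that pass Luhn; the rest are almost certainly noise.
luhn_valid_cards() {
    find_card_candidates "$1" | while IFS= read -r c; do
        if luhn_ok "$c"; then printf '%s\n' "$c"; fi
    done
}

# Demo against the constructed sample.
sample=$(make_sample_image "$(mktemp)")
echo "SSN-shaped strings:"
find_ssn_candidates "$sample"
echo "Luhn-valid card-shaped strings:"
luhn_valid_cards "$sample"
rm -f "$sample"
```

On a real image you would point extract_strings at drive.img and redirect the candidate lists to files for review, as the post describes; the Luhn pass only discards obvious noise, and every survivor still needs the surrounding blocks inspected to confirm what it actually is.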


-----Original Message-----
From: Roger Padilla [mailto:roger.pa@verizon.net] 
Sent: Wednesday, November 03, 2004 5:59 PM
To: forensics@securityfocus.com
Subject: FW: Complex file searches on forensic Image


Per recommendation, I am submitting this request to this group.
Additionally, the search that I need to perform needs (if possible) to
be able to look within the files.  Thanks.


~~~~~~~~~~~~~~~~~~~~
Roger Padilla, Jr.
Technical Consulting
(805) 934-2249
roger.pa@verizon.net
~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: Roger Padilla [mailto:roger.pa@verizon.net] 
Sent: Wednesday, November 03, 2004 2:25 PM
To: focus-virus@securityfocus.com
Subject: Complex file searches on forensic Image

I am currently in the process of analyzing a hard drive that was found
to contain personal data which may have been harvested.  Per California
Senate Bill 1386 -- the organization I am performing the analysis for
(ok, I work for this company who is reluctant to buy the forensic
software) is required by law to notify all individuals whose personal
information may have been acquired.  There are several thousand files on
this drive that will need to be investigated -- is there any open source
software that would allow me to do a complex file search using wildcards
to look for such information as social security numbers?  For example,
search for strings matching ***-**-**** or ss#.  Also there are several
Access databases that will need to be researched -- will these need to
be opened by a database program, or could a product like EnCase perform
this search?  Any recommendations would be greatly appreciated.
 
~~~~~~~~~~~~~~~~~~~~
Roger Padilla, Jr.
Technical Consulting
(805) 934-2249
roger.pa@verizon.net
~~~~~~~~~~~~~~~~~~~~



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com




