Roger:
FTimes will allow you to search for this type of stuff. You can
even conduct searches by inserting a single binary on many systems
(we have done 500+) looking for specific data. While I understand
you are looking at a single disk, I'd suggest you check out FTimes
for the next time you are looking for data within a network
(not just a single disk) and need to perform a holistic search
of all file system space.
It's much better to determine the data you are looking for and
run these search patterns across *all* the systems, not just the
ones you think have been compromised. In just about every IR
event I've done, doing a full network file system search turns
up new cracked boxes or places the attacker stored data which
never would have been identified from forensic evidence contained
on the known compromised machines and logs (or lack thereof) the
company maintains.
From the hipdig.pl perldoc on the FTimes project site:
http://ftimes.sourceforge.net/FTimes/index.shtml
Specifies the type of search that is to be conducted. Currently,
the following types are supported: HOST, IP, PASS|PASSWORD, SSN|SOCIAL,
T1|TRACK1, T1S|TRACK1-STRICT, T2|TRACK2, and T2S|TRACK2-STRICT.
The default value is IP. The value for this option is not case
sensitive.
TRACK1 and TRACK2 are credit card search functions.
Thanks,
Jon
On 03-Nov-2004, Roger Padilla wrote:
Per recommendation, I am submitting this request to this group.
Additionally, the search that I need to perform needs (if possible) to be
able to look within the files. Thanks.
~~~~~~~~~~~~~~~~~~~~
Roger Padilla, Jr.
Technical Consulting
(805) 934-2249
roger.pa@verizon.net
~~~~~~~~~~~~~~~~~~~~
-----Original Message-----
From: Roger Padilla [mailto:roger.pa@verizon.net]
Sent: Wednesday, November 03, 2004 2:25 PM
To: focus-virus@securityfocus.com
Subject: Complex file searches on forensic Image
I am currently in the process of analyzing a hard drive that was found to
contain personal data which may have been harvested. Per California Senate
bill 1386 -- the organization I am performing the analysis (ok, I work for
this company who is reluctant to buy the forensic software) for is required
by law to notify all individuals whose personal information may have been
acquired. There are several thousand files on this drive that will need to
be investigated -- is there any open source software that would allow me to
do a complex file search using wildcards to look for such information as
social security numbers. For example search for strings matching
***-**-**** or ss#. Also there are several Access databases that will need
to be researched -- will these need to be opened by a database program, or
could a product like encase perform this search? Any recommendations would
be greatly appreciated.
~~~~~~~~~~~~~~~~~~~~
Roger Padilla, Jr.
Technical Consulting
(805) 934-2249
roger.pa@verizon.net
~~~~~~~~~~~~~~~~~~~~
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
