Re: Complex file searches on forensic Image

Subject: Re: Complex file searches on forensic Image
Date: Mon, 08 Nov 2004 10:00:21 -0500
Hi Andy et al.

See http://www.beachnet.com/~hstiles/cardtype.html for all card prefixes....

/kess


At 12:31 11/06/2004 -0500, Andy wrote:

One way of reducing the false positives with this grep would be to
add [^0-9] to the beginning and end of the grep expression below. 
Anyone storing credit card numbers on disk would find it confusing 
to have another number concatenated with their credit card number. Also 
I believe that Visa, MC, and Discover use 4, 5 and 6 as the first digit
(I don't have an Amex around to check), so you could further reduce
the falses by limiting the first number to valid card numbers. Hope this
helps out.

                                                                       Andy Glass



On Thu, Nov 04, 2004 at 08:25:59AM -0500, Jerry Shenk wrote:
You can use strings and grep to look through an image and do pattern
matching.  One option would be to pull it into Autopsy but if you don't
have Autopsy, just make an image and run it through strings and grep.
In your example, you're looking for SS#s and credit card numbers.  Using
Autopsy is the best way to do it but here's an example of what it looks
like under the hood...and this could work for a quick'n'dirty retrieval
of the info.  I've done it something like this:
- make the image
dd if=/dev/hda of=drive.img
- look for an SS# in the pattern of 123-12-1234
strings drive.img | grep "[0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]"
- look for an SS# in the pattern of 123121234 (no hyphen)
strings drive.img | grep "[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]"
- look for a credit card # in the pattern of 123412341234 (no hyphen)
strings drive.img | grep "[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]"

You can basically do the same thing for credit card numbers.  I recently
did this on an image that hosted some e-commerce web sites.  The
application vendor insisted that there was no credit card data stored on
the server... well, that was kind of true as the database was on another
box.  I did find credit card info in temp files using the above method.

Obviously this will pull out things other than just credit card numbers.
I actually piped this to a file and let it run for a half-day or so and
then reviewed the log file.  When I found numbers that looked like
credit card numbers, I ran THC's credit card verification program to
identify the numbers.  Then you could use strings & less to chew through
the drive and find the data, but to get the data around the credit
card number, Autopsy really will be a big help because it will make it
much easier to pull out blocks before and after the block(s) in
question.





=========================================================================
Gary C. Kessler                                gary.kessler@champlain.edu
Associate Professor                                      Project Director
Program Dir., Computer & Digital Forensics           Information Security
Program Dir., Computer Networking         Vt. Information Technology Ctr.

Champlain College                                 Office: +1 802-865-6460
West Hall, Room 12                                   Fax: +1 802-865-6447
163 South Willard Street                            Cell: +1 802-238-8913
Burlington, VT 05401

http://digitalforensics.champlain.edu                   kumquat@sover.net
http://networking.champlain.edu                http://www.garykessler.net
           PGP Public Key: http://www.garykessler.net/kumquat_pubkey.html
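The pipeline the thread describes (strings, then grep with a [^0-9] guard on each side and a restricted leading digit, then a Luhn check of whatever survives) as an added example that is not part of the original thread, Autopsy, or THC's tool. It re-implements the strings | grep step in Python so it runs offline against a constructed byte string standing in for drive.img; the regexes are my rendering of the patterns quoted above, and the card numbers are the usual published test numbers, not real accounts:

```python
"""Carve SSN- and card-shaped numbers out of a raw disk image and Luhn-check
the card candidates.  Added example (Python re-implementation of the
strings | grep pipeline from the thread); not the poster's or THC's code."""
import re

# `strings` default: runs of at least 4 printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# SSN shape 123-12-1234 or 123121234.  The (?<![0-9]) / (?![0-9]) guards are
# the "[^0-9] on both ends" idea from the thread, written as lookarounds so
# the match itself does not swallow the neighbouring character.
SSN_RE = re.compile(r"(?<![0-9])[0-9]{3}-?[0-9]{2}-?[0-9]{4}(?![0-9])")

# Card shape: first digit 3-6 (Amex/Visa/MC/Discover), 13-16 digits either
# contiguous or in 4-4-4-4 groups with one consistent separator.
CARD_RE = re.compile(
    r"(?<![0-9])(?:"
    r"[3-6][0-9]{12,15}"                                  # contiguous
    r"|[3-6][0-9]{3}([ -])[0-9]{4}\1[0-9]{4}\1[0-9]{4}"   # 4-4-4-4 grouped
    r")(?![0-9])"
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which is what a card verification program does."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def extract_strings(data: bytes) -> list:
    """Emulate `strings image`: return the printable runs as text."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def find_ssns(text: str) -> list:
    return [m.group() for m in SSN_RE.finditer(text)]


def find_cards(text: str) -> list:
    """Return (as_seen, digits_only, luhn_ok) for every card-shaped run."""
    out = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[^0-9]", "", m.group())
        out.append((m.group(), digits, luhn_ok(digits)))
    return out


def scan_image(data: bytes) -> dict:
    """Whole pipeline: strings -> grep-style patterns -> Luhn filter."""
    ssns, cards = [], []
    for run in extract_strings(data):
        ssns.extend(find_ssns(run))
        cards.extend(find_cards(run))
    return {"ssns": ssns, "cards": cards}


# Constructed stand-in for drive.img: binary junk around fragments of the
# kind of temp-file data the thread describes.  Card numbers are the usual
# published test numbers, not real accounts.
SAMPLE_IMAGE = (
    b"\x00\x00\xff\x89PNG\x01\x02"
    b"order.tmp: name=J. Doe cc=4111111111111111 exp=01/06\x00"
    b"\x00\x01\x02"
    b"ssn=123-12-1234 alt=123121234\x00"
    b"serial=99994111111111111111\x00"        # digit glued on: guards reject it
    b"card 5500 0000 0000 0004 on file\x00"   # grouped form
    b"typo=4111111111111112\x00"              # right shape, fails Luhn
    b"amex=371449635398431\x00"               # 15 digits, starts with 3
    b"phone=8025551212\x00"                   # never a candidate
    b"\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    result = scan_image(SAMPLE_IMAGE)
    for s in result["ssns"]:
        print("SSN candidate :", s)
    for seen, digits, ok in result["cards"]:
        print("card candidate:", seen, "->", digits, "Luhn OK" if ok else "Luhn FAIL")
```

Luhn passes one in ten random digit strings, so it only thins the list; the issuer-prefix table linked in the reply above tightens it further. On a real image, feed `strings -n 4 drive.img` (or the file read in chunks) instead of the in-memory bytes, and remember that `strings` only sees single-byte text, so UTF-16 data from Windows applications needs a second pass with `strings -e l`.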


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
