Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: FW: Complex file searches on forensic Image

from [Jerry Shenk] Network Security [Permanent Link]
Subject: RE: FW: Complex file searches on forensic Image
Date: Mon, 8 Nov 2004 10:25:28 -0500 
That looks like a pretty handy package.  I use the Knoppix-STD CD at
times (http://www.knoppix-std.org/tools.html).  That's not actually my
preferred forensic toolkit but it's the only one I have that has ftimes
on it.  Having ftimes on a bootable CD would make it pretty handy for
what you're talking about.

-----Original Message-----
From: Jon O. [mailto:jono@networkcommand.com] 
Sent: Thursday, November 04, 2004 3:54 PM
To: Roger Padilla
Cc: forensics@securityfocus.com
Subject: Re: FW: Complex file searches on forensic Image



Roger:

FTimes will allow you to search for this type of stuff. You can
even conduct searches by inserting a single binary on many systems
(we have done 500+) looking for specific data. While I understand
you are looking at a single disk, I'd suggest you check out FTimes
for the next time you are looking for data within a network
(not just a single disk) and need to perform a holistic search 
of all file system space.

It's much better to determine the data you are looking for and
run these search patterns across *all* the systems, not just the
ones you think have been compromised. In just about every IR 
event I've done, doing a full network file system search turns
up new cracked boxes or places the attacker stored data which 
never would have been identified from forensic evidence contained 
on the known compromised machines and logs (or lack thereof) the 
company maintains.


From the hipdig.pl perldoc on the FTimes project site:

http://ftimes.sourceforge.net/FTimes/index.shtml

Specifies the type of search that is to be conducted. Currently,
the following types are supported: HOST, IP, PASS|PASSWORD, SSN|SOCIAL,
T1|TRACK1, T1S|TRACK1-STRICT, T2|TRACK2, and T2S|TRACK2-STRICT.
The default value is IP.  The value for this option is not case
sensitive.

TRACK1 and TRACK2 are credit card search functions.


Thanks,
Jon


On 03-Nov-2004, Roger Padilla wrote:

Per recommendation, I am submitting this request to this group.
Additionally, the search that I need to perform needs (if possible) to

be

able to look within the files.  Thanks. 


~~~~~~~~~~~~~~~~~~~~
Roger Padilla, Jr.
Technical Consulting
(805) 934-2249
roger.pa@verizon.net
~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: Roger Padilla [mailto:roger.pa@verizon.net] 
Sent: Wednesday, November 03, 2004 2:25 PM
To: focus-virus@securityfocus.com
Subject: Complex file searches on forensic Image

I am currently in the process of analyzing a hard drive that was found

to

contain personal data which may have been harvested.  Per California

Senate

bill 1386 -- the organization I am performing the analysis (ok, I work

for

this company who is reluctant to buy the forensic software) for is

required

by law to notify all individuals whose personal information may have

been

acquired.  There are several thousand files on this drive that will

need to

be investigated -- is there any open source software that would allow

me to

do a complex file search using wildcards to look for such information

as

social security numbers.  For example search for strings matching
***-**-**** or ss#.  Also there are several Access databases that will

need

to be researched -- will these need to be opened by a database

program, or

could a product like encase perform this search?  Any recommendations

would

be greatly appreciated. 
 
~~~~~~~~~~~~~~~~~~~~
Roger Padilla, Jr.
Technical Consulting
(805) 934-2249
roger.pa@verizon.net
~~~~~~~~~~~~~~~~~~~~



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com





-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Tool Called AREA51, Christopher Brown
Next by Date:  RE: Tool Called AREA51, Dave Sharp
Previous by Thread:  Re: FW: Complex file searches on forensic Image, Jon O.
Next by Thread:  RE: Books - was E-evidence site, Gaydosh, Adam
Indexes:  [Date] [Thread] [Top] [All Lists]