Release of Spider

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
hogfly
Senior Member
 

Release of Spider

Posted: Oct 09, 06 19:11

www.cit.cornell.edu/co...ity/tools/

A colleague of mine wrote a tool called Spider. I mentioned it here about a year ago. The tool has been released to the public in a few different flavors.

Right now it runs on Linux (full source available) and Windows (source code coming soon). OS X is under active development.

How do we use this tool?

1) Under NY law, businesses and other institutions have to notify the public if there is a reasonable belief that there is sensitive data on a machine and it was accessed by unauthorized individuals. The tool *by default* searches for SSN and CC# - two of the major items that are commonly found on computers. You can add your own regular expressions for more searching.
We use it extensively in security incidents involving intrusions.

2) Pre-emptive sensitive data removal. Run the tool against your machine *before* you get compromised to remove the unnecessary sensitive data (think of all of the stolen laptops out there).
 
  

keydet89
Senior Member
 

Re: Release of Spider

Posted: Oct 09, 06 19:40

hogfly,

Very cool. I can't tell you how many times I could have used something like this.

Is this for live systems? I'm assuming so, as I haven't read completely through the docs, but I don't see anything that specifically says "dd image" or points to interfacing with EnCase or ProDiscover.

Either way, it looks interesting. If it's for live systems, I'd think that it would be most useful to IT admins and the like, rather than first responders. After all, you don't want to be mucking up the last access times on all the files on the system prior to imaging (if that's what you're going to do).

I'll definitely be interested in the source...  
 
  

hogfly
Senior Member
 

Re: Release of Spider

Posted: Oct 09, 06 19:54

Harlan,
hmm a best practices doc is in order methinks.

Can it be used live? Yes, but I sure as heck wouldn't in an incident since it stomps on access times.

We use it after the disk image has been created in order to search for sensitive materials so you are right, it isn't generally used by first responders.

It can be used on a loopback mounted dd image in linux. I wouldn't use it in windows unless you're using a write blocker or unless you are using it under the second scenario I listed.

We stick to dd images as our standard so I don't think any thought was given to programs like EnCase :)
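The default SSN and credit-card search described in the first post, and the access-time concern raised in this one, are illustrated below by an added example that is not Spider's code and makes no claim about how Spider is implemented. It scans a buffer with the two default patterns, drops SSNs the SSA never issues and card numbers that fail the Luhn check to cut false positives, and opens files with O_NOATIME (an assumed Linux-only flag; it silently falls back elsewhere) so a scan of a loopback-mounted image does not stomp on last-access times. The sample text is constructed.

```python
import os
import re
import sys

# Constructed sample standing in for a file pulled from a dd image.
SAMPLE = b"""customer: 123-45-6789
card: 4539 1488 0343 6467
bogus ssn: 000-12-3456
bogus card: 4111 1111 1111 1112
"""

SSN_RE = re.compile(rb"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CC_RE = re.compile(rb"\b(?:\d[ -]?){12,18}\d\b")


def valid_ssn(area, group, serial):
    # The SSA never issues area 000, 666 or 900-999, group 00 or serial 0000.
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(digits):
    # Standard Luhn mod-10 check used by every major card brand.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_bytes(data):
    hits = []
    for m in SSN_RE.finditer(data):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0).decode()))
    for m in CC_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            hits.append(("cc", digits))
    return hits


def scan_file(path):
    # O_NOATIME needs file ownership or CAP_FOWNER; fall back if refused.
    try:
        fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOATIME", 0))
    except PermissionError:
        fd = os.open(path, os.O_RDONLY)
    with os.fdopen(fd, "rb") as f:
        return scan_bytes(f.read())


if __name__ == "__main__":
    for p in sys.argv[1:] or []:
        print(p, scan_file(p))
    print(scan_bytes(SAMPLE))
```

On a read-only or noatime mount (the safer choice for an image anyway) the O_NOATIME flag is redundant, but it costs nothing and protects you when someone mounts the loop device with default options.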
 
  

keydet89
Senior Member
 

Re: Release of Spider

Posted: Oct 09, 06 20:24

I think I'd recommend something like this for use by IT admins... many times, I get the question of "was there sensitive data on the system?", and in the back of my mind, I think, "what... you don't know?"

I'm going to try it against an image file that I have...  
 
  

schlecht
Member
 

Re: Release of Spider

Posted: Oct 09, 06 20:37

This is a great idea. While it might not be optimal for live response, I can see using it after the imaging and also as part of configuration reviews. Look at the overall security of a machine to score its risk in light of technical vulnerabilities, but also capture whether sensitive material is on the machine in question (not just taking somebody's word for it).

I do a lot of pen testing, so this is useful in other ways also.
_________________
schlecht 
 
  

deckard
Senior Member
 

Re: Release of Spider

Posted: Oct 09, 06 20:37

Looks like a very useful tool. I d/l the Linux version and ran it against a small test image; works as advertised.

Look forward to some test lab time with it later in week. Good share

Bill
_________________
Replicants are like any other machine - they're either a benefit or a hazard. If they're a benefit, it's not my problem 
 
  

KPryor
Senior Member
 

Re: Release of Spider

Posted: Oct 09, 06 23:20

Just downloaded and tried it. Very good tool for sure. I plan to work some more with it later on. Thanks for the heads up on this.
KP  
 
