Join Us!

Notifications
Clear all

Release of Spider  

  RSS
hogfly
(@hogfly)
Active Member

http//www.cit.cornell.edu/computer/security/tools/

A colleague of mine wrote a tool called Spider. I mentioned it here about a year ago. The tool has been released to the public in a few different flavors.

RIght now it runs on linux (full soruce available) and windows(source code coming soon). OS X is under active development.

How do we use this tool?

1) Under NY law, businesses and other institutions have to notify the public if there is a reasonable belief that there is sensitive data on a machine and it was accessed by unauthorized individuals. The tool *by default* searches for SSN and CC# - two of the major items that are commonly found on computers. You can add your own regular expressions for more searching.
We use it extensively in security incidents involving intrusions.

2) pre-emptive sensitive data removal. Run the tool against your machine *before* you get compromised to remove the unneccessary sensitive data (think of all of the stolen laptops out there).

Quote
Posted : 09/10/2006 8:11 pm
keydet89
(@keydet89)
Community Legend

hogfly,

Very cool. I can't tell you how many times I could have used something like this.

Is this for live systems? I'm assuming so, as I haven't read completely through the docs, but I don't see anything that specifically says "dd image" or points to interfacing with EnCase or ProDiscover.

Either way, it looks interesting. If it's for live systems, I'd think that it would be most useful to IT admins and the like, rather than first responders. After all, you don't want to mucking the last access times on all the files on the system prior to imaging (if that's what you're going to do).

I'll definitely be interested in the source…

ReplyQuote
Posted : 09/10/2006 8:40 pm
hogfly
(@hogfly)
Active Member

Harlan,
hmm a best practices doc is in order methinks.

Can it be used live? Yes, but I sure as heck wouldn't in an incident since it stomps on access times.

We use it after the disk image has been created in order to search for sensitive materials so you are right, it isn't generally used by first responders.

It can be used on a loopback mounted dd image in linux. I wouldn't use it in windows unless you're using a write blocker or unless you are using it under the second scenario I listed.

We stick to dd images as our standard so I don't think any thought was given to programs like encase )

ReplyQuote
Posted : 09/10/2006 8:54 pm
keydet89
(@keydet89)
Community Legend

I think I'd recommend something like this for use by IT admins…many times, I get the question of "was their sensitive data on the system?", and in the back of my mind, I think, "what…you don't know?"

I'm going to try it against an image file that I have…

ReplyQuote
Posted : 09/10/2006 9:24 pm
schlecht
(@schlecht)
Junior Member

This is a great idea. While it might not be optimal for live response - I can see using it after the imaging and also as part of configuration reviews. Look at the overall security of a machine to score its risk in light of technical vulnerabilities, but also capturing whether sensitive material is on the machine in question (not just taking somebody's word for it).

I do a lot of pen testing, so this is useful in other ways also.

ReplyQuote
Posted : 09/10/2006 9:37 pm
deckard
(@deckard)
Member

looks like a very useful tool. I d/l the linux version and ran against a small test image, works as advertised.

Look forward to some test lab time with it later in week. Good share

Bill

ReplyQuote
Posted : 09/10/2006 9:37 pm
KPryor
(@kpryor)
Member

Just downloaded and tried it. Very good tool for sure. I plan to work some more with it later on. Thanks for the heads up on this.
KP

ReplyQuote
Posted : 10/10/2006 12:20 am
keydet89
(@keydet89)
Community Legend

I downloaded and installed the Windows version…and saw that it requires .NET. Eesh! What a pain!

ReplyQuote
Posted : 10/10/2006 12:30 am
keydet89
(@keydet89)
Community Legend

Okay, what I meant by that was this…

Let's say I image a system, and then want to run Spider. I have to install .Net on the system.

Or, if I have LiveView and an image, I still have to install .Net, if the system doesn't already have it…which is many times the case.

So besides changing MAC times, you also have to deal with a 23.1MB download, and an installation.

In the big scheme of things, this is manageable, particularly if the answer is absolutely necessary. However, there has *got* to be an easier way…like having a command line version that you can install on Helix, or run from a CD, that doesn't require .Net…

ReplyQuote
Posted : 10/10/2006 1:59 am
hogfly
(@hogfly)
Active Member

Harlan,
Indeed and the linux version meets that need.

ReplyQuote
Posted : 10/10/2006 2:01 am
keydet89
(@keydet89)
Community Legend

Hogfly,

How so? I can't put the Linux version on a CD, put the CD into a live Windows system and use it.

No, one would have to image the drive, or mount it on a Linux system with a write-blocker.

I've seen some tools come out recently (First Response from Mandiant, for one) that require .Net…for no apparent reason. That requirement for Spider really reduces the usefulness of the tool.

I applaud the efforts of the folks who produced the tool, but the requirement for .Net is cumbersome and reduces its usefulness.

ReplyQuote
Posted : 10/10/2006 2:36 am
hogfly
(@hogfly)
Active Member

Harlan,
I think I misinterpreted your previous post.

The linux version of the tool can run from the bootable side of Helix so you could image a system and run it from there, without using windows and installing .NET.

While .NET is cumbersome, the tool meets its intended use.

*shrug*

ReplyQuote
Posted : 10/10/2006 2:46 am
keydet89
(@keydet89)
Community Legend

You're right, it does…but a 23.1MB download is going to overwrite a lot of sectors, and the installation is going to add Registry keys and perhaps modify files.

ReplyQuote
Posted : 10/10/2006 5:17 am
az_gcfa
(@az_gcfa)
Active Member

Another possibility is run helix from laptop and remotely mount the drive via smb as readonly, noatime. That is provided the drive is setup as shared! Setting the drive up to be shared would be the lesser of the two evils - installing .NET.

ReplyQuote
Posted : 18/10/2006 10:48 am
Share: