Hi,
I'm looking for evidence of the use of some dodgy credit cards across a number of computers. I have the full 16-digit numbers of each card.
I've tried searches on the numbers themselves and the same again but with a space separating each group of 4 digits, but neither has yielded any results.
As a final try I intend to look for the numbers as they might appear when "masked" in a credit card transaction receipt,
e.g. with 12 asterisks replacing the first 12 digits followed by the last 4 actual digits.
My question is: have any of you come across any other common formats in which credit card numbers appear when "masked" in receipts?
Thanks in advance for any suggestions.
Why not search for only the last 4 digits? Who's to say how the numbers are formatted, and if they're stored on disk with asterisks or pound symbols?
Yes, you will get a number of false positives, but better to find all and sort them out by hand than to miss them.
Indeed - I tried that once in the past & found huge numbers of false positives. This time I have a couple of dozen cards and 1.5TB to search & can't devote unlimited effort to this single job, hence my request for common formats rather than any conceivable format.
Thanks
I've seen asterisks, hashes, x's or sometimes just a series of periods - e.g. ….
I know this probably isn't helpful, but I have also seen it presented as the first two numbers from the first set and the last two from the last set.
Do you have the expiry details for the cards? If so you might also want to try some kind of proximity search between the last four digits and the expiry.
You might also want to try limiting your searches, for instance if you are looking for evidence of use of the cards you might limit it to just Temp Internet Files and the user documents before expanding it out to the whole 1.5TB. It might make the results a little more manageable and you might be able to do a search just on the last four digits as Harlan suggested.
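The formats collected in this thread (full number with space or dash separators, the first 12 digits masked by asterisks, hashes, x's or periods, the first-two/last-two partial mask, last four only, and last four near the expiry), as an added example that is not from any poster here. SAMPLE_PAN, SAMPLE_EXPIRY and SAMPLE_TEXT are constructed stand-ins for a known card and for strings extracted from an image:

```python
import re

# Constructed values for illustration only (not a real card or expiry).
SAMPLE_PAN = "4111222233334444"
SAMPLE_EXPIRY = "03/25"

# Constructed text standing in for strings carved from a disk image.
SAMPLE_TEXT = """Receipt 0412: VISA **** **** **** 4444 Exp 03/25 AUTH OK
order.txt: card XXXX-XXXX-XXXX-4444 total 19.99
notes: 41** **** **** **44
raw: 4111 2222 3333 4444
log: ref 4444 customer called
"""

SEP = r"[ \-]?"    # optional space or dash between groups of four
MASK = r"[*#xX.]"  # asterisk, hash, x or period standing in for a digit


def masked_patterns(pan):
    """Regexes for the formats named in the thread, keyed by name.
    pan: the full 16-digit number the examiner already knows."""
    groups = [pan[i:i + 4] for i in range(0, 16, 4)]
    last4, first2, last2 = groups[3], pan[:2], pan[-2:]
    return {
        # plain: "4111 2222 3333 4444", "4111-2222-3333-4444" or unbroken
        "full": re.compile(SEP.join(groups)),
        # 12 masked characters (separators allowed), then the real last 4
        "mask12_last4": re.compile(rf"(?:{MASK}{SEP}){{12}}{last4}"),
        # first two and last two digits clear, 12 masked in between
        "first2_last2": re.compile(rf"{first2}(?:{SEP}{MASK}){{12}}{last2}"),
        # widest net: the last 4 digits not embedded in a longer number
        "last4_only": re.compile(rf"(?<!\d){last4}(?!\d)"),
    }


def search_text(text, pan):
    # {pattern_name: [match offsets]} for every format above
    return {name: [m.start() for m in rx.finditer(text)]
            for name, rx in masked_patterns(pan).items()}


def proximity_hits(text, pan, expiry, window=30):
    """Offsets of last-4 hits with the known expiry within `window` chars,
    a cheap way to rank last-4-only hits above plain false positives."""
    last4 = masked_patterns(pan)["last4_only"]
    exp = re.compile(re.escape(expiry))
    hits = []
    for m in last4.finditer(text):
        lo, hi = max(0, m.start() - window), m.end() + window
        if exp.search(text, lo, hi):
            hits.append(m.start())
    return hits
```

Run `search_text(SAMPLE_TEXT, SAMPLE_PAN)` to see how many hits each net produces; the last-4-only net is the noisiest, and `proximity_hits` keeps only the ones sitting next to the known expiry.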
Splunk….
If you have FTK you can use live search to run strings that contain the entire credit card number including the dashes.
I think there is an option in EnCase to search for credit card numbers exclusively. This option will bring up all the numbers in credit card number format, i.e. 16-digit numbers. Try it.
krishna