Re: [sleuthkit-users] Need to look for PII on multiple drives - suggested tool?
From: Derrick K. <dk...@gm...> - 2011-10-13 16:35:40
Hi Karl.

Take a look at 'bulk_extractor' (http://afflib.org), specifically the 'accts' scanner option. This scanner automatically searches for SSNs and CC data, and 'bulk_extractor' will run against the image without having to mount it. If you don't like the command line version there is also a GUI for 'bulk_extractor' available here: https://domex.nps.edu/deep/Bulk_Extractor.html

Derrick

On Thu, Oct 13, 2011 at 10:20 AM, Karl Bernard <kar...@gm...> wrote:
> Is there a tool in the SIFT kit for looking for sensitive information? I
> think I've gone through the tool list, but I may have overlooked
> something... What else would you suggest?
>
> We've imaged three drives (2 are hfsplus and one is ntfs) and need to do a
> best effort look to see if there's any Personally Identifiable Information
> (PII - primarily SSNs and CC numbers) on these drives. I've used the SIFT
> kit to mount them into the default "mnt" samba share and tried using Senf
> (https://senf.security.utexas.edu/) and Spider
> (http://www2.cit.cornell.edu/security/tools/), from a nearby Windows system
> but the tools are VERY slow and have been difficult to tune.
>
> I've considered just copying out all document-type files and using the tools
> to look through them that way. (Even this gets a little complicated since I
> want to do an xcopy-style copy that preserves file paths and have found this
> to be a real hassle in linux - best suggestion I've seen so far is
> this: http://www.mcwalter.org/technology/shell/recursive.html)
>
> Thoughts, suggestions?
>
> Document types I'm considering copying/looking at:
>
> accdb, csv, db, doc, docx, odb, odm, odp, ods, odt, ots, pages, pdf, ppt,
> pptx, rtf, stc, sxc, tax, tsv, txt, wdb, wpd, wps, wri, xhtml, xlk, xlr,
> xls, xlsm, xlsx, xltm, xml
>
> Sorry for cross-posting...
> Thanks,
> Karl Bernard
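To make the recommendation above concrete, here is an added example (written for this page; it is not code from bulk_extractor, from Derrick or from Karl) of the kind of raw-image scan the 'accts' scanner performs: read the image bytes directly, without mounting HFS+ or NTFS, match SSN and card-number formats, and throw away the bulk of false positives with structural checks (SSA area/group/serial rules, the Luhn checksum, repeated-digit runs). The regexes, the plausibility rules and the sample "image" are assumptions of this example, not the scanner's actual logic; the only numbers in the sample are the public Visa and Amex test values.

```python
"""Raw scan of a disk image for SSN and payment-card patterns.

Added example for this thread; it is not code from bulk_extractor or from the
original posters. It shows, at a basic level, what bulk_extractor's 'accts'
scanner does: read the image bytes without mounting any filesystem, match
SSN and card-number formats, and use structural checks to drop most false
positives. The patterns and rules below are this example's assumptions.
"""
import mmap
import os
import re
import tempfile
from typing import List, Tuple

# SSN in AAA-GG-SSSS form. Undashed SSNs occur in real data but are far
# noisier to match, so this example only handles the dashed form.
SSN_RE = re.compile(rb"(?<![0-9-])(\d{3})-(\d{2})-(\d{4})(?![0-9-])")

# Card numbers: 13-19 contiguous digits, 16 digits grouped 4-4-4-4 with one
# consistent separator, or Amex-style 4-6-5. Mixed separators are rejected
# on purpose: allowing them lets unrelated digit runs (two adjacent SSNs,
# say) merge into one string that can pass Luhn by chance.
CCN_RE = re.compile(
    rb"(?<![0-9-])(?:"
    rb"\d{13,19}"
    rb"|\d{4}([ -])\d{4}\1\d{4}\1\d{4}"
    rb"|\d{4}([ -])\d{6}\2\d{5}"
    rb")(?![0-9-])"
)

Hit = Tuple[int, str, str]  # (byte offset in image, kind, matched text)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: bytes, group: bytes, serial: bytes) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def scan_bytes(data, base: int = 0) -> List[Hit]:
    """Return (offset, kind, text) for every validated match in data.

    `data` may be bytes or an mmap, so a very large image is scanned without
    reading it into memory and without mounting it.
    """
    hits: List[Hit] = []
    for m in SSN_RE.finditer(data):
        if ssn_plausible(*m.groups()):
            hits.append((base + m.start(), "ssn", m.group(0).decode("ascii")))
    for m in CCN_RE.finditer(data):
        text = m.group(0).decode("ascii")
        digits = re.sub(r"[ -]", "", text)
        # All-same-digit runs such as 0000000000000000 pass Luhn; drop them.
        if len(set(digits)) > 1 and luhn_ok(digits):
            hits.append((base + m.start(), "ccn", text))
    return sorted(hits)


def scan_image(path: str) -> List[Hit]:
    """Scan a raw (dd-style, not E01) image through a read-only mmap."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_bytes(mm)


# Constructed sample "image": filler bytes around strings a drive might hold.
# Only the public Visa/Amex test numbers appear; the SSNs are invented.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"Customer: A. Person  SSN: 123-45-6789\n"
    + b"Bad SSNs: 000-12-3456 666-12-3456 123-00-4567\n"
    + b"Card on file: 4111 1111 1111 1111 (Visa test number)\n"
    + b"Log id 1318523940123456 is 16 digits but fails Luhn\n"
    + b"Amex test number 3782-822463-10005\n"
    + b"Serial 0000000000000000 passes Luhn but is all one digit\n"
    + b"\xff" * 32
)


def scan_sample_image() -> List[Hit]:
    """Write SAMPLE_IMAGE to a temp file and scan it like a real image."""
    with tempfile.NamedTemporaryFile(suffix=".dd", delete=False) as tmp:
        tmp.write(SAMPLE_IMAGE)
        path = tmp.name
    try:
        return scan_image(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for offset, kind, text in scan_sample_image():
        print(f"{offset:>10}  {kind}  {text}")
```

On the sample this reports one SSN and two card numbers; the two SSNs with invalid area numbers, the one with group 00, the 16-digit log id that fails Luhn, and the all-zero run are all rejected. For the real job, bulk_extractor's own invocation is `bulk_extractor -E accts -o outdir image.dd` (`-E` restricts the run to the named scanner, `-o` names a fresh output directory); the SSN hits land in `pii.txt` and card numbers in `ccn.txt`, each with its byte offset in the image, so a hit can be traced back to a file with the Sleuth Kit's `ifind`/`ffind` afterwards.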