Spider2008 Intro

8/13/2019 Spider2008 Intro

Spider2008 differs from previous Spiders in several key ways:

• One-user/one-cleanup model. That is, Spider2008 is intended to be run by an end user across their own files and revisited periodically as part of a sensitive data cleanup effort.

• To keep performance up and false positives to a minimum, Spider2008 takes a files-to-scan approach, in contrast to its predecessor's files-to-skip approach. That is, without changes to the default configuration, Spider2008 scans a limited handful of file types likely to contain sensitive data:

  o Mailboxes
  o Office documents, including OpenOffice, MS Office 2007, and MS Office through 2003
  o PDFs
  o Some database formats, including FoxPro, Access, FileMaker, and most dBase derivatives
  o Compressed archives, including PKZip and BZip
  o HTML
  o Legacy formats such as Quattro and Lotus 1-2-3 files

• Included regular expressions have been consolidated and tuned for better performance. For example, the SSN regular expression assumes a search for both 3-2-4 and 9-digit formats, with the former taking a wide variety of possible delimiters.

• Spider2008 can scan EFS-encrypted files, provided key material is available to the user context in which it runs.

• Spider2008 will also attempt to reset file access times as it scans. This is a convenience function only and should not be used in an incident response or forensics context without appropriate measures to prevent modification of evidence.

• Stateful scanning. A scan history, including enough configuration information to repeat a scan, is stored in \documents and settings\you\local settings\application data\spider\state

• Scan histories are uni…

• Remediation convenience features are included in the utility:

  o Securely erase or move a file using a DoD 5220.22-M overwrite


  o Move the file to the recycle bin
  o Ignore the file as a false positive
  o Mark the file as having valid hits but the file must be retained on the system
  o Open the file in its native application
  o For text files and mailboxes, redact matches individually or in total
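The SSN regular expression mentioned above (both the delimited 3-2-4 form and the bare 9-digit form) and the redact-in-place feature, as an added illustration written for this page. It is not Spider2008's own pattern or code: the delimiter set, the exclusion of area 000/666/9xx, group 00 and serial 0000, and the sample text are my assumptions.

```python
import re

# Added example, not Spider2008's pattern. Matches a US SSN either delimited
# as 3-2-4 (123-45-6789, 123 45 6789, 123.45.6789, 123/45/6789) or as a bare
# 9-digit run (123456789). The delimiter set and the exclusions of area 000,
# 666 and 900-999, group 00 and serial 0000 are assumptions chosen to cut
# false positives; Spider2008's real pattern is only described in prose.
SSN_RE = re.compile(
    r"(?<![\w-])"                 # not glued to a longer number or word
    r"(?!000|666|9\d{2})\d{3}"    # area number
    r"(?P<d>[-. /]?)"             # optional delimiter, remembered
    r"(?!00)\d{2}"                # group number
    r"(?P=d)"                     # the same delimiter again (or none)
    r"(?!0000)\d{4}"              # serial number
    r"(?![\w-])"
)


def find_ssns(text):
    """Return every SSN-looking token in text, in document order."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def redact_ssns(text):
    """Replace each match with ***-**-NNNN, keeping only the last four digits."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)


# Constructed sample text mixing true positives, a phone number, an order
# number and structurally invalid SSNs.
SAMPLE = (
    "Employee 123-45-6789 started Monday.\n"
    "Backup record: 123 45 6789 and 123.45.6789.\n"
    "Bare form 123456789 in the export.\n"
    "Phone 555-123-4567 and order 1234567890 are not SSNs.\n"
    "Invalid 000-12-3456, 666-12-3456, 123-00-4567, 123-45-0000.\n"
)

if __name__ == "__main__":
    for hit in find_ssns(SAMPLE):
        print(hit)
    print(redact_ssns(SAMPLE))
```

The lookbehind and lookahead keep a 10-digit phone or order number from matching as a 9-digit SSN embedded inside it, and the remembered delimiter means "123-45 6789" is not treated as a hit; both are the kind of tuning the bullet above refers to.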

A few deployment notes:

Spider State Files: These things end in .ss3 and are SQLite databases. Spider keeps some config information inside, as well as matches and the text surrounding a match. These are sensitive data by virtue of this; handle them as such. Though encrypted, they should be treated with the same care as the original files they reference.

SQLite Encryption: This is handled transparently by Spider2008. The file "entropy" in its install location is the key. Yes, we know there are better key management practices, but until the sensitive data is removed from the machine the weakness of this design is the least of your worries. Once the cleanup is done, erase the SQLite state files ASAP. One of the obvious implications of this design is that unless you replace that file with one of your own (doesn't matter what kind or how big; a JPG is a good choice), anyone with a copy of our distribution can read the state files.

Spider will make every effort to remove cached hits from its state database as files are cleaned up through its interface. Still, state files should be considered sensitive and removed when the cleanup effort is done.

Spider Incremental Scanning: Spider assumes any scan repeated within one hour is intended to be the previous scan. That is, it'll import the settings and matches from the scan state file that exists for that hour, search the DB for unscanned files, and search the drive for files that have changed. The only way to change this behavior is to nuke the previous state file.
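An added example of the stateful and incremental scanning behaviour described in the "Stateful scanning" bullet and the note just above: a state file started less than an hour ago is reused, only new or changed files are read, matches are cached in the state database, and access times are put back after reading. This is illustrative code written for this page, not Spider2008's implementation; the state-file naming, the SQLite schema, the files-to-scan extension list, the one-hour window and the simplified SSN pattern used in the demo are all my assumptions.

```python
import os
import re
import sqlite3
import tempfile
import time
from pathlib import Path

# Added example, not Spider2008's code. Assumptions: the files-to-scan list
# below, the state-file naming, the SQLite schema and the one-hour window.
SCAN_EXTENSIONS = {".txt", ".csv", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".mbox"}
REUSE_WINDOW_SECONDS = 3600   # a scan repeated within one hour reuses the previous state


def open_state(state_dir, now=None):
    """Open the state database for a scan starting at time `now`.

    Returns (connection, reused). A state file started less than
    REUSE_WINDOW_SECONDS ago is reused so the scan is incremental; otherwise a
    fresh state file is created. Deleting the old file is the only way to
    force a full rescan inside the window.
    """
    now = time.time() if now is None else now
    state_dir = Path(state_dir)
    state_dir.mkdir(parents=True, exist_ok=True)
    path, reused = None, False
    for cand in sorted(state_dir.glob("scan-*.sqlite"), reverse=True):
        started = int(cand.stem.split("-", 1)[1])
        if 0 <= now - started < REUSE_WINDOW_SECONDS:
            path, reused = cand, True
            break
    if path is None:
        path = state_dir / f"scan-{int(now)}.sqlite"
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS files (path TEXT PRIMARY KEY, mtime_ns INTEGER, size INTEGER)")
    conn.execute("CREATE TABLE IF NOT EXISTS matches (path TEXT, hit TEXT)")
    return conn, reused


def incremental_scan(root, conn, finder):
    """Scan files under `root` whose extension is in SCAN_EXTENSIONS.

    Files whose mtime and size still match the state database are skipped.
    `finder` is a callable returning the list of hits for a file's text.
    Returns the paths that were actually read this time.
    """
    known = {p: (m, s) for p, m, s in conn.execute("SELECT path, mtime_ns, size FROM files")}
    scanned = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXTENSIONS:
            continue
        st = path.stat()
        key = str(path)
        if known.get(key) == (st.st_mtime_ns, st.st_size):
            continue   # unchanged since it was last scanned within this window
        text = path.read_text(errors="replace")
        # Convenience only: put the access time back the way we found it. As the
        # notes above warn, this is no substitute for proper evidence handling.
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
        conn.execute("DELETE FROM matches WHERE path = ?", (key,))
        conn.executemany("INSERT INTO matches VALUES (?, ?)", [(key, h) for h in finder(text)])
        conn.execute("INSERT OR REPLACE INTO files VALUES (?, ?, ?)", (key, st.st_mtime_ns, st.st_size))
        scanned.append(key)
    conn.commit()
    return scanned


def demo():
    """Three scans inside one hour over a constructed directory; returns what each did."""
    simple_ssn = re.compile(r"\b\d{3}-\d{2}-\d{4}\b").findall   # stand-in detector
    with tempfile.TemporaryDirectory() as tmp:
        root, state_dir = Path(tmp, "docs"), Path(tmp, "state")
        root.mkdir()
        (root / "hr.txt").write_text("Employee SSN 123-45-6789\n")
        (root / "notes.csv").write_text("nothing sensitive here\n")
        (root / "photo.jpg").write_bytes(b"\xff\xd8 not in the files-to-scan list")

        conn, _ = open_state(state_dir, now=1_000_000)
        first = incremental_scan(root, conn, simple_ssn)       # both text files read
        conn.close()

        conn, reused = open_state(state_dir, now=1_000_600)    # ten minutes later
        second = incremental_scan(root, conn, simple_ssn)      # nothing changed
        # A size change is enough to trigger a rescan even on filesystems with
        # coarse mtime resolution.
        (root / "notes.csv").write_text("now contains 987-65-4321\n")
        third = incremental_scan(root, conn, simple_ssn)       # only notes.csv
        hits = conn.execute("SELECT COUNT(*) FROM matches").fetchone()[0]
        conn.close()
    return {"first": len(first), "reused": reused, "second": len(second),
            "third": len(third), "hits": hits}


if __name__ == "__main__":
    print(demo())
```

Because the matches table carries the hit text, the state file is exactly as sensitive as the notes above say: anything with read access to it has the findings without touching the original files, which is why it belongs in a per-user location and should be erased when the cleanup is finished.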