Deadpan

PAN Scanner Tool Set

Category: Software,
Tags: download pan pci dss

Updated: 18 Apr 2017

Basic Idea of a Split Tool Set

This PAN scanner tool set consists of two programmes:

   deadpan   --   the PAN scanner (a directory walker)
dprep -- a report extractor
 
            deadpan                            dprep
      +-----------------+    encrypted     +-----------+
      |   PAN scanner   |     journal      |  Report   |
      | creates journal | -------------->  | generator |
      +-----------------+                  +-----------+

where the scanner produces an encrypted report that can only be decrypted and decoded by the report generator.

deadpan:

Deadpan walks the file system while scanning files for PANs.

Deadpan produces an encrypted scan journal which cannot be decrypted by deadpan itself because it has only the public key (for technology details see the crypto repository.)

By design, reports are safe regarding confidentiality (eg. PANs, see PCI DSS).

dprep:

Dprep reads the encrypted journal produced by deadpan: it comes with a built-in private encryption key.

Dprep prints a scan report.

Examples

    deadpan . | dprep --raw   # live scanning output using raw report

    deadpan -o- . | dprep     # prints report when done

    deadpan -o journal.txt    # create an encrypted  journal
    dprep journal.txt         # print a report from the journal

where on Linux you might consider to prefix deadpan and dprep with “./”.

Options Overview

Try the help option --help for either command dprep or deadpan.

Deadpan comes with flexible scan mode strategies (isolated PANs, Magnetic Track data) and file walker object decoders, try:

    deadpan --scanmode=?
    deadpan --policy=?

for more information on search mode and file walker policies. As for the latter there is currently support for reading ZIP file (incl. DOCX, JAR etc.) as well as ignoring binaries, graphics and media.

The standard PAN report facility (dprep without option) is a simple report sorted by file objects and then PANs as a secondary index.

The raw report facility (with: dprep --raw) of the report dprep extractor provides a convenient way for further data processing. The raw mode reveals the full journal. Each journal line starts with a character key followed by some text. The keys have the following meaning:

     > time stamp
     * extended file/object system path
     + PAN, location/seek address, context details etc.
     = file object summary (#findings, deflate factor etc.)
     ! error messages
     ? other messages
     % SPACE <mode> SPACE <digest>

Example

     deadpan . | dprep --raw | awk '$1=="*"{print $2}'     # on Linux/Cygwin/Posix
     deadpan . | dprep --raw | awk "$1=="""*"""{print $2}" # on Windows

prints all path names from the journal.

Future development

There will be a NTFS file system walker which allows to read Windows backup files and deleted file fragments (and hidden streams). This allows to read the Windows file system partition directly (no locked files).

There is a MBR decoder available already for decoding the partition table. Combined with an NTFS decoder the whole disk can be easily life scanned.

I have written such read-only decoders (or drivers) for other systems and other programming languages for

   NTFS   --   Windows file system (allows for reading locked files)
PST/OST -- Windows Outlook
Tar   -- Posix tape archive
ESE/Exchange -- Extensible storage engine for Windows Exchange

so it is not rocket science (but takes a while).

There will probably be more built in reports.

back to top