Web Links:
- Latest Binaries: Repository
- About PAN scanner design: Deadpan Tooling or Challenging PAN Scanners
- On developing forensic search tools: Unstructured Search
Basic Idea of a Split Tool Set
This PAN scanner tool set consists of two programmes:
- deadpan: the PAN scanner (a directory walker)
- dprep: a report extractor
```
       deadpan                             dprep
+-----------------+     encrypted     +-----------+
| PAN scanner     |     journal       | Report    |
| creates journal | ----------------> | generator |
+-----------------+                   +-----------+
```
The scanner produces an encrypted journal that can only be decrypted and decoded by the report generator.
deadpan:
Deadpan walks the file system while scanning files for PANs.
Deadpan produces an encrypted scan journal which cannot be decrypted by deadpan itself, because deadpan only holds the public key (for technology details see the crypto repository).
By design, the journals are therefore safe regarding confidentiality of the findings (e.g. PANs, see PCI DSS).
dprep:
Dprep reads the encrypted journal produced by deadpan: it comes with the built-in private key needed to decrypt it.
Dprep prints a scan report.
Examples
```
deadpan . | dprep --raw     # live scanning output using the raw report
deadpan -o- . | dprep       # prints the report when the scan is done
deadpan -o journal.txt      # create an encrypted journal
dprep journal.txt           # print a report from the journal
```
On Linux you may need to prefix deadpan and dprep with "./".
Options Overview
Try the help option --help for either command, dprep or deadpan.
Deadpan comes with flexible scan mode strategies (isolated PANs, magnetic track data) and file walker object decoders; try:
```
deadpan --scanmode=?
deadpan --policy=?
```
for more information on scan modes and file walker policies. As for the latter, there is currently support for reading ZIP files (incl. DOCX, JAR etc.) as well as for ignoring binaries, graphics and media.
The standard PAN report facility (dprep without options) is a simple report sorted by file objects, with PANs as a secondary index.
The raw report facility (dprep --raw) provides a convenient way for further data processing. The raw mode reveals the full journal. Each journal line starts with a one-character key followed by some text. The keys have the following meaning:
- `>` time stamp
- `*` extended file/object system path
- `+` PAN, location/seek address, context details etc.
- `=` file object summary (number of findings, deflate factor etc.)
- `!` error messages
- `?` other messages
- `%` SPACE <mode> SPACE <digest>
Example
```
deadpan . | dprep --raw | awk '$1=="*"{print $2}'        # on Linux/Cygwin/Posix
deadpan . | dprep --raw | awk "$1=="""*"""{print $2}"    # on Windows
```
prints all path names from the journal.
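A further data-processing example in the spirit of the awk one-liner, added here and not part of deadpan or dprep: it groups the `+` findings of a raw journal under the `*` path they belong to and masks each PAN before it is passed on. The one-character keys come from the list above; the layout of the text after a `+` key (PAN, seek address, context) and the sample journal itself are assumptions.

```python
"""Parse a `dprep --raw` journal into per-file findings (added example)."""

# Constructed sample journal, not real scanner output: the PANs are
# well-known test numbers, the paths, offsets and summaries are made up.
SAMPLE_JOURNAL = """\
> 2024-01-01T10:00:00
* /srv/share/invoice.docx/word/document.xml
+ 4111111111111111 0x1a2b customer-record
+ 5500000000000004 0x3c4d embedded-csv
= findings=2 deflate=3.1
* /srv/share/README.txt
= findings=0 deflate=1.0
! /srv/share/locked.pst: permission denied
% sha256 0123abcd
"""

KEYS = ">*+=!?%"  # line keys documented in the README


def mask_pan(pan):
    """Keep the first 6 and last 4 digits (PCI DSS truncation), mask the rest."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_journal(text):
    """Return (findings, errors).

    findings maps each '*' path to the list of (masked PAN, seek address,
    context) tuples taken from the '+' lines following it; errors collects
    the text of '!' lines. The '+' line layout is an assumption.
    """
    findings, errors, current = {}, [], None
    for raw in text.splitlines():
        if not raw or raw[0] not in KEYS:
            continue  # tolerate blank or unknown lines
        key, body = raw[0], raw[1:].strip()
        if key == "*":
            current = body
            findings.setdefault(current, [])
        elif key == "+" and current is not None:
            parts = body.split(None, 2)  # assumed: PAN, seek address, context
            pan = parts[0]
            seek = parts[1] if len(parts) > 1 else ""
            ctx = parts[2] if len(parts) > 2 else ""
            findings[current].append((mask_pan(pan), seek, ctx))
        elif key == "!":
            errors.append(body)
    return findings, errors
```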
Future development
There will be an NTFS file system walker which allows reading Windows backup files and deleted file fragments (and hidden streams). This allows reading the Windows file system partition directly (no locked files).
An MBR decoder for decoding the partition table is available already. Combined with an NTFS decoder, the whole disk can easily be scanned live.
I have written such read-only decoders (or drivers) for other systems and in other programming languages, for
- NTFS: Windows file system (allows for reading locked files)
- PST/OST: Windows Outlook
- Tar: Posix tape archive
- ESE/Exchange: Extensible Storage Engine for Windows Exchange
so it is not rocket science (but takes a while).
There will probably be more built-in reports.