 ccsrch (c) 2007 Mike Beekey - zaphod2718@yahoo.com  All rights reserved

 Version 1.0.3

 This program is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
 Software Foundation; either version 2 of the License, or (at your option)
 any later version.

 This program is distributed in the hope that it will be useful, but WITHOUT
 ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
 more details.

 You should have received a copy of the GNU General Public License along with
 this program; if not, write to the Free Software Foundation, Inc., 59
 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

*******************************************************************************


This README describes the process for searching the filesystems for credit
card numbers.


ccsrch 1.0.3 (c) 2007 zaphod2718@yahoo.com
Usage: ./ccsrch <options> <start path>
  where <options> are:
    -b             Add the byte offset into the file of the number
    -e             Include the Modify, Access and Create times in terms
                   of seconds since the epoch
    -f             Just output the filename with potential PAN data
    -j             Include the Modify, Access and Create times in terms
                   of normal date/time
    -o <filename>  Output the data to the file <filename> vs.
                   standard out
    -t <1 or 2>    Check if the pattern follows either a Track 1
                   or 2 format
    -T             Check for both Track 1 and Track 2 patterns
    -h             This stuff


Examples
---------------

# ccsrch ./                  Generic search for credit card data starting in
                             the current directory with output to screen

# ccsrch -o mycard.log c:\storage
                             Generic search for credit card data starting in
                             c:\storage with output to mycard.log

# ccsrch -t 2 ./             Search for credit card data and check for Track 2
                             data formats with output to screen

# ccsrch -t 2 -o c.log ./    Search for credit card data and check for
                             Track 2 data formats with output to file c.log


Output
---------------

All output is tab delimited with the following order (depending on
the parameters):

Source File  Card Type  Card Number  Byte Offset  Modify Time  Access Time  Create Time  Track Pattern Match


Assumptions
---------------

The following assumptions are made throughout the program searching for the
card numbers:

1. Cards can be a minimum of 14 numbers and up to 16 numbers.
2. Card numbers must be contiguous. The only characters ignored when
   processing the files are carriage returns, new line feeds, and nulls.
3. Files are treated as raw binary objects and processed one character at
   a time.
4. Solo and Switch cards are not processed in the prefix search.
5. Compressed or encoded files are NOT uncompressed or decoded in this version.
   These files should be identified separately and the program run on the
   decompressed or decoded versions.


Prefix Logic
---------------

The following prefixes are used to validate the potential card numbers that
have passed the mod 10 algorithm check.
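The two filters just described, a mod 10 check followed by the length/prefix table given under Logic Checks below, as an added Python illustration that is not ccsrch's own code. The byte-at-a-time scan, the 14 to 16 digit range and the skipping of CR, LF and NUL follow the Assumptions section; the sliding-window candidate selection is an assumption about how candidates are picked, not taken from ccsrch's source, and the sample bytes (including the PANs in them) are constructed test values.

```python
# Added illustration (not ccsrch's code): mod 10 check plus the README's prefix table, applied
# to raw bytes one at a time, skipping only CR, LF and NUL as the Assumptions section states.
PREFIX_TABLE = [  # (card type, valid length, valid prefixes) from the Logic Checks section
    ("MasterCard", 16, ("51", "52", "53", "54", "55")),
    ("VISA", 16, ("4",)),
    ("Discover", 16, ("6011",)),
    ("JCB", 16, ("3088", "3096", "3112", "3158", "3337", "3528", "3529")),
    ("American Express", 15, ("34", "37")),
    ("EnRoute", 15, ("2014", "2149")),
    ("JCB", 15, ("1800", "2131", "3528", "3529")),
    ("Diners Club, Carte Blanche", 14, ("36", "300", "301", "302", "303", "304", "305",
                                        "380", "381", "382", "383", "384", "385", "386", "387", "388")),
]

def luhn_ok(digits):  # mod 10: double every 2nd digit from the right, fold >9, sum must end in 0
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def card_type(digits):  # first table row whose length and prefix match, else None
    for name, length, prefixes in PREFIX_TABLE:
        if len(digits) == length and digits.startswith(prefixes):
            return name
    return None

def scan_bytes(data):  # -> [(byte offset of first digit, card type, number)] per matching window
    hits, run, offsets = [], "", []
    def flush():  # test every 14-16 digit window of the current contiguous digit run (assumption)
        for size in (14, 15, 16):
            for i in range(len(run) - size + 1):
                kind = card_type(window := run[i:i + size])
                if kind and luhn_ok(window):
                    hits.append((offsets[i], kind, window))
    for off, b in enumerate(data):
        if b in (0x0D, 0x0A, 0x00):  # CR, LF and NUL are ignored, even mid-number
            continue
        if 0x30 <= b <= 0x39:  # an ASCII digit extends the current run
            run += chr(b)
            offsets.append(off)
        else:  # any other byte terminates the run
            flush()
            run, offsets = "", []
    flush()  # the run that reaches end of file
    return hits
# Constructed sample "log" bytes: a PAN wrapped across CRLF breaks, one followed by NULs, one
# plain, plus short digit runs (order id, expiry, phone) that must not be reported.
SAMPLE = (b"order=1234 card=4111\r\n1111\r\n11111111 exp=1209\n"
          b"amex:378282246310005\x00\x00 mc:5500000000000004 phone=5551234567\n")
```

Running `scan_bytes(SAMPLE)` reports the three wrapped, NUL-padded and plain numbers with their byte offsets, which is the same information the -b option adds to ccsrch's tab-delimited output.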
Original Sources for Credit Card Prefixes
http://javascript.internet.com/forms/val-credit-card.html
http://www.erikandanna.com/Business/CreditCards/credit_card_authorization.htm


Logic Checks
---------------

Card Type: MasterCard
Valid Length: 16
Valid Prefixes: 51, 52, 53, 54, 55

Card Type: VISA
Valid Length: 16
Valid Prefix: 4

Card Type: Discover
Valid Length: 16
Valid Prefix: 6011

Card Type: JCB
Valid Length: 16
Valid Prefixes: 3088, 3096, 3112, 3158, 3337, 3528, 3529

Card Type: American Express
Valid Length: 15
Valid Prefixes: 34, 37

Card Type: EnRoute
Valid Length: 15
Valid Prefixes: 2014, 2149

Card Type: JCB
Valid Length: 15
Valid Prefixes: 1800, 2131, 3528, 3529

Card Type: Diners Club, Carte Blanche
Valid Length: 14
Valid Prefixes: 36, 300, 301, 302, 303, 304, 305, 380, 381, 382, 383, 384, 385, 386, 387, 388


Known Issues
---------------

One typical observation/complaint is the number of false positives that still
come up. You will need to manually review and remove these. Certain patterns
will repeatedly come up which match all of the criteria for valid cards, but
are clearly bogus. If there are enough cries for help, I may add some
additional sanity checks into the logic such as bank information. In addition,
there are certain system files which clearly should not have cardholder data
in them and can be ignored. There may be an "ignore file list" in a new
release to reduce the amount of stuff to go through; however, this will impact
the speed of the tool.

Note that since this program opens up each file and processes it, the
access time (in epoch seconds) will change. If you are going to do
forensics, one assumes that you have already collected an image following
standard forensic practices and either have already collected and preserved
the MAC times, or are using this tool on a copy of the image.

For the track data search feature, the tool just examines the characters
preceding the valid credit card number and either the delimiter, or the
delimiter and the characters (e.g. expiration date) following the credit
card number. This public release does not perform a full pattern match
using the Track 1 or Track 2 formats.

We have found that some POS software generates log files that not only wrap
across multiple lines, but insert hex representations of the ASCII values of
the PAN data as well. Furthermore, these log files may contain track data.
Remember that the only way that ccsrch will find the PAN data and track data
is if it is contiguous. In certain instances you may luck out because the log
files will contain an entire contiguous PAN and it will get flagged. We would
encourage you to visually examine the files identified for confirmation.
Introducing logic to capture all of the crazy possible storage
representations of PAN and track data we've seen would make this tool a beast.

Please note that ccsrch recurses through the filesystem given a start
directory and will attempt to open any file or object read-only one at a time.
Given that this could be performance or load intensive depending on the
existing load on the system or its configuration, we recommend that you run
the tool on a subset or sample of directories first in order to get an idea
of the potential impact. We disclaim all liability for any performance impact,
outages, or problems ccsrch could cause.


Porting
---------------

This tool has been successfully compiled and run on the following operating
systems: FreeBSD, Linux, SCO 5.0.4-5.0.7, Solaris 8, AIX 4.1.X, Windows 2000,
and Windows XP. If you have any issues getting it to run on any systems,
please contact the author.


Revisions
---------------
1.0.3  Added the ability to just output filenames of potential PAN data.
       Removed the 13 digit VISA number check. Cleaned up some error and
       signal handling that varied across operating systems.

1.0.2  Added some additional track data format assumptions for track 1.

1.0.1  Added options for searching files for track data patterns. Also
       added the ability to select certain output options on the
       command line.

0.9.3  Removed extraneous calls, simplified parameter passing, fixed
       non-portable type issues, removed debugging info.

0.9.1  Initial release.


Contributors
---------------
John A, Kyley S, Anand S, Chris L, Mitch A, Bill L, Phoram M


Last Update 29/08/07