EVALUATION

The remote agent (ISeekDiscovery) is free to distribute and use. However, it requires a configuration file containing its instructions, and its results are stored in an encrypted container – both of which require the functionality of other ISeek applications (ISeekDesigner and ISeekExplorer respectively).

For demonstration purposes we are providing several configuration files designed to fit different use cases. These use cases are:

  • Locating ‘hidden’ executable code in email attachments

  • Collecting and processing Windows Registry hives

  • Searching for IBANs located in files and email

  • Searching for complex strings

  • Searching for foreign language terms


In the case of locating ‘hidden’ executables, the Enron data set (which is in the public domain) can be used for the test data. Alternatively, we have provided a subset of the Enron files here: linktoenronfiles


Sample IBAN numbers are generally available on the internet. The following terms can be copied and seeded into your own test data set; for the foreign-language terms you can alternatively use the international data set from https://edrm.net/download/21304/:


Complex string:

2-(14-hydroxypentadecyl)-4-methyl-5-oxo-2,5-dihydrofuran-3-carboxylic acid


Foreign language strings:

モデム接続できません - Japanese

팀 운영에 대하여 - Korean

команды - Russian

Anfänger - German

Αντικαταστήστε - Greek

目录创建以下文件(原始文件会自动备份) - Chinese

שלום כולם - Hebrew


Using ISeekDiscovery

Normally ISeekDiscovery will run in ‘covert’ mode and be invisible to the user. For the purposes of testing, the configuration files we have provided will put ISeekDiscovery into Workstation Mode which will enable you to manually select the folders containing the data you wish to search (which could be a whole drive). NOTE: ISeekDiscovery will process Apple or Linux volumes if mounted using an appropriate utility, such as those provided by Paragon Software.

For the testing, rather than using ISeekExplorer to open the encrypted file container, we have enabled the basic audit function. This function creates a plain text file containing a summary of the results, so for the search term tests you will be able to confirm that the correct number of hits was identified.

Testing

Step 1 – Copy the ISeekDiscovery executable into the directory where you want the results to be stored. This can be a local drive, an attached USB drive or a network location.

Step 2 – Extract the configuration files into the same directory as ISeekDiscovery.

Step 3 – Create a copy of the configuration file you wish to use and rename it to iseek.config.

Step 4 – Right-click on the ISeekDiscovery executable and select ‘Run as Administrator’ (required for Workstation Mode only).

Step 5 – When ISeekDiscovery loads, click on ‘Add New Search Path’ (1 in the picture below) and select the folder containing the test data (alternatively, you can select one of the drive letters to search the entire drive).

[Screenshot of the ISeekDiscovery Workstation Mode window: callout 1 marks ‘Add New Search Path’, callout 2 marks ‘Start Search/Capture’]

Step 6 – With the search path selected, click on ‘Start Search/Capture’ (2 in the diagram) and ISeekDiscovery will begin the process.

Step 7 – When ISeekDiscovery has finished it will display a message box – click on OK to close the box.

Step 8 – Go to the folder where the ISeekDiscovery executable is located, and you will find a new folder named ‘Results’. Open this folder and locate the text file whose name ends in Log-isk.txt (or the most recent text file if you have made several collections).

Step 9 – You can now view the time it took ISeekDiscovery to run, how much data it searched and the number of files it collected.
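Before running the search-term tests it helps to know independently how many hits the seeded terms should produce, so the figure in the Log-isk.txt audit summary can be checked against a ground truth. The following Python script is an added example, not ISeek's own code: it assumes the test files are available as raw bytes, tolerates the UTF-8, UTF-16 and cp1252 encodings a Windows data set may mix, and reports both the number of files containing each term and the total occurrences, since the page does not say which of the two the audit summary counts.

```python
import codecs
import unicodedata

# Search terms as given on the page: the complex string and the foreign-language terms.
SEARCH_TERMS = [
    "2-(14-hydroxypentadecyl)-4-methyl-5-oxo-2,5-dihydrofuran-3-carboxylic acid",
    "モデム接続できません",            # Japanese
    "팀 운영에 대하여",                # Korean
    "команды",                         # Russian
    "Anfänger",                        # German
    "Αντικαταστήστε",                  # Greek
    "目录创建以下文件(原始文件会自动备份)",  # Chinese
    "שלום כולם",                       # Hebrew
]

def decode_bytes(data: bytes) -> str:
    """Decode one test file and NFC-normalise it so composed and decomposed forms
    of the same accented letter compare equal. UTF-16 is only assumed when a BOM
    is present: BOM-less bytes would otherwise decode as meaningless UTF-16."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = data.decode("utf-16")
    else:
        try:
            text = data.decode("utf-8-sig")
        except UnicodeDecodeError:
            text = data.decode("cp1252", errors="replace")  # legacy Windows fallback
    return unicodedata.normalize("NFC", text)

def count_hits(files: dict[str, bytes], terms=SEARCH_TERMS) -> dict[str, tuple[int, int]]:
    """Return {term: (files containing the term, total occurrences)}; compare the
    relevant figure with the hit count reported in the Log-isk.txt audit summary."""
    tally = {t: [0, 0] for t in terms}
    for data in files.values():
        text = decode_bytes(data)
        for term in terms:
            n = text.count(unicodedata.normalize("NFC", term))
            if n:
                tally[term][0] += 1
                tally[term][1] += n
    return {t: (f, o) for t, (f, o) in tally.items()}

def build_sample_files() -> dict[str, bytes]:
    """Constructed sample data (not Enron or EDRM files) covering encodings a Windows
    collection is likely to mix: UTF-8, UTF-16 with BOM, NFD-decomposed text, cp1252."""
    return {
        "notes.txt": "Anfänger twice: Anfänger. 팀 운영에 대하여\n".encode("utf-8"),
        "chem.txt": f"Compound: {SEARCH_TERMS[0]}\nкоманды\n".encode("utf-16"),
        "decomposed.txt": unicodedata.normalize("NFD", "Anfänger").encode("utf-8"),
        "legacy.txt": "Anfänger".encode("cp1252"),
    }

if __name__ == "__main__":
    for term, (nfiles, total) in count_hits(build_sample_files()).items():
        print(f"{nfiles} file(s), {total} occurrence(s): {term}")
```

To use it against your real test data, replace build_sample_files() with a dictionary built by reading each seeded file in binary mode.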


Downloads

The ISeekDiscovery agent can be downloaded here:    

A zip file containing the configuration files can be downloaded here:
