
Spider2008 differs from previous Spiders in several key ways:

One-user/one-cleanup model. That is, Spider2008 is intended to be run by an end user across their own files and revisited periodically as part of a sensitive data cleanup effort.

Files-to-scan approach. To keep performance up and false positives to a minimum, Spider2008 takes a files-to-scan approach, in contrast to its predecessor's files-to-skip approach. That is, without changes to the default configuration, Spider2008 scans only a limited handful of file types likely to contain sensitive data:
o Mailboxes
o Office documents, including OpenOffice, MS Office 2007 and MS Office through 2003
o PDFs
o Some database formats, including FoxPro, Access, FileMaker and most dBase III/IV derivatives
o Compressed archives, including ZIP, gzip and bzip
o HTML
o Legacy formats such as Quattro and Lotus 1-2-3

Tuned regular expressions. The included regular expressions have been consolidated and tuned for better performance. For example, the SSN regular expression assumes a search for both the 3-2-4 and the 9-digit formats, with the former accepting a wide variety of possible delimiters. Note that the bare 9-digit form matches any 9-digit number, so it is the main source of false positives; the remediation options below (ignore as false positive, mark as valid but retained) exist for exactly those hits.

EFS support. Spider2008 can scan EFS-encrypted files, provided the key material is available to the user context in which it runs.

Access-time reset. Spider2008 will also attempt to reset file access times as it scans. This is a convenience function only, not an anti-forensic one: resetting the access time is itself a metadata write (on POSIX file systems it updates the inode change time), so it should not be relied on in an incident response or forensics context without appropriate measures to prevent modification of evidence (a read-only mount or a forensic image).

Stateful scanning. A scan history, including enough configuration information to repeat a scan, is stored in \documents and settings\you\local settings\application data\spider\state. Scan histories are unique with hourly granularity. This means that repeating a scan within an hour implies the need to import the previous scan and resume work. This is done by searching for changed files and giving the user the choice to scan the changed files, scan the files not processed in the last scan, or proceed without a new scan. Scan histories are transparently encrypted by SQLite. The key for this purpose lives alongside Spider2008's installation and should be changed from the distributed key.
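The following is an added example, not Spider2008's own pattern, of what a consolidated SSN regular expression of the kind described above looks like. It covers the 3-2-4 form with a space, hyphen, period or slash as delimiter and the bare 9-digit form in a single pattern, and adds a plausibility filter (area 000, 666 and 900-999, group 00 and serial 0000 have never been issued) to cut false positives. The requirement that both gaps use the same delimiter and the sample text are this example's own choices.

```python
import re

# Added example (not Spider2008's pattern). Group 2 is the delimiter: it may be
# empty (the 9-digit form), a space, period, slash or hyphen, and the
# backreference \2 forces both gaps to use the same one. The lookarounds stop a
# match from starting or ending inside a longer digit run (order numbers,
# phone numbers) or right after another hyphenated group.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([ ./-]?)(\d{2})\2(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA has never issued; cheap false-positive filter."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[tuple[str, str]]:
    """Return (text as matched, normalized 9 digits) for each plausible SSN."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _delim, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append((m.group(0), area + group + serial))
    return hits


# Constructed sample text (made up for this example, not real identifiers).
SAMPLE = (
    "Employee 123-45-6789 is on leave; call 555-123-4567 for cover.\n"
    "Backup ID 123456789, order 123456789012, test record 000-12-3456,\n"
    "also 219 09 9999 and 078.05.1120, plus 123-45 6789 with mixed delimiters."
)

if __name__ == "__main__":
    for raw, digits in find_ssns(SAMPLE):
        print(f"{raw!r} -> {digits}")
```

Run against SAMPLE, the phone number, the 12-digit order number and the mixed-delimiter value are rejected by the pattern itself, and 000-12-3456 is rejected by the plausibility filter; the four remaining hits include the bare 9-digit "backup ID", which shows why that form needs human review.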
This key should be unique per machine, domain, subnet, business unit, or whatever site-specific partitioning is appropriate. Change it before the first scan: a state file written under one key cannot be opened once the key file is swapped.

Web updates and unattended scanning. Spider2008 supports transparent Web updates and unattended scanning. Neither feature has been tested to the degree necessary for this release (Jan 2008), and both are disabled until they're ready.

Remediation. The following remediation convenience features are included in the utility:
o Securely erase or move a file using a DoD 5220.22-M overwrite

o Move the file to the recycle bin
o Ignore the file as a false positive
o Mark the file as having valid hits, but one that must be retained on the system
o Open the file in its native application
o For text files and mailboxes, redact matches individually or in total

A few deployment notes:

Spider State Files: These things end in .ss3 and are SQLite databases. Spider keeps some configuration information inside, as well as the matches and the text surrounding each match. They are sensitive data by virtue of this; handle them as such. Though encrypted, they should be treated with the same care as the original files they reference.

SQLite Encryption: This is handled transparently by Spider2008. The file "entropy" in its install location is the key. Yes, I know there are better key management practices, but until the sensitive data is removed from the machine, the weakness of this design is the least of your worries. Once the cleanup is done, erase the SQLite state files ASAP. One of the obvious implications of this design is that unless you replace that file with one of your own (it doesn't matter what kind or how big; a JPEG is a good choice), anyone with a copy of our distribution can read the state files. Spider will make every effort to remove cached hits from its state database as files are cleaned up through its interface. Still, state files should be considered sensitive and removed when the cleanup effort is done.

Spider Incremental Scanning: Spider assumes any scan repeated within one hour is intended to be the previous scan. That is, it'll import the settings and matches from the scan state file that exists for that hour, search the DB for unscanned files, and search the drive for files that have changed. The only way to change this behavior is to delete the previous state file.
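The stateful scanning described under "Stateful scanning" above and the resume rules in the incremental-scanning note, together with the access-time reset, as one added example. This is illustration code, not Spider's own implementation: the hourly state-file name, the three-table layout, the changed-file test (size plus mtime) and the decision to scan both the changed and the unscanned buckets without prompting are assumptions, and the state database is left unencrypted here. The max_files parameter stands in for a user stopping a scan part way.

```python
import os
import re
import sqlite3
import tempfile
from datetime import datetime
from pathlib import Path

# Added example of Spider2008-style stateful scanning; names, schema and resume
# logic are assumptions for illustration, not Spider's own (encrypted) format.
SCHEMA = """
CREATE TABLE IF NOT EXISTS config(key TEXT PRIMARY KEY, value TEXT);
CREATE TABLE IF NOT EXISTS files(path TEXT PRIMARY KEY, size INTEGER,
                                 mtime_ns INTEGER, scanned INTEGER);
CREATE TABLE IF NOT EXISTS matches(path TEXT, context TEXT);
"""


def state_path(state_dir: Path, when: datetime) -> Path:
    """One state file per clock hour: a rerun inside that hour reopens it."""
    return Path(state_dir) / f"spider_{when:%Y%m%d%H}.ss3"


def read_preserving_atime(path: Path) -> bytes:
    """Read a file, then put its access time back (the convenience reset).
    On POSIX the utime() call itself updates the inode change time (ctime),
    so the read is still visible to forensic tooling: not evidence-safe."""
    st = path.stat()
    data = path.read_bytes()
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return data


def plan_scan(conn, root: Path):
    """Register files on disk and sort them into changed / not-yet-scanned."""
    changed, unscanned = [], []
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        st = p.stat()
        row = conn.execute("SELECT size, mtime_ns, scanned FROM files WHERE path=?",
                           (str(p),)).fetchone()
        if row is None:                       # new since the last scan
            conn.execute("INSERT INTO files VALUES(?,?,?,0)",
                         (str(p), st.st_size, st.st_mtime_ns))
            unscanned.append(p)
        elif (row[0], row[1]) != (st.st_size, st.st_mtime_ns):
            changed.append(p)                 # content changed: rescan it
        elif not row[2]:
            unscanned.append(p)               # known but never processed
    conn.commit()
    return changed, unscanned


def scan_files(conn, paths, pattern, max_files=None):
    """Scan files, storing each hit with 20 chars of context either side.
    Files beyond max_files keep scanned=0, so a later run picks them up."""
    for p in paths[:max_files]:
        st = p.stat()
        text = read_preserving_atime(p).decode("utf-8", "replace")
        conn.execute("DELETE FROM matches WHERE path=?", (str(p),))
        for m in pattern.finditer(text):
            ctx = text[max(0, m.start() - 20):m.end() + 20]
            conn.execute("INSERT INTO matches VALUES(?,?)", (str(p), ctx))
        conn.execute("UPDATE files SET size=?, mtime_ns=?, scanned=1 WHERE path=?",
                     (st.st_size, st.st_mtime_ns, str(p)))
    conn.commit()


def run_scan(root: Path, state_dir: Path, pattern, when: datetime, max_files=None):
    """Open (or resume) this hour's state file and scan whatever is pending."""
    sp = state_path(state_dir, when)
    resumed = sp.exists()
    conn = sqlite3.connect(sp)
    conn.executescript(SCHEMA)
    conn.execute("INSERT OR REPLACE INTO config VALUES('root',?)", (str(root),))
    changed, unscanned = plan_scan(conn, root)
    scan_files(conn, changed + unscanned, pattern, max_files)
    hits = [Path(r[0]).name for r in
            conn.execute("SELECT DISTINCT path FROM matches ORDER BY path")]
    conn.close()
    return {"resumed": resumed, "changed": [p.name for p in changed],
            "unscanned": [p.name for p in unscanned], "hits": hits}


def demo():
    """Constructed scenario: interrupted scan, resume in the same hour, one file
    cleaned up and rescanned, then a fresh state file in the next hour."""
    base = Path(tempfile.mkdtemp())
    root, state = base / "docs", base / "state"
    root.mkdir(); state.mkdir()
    (root / "a.txt").write_text("ssn 123-45-6789 here")
    (root / "b.txt").write_text("nothing sensitive")
    (root / "c.txt").write_text("id 987-65-4321")
    old = 1_000_000_000 * 10**9                 # fixed timestamp to check the reset
    os.utime(root / "c.txt", ns=(old, old))
    pat = re.compile(r"\d{3}-\d{2}-\d{4}")
    runs = [run_scan(root, state, pat, datetime(2008, 1, 15, 10, 5), max_files=2),
            run_scan(root, state, pat, datetime(2008, 1, 15, 10, 40))]
    (root / "a.txt").write_text("redacted")     # user cleaned a.txt up
    runs.append(run_scan(root, state, pat, datetime(2008, 1, 15, 10, 55)))
    runs.append(run_scan(root, state, pat, datetime(2008, 1, 15, 11, 2)))
    return {"runs": runs, "atime_kept": (root / "c.txt").stat().st_atime_ns == old}

if __name__ == "__main__":
    for r in demo()["runs"]:
        print(r)
```

The second run reopens the 10:00 state file and only touches c.txt; the third sees a.txt's size change, rescans it and drops its cached hit; the 11:02 run gets a fresh state file and starts from scratch. Deleting the 10:00 file is the only way to force that from-scratch behaviour inside the hour, which is what the incremental-scanning note says.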
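The "securely erase or move a file" remediation above, as an added example of a DoD 5220.22-M style three-pass overwrite (a fixed byte, its complement, then random data, each pass read back and compared) followed by unlink; the secure move copies first and then erases the source. This is not Spider's code, and the fill bytes, chunk size and the rename-before-unlink step are this example's choices. The usual caveat applies to any in-place overwrite: it only reaches the blocks currently allocated to the file, so copies held in backups, volume shadow copies, journals or remapped SSD blocks are untouched, and the read-back verifies what the OS accepted, not what is physically on the medium.

```python
import hashlib
import os
import secrets
import shutil
import tempfile
from pathlib import Path

CHUNK = 64 * 1024   # assumption: write/verify in 64 KiB pieces


def _overwrite(fh, size: int, fill) -> bytes:
    """One pass over `size` bytes: a fixed byte, or fresh random data if fill
    is None. Returns SHA-256 of what was written, for the read-back check."""
    fh.seek(0)
    h = hashlib.sha256()
    left = size
    while left:
        n = min(CHUNK, left)
        block = secrets.token_bytes(n) if fill is None else fill * n
        fh.write(block)
        h.update(block)
        left -= n
    fh.flush()
    os.fsync(fh.fileno())          # push the pass out of the buffer cache
    return h.digest()


def _readback(fh, size: int) -> bytes:
    """SHA-256 of the file's current content, for comparison with _overwrite."""
    fh.seek(0)
    h = hashlib.sha256()
    left = size
    while left:
        block = fh.read(min(CHUNK, left))
        if not block:
            break
        h.update(block)
        left -= len(block)
    return h.digest()


def secure_erase(path: Path) -> list[bool]:
    """Three verified overwrite passes (0x55, 0xAA, random), then rename to a
    random name and unlink. Returns the per-pass verification results."""
    path = Path(path)
    size = path.stat().st_size
    verified = []
    with open(path, "r+b") as fh:
        for fill in (b"\x55", b"\xaa", None):
            written = _overwrite(fh, size, fill)
            verified.append(_readback(fh, size) == written)
    # Best effort only: hides the original name from a directory listing of
    # freed entries, but the file system may still keep the old name elsewhere.
    anon = path.with_name(secrets.token_hex(8))
    path.replace(anon)
    anon.unlink()
    return verified


def secure_move(src: Path, dst: Path) -> list[bool]:
    """Copy to the destination (metadata included), then erase the source."""
    shutil.copy2(src, dst)
    return secure_erase(src)


def demo() -> dict:
    """Constructed scenario in a temp directory: erase one file, move another."""
    d = Path(tempfile.mkdtemp())
    hits = d / "hits.txt"
    hits.write_bytes(b"SSN 123-45-6789\n" * 5000)   # made-up content
    erased = secure_erase(hits)
    keep = d / "keep.txt"
    keep.write_bytes(b"retain me\n")
    moved = secure_move(keep, d / "moved.txt")
    return {"erased": erased, "hits_gone": not hits.exists(),
            "moved": moved, "src_gone": not keep.exists(),
            "dst": (d / "moved.txt").read_bytes()}

if __name__ == "__main__":
    print(demo())
```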
