IDF - Identity Finder Audit - Universal BETA

Versioning - This is the latest version.

  Version   Title                                          Date
  1         IDF - Identity Finder Audit - Universal BETA   5/13/2015 2:48:37 PM
  2         IDF - Identity Finder Audit - Universal BETA   5/14/2015 8:27:47 AM
  3         IDF - Identity Finder Audit - Universal BETA   5/14/2015 8:29:35 AM
  4         IDF - Identity Finder Audit - Universal BETA   5/14/2015 12:38:53 PM
  5         IDF - Identity Finder Audit - Universal BETA   5/14/2015 12:40:05 PM

Description

This is a work in progress.

This analysis reports on the status of Identity Finder on Windows and Mac endpoints: whether it is installed, which version and default tag it uses, where its program and log folders are, how many scan logs exist, how many of those logs record a completed scan, and when the most recent log was created. The "# of Successful Scans" count depends on finding a completion message inside each IDF_*.log file and may not be accurate in all cases (see the TODOs), but a value much lower than "# of Log Files" should be investigated: it means scans are starting on that endpoint but not finishing.

TODOs

  • Number of results
  • Number of unprotected files
  • Number of unremediated files
  • Avg Scan Time
  • Refine # of Successful Scans (the log parsing can produce false negatives, e.g. when the completion message differs between versions or the log is written in a different encoding)

Property Details

ID: 2994808
Status: Alpha - Code that was just developed
Title: IDF - Identity Finder Audit - Universal BETA
Domain: BESC
Added on: 5/14/2015 12:40:05 PM
Last Modified on: 5/14/2015 12:40:05 PM
Counters: 9742 views / 9 downloads

Properties

IDF Version
Period: 6 hours
Relevance:
    if (windows of operating system) then
        unique values of (
            (it as string as version) of values "DisplayVersion" of keys whose (
                exists value "DisplayName" whose (it as string as lowercase contains "identity finder") of it
            ) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)
        )
    else
        (versions of applications "Identity Finder.app")
defaultTag
Period: 12 hours
Relevance:
    if (windows of operating system) then (
        unique values of (it as string as trimmed string) of values "defaultTag" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Identity Finder\Endpoint Service" of (x64 registries; x32 registries)
    ) else (
        /* Mac: the tag lives in epssettings.xml, on the <Value> line that follows the defaultTag line */
        unique values of (it as trimmed string) of (
            substring before "</Value>" of substring after "<Value>" of next line of it
        ) of lines whose (it contains "defaultTag") of files "epssettings.xml" of folders of folders "/Users/Shared/.identityfinder/Application/"
    )
Program Folder
Period: 12 hours
Relevance:
    if (windows of operating system) then (
        folders (
            (it as string as trimmed string) of values "InstallLocation" of keys whose (
                /* test for the value's existence first: an Uninstall key without a DisplayName would otherwise error out the whole expression */
                exists value "DisplayName" whose (it as string as lowercase contains "identity finder") of it
            ) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)
        )
    ) else (
        folders "/Library/Application Support/Identity Finder"
    )
Log Folders
Period: 12 hours
Relevance:
    (
        /* Mac: shared application logs and per-user logs */
        (folders of folders "Logs" of folders of folders "/Users/Shared/.identityfinder/Application/");
        (folders "Library/Application Support/Identity Finder/Identity Finder Mac Edition/logs" of folders of folders "/Users");
        /* Windows: system search logs and per-user logs */
        (
            (
                (folders "ProgramData\Identity Finder\Logs\SystemSearch" of it);
                (folders "AppData\Local\Identity Finder\logs" of folders of folders "Users" of it)
            ) of folders "C:"
        )
    )
# of Log Files
Period: 12 hours
Relevance:
    number of files whose (name of it ends with ".log" AND name of it starts with "IDF_") of (
        (folders of folders "Logs" of folders of folders "/Users/Shared/.identityfinder/Application/");
        (folders "Library/Application Support/Identity Finder/Identity Finder Mac Edition/logs" of folders of folders "/Users");
        (
            (
                (folders "ProgramData\Identity Finder\Logs\SystemSearch" of it);
                (folders "AppData\Local\Identity Finder\logs" of folders of folders "Users" of it)
            ) of folders "C:"
        )
    )
# of Successful Scans
Period: 12 hours
Relevance:
    number of files whose (
        name of it ends with ".log" AND name of it starts with "IDF_" AND exists contents whose (
            it contains "Search Completed"
            OR it contains "Search function complete"
            /* "Search Completed" as it appears byte-for-byte in a UTF-16LE log (a NUL after every character) */
            OR it contains "S%00e%00a%00r%00c%00h%00 %00C%00o%00m%00p%00l%00e%00t%00e%00d"
        ) of it
    ) of (
        (folders of folders "Logs" of folders of folders "/Users/Shared/.identityfinder/Application/");
        (folders "Library/Application Support/Identity Finder/Identity Finder Mac Edition/logs" of folders of folders "/Users");
        (
            (
                (folders "ProgramData\Identity Finder\Logs\SystemSearch" of it);
                (folders "AppData\Local\Identity Finder\logs" of folders of folders "Users" of it)
            ) of folders "C:"
        )
    )
Creation Date of most recent log file
Period: 6 hours
Relevance:
    maxima of creation times of files whose (name of it ends with ".log" AND name of it starts with "IDF_") of (
        (folders of folders "Logs" of folders of folders "/Users/Shared/.identityfinder/Application/");
        (folders "Library/Application Support/Identity Finder/Identity Finder Mac Edition/logs" of folders of folders "/Users");
        (
            (
                (folders "ProgramData\Identity Finder\Logs\SystemSearch" of it);
                (folders "AppData\Local\Identity Finder\logs" of folders of folders "Users" of it)
            ) of folders "C:"
        )
    )
IDF run in the past 30 days?
Period: 30 minutes
Relevance:
    exists (now - it) whose (it < 30 * day) of maxima of creation times of files whose (name of it ends with ".log" AND name of it starts with "IDF_") of (
        (folders of folders "Logs" of folders of folders "/Users/Shared/.identityfinder/Application/");
        (folders "Library/Application Support/Identity Finder/Identity Finder Mac Edition/logs" of folders of folders "/Users");
        (
            (
                (folders "ProgramData\Identity Finder\Logs\SystemSearch" of it);
                (folders "AppData\Local\Identity Finder\logs" of folders of folders "Users" of it)
            ) of folders "C:"
        )
    )
last 20 lines of all logs
Period: 12 hours
Relevance:
    /* guard: only dump log tails when fewer than 10 IDF_*.log files exist, otherwise report an error instead of flooding the property */
    /* (the guard counts the same files the then-branch reads; counting only logs with a "Search Completed" line would let a host with many incomplete logs through) */
    if (
        10 > number of files whose (name of it ends with ".log" AND name of it starts with "IDF_") of (
            (folders of folders "Logs" of folders of folders "/Users/Shared/.identityfinder/Application/");
            (folders "Library/Application Support/Identity Finder/Identity Finder Mac Edition/logs" of folders of folders "/Users");
            (
                (
                    (folders "ProgramData\Identity Finder\Logs\SystemSearch" of it);
                    (folders "AppData\Local\Identity Finder\logs" of folders of folders "Users" of it)
                ) of folders "C:"
            )
        )
    ) then (
        /* strip NUL and 0xFF bytes so UTF-16 logs read as plain text, then drop blank lines */
        (concatenation of characters whose (it != "%00" AND it != "%FF") of it) whose (it as trimmed string != "")
        of items 1 of (
            /* item 0 of it: number of lines of the file; item 1 of it: the file object */
            item 1 of it, (lines of item 0 of it)
        ) whose (
            /* keep only the last 20 lines of each file: line number > (number of lines - 20) */
            (line number of item 1 of it) > (item 0 of it - 20)
        ) of (
            /* pair each file with its line count */
            it, number of lines of it
        ) of files whose (name of it ends with ".log" AND name of it starts with "IDF_") of (
            (folders of folders "Logs" of folders of folders "/Users/Shared/.identityfinder/Application/");
            (folders "Library/Application Support/Identity Finder/Identity Finder Mac Edition/logs" of folders of folders "/Users");
            (
                (
                    (folders "ProgramData\Identity Finder\Logs\SystemSearch" of it);
                    (folders "AppData\Local\Identity Finder\logs" of folders of folders "Users" of it)
                ) of folders "C:"
            )
        )
    ) else ERROR "too many log files"
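The "# of Successful Scans" and "last 20 lines of all logs" properties both look for a completion message in logs that may be UTF-8 or UTF-16, which is where the false negatives noted in the TODOs come from. The following Python is an added example, not part of this analysis or of Identity Finder: it replicates the byte-oriented "ends with" test the relevance performs on raw lines, puts a decode-first check and tail beside it, and runs both over constructed sample logs (the log lines and their format are made up for illustration; the assumption that "lines of file" splits on LF and drops one trailing CR is also mine).

```python
"""Added example (not from the bigfix.me analysis or Identity Finder):
completion-marker detection and log tail done encoding-aware, next to a
replica of the relevance's raw-byte 'ends with' test, so the edge cases
behind the "false negatives" TODO can be checked offline.
The sample log lines are CONSTRUCTED and do not reproduce real IDF logs."""
import codecs

# Completion markers used by the "# of Successful Scans" relevance.
MARKERS = ("Search Completed", "Search function complete")


def _line_patterns():
    # The relevance guard's two 'ends with' strings: plain ASCII, and the
    # same text with a NUL before/after every character, i.e. the
    # "%00S%00e%00a ... %00d%00" form that matches UTF-16LE bytes.
    return [b"Search Completed", b"\x00" + "Search Completed".encode("utf-16-le")]


def relevance_line_match(log_bytes: bytes) -> bool:
    """Replica of: exists lines whose (it ends with "Search Completed" OR
    it ends with "%00S...%00d%00") of file.
    Assumption: 'lines of file' splits on LF and drops one trailing CR."""
    for raw in log_bytes.split(b"\n"):
        line = raw[:-1] if raw.endswith(b"\r") else raw
        if any(line.endswith(p) for p in _line_patterns()):
            return True
    return False


def decode_log(log_bytes: bytes) -> str:
    """BOM-aware decode (UTF-16 LE/BE, UTF-8 with BOM), a fallback for
    BOM-less UTF-16LE (ASCII byte followed by NUL), else UTF-8."""
    if log_bytes[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        return log_bytes.decode("utf-16")        # the BOM selects byte order
    if log_bytes.startswith(codecs.BOM_UTF8):
        return log_bytes.decode("utf-8-sig")
    if len(log_bytes) >= 2 and log_bytes[0] != 0 and log_bytes[1] == 0:
        return log_bytes.decode("utf-16-le")
    return log_bytes.decode("utf-8", errors="replace")


def scan_completed(log_bytes: bytes) -> bool:
    """Decode first, then match: independent of encoding and line endings."""
    text = decode_log(log_bytes)
    return any(m in text for m in MARKERS)


def tail_lines(log_bytes: bytes, n: int = 20) -> list:
    """Last n non-blank decoded lines (the relevance approximates this by
    stripping %00 and %FF bytes from the raw lines)."""
    lines = [ln.strip("\r") for ln in decode_log(log_bytes).split("\n")]
    return [ln for ln in lines if ln.strip()][-n:]


# Constructed sample log, written out in encodings an endpoint might use.
SAMPLE = ("2015-05-14 08:27:47 Search started",
          "2015-05-14 08:31:02 Scanning C:\\Users\\alice\\Documents",
          "2015-05-14 08:40:11 Search Completed")
LOG_UTF8_LF = ("\n".join(SAMPLE) + "\n").encode("utf-8")
LOG_UTF16LE_LF = codecs.BOM_UTF16_LE + ("\n".join(SAMPLE) + "\n").encode("utf-16-le")
LOG_UTF16LE_CRLF = codecs.BOM_UTF16_LE + ("\r\n".join(SAMPLE) + "\r\n").encode("utf-16-le")
LOG_IN_PROGRESS = ("\n".join(SAMPLE[:2]) + "\n").encode("utf-8")   # no completion line yet


def compare():
    """(raw-byte 'ends with' result, decode-first result) per sample log."""
    return {name: (relevance_line_match(blob), scan_completed(blob))
            for name, blob in (("utf8_lf", LOG_UTF8_LF),
                               ("utf16le_lf", LOG_UTF16LE_LF),
                               ("utf16le_crlf", LOG_UTF16LE_CRLF),
                               ("in_progress", LOG_IN_PROGRESS))}


if __name__ == "__main__":
    for name, (byte_match, decoded) in compare().items():
        print(f"{name:13s} ends-with-bytes={byte_match!s:5s} decode-first={decoded}")
    print(tail_lines(LOG_UTF16LE_CRLF, 2))
```

The UTF-16LE log with CRLF line endings is the interesting row: split on the LF byte, its last line ends in the NUL that follows the CR rather than in "d%00", so the raw-byte test misses a scan that did complete, while the decoded text matches. The in-progress log is correctly reported as not completed by both, which is the case the description asks you to investigate when "# of Successful Scans" lags "# of Log Files".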

Relevance

IDF exists (Mac or Windows) (Relevance 3002319)
Used in 5 analyses
Relevance:
    (
        /* any Identity Finder program or log folder is present */
        exists (
            (folders "/Library/Application Support/Identity Finder");
            (folders of folders "Logs" of folders of folders "/Users/Shared/.identityfinder/Application/");
            (folders "Library/Application Support/Identity Finder/Identity Finder Mac Edition/logs" of folders of folders "/Users");
            (
                (
                    (folders "ProgramData\Identity Finder\Logs\SystemSearch" of it);
                    (folders "AppData\Local\Identity Finder\logs" of folders of folders "Users" of it)
                ) of folders "C:\"
            )
        )
    ) OR (
        /* Windows only: the endpoint service, the vendor registry keys, or an Uninstall entry */
        if (windows of operating system) then
            (exists service "IDFEndpointService")
            OR (exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\Identity Finder" of registries)
            OR (exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\Identity Finder_UPGBK" of (x64 registries; x32 registries))
            OR (exists keys whose (exists value "DisplayName" whose (it as string as lowercase contains "identity finder") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries))
        else FALSE
    )

Operating system check
Used in 5 analyses
Relevance:
    (windows of operating system) OR (mac of operating system)
