Looking for Private Data with the Simple Search Expert

Guest Blog by Michael Hawker

A little earlier, we talked about the new Expert system available in Network Monitor 3.3. With our release on the horizon, we wanted to give you a little more insight into the usefulness of Experts and what they can do.

Presently, we only have the Simple Search Expert available, but more will be coming with our release. Simple Search lets you search within frames for ASCII-like strings, using either a direct case-insensitive search or a regular expression. It can also search within the comment text of frames.

Simple Search provides a quick way to find what you’re looking for within a capture file without the need for filtering. The regular expression power also adds another level of depth not previously available to Network Monitor users. Let’s talk about how these features can help you.

Be sure to download the Network Monitor 3.3 Beta from Microsoft Connect as well as the NmSimpleSearch Expert.

Data Exfiltration

Data Exfiltration is all about your personal data security. Is your personal information leaving your computer without your knowledge? Maybe you thought it was secure. The Simple Search Expert can help you find out.

Imagine you are a concerned online shopper, or maybe you’re a website developer testing a new website. In either case, you want to know whether your information is being securely transferred from your PC to the website’s server. If the information is sent in the clear, anyone along the way could intercept it.

Bring up Network Monitor and your favorite web browser and search engine. Start capturing in Network Monitor and search for “myname@iwantyourdata.com”. Stop your capture and save it to a file. You can then use the start page to quickly open your saved capture. Now launch Simple Search from the Experts menu. You can also launch Experts from the right-click menu in the Frame Summary view:

[Image: MenuExample]

Some Experts take the frame you right-clicked on as input. Simple Search doesn’t use that information, but each Expert should document whether it does or not.

Now, we can use the Simple Search Expert to see if our e-mail address was transferred in plain text over the internet. We can either type our e-mail address into the search box, or use the Common Regex menu and select E-mail Address:

[Image: SSMenu]

This option will give us what looks like gobbledygook, but is in fact a complex regular expression for recognizing e-mail addresses. When we hit the search button, Simple Search will search through the file, tell us how many instances of an e-mail address it found, and select the matching frame in Network Monitor.

You can click on the Hex Details button in Simple Search to display where the string was found in the data packet:

[Image: SSHex]

Now, you can use this technique to check your favorite online shopping sites to see if they transmit your e-mail address unencrypted when you log in.
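The same search, scripted: this is an added example (not code from Network Monitor or the NmSimpleSearch Expert) that runs a case-insensitive literal or regex search over constructed sample frames and prints a hex/ASCII line around each hit, in the spirit of the Hex Details view. The frames, the simplified e-mail pattern, and the optional percent-decoding step are all assumptions made here; the decoding step exists because a web form encodes “@” as “%40”, so a raw search for an address can miss it.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample frames (application payloads only, no link or IP headers) that
# stand in for a saved capture. Frame 2 carries an address in the clear; frame 3
# carries one that a web form has percent-encoded, which a raw search would miss.
SAMPLE_FRAMES = [
    b"GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b'{"email":"MyName@iwantyourdata.com","remember":true}',
    b"POST /login HTTP/1.1\r\n\r\nuser=myname%40iwantyourdata.com&pw=hunter2",
    b"\x16\x03\x01\x00\x50\x01\x00\x00\x4c\x03\x03",  # TLS record fragment: nothing readable
]

# Deliberately simple e-mail pattern (an assumption; the Expert's "Common Regex"
# entry is more elaborate). It is a bytes pattern so binary frames can be scanned.
EMAIL_RE = rb"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}"


def frame_view(frame, decode_url):
    """The bytes actually searched: raw, or percent-decoded so %40 becomes '@'."""
    return unquote_to_bytes(frame) if decode_url else frame


def search_frames(frames, pattern, use_regex=True, decode_url=False):
    """Return (frame_number, offset, matched_text) for every hit; frame numbers are 1-based.

    Like Simple Search: a case-insensitive literal (use_regex=False) or a regular
    expression over each frame's bytes. Offsets refer to the view that was searched.
    """
    compiled = re.compile(pattern if use_regex else re.escape(pattern), re.IGNORECASE)
    hits = []
    for number, frame in enumerate(frames, start=1):
        for m in compiled.finditer(frame_view(frame, decode_url)):
            hits.append((number, m.start(), m.group().decode("latin-1")))
    return hits


def hex_details(data, offset, length, context=8):
    """One hex/ASCII line around a hit, in the spirit of the Expert's Hex Details view."""
    start = max(0, offset - context)
    chunk = data[start:offset + length + context]
    hex_part = " ".join(f"{b:02x}" for b in chunk)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{start:08x}  {hex_part}  {ascii_part}"


if __name__ == "__main__":
    for decode in (False, True):
        print(f"-- percent-decoding {'on' if decode else 'off'} --")
        for num, off, text in search_frames(SAMPLE_FRAMES, EMAIL_RE, decode_url=decode):
            print(f"frame {num} offset {off}: {text}")
            print("   ", hex_details(frame_view(SAMPLE_FRAMES[num - 1], decode), off, len(text)))
```

With decoding off only frame 2 is reported; with it on, frame 3 is reported as well, which is why a search that finds nothing is not yet proof that the data went out encrypted.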