Sunday 17 November 2013

Document tracking and tracing

Many years ago I was asked if it was possible to track when users opened specific Word documents to figure out if confidential documents were openly being passed around the organisation or even sent out of the business over the Internet...now before you say that this is done and dusted...I'm talking about many years ago...

After playing around I figured out an ugly method and so I wrote a web interface to automate the entire process of building a "phone home" Word document, plus an interface for keeping track of the documents...I wrote the web interface entirely using Perl CGI...yes Perl...eek!

Since way back then there are now online services that offer a service like this for you and they can even track PDFs...

However, after a recent exercise I needed to dig up the ugly Perl application and get it up and running. Looking at the ugly interface, and too ashamed to let anyone else in the office look at it, I decided it was time to redo the application from scratch and this time make it prettier and friendlier and add some extra features...so I went with PHP (not that my PHP skills are that great) since that's all I am playing with at the moment.

So today I introduce to you a simple application that one can use to remotely trace and track when users open specially crafted Word documents, and you can even use the URL to embed into other applications where needed.

Dracker

Dracker is a simple application that is used primarily to remotely track and trace custom Microsoft Word documents when opened by users (so far it works well on MS Word for Windows and Mac...I haven't tested on anything else).

You can use it for the following:
  • Remotely track sensitive documents and keep an eye on where they are being opened
  • Use as a honey pot, store in sensitive shares that should never be opened to see if anyone that shouldn't open it does...
  • Use as a method to find the location of fraudsters and such by sending the phone home documents to them

The entire application is very basic: log in, create a new "document", download the generated Word document, edit it if you want to and save or send it wherever. Once the document is opened up you should receive an email notification informing you of the hit!

Here are some examples of the interface. The image below is the main page, which shows users a list of documents Dracker is listening out for. You can see there is already one document that has been opened:

On the page as shown above users can create new dracks (phone home documents), download newly created tagged documents or delete the entry.

Selecting the "Opened" document, we can drill into some more details with regards to the opened document:

  • Incoming IP Address - Source of the phone home connection
  • Hostname - if it can be resolved at the time of connection
  • Proxy IP - Tries to determine if the Source IP is being proxied
  • Browser - Even MS Word for Windows/Mac has a browser agent header
  • Operating System - Guesses the OS
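
The per-hit fields listed above can be derived from nothing more than the connection's source address and the request headers. The following Python example is added here and is not Dracker's own PHP code; its function names, the internal network ranges and the sample hits are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the organisation's internal ranges; adjust to your own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROXY_HEADERS = ("x-forwarded-for", "forwarded", "via", "x-real-ip")
OFFICE_UA = re.compile(r"ms-office|msoffice|microsoft office", re.I)
OS_PATTERNS = [  # first match wins
    (re.compile(r"Windows NT 10\.0"), "Windows 10/11"),
    (re.compile(r"Windows NT"), "Windows (other)"),
    (re.compile(r"Macintosh|Mac OS X"), "macOS"),
    (re.compile(r"Linux"), "Linux"),
]

def claimed_client_ip(xff):
    """Left-most syntactically valid address in X-Forwarded-For, else None."""
    for part in xff.split(","):
        try:
            return str(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue  # client-supplied header: skip junk, never trust blindly
    return None

def classify_hit(remote_addr, headers):
    """Derive the per-hit fields from the socket address and request headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ua = h.get("user-agent", "")
    proxied = any(name in h for name in PROXY_HEADERS)
    src = ipaddress.ip_address(remote_addr)
    return {
        "source_ip": remote_addr,
        "proxy_ip": remote_addr if proxied else None,
        "claimed_client_ip": claimed_client_ip(h.get("x-forwarded-for", "")),
        "office_client": bool(OFFICE_UA.search(ua)),
        "os_guess": next((n for rx, n in OS_PATTERNS if rx.search(ua)), "Unknown"),
        "opened_internally": any(src in net for net in INTERNAL_NETS),
    }

# Constructed sample hits (not real traffic).
SAMPLE_HITS = [
    ("10.2.3.4", {"User-Agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0; Pro)"}),
    ("203.0.113.7", {"User-Agent": "Microsoft Office Word (Macintosh; Mac OS X)",
                     "Via": "1.1 gateway", "X-Forwarded-For": "junk, 198.51.100.23"}),
]

if __name__ == "__main__":
    for addr, hdrs in SAMPLE_HITS:
        print(classify_hit(addr, hdrs))
```

A hit with `opened_internally` set to false is the case the original question was about: a tagged document being opened outside the organisation.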

Other details include IP address location, by selecting the source IP address...

There is also a configuration section so that you can set up your email sending settings and add users to the application:


This is what a "tagged" Word doc looks like:



And that's really it, pretty basic! I also made the setup really easy too, just copy to an Apache webroot, configure your MySQL credentials...and you're pretty much ready to play.

You can grab yourself a copy of the current stable'ish version at:

https://github.com/syphon1c/dracker/

And be kind, this is really my first release in many years...contribute...modify...or do nothing...if I ever get time on the weekends I may fix stuff or possibly further break stuff (: It's not active development, just something I play with from time to time.