Enterprise Recon 2.3

Local Storage and Local Memory

This section covers the following topics:

Supported Operating Systems

Local storage and local memory are included by default as available scan locations when adding a new server or workstation Target.

ER2 supports the following operating systems as local storage and local memory scan locations:

Environment (Target Category) Operating System
Microsoft Windows Desktop
(Desktop / Workstation)
  • Windows XP
  • Windows XP Embedded
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10

Looking for a different version of Microsoft Windows?

Microsoft Windows Server
(Server)
  • Windows Server 2003 R2
  • Windows Server 2008/2008 R2
  • Windows Server 2012/2012 R2
  • Windows Server 2016
  • Windows Server 2019

Looking for a different version of Microsoft Windows?

Linux
(Server)
  • CentOS 32-bit/64-bit
  • Debian 32-bit/64-bit
  • Fedora 32-bit/64-bit
  • Red Hat 32-bit/64-bit
  • Slackware 32-bit/64-bit
  • SUSE 32-bit/64-bit
  • Ubuntu 32-bit/64-bit

Looking for a different Linux distribution?

UNIX
(Server)
  • AIX 6.1+
  • FreeBSD 10+ x86
  • FreeBSD 10+ x64
  • HP UX 11.31+ (Intel Itanium) 1
  • Solaris 10+ (Intel x86)
  • Solaris 10+ (SPARC)
macOS 1
(Desktop / Workstation)
  • OS X Mountain Lion 10.8
  • OS X Mavericks 10.9
  • OS X Yosemite 10.10
  • OS X El Capitan 10.11
  • macOS Sierra 10.12
  • macOS High Sierra 10.13
  • macOS Mojave 10.14

1 Does not support scanning of Local Process Memory.

Microsoft Windows Operating Systems

Ground Labs supports and tests ER2 for all Windows versions supported by Microsoft.

Prior versions of Windows may continue to work as expected. However, Ground Labs cannot guarantee support for these versions indefinitely.

Linux Operating Systems

Ground Labs supports and tests ER2 for all Linux distributions listed under Supported Operating Systems. However, other Linux distributions that are not indicated may work as expected.

Licensing

For Sitewide Licenses, all scanned local storage and local memory Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, local storage and local memory Targets require Server & DB Licenses or Client Licenses, and consume data from the Server & DB License or Client License data allowance limit, depending on the Target operating system.

See Target Licenses for more information.

Local Storage

Local Storage refers to disks that are locally mounted on the Target server or workstation. The Target server or workstation must have a Node Agent installed.

You cannot scan a mounted network share as Local Storage.

To scan Local Storage:

  1. From the New Search page, Add Targets.
  2. In the Enter New Target Hostname field, enter the host name of the server or workstation.
  3. Click Test. If the host name is resolved, the Test button changes to a Commit button.
  4. Click Commit.
  5. In Select Types, select Local Storage. You can scan the following types of Local Storage:

    Local Storage Description
    Local Files

    To scan all local files:

    1. Select All local files.
    2. Click Done.

    To scan a specific file or folder:

    1. Click Customise next to All local files.
    2. Enter the file or folder Path and click + Add Customised.

    Local Shadow Volumes

    Windows only

    To scan all local shadow volumes:

    1. Select All local shadow volumes.
    2. Click Done.

    To scan a specific shadow volume:

    1. Click Customise next to All local shadow volumes.
    2. Enter the Shadow volume root and click + Add Customised.

    Local Free Disk Space

    Windows only

    Deleted files may persist on a system's local storage, and can be recovered by data recovery software. ER2 can scan local free disk space for persistent files that contain sensitive data, and flag them for remediation.

    To scan the free disk space on all drives:

    1. Select All local free disk space.
    2. Click Done.

    To scan the free disk space of a specific drive:

    1. Click Customise next to All local free disk space.
    2. Enter the drive letter to scan and click + Add Customised.

    Recommended Least Privilege User Approach

    Data discovery or scanning of data requires read access. Remediation actions that act directly on supported file systems including Delete Permanently, Quarantine, Encryption and Masking require write access in order to change, delete and overwrite data.

    To reduce the risk of data loss or privileged account abuse, the Agent user provided for the intended Target should only be granted read-only access to the exact resources and data that require scanning. Never grant full user access privileges or unrestricted data access to any application if it is not required.

Local Process Memory

During normal operation, your systems, processes store and accumulate data in memory. Scanning Local Process Memory allows you to check it for sensitive data.

To scan local process memory:

  1. From the New Search page, Add Targets.
  2. In the Enter New Target Hostname field, enter the host name of the server or workstation.
  3. Click Test. If the host name is resolved, the Test button changes to a Commit button.
  4. Click Commit.
  5. In Select Types, select Local Memory > All local process memory.
  6. Click Done.

To scan a specific process or process ID (PID):

  1. From the New Search page, Add Targets.
  2. In the Enter New Target Hostname field, enter the host name of the server or workstation.
  3. Click Test. If the host name is resolved, the Test button changes to a Commit button.
  4. Click Commit.
  5. In Select Types, select Local Memory. Next to All local process memory, click Customise.
  6. Enter the process ID or process name in the Process ID or Name field.
  7. Click + Add Customised.

ER2 does not follow or scan symbolic links or junctions. Each symbolic link or junction point that is skipped during a scan will have a log entry in the Scan Trace Log (if enabled).