Name of tool: Sam Spade 1.14
Company name: Steve Atkins
Platforms supported: Windows (95 and above) Strom-meter:
**** = Very cool, very useful
The ability to investigate users through the tracks they leave around the Internet has never been easier.
Very easy to setup and use
A wide variety of network query tools at your fingertips
Software hasn't been updated for several years
Your network is under attack. Someone is scanning your servers and you want to find out more about them. But you have a problem: All you know is the IP address that the attack is coming from, or perhaps a domain name. You want to know who owns that particular IP address, what path they took to get to your network and the location of their name server. To whom do you send a complaint? True, there are a number of tools available to track down the identities of hackers and attackers, and some are included in various versions of Windows and Unix. But it would be nice to have a collection of them in one place so that your job is made easier. You need Sam Spade.
The tool, named after the famous Bogart detective character, is precisely that: a network detective agency. It is fast, it is lean and mean, and it does the job. I recently saw the tool on an analyst's workstation at Symantec's security operations center. With the millions of dollars' worth of tools and equipment this company has deployed, it is nice to know that a freeware utility has its place and can still be useful for tracking down intruders.
So, what is included in the package? There are utilities for pinging an address, either by name or by numerical IP address. There is a graphical version of traceroute that is faster and more fun than the command-line versions that come with Windows and Unix. There is a WHOIS query tool that very quickly finds who owns a particular domain name, and there is another tool that can tell you who owns a particular block of IP addresses. You can examine the HTML coding of any particular Web page, including how the Web server sets cookies on your browser and what version of software is running on the server itself. You can check to see if a particular domain is listed on the Real Time Blackhole Spam lists or if a particular domain has an actual "abuse" e-mail address. There are other tools to scan IP address ranges, crawl Web sites, harvest e-mail addresses and more. It is designed to work easily and simply, including a nice click and paste feature where you can click on particular information in one window and have it automatically copied into another working window as you proceed to track things down.Sam Spade is one of those tools that the more you use it, the more uses you discover for it. All of its component tools together represent one of the most comprehensive collections of utilities that a network administrator would use to track down a hacker or a spammer. Call it self-defense. Call it self-preservation. Sure, this kind of detective work takes time, but it is indispensable if you want to keep your networks healthy and free from attackers. There are even short -- and sometimes humorous -- tutorials on how to use all of these tools incorporated into the help screens of the software. And if you prefer not to or can't download the software, you can go to the samspade.org home page and perform most of these analyses directly by typing in information on a Web form. Sam Spade is a great product. My only complaint is that the current version is somewhat old (1999) and development appears to have been halted for several years. It is a minor beef, however, on an otherwise fine and useful product.
**** = Very cool, very useful
*** = Hey, not bad. One notch below very cool
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value.
About the author
David Strom is the technology editor for VARBusiness magazine. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant and corporate IT manager. Since 1995 he has written a weekly series of essays on Web technologies and marketing called Web Informant. You can send him e-mail at firstname.lastname@example.org.
For more information on this topic, visit these other resources:
- Web Security Tip: Computer forensics: Tracking an offender
- News & Analysis: Veteran sleuth on cutting edge of cybercrime investigation
- Expert Advice: Certifications in computer forensics
This was first published in May 2003