User Manual

The CyberTrap DocTracker service enables you to locate documents wherever they are openend in an office suite or document reader. The documents need to be equipped with a beacon which is done on the DocTracker server.

The service can be used on fake documents which are stored on a CyberTrap Decoy system, e.g. with a filesharing service like SMB or NFS. If an adversary steals those artificial documents and passes them on to his client and the latter opens it, then his public IP address will be sent to the DocTracker server along with other information. This way you can geo-localise where the documents ended up. Of course you can also use real (e.g. confidential) documents with the DocTracker service.

This User Manual describes how to add a beacon to a document and how to see where it was opened – the geo-localisation based on the public IP address.

The DocTracker components

DocTracker consists of several components which are described one by one here:

DocTracker Server: This central component offers two web-based frontends (BUI).

DocTracker Beacon: When opening the document an http or smb ping is sent to the sensor using the standard ports of each protocol. This is called the beacon. It is added to the document by the server.

DocTracker Sensor: The service to listen for the beacons (http and smb pings) is realised by the Sensor. Once it arrives it passes the information on to the Server (which in turn does the alerting and the geo-localisation).

DocTracker User Frontend: Listening on the standard http port 80 this BUI is for the users to add the Beacon to documents, track and geo-localise them.

Supported Document Types and Readers

pdf: Adobe Reader, Foxit Viewer, Nitro PDF Viewer, Google Chrome, Internet Explorer

Microsoft Office Word (docx), Excel (xlsx) and PowerPoint (pptx). It is important to force the user disabling the protected view to trigger a callback when opening a MS Office document on Windows!

html: Firefox, Chrome, Edge, Internet Explorer

Workflow

First a beacon needs to be added to a document. This is done by uploading the document to the DocTracker server. Afterwards it can be downloaded from there and placed e.g. on a CyberTrap Decoy system. Then the DocTracker user has to wait until he is notified that the document was opened somewhere on the internet. These are the steps in detail:

In order to add a beacon to a document a DocTracker user first needs to log in into the DocTracker User Frontend https://admin.doctracker.net
The user will find a list of documents that already have been uploaded (if any – the example screenshot below holds one uploaded document):


 

At the bottom of the page there is a button Start tracking. When clicking it a dialog window is opened where document or folder tracking can be selected. Afterwards an object can be uploaded and options selected. The Document Tracking dialog looks like this:

 

 

Under Embedded Sensors you can select up to two sensors that have been created in the DocTracker Admin Frontend under Responders. With Callback Protocols you can choose between http or smb (or both) to send the ping. In Assigned Whitelists you can specify systems on which the opening of a document should not generate an alarm.

Once a document has been uploaded the sensor is automatically attached. The frontend will show it like this:

 

 

The “Active” icon shows that the corresponding sensor is up and running, listening for signals from the beacon stored in the document. Yet there are not any, so the “Hits” column is set to 0. With the Edit button next to it the Whitelist can be edited. Then there is the Download button where the sensor equipped document can be downloaded (and e.g. placed on a CyberTrap Decoy). And with the Delete button the document can be deleted from the DocTracker server and stops the tracing of the document.

After a document has been uploaded, a sensor attached and then downloaded it can be stored in a filesystem of a computer or storage system. Then you need to wait until the document has been leaked. In that case you can get informed via email once the document gets a hit – the document is opened somewhere. The DocTracker administrator can enable this for the users individually; please see the DocTracker Installation Manual for that.

Note: The downloaded file will be compressed as a .zip-file.
7zip should be used to extract the file from the zip, otherwise the file will be marked with MoTW ( mark-of-the-web), which disables the functionality and no alarm will be triggered!

If notification for hit events has been configured you want to see when and where documents or ZIP files have been opened upon receiving the notification email. Log into the DocTracker User Frontend to see the list of all documents created. One column is names “Hits” and counts the number of alerts generated by a document. Each document has a drop-down arrow to inspect the details of the hits or alerts; upon expanding it you will see the timestamp and the public IP address. Plus there is an (Info) button which displays the client software used to open the document and a link to www.whois.com to get more information about the IP address.

Any DocTracker admin user can setup a variety of options under Account Settings.

 

Configurations are available in the Account Menu. Following settings may be changed:

  • Changing password
  • Change Userinterface to “Dark Mode”
  • Defining Whitelists: if documents are opened inside the scope of a whitelist, then no alert will be triggered. May be used for allowing internal users to open tagged documents. (i.e. internal IP range)
  • check availability of sensors
  • Creating an Upload Link to speedup the upload of multiple documents