Security Basics mailing list archives
RE: Detecting File Alteration
From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Tue, 5 Sep 2006 14:57:38 -0400
Jordan Jason wrote:
You could try AIDE. I believe it does mostly the same thing as Tripwire. I've never used it, but in the SANS course I took, they spoke highly of it.

http://sourceforge.net/projects/aide

-----Original Message-----
From: Mister Dookie [mailto:misterdookie () gmail com]
Sent: Thursday, August 31, 2006 11:44 PM
To: security-basics () securityfocus com
Subject: Re: Detecting File Alteration

Tripwire is awfully expensive for a small company... there must be something in the freeware realm or at least something cheaper that accomplishes the same thing as Tripwire.

On 8/31/06, Peter Marshall <petermmarshall () hotmail com> wrote:

Tripwire as well . . .
You can use a manual process. Within Windows, you can drop to a CMD prompt and do a DIR /s >> dir.txt (add switches as desired) of the entire drive. If you are 100% certain of the integrity of the system, then use that file as the baseline. You can run scheduled tasks to complete future DIRs on the drives, then use the FC command to compare your baseline against your current. Anything that shows up will be the discrepancy and may require further investigation.

A twist on this idea is to run the process first on the live system, then again from a bootable CD, like BartPE. Any discrepancies there may be the result of a rootkit and again warrant further investigation. As programs are installed by you, new baselines will be needed.

If this is at all confusing, the procedure is outlined in MS's Strider article here: http://research.microsoft.com/rootkit/

Use similar tools for *nix systems.

JMB.
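The baseline-and-compare procedure described above, written out as an added Python example (this is not code from the original post, nor from AIDE, Tripwire or Strider). It goes slightly beyond a DIR listing: each file is recorded with its size, modification time and a SHA-256 digest, so a change that preserves size and timestamp is still caught, and it includes the cross-view comparison (listing taken on the live system vs. listing taken from a boot CD) that the post uses for rootkit detection. The function names, the listing file format and the command-line usage are my own assumptions.

```python
"""Minimal file-integrity baseline and comparison: snapshot a tree,
save the snapshot as a text listing, and report discrepancies between
a baseline and a later snapshot. Added example, not the thread's code."""
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    size: int
    mtime_ns: int
    sha256: str


def _digest(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Walk `root` and record size, mtime and SHA-256 for every regular file.
    Keys are paths relative to root so listings taken from different mount
    points (live system vs. boot CD) can still be compared."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = Entry(st.st_size, st.st_mtime_ns, _digest(full))
    return entries


def compare(baseline, current):
    """Discrepancies between two snapshots, like FC on two DIR listings but
    keyed on content hashes: added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p].sha256 != current[p].sha256
    )
    return {"added": added, "removed": removed, "modified": modified}


def cross_view_hidden(online, offline):
    """Cross-view check: paths the offline (boot-CD) snapshot sees but the
    live snapshot does not. Files hidden from the running OS show up here;
    files created between the two runs are the expected false positives."""
    return sorted(set(offline) - set(online))


def save_listing(snap, path):
    """Write a snapshot as a stable, sorted text file (assumed format) so it
    can be kept as the baseline or diffed with FC/diff by hand."""
    with open(path, "w", encoding="utf-8") as f:
        for rel in sorted(snap):
            e = snap[rel]
            f.write(f"{e.sha256}  {e.size}  {e.mtime_ns}  {rel}\n")


def load_listing(path):
    """Read a listing written by save_listing back into a snapshot dict."""
    snap = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            sha, size, mtime, rel = line.rstrip("\n").split("  ", 3)
            snap[rel] = Entry(int(size), int(mtime), sha)
    return snap


if __name__ == "__main__":
    import sys
    # usage: python integrity.py ROOT BASELINE.txt (creates baseline if absent)
    root, listing = sys.argv[1], sys.argv[2]
    current = snapshot(root)
    if not os.path.exists(listing):
        save_listing(current, listing)
        print(f"baseline written to {listing} ({len(current)} files)")
    else:
        for kind, paths in compare(load_listing(listing), current).items():
            for p in paths:
                print(f"{kind:8} {p}")
```

For the cross-view step, take one listing from the running system, boot the CD, mount the same volume, take a second listing from there, and pass the two snapshots to cross_view_hidden; keep the baseline listing on removable or read-only media so that whatever altered the system cannot also rewrite the reference it is compared against.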
Current thread:
- RE: Detecting File Alteration, (continued)
- RE: Detecting File Alteration Dan Tesch (Sep 05)
- Re: Detecting File Alteration Jon Wallace (Sep 05)
- Re: Detecting File Alteration irado furioso com tudo (Sep 05)
- Re: Detecting File Alteration offset (Sep 05)
- Re: Detecting File Alteration Daniel Cid (Sep 06)
- Re: Detecting File Alteration Mister Dookie (Sep 06)
- Message not available
- Re: Detecting File Alteration Mister Dookie (Sep 08)
- Re: Detecting File Alteration Fósforo (Sep 06)
- RE: Detecting File Alteration Dan Tesch (Sep 05)
- Re: RE: Detecting File Alteration krymson (Sep 05)
- RE: Detecting File Alteration Jordan Jason (Sep 05)
- RE: Detecting File Alteration Beauford, Jason (Sep 05)
- RE: Detecting File Alteration Young, Randy (Sep 05)
- RE: Detecting File Alteration Sorin Petre (Sep 05)
- Re: RE: Detecting File Alteration thomas . jones (Sep 06)
- Re: RE: Detecting File Alteration josh . g . parker (Sep 07)
- RE: Detecting File Alteration Beauford, Jason (Sep 07)