hacktricks/forensics/basic-forensic-methodology/file-integrity-monitoring.md
Carlos Polop 245b50b5a0 a
2024-02-08 22:36:35 +01:00

3.6 KiB

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Baseline

A baseline consists of taking a snapshot of certain parts of a system to compare it with a future status to highlight changes.

For example, you can calculate and store the hash of each file of the filesystem to be able to find out which files were modified.
This can also be done with the user accounts created, processes running, services running and any other thing that shouldn't change much, or at all.

File Integrity Monitoring

File Integrity Monitoring (FIM) is a critical security technique that protects IT environments and data by tracking changes in files. It involves two key steps:

  1. Baseline Comparison: Establish a baseline using file attributes or cryptographic checksums (like MD5 or SHA-2) for future comparisons to detect modifications.
  2. Real-Time Change Notification: Get instant alerts when files are accessed or altered, typically through OS kernel extensions.

Tools

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: