hacktricks/forensics/basic-forensic-methodology/file-integrity-monitoring.md
2023-04-07 10:52:01 +02:00

5.2 KiB

☁️ HackTricks Cloud ☁️🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Baseline

A baseline consists of taking a snapshot of certain parts of a system to compare it with a future status to highlight changes.

For example, you can calculate and store the hash of each file of the filesystem to be able to find out which files were modified.
This can also be done with the user accounts created, processes running, services running and any other thing that shouldn't change much, or at all.

File Integrity Monitoring

File integrity monitoring is one of the most powerful techniques used to secure IT infrastructures and business data against a wide variety of both known and unknown threats.
The goal is to generate a baseline of all the files that you want to monitor and then periodically check those files for possible changes (in the content, attribute, metadata, etc.).

1. Baseline comparison, wherein one or more file attributes will be captured or calculated and stored as a baseline that can be compared against in the future. This can be as simple as the time and date of the file, however, since this data can be easily spoofed, a more trustworthy approach is typically used. This may include periodically assessing the cryptographic checksum for a monitored file, (e.g. using the MD5 or SHA-2 hashing algorithm) and then comparing the result to the previously calculated checksum.

2. Real-time change notification, which is typically implemented within or as an extension to the kernel of the operating system that will flag when a file is accessed or modified.

Tools

References

☁️ HackTricks Cloud ☁️🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥