hacktricks/forensics/basic-forensic-methodology/file-integrity-monitoring.md
2024-12-12 11:39:29 +01:00

3.6 KiB

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Baseline

A baseline consists of taking a snapshot of certain parts of a system to compare it with a future status to highlight changes.

For example, you can calculate and store the hash of each file of the filesystem to be able to find out which files were modified.
This can also be done with the user accounts created, processes running, services running and any other thing that shouldn't change much, or at all.

File Integrity Monitoring

File Integrity Monitoring (FIM) is a critical security technique that protects IT environments and data by tracking changes in files. It involves two key steps:

  1. Baseline Comparison: Establish a baseline using file attributes or cryptographic checksums (like MD5 or SHA-2) for future comparisons to detect modifications.
  2. Real-Time Change Notification: Get instant alerts when files are accessed or altered, typically through OS kernel extensions.

Tools

References

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}