Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: fingerprinting servers--md5deep problem

from [Jerry Shenk] Network Security [Permanent Link]
Subject: RE: fingerprinting servers--md5deep problem
Date: Fri, 8 Apr 2005 10:27:23 -0400 
Have you considered running Tripwire (http://www.tripwire.com/).  It's
designed to run on a "running" machine and even run periodically (daily,
hourly, whatever) and do the comparisons and alert on changes.  In the
config file, you can specify which files should be included and ignored.
It also monitors registry changes.  It does require a fair amount of
tuning since so much stuff changes on a Windows box all the time.

Another possibility is WFT (Windows Forensic Toolkit).  One easy place
to get that is on the Helix Forensic CD
(http://www.e-fense.com/helix/index2.html).  WFT doesn't give you
exactly what you're asking for but it's in the area.  It does (can)
catalog all the files on the drive.  No md5sums though...at least not
for each file in the default WFT run.

-----Original Message-----
From: Jeff Bryner [mailto:jbryner1@yahoo.com] 
Sent: Thursday, April 07, 2005 5:01 PM
To: forensics@securityfocus.com
Subject: Re: fingerprinting servers--md5deep problem


--- Tom Stowell <> wrote:

Booting from a Knoppix CD is a way to work around the immediate
symptom


Should have said in the first post that I'm aware of this option; but
I'm working on live servers that need to stay up. 

I'm less concerned about 'missing' files that are bound to change
(appevent.evt, SAM, pagefile.sys, etc). 

I'm more concerned about getting something, anything that's a snapshot
of the server without being a full image or running tripwire, etc.

Here's what I did: 

find ./ -type f -exec md5sum {} \; > outputfile.txt

Simple. Worked fine, it skipped the 'busy text files' like SAM,
pagefile.sys, etc. 

Anyone know why md5deep can't skip these as well? 



I'm actually working on a related project at the moment:

Your project sounds interesting! It would be nice to see how a server
changes over time. Especially when patching, backing out patches, etc.
I'll look for it on freshmeat ;-) 

Jeff.


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com




-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: fingerprinting servers--md5deep problem, H Carvey
Next by Date:  Re: Destroying filesystems, Brian Carrier
Previous by Thread:  Re: fingerprinting servers--md5deep problem, Jeff Bryner
Next by Thread:  Re: fingerprinting servers--md5deep problem, Jesse Kornblum
Indexes:  [Date] [Thread] [Top] [All Lists]