I'm setting up a 2 box hobbyist test enviroment, I am planning on installing some bogus tools that are advertised in pop ups and whatever else I feel like.
So far, here is my planned process:
1. Install Windows and update.
3. Launch filemon, regmon, procexpnt, tcpview from a cd | Launch sniffer
4. Install and use target software
5. Save logs to usb drive and shutdown.
For steps 2 and 6, I'm looking for a bootable tool that will MD5 hash all the files on the drive. So for step 2, I'll hash, step 6, I'll verify. Then step six will tell me which file have been modified.
I'm looking for some kind of boot disc that will allow me to save to a USB key with those results, because my bootable networking luck hasn't been too hot.
Step 3, I am looking for possibly better (and free) options to monitor activity.
Any other ideas / suggestions will be awesome too.
August 26th, 2004, 07:15 AM
Sounds like a fun experiment.
What you might want to do is do an extended tree view or some other recursive directory and file listing and pipe that into some file or another. Beware and play safe by piping onto something on your HDD, since it will take a while to do this and you will get a lot of output. So, do it before, and after. Then find a program to compare the two files for differences, and you will know which files are new, along with where they are. (You can't MD5 a file that doesn't exist yet :p)
TREE C: /f /a
DIR C: /b /s
You should probably use some regular expressions like [a-zA-Z0-9_.\]$ in a PERL script to put together a list of all of the files that doesn't break every 80 characters (I think piping DIR breaks every 80 chars, not sure), and then put it into a batch script to MD5 all of the files on your test machine from this list. My explanation might not be the best, but just something to consider that could automate it.
Anyways, I want to see how this goes. I've never even touched those advertised "tools"...and pop-ups? What are those? :D
September 16th, 2004, 12:53 AM
Helix..install and use Helix...it's the only way to fly!
There is also F.I.R.E.
Helix can be installed on a HDD as well.
or just install autopsy/sleuthkit
September 16th, 2004, 12:36 PM
Maybe you can use the knoppix cd. I don't know if it's on there but you could use tripwire.
September 16th, 2004, 03:27 PM
May I recommend, if you have licences, using Vmware or virtual PC, and using undoable discs.
Otherwise, you will need to reinstall the machine between tests
September 16th, 2004, 03:54 PM
One other suggestion would be to use Osiris Host Integrity system. It MD5 hashes whatever directorys and file types (.EXE, DLL, etc) you want and will alert you to changes (adds, deletes, chgs to hash, etc).
All you do is setup the server/management portion on one box and install the agent on your test machine and add the test machine to the list of hosts to monitor inside the app. I use it at work and it is very nice.