
Thread: System MD5

  1. #1

    System MD5

    I'm setting up a 2-box hobbyist test environment. I am planning on installing some bogus tools that are advertised in pop-ups and whatever else I feel like.

    So far, here is my planned process:

    1. Install Windows and update.
    2.
    3. Launch filemon, regmon, procexpnt, tcpview from a cd | Launch sniffer
    4. Install and use target software
    5. Save logs to usb drive and shutdown.
    6.

    For steps 2 and 6, I'm looking for a bootable tool that will MD5 hash all the files on the drive. So for step 2, I'll hash; for step 6, I'll verify. Then step 6 will tell me which files have been modified.
    I'm looking for some kind of boot disc that will allow me to save to a USB key with those results, because my bootable networking luck hasn't been too hot.

    Step 3, I am looking for possibly better (and free) options to monitor activity.

    Any other ideas / suggestions will be awesome too.
    Thanks

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    Sounds like a fun experiment.

    What you might want to do is an extended tree view or some other recursive directory and file listing and pipe that into some file or another. Beware and play safe by piping onto something on your HDD, since it will take a while to do this and you will get a lot of output. So, do it before and after. Then find a program to compare the two files for differences, and you will know which files are new, along with where they are. (You can't MD5 a file that doesn't exist yet.)

    Code:
    TREE C: /f /a
    
    or
    
    DIR C: /b /s
    You should probably use some regular expressions like [a-zA-Z0-9_.\]$ in a PERL script to put together a list of all of the files that doesn't break every 80 characters (I think piping DIR breaks every 80 chars, not sure), and then put it into a batch script to MD5 all of the files on your test machine from this list. My explanation might not be the best, but just something to consider that could automate it.

    Anyways, I want to see how this goes. I've never even touched those advertised "tools"...and pop-ups? What are those?
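The before/after procedure the two posts above describe (hash every file at step 2, hash again at step 6, and diff the listings so new, deleted and changed files all show up) can be done in one script rather than a batch file built from a DIR listing. The following is an added example, not code from the thread or from any of the tools mentioned in it; it assumes Python is available on whatever you boot from to take the hashes, and the directory layout and the "bogus tool" changes in `demo()` are constructed for illustration. The algorithm name is a parameter and defaults to md5 to match the thread; `"sha256"` works the same way. Whatever the algorithm, the baseline manifest has to live somewhere the software under test cannot reach, which is exactly what the poster's USB key plan gives you.

```python
"""Baseline-and-verify a directory tree: hash every file before the test,
hash again afterward, and diff the two manifests to list added, deleted and
modified files. Example code, not from the original thread."""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large files don't fill RAM


def hash_bytes(data, algo="md5"):
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algo="md5"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="md5"):
    """Map relative path -> hex digest for every regular file under root.
    Paths are stored relative, with forward slashes, so a manifest taken
    from a boot disc (different drive letter or mount point) still compares."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                manifest[rel] = hash_file(full, algo)
            except OSError as e:  # locked/unreadable file: record it, keep going
                manifest[rel] = "ERROR:%s" % e.__class__.__name__
    return manifest


def write_manifest(manifest, path):
    # One "digest  relative/path" line per file, same shape as md5sum output
    with open(path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write("%s  %s\n" % (manifest[rel], rel))


def read_manifest(path):
    manifest = {}
    with open(path, "r", encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def compare(before, after):
    """Return (added, deleted, modified) as sorted lists of relative paths."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, deleted, modified


def demo():
    """Constructed scenario: baseline a tree, 'install' something, verify."""
    root = tempfile.mkdtemp(prefix="sysmd5_")
    try:
        os.makedirs(os.path.join(root, "Windows", "System32"))
        os.makedirs(os.path.join(root, "Program Files"))
        files = {  # constructed sample tree, not real system files
            "Windows/System32/kernel32.dll": b"untouched system file",
            "Windows/System32/hosts": b"127.0.0.1 localhost\n",
            "Program Files/readme.txt": b"hello",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        baseline = os.path.join(root, "..", "sysmd5_baseline.md5")  # keep off the test tree
        write_manifest(build_manifest(root), baseline)  # step 2: hash everything

        # Simulated "bogus tool": drops a DLL, edits hosts, deletes the readme
        with open(os.path.join(root, "Windows", "System32", "bogus.dll"), "wb") as f:
            f.write(b"adware")
        with open(os.path.join(root, "Windows", "System32", "hosts"), "ab") as f:
            f.write(b"1.2.3.4 www.example.com\n")
        os.remove(os.path.join(root, "Program Files", "readme.txt"))

        result = compare(read_manifest(baseline), build_manifest(root))  # step 6: verify
        os.remove(baseline)
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    added, deleted, modified = demo()
    print("added:   ", added)
    print("deleted: ", deleted)
    print("modified:", modified)
```

Run it from the boot environment with the test box's drive mounted, pointing `build_manifest` at the mount point and `write_manifest` at the USB key; the same manifest file can be checked on any other machine with `read_manifest` plus `compare`. Because the manifest stores relative paths, it does not matter that the drive shows up under a different letter or mount point on the boot disc than it does under Windows.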

  3. #3
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Helix..install and use Helix...it's the only way to fly!
    There is also F.I.R.E.

    Helix can be installed on a HDD as well.

    e-fense.com/helix

    or just install autopsy/sleuthkit
    -hog
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Maybe you can use the knoppix cd. I don't know if it's on there but you could use tripwire.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    May I recommend, if you have licences, using VMware or Virtual PC, and using undoable disks.

    Otherwise, you will need to reinstall the machine between tests.

    Slarty

  6. #6
    One other suggestion would be to use the Osiris Host Integrity System. It MD5 hashes whatever directories and file types (.EXE, DLL, etc.) you want and will alert you to changes (adds, deletes, changes to hash, etc.).

    All you do is setup the server/management portion on one box and install the agent on your test machine and add the test machine to the list of hosts to monitor inside the app. I use it at work and it is very nice.

    http://osiris.shmoo.com/
