Security Basics mailing list archives

RE: Hard Drive Intergrety Status


From: "dave kleiman" <dave () isecureu com>
Date: Wed, 28 Sep 2005 20:57:33 -0400

Nico,

Are these workstations?
If yes do they get rebooted?
There are quite a few file changes on a reboot of NT system.

If you download Log Parser from MSFT you could do either of the following:

LogParser "SELECT Path, HASHMD5_FILE(Path) INTO Hashes.csv FROM C:\*.*" -i:FS -recurse:0 -preserveLastAccTime:ON -o:CSV
(NOTE: recurse is the number of directory levels you want the results from; -1 is no
limit, and preserveLastAccTime keeps you from changing the files)


Now if you kept a copy of all the files you could do a hash match of the files
with something like this.


LogParser "SELECT HASHMD5_FILE(Path) AS Hash, COUNT(*) AS NumberOfCopies INTO CompareHashes.csv FROM C:\*.* GROUP BY Hash HAVING NumberOfCopies > 1" -i:FS -recurse:1 -preserveLastAccTime:ON -o:CSV

But many files will be changing on your systems all the time; not sure if
this will help, but you asked for a way to MD5 sum the files.

Regards,


__________________________________________________
Dave Kleiman, CAS,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

www.SecurityBreachResponse.com
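The baseline-and-compare approach Dave describes (hash every file once, hash again later, report what differs, and keep the access times untouched while doing it) as an added Python example; this is not code from the thread or from Log Parser, and it assumes only a Python 3 interpreter with read access to the tree. The directory contents, file names and the ignore patterns for files that churn on every NT reboot are constructed for the example; MD5 is used to match the thread, with the algorithm left configurable:

```python
"""Baseline-and-compare file integrity check, per-file MD5 like the Log Parser
queries above. Added illustration, not part of the original thread."""
import fnmatch
import hashlib
import os
import tempfile

# Constructed example: names that legitimately change on every boot or logon
# and would otherwise fill the report with noise (Dave's point about NT reboots).
DEFAULT_IGNORE = ("*.log", "*.tmp", "pagefile.sys")


def hash_file(path, algo="md5", chunk=65536):
    """Hash one file in chunks, then put its last-access time back, the way
    -preserveLastAccTime:ON does in Log Parser, so the scan itself does not
    disturb timestamps a later investigation may rely on."""
    st = os.stat(path)
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return h.hexdigest()


def snapshot(root, ignore=DEFAULT_IGNORE, algo="md5"):
    """Walk `root` and return {relative_path: hexdigest} for every regular
    file whose name does not match an ignore pattern."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(fnmatch.fnmatch(name, pat) for pat in ignore):
                continue
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full, algo)
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots; any non-empty list is something to report
    back to the server."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo():
    """Build a constructed directory tree, take a baseline, then apply three
    kinds of change (a new file, an edited binary, a deleted file) plus one
    expected, noisy change (a rewritten log) and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "winnt", "system32"))
        files = {  # constructed sample content
            "winnt/system32/kernel32.dll": b"constructed dll bytes",
            "winnt/system32/cmd.exe": b"constructed exe bytes",
            "winnt/system.log": b"boot 1",
            "autoexec.bat": b"@echo off",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = snapshot(root)

        # Changes after the baseline was taken.
        with open(os.path.join(root, "winnt", "system32", "unknown.exe"), "wb") as f:
            f.write(b"constructed new binary")          # added: should be reported
        with open(os.path.join(root, "winnt", "system32", "cmd.exe"), "wb") as f:
            f.write(b"constructed exe bytes, patched")  # modified: should be reported
        os.remove(os.path.join(root, "autoexec.bat"))   # removed: should be reported
        with open(os.path.join(root, "winnt", "system.log"), "wb") as f:
            f.write(b"boot 2")                          # matches *.log: ignored
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline dictionary would be written out once per workstation (the equivalent of Dave's Hashes.csv) and stored on the server, so the comparison runs against a copy the workstation cannot rewrite; the ignore list is where the reboot noise Dave warns about gets tuned out, and it should be kept short and reviewed, since every pattern in it is a place a change goes unreported.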
-----Original Message-----
From: Nicolas Kramer [mailto:nicolaskf () gmail com]
Sent: Wednesday, September 28, 2005 12:28
To: security-basics () securityfocus com
Subject: Hard Drive Intergrety Status

Can anyone help me with an application or method that can
succeed in the following task.

Check about 60 computers on a LAN, all in the same workgroup, the local C:
hard disk for changes. And if any changes are found (as minimal as
possible, like a new folder or new suspicious files or
something) they should be reported to the server.

All the local hdd are almost exactly the same if not exactly the same.
Server is running win2003 and the clients are all WinNT

Any idea how I can accomplish this task? (maybe like an MD5 sum
or something in that way (though md5 is for files) or an
integrity checker; I heard about it but have no knowledge
about it, and google isn't helping me out atm)

Thank you very much.
Nico

--
Nico