How do I identify if any changes were made

Posted on 2009-07-13
Last Modified: 2012-05-07
Hi All,

According to our change management policy, all changes to production servers should be supported by supporting documents.  I would like to perform a test by looking for files that have been created/changed recently and comparing with supporting documents.  What is the best way of doing this on Windows and Unix servers?  Can I use the create date or modified date?  fyi there is no auditing of changes to files and system objects.

Question by:ISS_Expert
  • 2
  • 2

Accepted Solution

Phateon earned 250 total points
ID: 24869473
For Linux/Unix, there is Tripwire -
AIDE - Advanced Intrusion Detection Environment -

Tripwire is a free software security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.

Tripwire has two versions - Free & Semi-Free. AIDE is based on Tripwire and is free.

For Windows, many open source options:
DirGuard -
Directory Monitor -
BlackWire (Incomplete, based on Tripwire) -
BcwanBlue (Sends alerts to Bluetooth enabled devices) -

Many more. I have used TripWire for Unix & Directory Monitor for Win32.
LVL 61

Assisted Solution

btan earned 250 total points
ID: 24884752
Since you are looking for existence to files existences in compliance to the workflow (and not auditing to file content, etc). Hence, the simple solution is just to set up the baseline and thereafter compare the differences made thereafter. Correlation of workflow and difference automatically is challenging but solution can ease the direct approach - you create your desired profile (identify the storage folders, etc) and the tracking reports are generated on the target with parameters like
- Filename, Date timestamp on creation, User  

You may like to take a look at the below solution:

a) Security Manager Plus 5.3 (Free Edition for windows and Linux, in Security Manager Plus, Change Management of Windows machines is governed by Profiles. Profiles are nothing but custom templates that are defined by users to capture a list of important files, folders and registry entries that need to be periodically tracked for changes during every scan. Change tracking can be done on Assets or Asset Groups. Multiple profiles can be associated to the same asset or asset group.

On the other thoughts, you may also want to monitor folders and sub folders for additional following changes:-
>File/Folder Attributes (read only or write/read - live doc)
>File/Folder Last Write Time (trace back actions)
>File/Folder Security Attributes (encrypt, compressed, specific group can access, etc)

For enterprise level (don't mind $$), check out FileSystemAuditor -

There is a free tool CDirectoryChangeWatcher doing similar - but no scalar

Last words, I see that change management should be automated as much but not forgetting security log collation - various log collation will help (if may server) and looking thru the report to flag any alert. Also having preventing external storage device connecting to server will have better constraint any hiccups to change mgmt....just my two cents.

Hope it helps

Author Comment

ID: 24901463
Thanks guys.  At the moment I am not looking for a solution, but am trying to investigate changes that were made to files on certain servers (IIS web server).  Also, wouldn't enabling the audit object access in windows provide the same result as using a host based IDS?
LVL 61

Expert Comment

ID: 24904077
Check out this this link talking about the possible auditing capability on servers. The key things are that there can be granular tracking for objects, events, access and etc. I will say that the Windows audit serve as baseline as whole platform and the rest of the software will be value add by doing correlation or having more details instead.

For example, in the tools mentioned above it can track specfic target folder/file you want to track but (at least to best knowledge) not for Window Audit whcih tends to be the whole OS. At least searching through will be easier using the 'focused' tools. The Windows will complement to check the other 'non-focused' events for correlation (in investigation like who is the last user that have login and etc).

Overall, they are complementary and good to have both - just like security pitch "defense in depth"


Author Closing Comment

ID: 31602749
Thanks guys.

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Memory Dump Tools for Windows 7 5 1,795
Network Hard Drive Image 2 442
forensics seizure and imaging documentation 4 557
windows 8 files from disc image 5 214
The foremost challenge encountered by an investigator at the very beginning of a forensics investigation is, accessing a file/data to read/view its contents. Owing to the fact, a platform is necessary for both; opening as well as examining any file.…
In this era, as you know, cybercrime and other sorts of frauds using the internet has increased day by day. We should protect our information assets and confidential information from getting exploiting by the attacker or intruders. Most of the fraud…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now