How do I identify if any changes were made

Posted on 2009-07-13
Last Modified: 2012-05-07
Hi All,

According to our change management policy, all changes to production servers should be supported by supporting documents.  I would like to perform a test by looking for files that have been created/changed recently and comparing with supporting documents.  What is the best way of doing this on Windows and Unix servers?  Can I use the create date or modified date?  fyi there is no auditing of changes to files and system objects.

Question by:ISS_Expert
  • 2
  • 2

Accepted Solution

Phateon earned 250 total points
ID: 24869473
For Linux/Unix, there is Tripwire -
AIDE - Advanced Intrusion Detection Environment -

Tripwire is a free software security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.

Tripwire has two versions - Free & Semi-Free. AIDE is based on Tripwire and is free.

For Windows, many open source options:
DirGuard -
Directory Monitor -
BlackWire (Incomplete, based on Tripwire) -
BcwanBlue (Sends alerts to Bluetooth enabled devices) -

Many more. I have used TripWire for Unix & Directory Monitor for Win32.
LVL 62

Assisted Solution

btan earned 250 total points
ID: 24884752
Since you are looking for existence to files existences in compliance to the workflow (and not auditing to file content, etc). Hence, the simple solution is just to set up the baseline and thereafter compare the differences made thereafter. Correlation of workflow and difference automatically is challenging but solution can ease the direct approach - you create your desired profile (identify the storage folders, etc) and the tracking reports are generated on the target with parameters like
- Filename, Date timestamp on creation, User  

You may like to take a look at the below solution:

a) Security Manager Plus 5.3 (Free Edition for windows and Linux, in Security Manager Plus, Change Management of Windows machines is governed by Profiles. Profiles are nothing but custom templates that are defined by users to capture a list of important files, folders and registry entries that need to be periodically tracked for changes during every scan. Change tracking can be done on Assets or Asset Groups. Multiple profiles can be associated to the same asset or asset group.

On the other thoughts, you may also want to monitor folders and sub folders for additional following changes:-
>File/Folder Attributes (read only or write/read - live doc)
>File/Folder Last Write Time (trace back actions)
>File/Folder Security Attributes (encrypt, compressed, specific group can access, etc)

For enterprise level (don't mind $$), check out FileSystemAuditor -

There is a free tool CDirectoryChangeWatcher doing similar - but no scalar

Last words, I see that change management should be automated as much but not forgetting security log collation - various log collation will help (if may server) and looking thru the report to flag any alert. Also having preventing external storage device connecting to server will have better constraint any hiccups to change mgmt....just my two cents.

Hope it helps

Author Comment

ID: 24901463
Thanks guys.  At the moment I am not looking for a solution, but am trying to investigate changes that were made to files on certain servers (IIS web server).  Also, wouldn't enabling the audit object access in windows provide the same result as using a host based IDS?
LVL 62

Expert Comment

ID: 24904077
Check out this this link talking about the possible auditing capability on servers. The key things are that there can be granular tracking for objects, events, access and etc. I will say that the Windows audit serve as baseline as whole platform and the rest of the software will be value add by doing correlation or having more details instead.

For example, in the tools mentioned above it can track specfic target folder/file you want to track but (at least to best knowledge) not for Window Audit whcih tends to be the whole OS. At least searching through will be easier using the 'focused' tools. The Windows will complement to check the other 'non-focused' events for correlation (in investigation like who is the last user that have login and etc).

Overall, they are complementary and good to have both - just like security pitch "defense in depth"


Author Closing Comment

ID: 31602749
Thanks guys.

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
forensic review 6 322
HELP!! Hard Drive Issues 15 579
How to determine if a screenshot was manipulated. 11 1,215
Forensic work for Exchange 2010 6 278
The foremost challenge encountered by an investigator at the very beginning of a forensics investigation is, accessing a file/data to read/view its contents. Owing to the fact, a platform is necessary for both; opening as well as examining any file.…
In this era, as you know, cybercrime and other sorts of frauds using the internet has increased day by day. We should protect our information assets and confidential information from getting exploiting by the attacker or intruders. Most of the fraud…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now