How can I compare the contents of a volume at two points in time?

Posted on 2011-02-22
Last Modified: 2012-05-11
I have a 2003 Small Business .Sserver hard drive data partition that has recently started filling up at an unreasonable rate.  I have used every tool available to me to search for a virus or other malware and nothing was detected.
I have questioned my client and they say they have not uploaded any unusual amount of data such as pictures, audio, scans, etc.
I need a program that can take a snapshot of all the files and their sizes at two points in time so I can compare to find out specifically what is increasing in size.
Any Ideas?
Question by:AdminAssociates
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 34957469
My first approach would probably be a File Comparison program like UltraCompare.


Expert Comment

ID: 34957497
You can try the forensic tool kit from Access Data. You can make a forensic image and compare hash values to see.

When you scan the hard drive for a virus do you install the software on the computer and scan or do you slave the hard drive to another computer and scan. I have had a lot of luck slaving a computer to scan for viruses instead of installing and scanning on the computer in question.

Author Comment

ID: 34957565
ChopOMatic:  Thanks, but I need to compare the smae data set at two different points in time, not against similar files at one point in time.
racasttillojr: forensic tool kit from Access Data sounds like a little overkill and an expensive one at that.
There must be a program that can take "snapshots" of a volume like before and after an event and give me a listing of what changed.
MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.


Expert Comment

ID: 34957679
There are a bunch of free hashing programs out there. (MD5summer comes to mind.) These will let you do what you want; at least I think I understand now what you're going for.

Accepted Solution

Hapexamendios earned 500 total points
ID: 34960805
Agree with ChopOMatic.

Use a program which will generate hashes for each file on the volume, pumping them to a text file. That's your inital "snapshot".
After your desired interval, do the same again, to another text file. (you might wish to repeat this last step at intervals to give a view over time).

You might then use a utility to compre those two texts files; much easier and quicker than trying to directly compare all "before" files against all "after" files. Quite a few of these file compare programs exist, so I'll only recommend one if you didn't like those suggested already, and express an interest in my opinion.

The above three-step process will help you determine which file(s) are changing; that allows you to focus on those files only. You can then use a utility to see what process(es) are using the file. I'll suggest Process Monitor here, from Microsoft - - because whilst I know you can do it with Windows itself, it's very tricky, and this tool is now owned by the same manufacturer as your operating system.

Hopefully, if finding out which files are involved doesn't immediately tip you off to what's happening, process monitor will show you what's accessing the files, and what username is running that process.

Good luck to you - post back if you need more assistance.
LVL 63

Expert Comment

ID: 34985895
You may want to check out Beyond Compare (would be worth the investment) -

Actually the ideal case is to do a check balance against a pristine image but this image also has to be updated regularly after each Windows update, AV update, patched pushdown etc. This is to minimize the false positive as normally such difference can be alot though - almost like searching needle in haystack unless we shrink it into a suspected period of compromise.

Normally you will be looking at Host integrity checks (sort of "Tripwire" like). In short, it has a "baseline", that is, a reference point against which future states of the system will be compared, must be created before deployment. Moreover, the baseline must be stored outside the host, or on read-only media (whose writability is not toggle-able via software). You would check out

Samhain -

I also looked at it as anomaly detection where the error audit logs are checked as they are indicator of intrusion etc. E.g there can be attempts of brute force of account, port knocking etc. You can check out this article for a quick understanding
Quick ref -

If a rootkit is really installed, it is tough to even reveal the "real" processes as this culprit is going to hide all the views and checks at kernel level. So instead of doing a image comparison, you can do it like RootkitRevealer style - snapshot the key resources and do a comparison on those common vulnerable area that malware will exploit and plant their traces. Microsoft also recently released a Attack Surface Analyzer which can be useful to highlight anomaly to kick start the checks.

RootKitReveler -
Microsoft Attack Surface Analyzer -
LVL 63

Expert Comment

ID: 34985901
May be too cluttered but thought it give you a quick summary of what there is

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to update Firmware and Bios in Dell Equalogic PS6000 Arrays and Hard Disks firmware update.
Know what services you can and cannot, should and should not combine on your server.
This video teaches viewers how to encrypt an external drive that requires a password to read and edit the drive. All tasks are done in Disk Utility. Plug in the external drive you wish to encrypt: Make sure all previous data on the drive has been …
This Micro Tutorial will teach you how to reformat your flash drive. Sometimes your flash drive may have issues carrying files so this will completely restore it to manufacturing settings. Make sure to backup all files before reformatting. This w…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question