

How can I compare the contents of a volume at two points in time?

Posted on 2011-02-22
Medium Priority
Last Modified: 2012-05-11
I have a 2003 Small Business Server hard drive data partition that has recently started filling up at an unreasonable rate. I have used every tool available to me to search for a virus or other malware and nothing was detected.
I have questioned my client and they say they have not uploaded any unusual amount of data such as pictures, audio, scans, etc.
I need a program that can take a snapshot of all the files and their sizes at two points in time so I can compare to find out specifically what is increasing in size.
Any Ideas?
Question by: AdminAssociates

Expert Comment

ID: 34957469
My first approach would probably be a File Comparison program like UltraCompare.



Expert Comment

ID: 34957497
You can try the forensic tool kit from Access Data. You can make a forensic image and compare hash values to see.

When you scan the hard drive for a virus do you install the software on the computer and scan or do you slave the hard drive to another computer and scan. I have had a lot of luck slaving a computer to scan for viruses instead of installing and scanning on the computer in question.

Author Comment

ID: 34957565
ChopOMatic: Thanks, but I need to compare the same data set at two different points in time, not against similar files at one point in time.
racasttillojr: forensic tool kit from Access Data sounds like a little overkill and an expensive one at that.
There must be a program that can take "snapshots" of a volume like before and after an event and give me a listing of what changed.


Expert Comment

ID: 34957679
There are a bunch of free hashing programs out there. (MD5summer comes to mind.) These will let you do what you want; at least I think I understand now what you're going for.

Accepted Solution

Hapexamendios earned 2000 total points
ID: 34960805
Agree with ChopOMatic.

Use a program which will generate hashes for each file on the volume, pumping them to a text file. That's your initial "snapshot".
After your desired interval, do the same again, to another text file. (you might wish to repeat this last step at intervals to give a view over time).

You might then use a utility to compare those two text files; much easier and quicker than trying to directly compare all "before" files against all "after" files. Quite a few of these file compare programs exist, so I'll only recommend one if you didn't like those suggested already, and express an interest in my opinion.

The above three-step process will help you determine which file(s) are changing; that allows you to focus on those files only. You can then use a utility to see what process(es) are using the file. I'll suggest Process Monitor here, from Microsoft - http://technet.microsoft.com/en-us/sysinternals/bb896645 - because whilst I know you can do it with Windows itself, it's very tricky, and this tool is now owned by the same manufacturer as your operating system.

Hopefully, if finding out which files are involved doesn't immediately tip you off to what's happening, process monitor will show you what's accessing the files, and what username is running that process.

Good luck to you - post back if you need more assistance.

Expert Comment

ID: 34985895
You may want to check out Beyond Compare (would be worth the investment) - http://www.scootersoftware.com/moreinfo.php

Actually the ideal case is to do a check balance against a pristine image, but this image also has to be updated regularly after each Windows update, AV update, patch pushdown etc. This is to minimize the false positives, as normally such differences can be a lot - almost like searching for a needle in a haystack unless we shrink it to a suspected period of compromise.

Normally you will be looking at host integrity checks (sort of "Tripwire" like). In short, it has a "baseline", that is, a reference point against which future states of the system will be compared, which must be created before deployment. Moreover, the baseline must be stored outside the host, or on read-only media (whose writability is not toggle-able via software). You could check out

Samhain - http://la-samhna.de/samhain/

I also looked at it as anomaly detection, where the error audit logs are checked as they are indicators of intrusion etc. E.g. there can be brute-force attempts on accounts, port knocking etc. You can check out this article for a quick understanding

Quick ref - http://www.ultimatewindowssecurity.com/securitylog/quickref/Default.aspx

If a rootkit is really installed, it is tough to even reveal the "real" processes, as this culprit is going to hide all the views and checks at kernel level. So instead of doing an image comparison, you can do it RootkitRevealer style - snapshot the key resources and do a comparison on those common vulnerable areas that malware will exploit and plant their traces in. Microsoft also recently released an Attack Surface Analyzer which can be useful to highlight anomalies to kick start the checks.

RootkitRevealer - http://technet.microsoft.com/en-us/sysinternals/bb897445
GMER - http://www.gmer.net/
Microsoft Attack Surface Analyzer - http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e068c224-9d6d-4bf4-aab8-f7352a5e7d45&displaylang=en&pf=true
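The "snapshot, wait, snapshot again, compare the two listings" procedure from the accepted solution and the Tripwire-style baseline check described in the comment above are the same mechanism: a per-file inventory (size plus content hash) written to a file that lives outside the watched volume, and a later inventory diffed against it. The script below is an added example written for this page; it is not code from the thread, from Samhain, or from any tool named here. It uses only the Python standard library and builds a small constructed directory tree in a temporary folder so it runs offline; the paths, file names and byte counts are made up for the demo. The growth report answers the asker's actual question (which files gained the most bytes between the two points in time), and the added/removed/changed lists are the integrity-check view.

```python
"""
Added example (not from the Experts Exchange thread): a minimal
"snapshot now, snapshot later, compare" tool in the spirit of the
accepted answer and of the baseline/host-integrity comment.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

# One record per file, keyed by path relative to the watched root:
# (size in bytes, hex SHA-256 of the contents)
Snapshot = Dict[str, Tuple[int, str]]


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def take_snapshot(root: str) -> Snapshot:
    """Walk root and record size + hash for every regular file under it."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip broken links, devices, etc.
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), sha256_of_file(full))
    return snap


def save_snapshot(snap: Snapshot, path: str) -> None:
    """Persist the listing; keep this file OFF the watched volume (read-only media ideally)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_snapshot(path: str) -> Snapshot:
    with open(path, "r", encoding="utf-8") as fh:
        return {k: (int(v[0]), str(v[1])) for k, v in json.load(fh).items()}


def compare(before: Snapshot, after: Snapshot):
    """Return (added paths, removed paths, changed {path: (old_size, new_size)})."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for p in set(before) & set(after):
        if before[p] != after[p]:  # size or content hash differs
            changed[p] = (before[p][0], after[p][0])
    return added, removed, changed


def growth_report(before: Snapshot, after: Snapshot, top: int = 10) -> List[Tuple[int, str]]:
    """Rank files by bytes gained between snapshots; new files count in full."""
    deltas = []
    for p, (size, _digest) in after.items():
        old_size = before.get(p, (0, ""))[0]
        if size != old_size:
            deltas.append((size - old_size, p))
    deltas.sort(reverse=True)
    return deltas[:top]


def _write(path: str, content: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(content)


def demo() -> dict:
    """Constructed scenario: a log grows, a file appears, a file disappears."""
    with tempfile.TemporaryDirectory() as work:
        data = os.path.join(work, "data")             # the "volume" being watched
        baseline_dir = os.path.join(work, "baseline")  # kept outside the watched tree
        os.makedirs(os.path.join(data, "logs"))
        os.makedirs(baseline_dir)
        _write(os.path.join(data, "logs", "app.log"), b"line1\n")   # 6 bytes
        _write(os.path.join(data, "readme.txt"), b"hello")
        _write(os.path.join(data, "old.tmp"), b"x" * 10)

        before = take_snapshot(data)
        baseline_file = os.path.join(baseline_dir, "snap1.json")
        save_snapshot(before, baseline_file)

        # the interval passes: 5000 bytes appended, one file added, one removed
        with open(os.path.join(data, "logs", "app.log"), "ab") as fh:
            fh.write(b"y" * 5000)
        _write(os.path.join(data, "new.bin"), b"z" * 300)
        os.remove(os.path.join(data, "old.tmp"))

        after = take_snapshot(data)
        added, removed, changed = compare(load_snapshot(baseline_file), after)
        return {"added": added, "removed": removed, "changed": changed,
                "growth": growth_report(before, after)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In real use you would call `take_snapshot` on the data partition's root and `save_snapshot` to a path on a different drive or removable media, then repeat after the interval and run `compare` and `growth_report` on the two listings; the top entry of the growth report is the file to hand to Process Monitor to see which process and user are writing to it.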

Expert Comment

ID: 34985901
May be too cluttered, but I thought it would give you a quick summary of what there is.


