How can I compare the contents of a volume at two points in time?

Posted on 2011-02-22
Last Modified: 2012-05-11
I have a 2003 Small Business .Sserver hard drive data partition that has recently started filling up at an unreasonable rate.  I have used every tool available to me to search for a virus or other malware and nothing was detected.
I have questioned my client and they say they have not uploaded any unusual amount of data such as pictures, audio, scans, etc.
I need a program that can take a snapshot of all the files and their sizes at two points in time so I can compare to find out specifically what is increasing in size.
Any Ideas?
Question by:AdminAssociates

Expert Comment

ID: 34957469
My first approach would probably be a File Comparison program like UltraCompare.


Expert Comment

ID: 34957497
You can try the forensic tool kit from Access Data. You can make a forensic image and compare hash values to see.

When you scan the hard drive for a virus do you install the software on the computer and scan or do you slave the hard drive to another computer and scan. I have had a lot of luck slaving a computer to scan for viruses instead of installing and scanning on the computer in question.

Author Comment

ID: 34957565
ChopOMatic:  Thanks, but I need to compare the smae data set at two different points in time, not against similar files at one point in time.
racasttillojr: forensic tool kit from Access Data sounds like a little overkill and an expensive one at that.
There must be a program that can take "snapshots" of a volume like before and after an event and give me a listing of what changed.
Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.


Expert Comment

ID: 34957679
There are a bunch of free hashing programs out there. (MD5summer comes to mind.) These will let you do what you want; at least I think I understand now what you're going for.

Accepted Solution

Hapexamendios earned 500 total points
ID: 34960805
Agree with ChopOMatic.

Use a program which will generate hashes for each file on the volume, pumping them to a text file. That's your inital "snapshot".
After your desired interval, do the same again, to another text file. (you might wish to repeat this last step at intervals to give a view over time).

You might then use a utility to compre those two texts files; much easier and quicker than trying to directly compare all "before" files against all "after" files. Quite a few of these file compare programs exist, so I'll only recommend one if you didn't like those suggested already, and express an interest in my opinion.

The above three-step process will help you determine which file(s) are changing; that allows you to focus on those files only. You can then use a utility to see what process(es) are using the file. I'll suggest Process Monitor here, from Microsoft - - because whilst I know you can do it with Windows itself, it's very tricky, and this tool is now owned by the same manufacturer as your operating system.

Hopefully, if finding out which files are involved doesn't immediately tip you off to what's happening, process monitor will show you what's accessing the files, and what username is running that process.

Good luck to you - post back if you need more assistance.
LVL 61

Expert Comment

ID: 34985895
You may want to check out Beyond Compare (would be worth the investment) -

Actually the ideal case is to do a check balance against a pristine image but this image also has to be updated regularly after each Windows update, AV update, patched pushdown etc. This is to minimize the false positive as normally such difference can be alot though - almost like searching needle in haystack unless we shrink it into a suspected period of compromise.

Normally you will be looking at Host integrity checks (sort of "Tripwire" like). In short, it has a "baseline", that is, a reference point against which future states of the system will be compared, must be created before deployment. Moreover, the baseline must be stored outside the host, or on read-only media (whose writability is not toggle-able via software). You would check out

Samhain -

I also looked at it as anomaly detection where the error audit logs are checked as they are indicator of intrusion etc. E.g there can be attempts of brute force of account, port knocking etc. You can check out this article for a quick understanding
Quick ref -

If a rootkit is really installed, it is tough to even reveal the "real" processes as this culprit is going to hide all the views and checks at kernel level. So instead of doing a image comparison, you can do it like RootkitRevealer style - snapshot the key resources and do a comparison on those common vulnerable area that malware will exploit and plant their traces. Microsoft also recently released a Attack Surface Analyzer which can be useful to highlight anomaly to kick start the checks.

RootKitReveler -
Microsoft Attack Surface Analyzer -
LVL 61

Expert Comment

ID: 34985901
May be too cluttered but thought it give you a quick summary of what there is

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Solid State Drive Performance Tips: Solid state storage technology is now a standard.  After testing and using several different brands and revisions of SSD's over the years I have put together a collection of tips,tools and suggestions that I ha…
Having issues meeting security compliance criteria because of those pesky USB drives? Then I can help you! This article will explain how to disable USB Mass Storage devices in Windows Server 2008 R2.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This Micro Tutorial will teach you how to reformat your flash drive. Sometimes your flash drive may have issues carrying files so this will completely restore it to manufacturing settings. Make sure to backup all files before reformatting. This w…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now