Solved

How can I compare the contents of a volume at two points in time?

Posted on 2011-02-22
7
512 Views
Last Modified: 2012-05-11
I have a 2003 Small Business Server hard drive data partition that has recently started filling up at an unreasonable rate.  I have used every tool available to me to search for a virus or other malware and nothing was detected.
I have questioned my client and they say they have not uploaded any unusual amount of data such as pictures, audio, scans, etc.
I need a program that can take a snapshot of all the files and their sizes at two points in time so I can compare to find out specifically what is increasing in size.
Any Ideas?
0
Question by:AdminAssociates
7 Comments
 
LVL 5

Expert Comment

by:ChopOMatic
ID: 34957469
My first approach would probably be a File Comparison program like UltraCompare.

http://www.ultraedit.com/products/ultracompare.html

0
 
LVL 4

Expert Comment

by:racastillojr
ID: 34957497
You can try the forensic tool kit from Access Data. You can make a forensic image and compare hash values to see.

When you scan the hard drive for a virus do you install the software on the computer and scan or do you slave the hard drive to another computer and scan. I have had a lot of luck slaving a computer to scan for viruses instead of installing and scanning on the computer in question.
0
 

Author Comment

by:AdminAssociates
ID: 34957565
ChopOMatic:  Thanks, but I need to compare the same data set at two different points in time, not against similar files at one point in time.
racastillojr: forensic tool kit from Access Data sounds like a little overkill and an expensive one at that.
There must be a program that can take "snapshots" of a volume like before and after an event and give me a listing of what changed.
0
 
LVL 5

Expert Comment

by:ChopOMatic
ID: 34957679
There are a bunch of free hashing programs out there. (MD5summer comes to mind.) These will let you do what you want; at least I think I understand now what you're going for.
0
 
LVL 2

Accepted Solution

by:
Hapexamendios earned 500 total points
ID: 34960805
Agree with ChopOMatic.

Use a program which will generate hashes for each file on the volume, pumping them to a text file. That's your initial "snapshot".
After your desired interval, do the same again, to another text file. (you might wish to repeat this last step at intervals to give a view over time).

You might then use a utility to compare those two text files; much easier and quicker than trying to directly compare all "before" files against all "after" files. Quite a few of these file compare programs exist, so I'll only recommend one if you didn't like those suggested already, and express an interest in my opinion.

The above three-step process will help you determine which file(s) are changing; that allows you to focus on those files only. You can then use a utility to see what process(es) are using the file. I'll suggest Process Monitor here, from Microsoft - http://technet.microsoft.com/en-us/sysinternals/bb896645 - because whilst I know you can do it with Windows itself, it's very tricky, and this tool is now owned by the same manufacturer as your operating system.

Hopefully, if finding out which files are involved doesn't immediately tip you off to what's happening, process monitor will show you what's accessing the files, and what username is running that process.

Good luck to you - post back if you need more assistance.
0
 
LVL 64

Expert Comment

by:btan
ID: 34985895
You may want to check out Beyond Compare (would be worth the investment) - http://www.scootersoftware.com/moreinfo.php

Actually the ideal case is to do a check balance against a pristine image but this image also has to be updated regularly after each Windows update, AV update, patched pushdown etc. This is to minimize the false positives as normally such differences can be a lot though - almost like searching for a needle in a haystack unless we shrink it into a suspected period of compromise.

Normally you will be looking at Host integrity checks (sort of "Tripwire" like). In short, a "baseline", that is, a reference point against which future states of the system will be compared, must be created before deployment. Moreover, the baseline must be stored outside the host, or on read-only media (whose writability is not toggle-able via software). You would check out

Samhain - http://la-samhna.de/samhain/

I also looked at it as anomaly detection where the error audit logs are checked as they are indicators of intrusion etc. E.g. there can be attempts at brute forcing accounts, port knocking etc. You can check out this article for a quick understanding

http://www.windowsecurity.com/pages/article.asp?id=1362
Quick ref - http://www.ultimatewindowssecurity.com/securitylog/quickref/Default.aspx

If a rootkit is really installed, it is tough to even reveal the "real" processes as this culprit is going to hide all the views and checks at kernel level. So instead of doing an image comparison, you can do it RootkitRevealer style - snapshot the key resources and do a comparison on those common vulnerable areas that malware will exploit and plant their traces. Microsoft also recently released an Attack Surface Analyzer which can be useful to highlight anomalies to kick start the checks.

RootkitRevealer - http://technet.microsoft.com/en-us/sysinternals/bb897445
GMER - http://www.gmer.net/
Microsoft Attack Surface Analyzer - http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e068c224-9d6d-4bf4-aab8-f7352a5e7d45&displaylang=en&pf=true
0
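The hash-snapshot-then-compare procedure in the accepted answer and the Tripwire-style baseline btan describes rest on the same mechanism: record size and hash of every file, store the record off the volume, repeat later, and diff. The script below is an added example written for this thread; it is not from the thread, from MD5summer, Samhain or any other tool named above. All function names (`snapshot`, `diff_snapshots`, `growth_report`, `directory_growth`, `demo`) are my own, SHA-256 is my choice in place of the MD5 the thread mentions, and the `demo()` tree with a growing `spool` directory is constructed sample data.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256", chunk=1 << 20):
    """Stream a file through the hash so large files never load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Record size, mtime and SHA-256 of every regular file under root.

    Paths are stored relative to root (POSIX separators) so two snapshots line up
    even if the drive letter or mount point differs. A file that can be stat'ed
    but not read (locked, access denied) is kept with hash None; the diff then
    flags it as changed, which is the conservative choice for a baseline.
    """
    root = Path(root)
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # vanished between listing and stat; nothing to record
            try:
                digest = hash_file(p)
            except OSError:
                digest = None
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}
    return entries


def save_snapshot(entries, path):
    # Store this file OFF the watched volume (btan's point): a snapshot kept on
    # the volume is both a false "new file" in the next diff and a tamper target.
    with open(path, "w") as f:
        json.dump(entries, f, indent=1, sort_keys=True)


def load_snapshot(path):
    with open(path) as f:
        return json.load(f)


def diff_snapshots(before, after):
    """Classify every path as added, removed or changed (content hash differs)."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    changed = sorted(p for p in after if p in before and after[p]["sha256"] != before[p]["sha256"])
    return {"added": added, "removed": removed, "changed": changed}


def growth_report(before, after, top=20):
    """Rank paths by bytes gained between snapshots, largest first.

    A new file counts its whole size, a removed file counts negative. This answers
    the asker's real question (what is filling the disk) more directly than a
    plain changed/unchanged listing.
    """
    deltas = []
    for p in set(before) | set(after):
        old = before.get(p, {}).get("size") or 0
        new = after.get(p, {}).get("size") or 0
        if new != old:
            deltas.append((new - old, p))
    deltas.sort(key=lambda t: (-t[0], t[1]))
    return deltas[:top]


def directory_growth(before, after, depth=1):
    """Aggregate growth per top-level directory: catches a folder accumulating
    thousands of small files (logs, spool, temp) that no single file would reveal."""
    totals = {}
    for delta, p in growth_report(before, after, top=None):
        parts = p.split("/")
        key = "/".join(parts[:depth]) if len(parts) > depth else "(root)"
        totals[key] = totals.get(key, 0) + delta
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def demo():
    """Constructed example: snapshot a small tree, simulate an interval in which a
    spool directory quietly grows, snapshot again and compare via saved files."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        root, store = Path(root), Path(store)
        (root / "spool").mkdir()
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_bytes(b"quarterly numbers")
        (root / "spool" / "job1.prn").write_bytes(b"x" * 100)
        (root / "stale.tmp").write_bytes(b"old")
        save_snapshot(snapshot(root), store / "before.json")
        # the interval: spool grows, a document is edited in place, a temp file is removed
        (root / "spool" / "job1.prn").write_bytes(b"x" * 5000)
        (root / "spool" / "job2.prn").write_bytes(b"y" * 3000)
        (root / "docs" / "report.txt").write_bytes(b"quarterly numbers, revised")
        (root / "stale.tmp").unlink()
        save_snapshot(snapshot(root), store / "after.json")
        before, after = load_snapshot(store / "before.json"), load_snapshot(store / "after.json")
        return diff_snapshots(before, after), growth_report(before, after, top=3), directory_growth(before, after)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

On the asker's server the calls would be `save_snapshot(snapshot(r"D:\"), r"\\other-host\snapshots\d-before.json")`, the same again after the interval, then `growth_report` and `directory_growth` on the two loaded files. The `changed` and `added` lists are the paths to feed into Process Monitor's path filter, as the accepted answer suggests, to see which process and account is writing them. Hashing a whole partition is slow; if only growth matters, drop `hash_file` and compare sizes, but keep the hash when the goal is the integrity baseline btan describes, since a file can change without changing size.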
 
LVL 64

Expert Comment

by:btan
ID: 34985901
May be too cluttered but thought it would give you a quick summary of what there is

 http://en.wikipedia.org/wiki/Comparison_of_file_comparison_tools
0
