File integrity in IT refers to the process of protecting a file from unauthorized changes, including cyber-attacks. In other words, a file's 'integrity' is validated to determine whether or not it has been altered after its creation, curation, archiving or other qualifying event. This is why tracking file system changes is a very important step in any forensic investigation.
Today, I will show you a pretty simple CLI tool written in Python called IntegrityCheck. It is part of my Forensics Tools repository.
Clone the repo and find the file-integrity-check.py script.
I created a dump folder just for the needs of this test:
![track file system changes](https://i0.wp.com/www.techtalk.andriejsazanowicz.com/wp-content/uploads/2023/04/1.tmp_.png?resize=529%2C301&ssl=1)
First, we need to audit all of the files using w (write) mode. It creates a CSV database file with the calculated hashes. Use -v for verbose mode to see more details:
$ python3 file-integrity-check.py -f ~/tmp/*.txt -o ~/tmp/db.csv -m w -v
![](https://i0.wp.com/www.techtalk.andriejsazanowicz.com/wp-content/uploads/2023/04/2.create_db.png?resize=856%2C817&ssl=1)
Next, let’s create a new file:
$ echo "nothing interesting here" > leavemealone.txt
and read the changes:
$ python3 file-integrity-check.py -f ~/tmp/*.txt -o ~/tmp/db.csv -m r -v
![](https://i0.wp.com/www.techtalk.andriejsazanowicz.com/wp-content/uploads/2023/04/3.read_.png?resize=945%2C540&ssl=1)
As you can see, the new entry was detected, together with its calculated hash sum, timestamp and the UID of the creator (in this case it is me, 1000).
To simulate a file system change, I modified one of the files and deleted another:
![](https://i0.wp.com/www.techtalk.andriejsazanowicz.com/wp-content/uploads/2023/04/4.1edit.png?resize=594%2C242&ssl=1)
Now, run file-integrity-check.py again.
$ python3 file-integrity-check.py -f ~/tmp/*.txt -o ~/tmp/db.csv -m r -v
![](https://i0.wp.com/www.techtalk.andriejsazanowicz.com/wp-content/uploads/2023/04/5.add_delete.png?resize=940%2C504&ssl=1)
Next, modifying an existing file:
![](https://i0.wp.com/www.techtalk.andriejsazanowicz.com/wp-content/uploads/2023/04/4.edit_.png?resize=595%2C127&ssl=1)
![](https://i0.wp.com/www.techtalk.andriejsazanowicz.com/wp-content/uploads/2023/04/6.mod_.png?resize=944%2C578&ssl=1)
As you can see, a small change in file content results in a totally different SHA256 hash sum. We can also find the date and time when the file was created or modified, together with the user's UID.
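To make the w/r workflow above concrete, here is an added example of the same idea: a small checker with the same -f/-o/-m/-v options, a CSV baseline holding the SHA256 hash, size, modification time and owner UID of each file, and a read mode that reports new, modified and deleted files. This is illustrative code written for this post, not the file-integrity-check.py script from the repository; the function names (write_baseline, check, demo) and the CSV column layout are my own assumptions, and demo() builds a constructed scratch directory so the whole run can be reproduced offline.

```python
#!/usr/bin/env python3
"""Hypothetical file-integrity checker (added example, not the IntegrityCheck script).

Mode "w" hashes every given file and writes a CSV baseline; mode "r" re-hashes
them and reports files that are new, modified or deleted since the baseline.
"""
import argparse
import csv
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed CSV layout; the real tool may store different columns.
FIELDS = ["path", "sha256", "size", "mtime", "uid"]


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(paths) -> dict:
    """Hash + metadata for each path, keyed by absolute path."""
    rows = {}
    for p in map(Path, paths):
        st = p.stat()
        key = str(p.resolve())
        rows[key] = {
            "path": key,
            "sha256": sha256_of(p),
            "size": str(st.st_size),
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            # Owner UID from stat(); on Windows st_uid is always 0.
            "uid": str(st.st_uid),
        }
    return rows


def write_baseline(paths, db) -> dict:
    """Mode w: record the current state of `paths` into the CSV database `db`."""
    rows = snapshot(paths)
    with open(db, "w", newline="") as fh:
        w = csv.DictWriter(fh, fieldnames=FIELDS)
        w.writeheader()
        w.writerows(rows.values())
    return rows


def read_baseline(db) -> dict:
    with open(db, newline="") as fh:
        return {r["path"]: r for r in csv.DictReader(fh)}


def check(paths, db) -> dict:
    """Mode r: compare the current state of `paths` with the baseline in `db`.

    A file counts as modified only if its content hash differs; mtime alone is
    not trusted because it is trivially reset with touch.
    """
    old, new = read_baseline(db), snapshot(paths)
    report = {"new": [], "modified": [], "deleted": [], "unchanged": []}
    for p, row in new.items():
        if p not in old:
            report["new"].append(p)
        elif row["sha256"] != old[p]["sha256"]:
            report["modified"].append(p)
        else:
            report["unchanged"].append(p)
    report["deleted"] = sorted(set(old) - set(new))
    return report


def demo() -> dict:
    """Constructed scenario mirroring the post: baseline, then add/modify/delete."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in ("a.txt", "b.txt", "c.txt"):
            (d / name).write_text(f"content of {name}\n")
        db = d / "db.csv"
        write_baseline(sorted(d.glob("*.txt")), db)          # -m w
        (d / "leavemealone.txt").write_text("nothing interesting here\n")  # new
        (d / "a.txt").write_text("content of a.txt, edited\n")            # modified
        (d / "b.txt").unlink()                                            # deleted
        report = check(sorted(d.glob("*.txt")), db)          # -m r
        # Strip the random temp directory so the result is stable.
        return {k: [Path(p).name for p in v] for k, v in report.items()}


def main(argv=None):
    ap = argparse.ArgumentParser(description="Hypothetical file-integrity checker")
    ap.add_argument("-f", "--files", nargs="+", required=True, help="files to audit")
    ap.add_argument("-o", "--db", required=True, help="CSV database path")
    ap.add_argument("-m", "--mode", choices=["w", "r"], default="r")
    ap.add_argument("-v", "--verbose", action="store_true")
    a = ap.parse_args(argv)
    if a.mode == "w":
        print(f"baseline written: {len(write_baseline(a.files, a.db))} files -> {a.db}")
        return
    report = check(a.files, a.db)
    for kind in ("new", "modified", "deleted"):
        for p in report[kind]:
            print(f"{kind.upper():9} {p}")
    if a.verbose:
        for p in report["unchanged"]:
            print(f"OK        {p}")


if __name__ == "__main__":
    main()
```

Run it exactly like the post's commands (`python3 checker.py -f ~/tmp/*.txt -o ~/tmp/db.csv -m w`, then `-m r -v` after changing files); the shell expands the glob, which is why a deleted file shows up as "in the baseline but not in the current list". Two practical caveats: the CSV baseline must live somewhere the audited system cannot rewrite (read-only media, another host, or at least a copy you hash or sign), otherwise whoever changes the files can also rewrite the baseline; and the UID column is the current owner from stat(), which equals the creator only as long as nobody has chown'ed the file.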
I showed you a very simple Python script which tracks any changes in the file system on both Windows and Linux. I hope it was interesting. If so, please subscribe to the newsletter for more content like this, like the post below or leave a comment.
Be ethical, save your privacy!