File integrity in IT refers to protecting a file from unauthorized changes, including those made during a cyber-attack. In other words, a file's "integrity" is validated to determine whether it has been altered since its creation, curation, archiving or other qualifying event. This is why tracking file system changes is an important step in any forensic investigation: a known-good baseline of hashes lets you tell exactly which files were added, modified or removed.
Today I will show you a pretty simple CLI tool written in Python called IntegrityCheck. It is part of my Forensics Tools repository.
Clone the repo and find the file-integrity-check.py script.
I created a scratch folder with a few text files just for this test:
First, we need to take a baseline of all the files using w (write) mode. This creates a CSV database file with the calculated hashes. Add -v for verbose mode to see more details:
$ python3 file-integrity-check.py -f ~/tmp/*.txt -o ~/tmp/db.csv -m w -v
Next, let's create a new file:
$ echo "nothing interesting here" > leavemealone.txt
and check for changes with r (read) mode, which compares the current files against the database:
$ python3 file-integrity-check.py -f ~/tmp/*.txt -o ~/tmp/db.csv -m r -v
As you can see, the new entry was detected, together with its calculated hash sum, timestamp and owner UID (in this case it is me, 1000). Note that the UID comes from the file's metadata and reflects its current owner, not necessarily who created it.
To simulate file system changes, I deleted one of the files and modified another. First, the deletion. Run file-integrity-check.py again:
$ python3 file-integrity-check.py -f ~/tmp/*.txt -o ~/tmp/db.csv -m r -v
Next, the modification of an existing file:
As you can see, a small change in file content results in a completely different SHA256 hash sum. We can also see the date and time when the file was created or modified, together with the owner UID. Keep in mind that the hash is the reliable signal here: an attacker can reset timestamps and ownership (for example with touch and chown), but cannot produce a matching SHA256 for altered content. For the same reason, keep the CSV database somewhere the attacker cannot reach, such as read-only or off-host storage, or it can simply be regenerated to hide the changes.
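To make the whole workflow visible in one place, here is an added example of the same baseline-and-compare idea. This is my own illustrative code, not the file-integrity-check.py script from the repository: the function names, CSV columns and the scratch files it creates are assumptions for the demo. It hashes files in chunks, records the owner UID and mtime the way the script's output shows, and classifies each file as new, modified, deleted or unchanged using the hash alone.

```python
"""Added example: a minimal baseline-and-compare file integrity check.
Not the IntegrityCheck script from the repo; it mimics the same workflow
(write a CSV database of hashes, then re-read and diff) so the ideas are
visible in one place. Function and column names are my own choices."""
import csv
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB chunks so large files are not loaded whole


def sha256_of(path):
    """Hex SHA256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Map path -> (sha256, mtime, uid) for every regular file given."""
    snap = {}
    for p in paths:
        p = Path(p)
        if not p.is_file():
            continue
        st = p.stat()
        # st_uid is the current owner from filesystem metadata, not a record
        # of who created the file; on Windows it is always 0.
        snap[str(p)] = (sha256_of(p), int(st.st_mtime), st.st_uid)
    return snap


def write_db(db_path, snap):
    """Write the baseline as CSV (the '-m w' step)."""
    with open(db_path, "w", newline="") as f:
        w = csv.writer(f)
        w.writerow(["path", "sha256", "mtime", "uid"])
        for path, (digest, mtime, uid) in sorted(snap.items()):
            w.writerow([path, digest, mtime, uid])


def read_db(db_path):
    """Load a CSV baseline back into the same dict shape as snapshot()."""
    with open(db_path, newline="") as f:
        return {row["path"]: (row["sha256"], int(row["mtime"]), int(row["uid"]))
                for row in csv.DictReader(f)}


def compare(baseline, current):
    """Classify each path as new, modified, deleted or unchanged.
    Only the hash decides 'modified': mtime and uid are recorded for the
    report, but an attacker can reset them (touch -t, chown), so they are
    not trusted as evidence of integrity."""
    report = {"new": [], "modified": [], "deleted": [], "unchanged": []}
    for path, (digest, *_meta) in current.items():
        if path not in baseline:
            report["new"].append(path)
        elif baseline[path][0] != digest:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    report["deleted"] = [p for p in baseline if p not in current]
    return report


def demo():
    """Reproduce the walkthrough on constructed files: baseline three
    files, then add one, edit one and delete one, and diff again."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        for name in ("a.txt", "b.txt", "c.txt"):
            (d / name).write_text(f"content of {name}\n")
        db = d / "db.csv"
        write_db(db, snapshot(d.glob("*.txt")))                            # -m w
        (d / "leavemealone.txt").write_text("nothing interesting here\n")  # new
        (d / "a.txt").write_text("content of a.txt!\n")                    # modified
        (d / "c.txt").unlink()                                             # deleted
        report = compare(read_db(db), snapshot(d.glob("*.txt")))          # -m r
        return {k: sorted(Path(p).name for p in v) for k, v in report.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:>9}: {', '.join(names) or '-'}")
```

Running it prints one line per category; the interesting design choice is in compare(): a changed mtime or UID with an identical hash is reported as unchanged, because those fields are trivially forgeable, while a changed hash is flagged regardless of what the metadata claims.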
I showed you a very simple Python script that tracks changes to the set of files you point it at (the glob passed with -f) on both Windows and Linux. I hope it was interesting. If so, please subscribe to the newsletter for more content like this, like the post below or leave a comment.
Be ethical, protect your privacy!