Question
I was wondering if there is an established way to tell what running a particular program on a system might leave behind (in terms of changes to a filesystem, such as in Linux). I am thinking of this along similar lines to how I think a forensics investigation might take place.
The way I thought to approach this problem is like how I think Tripwire works: first make a hash of the directories, find which have changed, then narrow down the specific files in those directories that have changed. Then, using a VM with snapshots, I can revert to the previous state of the machine and compare future changes with previously recorded changes.
I know that the logging and tmp directories will change naturally anyway. But apart from these, is there any way of knowing what is left behind on a system, or is there a better (or smarter) process than the one I am thinking of using?
Explanation / Answer
One possible solution would be to take a forensically sound image of the target (entire HDD, a specific area, or even the RAM) before and after the program you want to analyze runs. Then simply* compare the two images.
I would start with comparing hashes just to be certain something did change (so you don't waste time 'looking'). Many times, 'artifacts' are 'left behind' in RAM and thus deleted over time when not used.
You can use a program like FTK Imager to do this.
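An added example, written for this thread rather than taken from the asker or the answerer, of the Tripwire-style baseline-and-diff both describe, applied to a live directory tree instead of a disk image. The metadata fields recorded and the default `ignore` list are assumptions; change them to fit the system under test.

```python
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """Per-file record: size, mtime, mode bits and a SHA-256 of the content."""
    size: int
    mtime_ns: int
    mode: int
    sha256: str


def _sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, ignore=("tmp", "var/log")):
    """Baseline every regular file under root as {relative path: Entry}.
    Directories named in `ignore` (relative to root; assumed defaults) are
    pruned, which is how the log and tmp churn the question mentions is set
    aside. Symlinked files are hashed by their target text, so a re-pointed
    link still shows up as a change."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.relpath(os.path.join(dirpath, d), root) not in ignore]
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            digest = (hashlib.sha256(os.readlink(full).encode()).hexdigest()
                      if os.path.islink(full) else _sha256_of(full))
            snap[os.path.relpath(full, root)] = Entry(st.st_size, st.st_mtime_ns,
                                                       st.st_mode, digest)
    return snap


def diff_snapshots(before, after):
    """Return (added, removed, modified) relative paths, each sorted."""
    common = before.keys() & after.keys()
    return (sorted(after.keys() - before.keys()),
            sorted(before.keys() - after.keys()),
            sorted(p for p in common if before[p] != after[p]))
```

Take one snapshot before running the program and one after, then diff them; as the answer notes, this only covers what reaches the filesystem, not artifacts that live in RAM.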