0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [master] 3 pages modified

This commit is contained in:
CPol 2021-09-06 15:03:23 +00:00 committed by gitbook-bot
parent 534b943a3b
commit ca460fcd40
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
3 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
SUMMARY.md
View File

@ -437,6 +437,7 @@
## Forensics
* [Basic Forensic Methodology](forensics/basic-forensic-methodology/README.md)
* [File Integrity Monitoring](forensics/basic-forensic-methodology/file-integrity-monitoring.md)
* [Anti-Forensic Techniques](forensics/basic-forensic-methodology/anti-forensic-techniques.md)
* [Docker Forensics](forensics/basic-forensic-methodology/docker-forensics.md)
* [Image Adquisition & Mount](forensics/basic-forensic-methodology/image-adquisition-and-mount.md)

6
forensics/basic-forensic-methodology/README.md
View File

@ -64,3 +64,9 @@ Keep in mind the possible use of anti-forensic techniques:
{% page-ref page="anti-forensic-techniques.md" %}
## Threat Hunting
{% page-ref page="file-integrity-monitoring.md" %}

13
forensics/basic-forensic-methodology/file-integrity-monitoring.md Normal file
View File

@ -0,0 +1,13 @@
# File Integrity Monitoring
File integrity monitoring is one of the most powerful techniques used to secure IT infrastructures and business data against a wide variety of both known and unknown threats.
The goal is to generate a **baseline of all the files** that you want monitor and then **periodically** **check** those files for possible **changes** \(in the content, attribute, metadata...\).
1. **Baseline comparison,** wherein one or more file attributes will be captured or calculated and stored as a baseline that can be compared against at some future time. This can be as simple as the time and date of the file, however, since this data can be easily spoofed, a more trustworthy approach is typically used. This may include periodically assessing the cryptographic checksum for a monitored file, \(e.g. using the MD5 or SHA-2 hashing algorithm\) and then comparing the result to the previously calculated checksum.
2. **Real-time change notification**, which is typically implemented within or as an extension to the kernel of the operating system that will flag when a file is accessed or modified.
### References
* [https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it](https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it)