9

I was wondering if there is an established way to know what running a particular program on a system might leave behind (in terms of changes to a filesystem, such as in Linux). I am thinking of this along similar lines to how I think a forensics investigation might take place.

The way I thought to approach this problem is similar to how I believe Tripwire works. First, by making a hash of directories, find which have been changed, then narrow down the specific files from those directories that have changed. Then, by using a VM with snapshots, I can revert to the previous state of the machine and compare future changes with previously recorded changes.

I know that the logging and tmp directories will change naturally anyway. But apart from these is there any way of knowing what is left behind on a system, or is there a better (or smarter) process than the one I am thinking of using?

KDEx
user45195
  • It tends to be OS-specific; do you have an OS in mind, or are you looking for a general approach? – schroeder Oct 27 '14 at 17:58
  • OverlayFS would be a good start, but you need to make sure to prevent any IPC as well to avoid unwanted communications. You can also use a network namespace to ease sniffing the app's traffic. The biggest issue would be mediating / monitoring actions on DBus channels for Linux. This isn't yet possible with userland DBus. – Steve Dodier-Lazaro Dec 22 '15 at 14:10

3 Answers

1

Assuming it's not malicious software, the easiest way to do this is to use an overlay filesystem (e.g. UnionFS, OverlayFS). The changed files will basically be in the overlay.

Another option is to make use of a filesystem that has snapshot capability (e.g. btrfs) or an LVM snapshot.

If the software is malicious, you may need to use a virtual machine snapshot, since you may no longer be able to trust the kernel in the case of advanced malicious software or a rootkit.

Lie Ryan
  • Agree with your answer, though you also need to account for actions undertaken by other principals that the monitored software can talk to. You'd need to use kdbus and log all DBus calls, and also monitor network traffic. – Steve Dodier-Lazaro Dec 22 '15 at 14:12
1

In Windows you can use software such as Process Monitor that intercepts all system calls, including filesystem modifications. This way you don't need to calculate the hash of all the files.

Also, you can use Wireshark in order to intercept traffic and Regshot for discovering changes in the registry, and thus discover useful forensic artifacts.

Eloy Roldán Paredes
1

One possible solution would be to take a forensically sound image of the target (entire HDD, or a specific area, or even the RAM) before and after the program you want to analyze runs. Then simply* compare the two images.

I would start with comparing hashes just to be certain something did change (so you don't waste time 'looking'). Many times, 'artifacts' are 'left behind' in RAM and thus deleted over time when not used.

You can use a program like FTK Imager to do this.

Matthew Peters
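The before/after comparison described in the question (hash the tree, run the program, hash again, narrow down to the changed files) and in the last answer (compare hashes first to confirm something changed), as an added example; this is not code from the question or any of the answers. It assumes a root-relative exclude list for the directories the question says change on their own (logs and tmp), and the demo scenario and its file names are constructed.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def _sha256(path, bufsize=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, excludes=("tmp", "var/log")):
    """Map each regular file under root (root-relative) to (sha256, mode, uid, gid,
    size). `excludes`: root-relative dirs that change on their own (the question's
    logs and tmp), pruned before os.walk descends. mtime is omitted: easily backdated."""
    root, state = Path(root), {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        dirnames[:] = [d for d in dirnames if str(rel_dir / d) not in excludes]
        for name in filenames:
            st = (p := Path(dirpath) / name).lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are not hashed here
            state[str(rel_dir / name)] = (
                _sha256(p), st.st_mode, st.st_uid, st.st_gid, st.st_size)
    return state

def diff(before, after):
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, modified

def demo():
    """Constructed 'run the program, then compare' scenario; added example, not page code."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir(); (root / "tmp").mkdir()
        (root / "etc" / "app.conf").write_text("debug=0\n")
        (root / "etc" / "old.key").write_text("secret\n")
        before = snapshot(root)
        # The 'program' edits a config, deletes a key, drops a file, writes to tmp.
        (root / "etc" / "app.conf").write_text("debug=1\n")
        (root / "etc" / "old.key").unlink()
        (root / "etc" / "dropped.so").write_bytes(b"\x7fELF constructed")
        (root / "tmp" / "scratch").write_text("noise\n")  # excluded: ignored
        return diff(before, snapshot(root))
```

A mode or ownership change with identical content is reported as modified, while the write under tmp is pruned, which is the noise the question wants to set aside.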