Updated: August 14th, 2000: I got some feedback, and this called for an update.
First, some of the questions raised in the first versions have been answered
by InstallWatch's author Gavin Stark, and I modified the chapters accordingly,
either by adding a note or by removing questions that turned out to be irrelevant
to this paper. I also added two appendices. Appendix A is more information about
InstallWatch as I got it from Gavin Stark/Epsilon Software. Appendix B is about
Harlan Carvey's Perl page, where one can find, amongst other things, a Tripwire
implementation in Perl.
You can distribute this document freely, as long as no changes are made to
the file and nobody else claims credit for it. All comments and suggestions
about the material presented here should be directed to floydian_99@yahoo.com.
If future versions of this document include add-ons from people other than me,
proper credit to the various authors will be clearly identified. All version
updates of this document are to be released by me.
You can find it online at http://www.geocities.com/floydian_99/
Abstract
The goal of this paper is to present a simple and low-cost way to implement
Tripwire-like capabilities on a Microsoft Windows 95/98/NT/2000/* machine.
Preface
In my quest for better knowledge in the computer security field, I came across
a paper discussing the software Tripwire, then for Unix only but now available
for NT as well. For those who have never heard of Tripwire, it is a system integrity
checker, i.e. it checks whether your system has been compromised by comparing the
current state of your machine to a "snapshot" taken earlier, when the system
was considered 100% uncompromised (preferably at installation time, before the
machine is put on the network). If something has changed, chances are that some
cracker/script kiddie has compromised your system, and what you see are the
backdoors and other things of that kind they left for themselves. People who have
read my previous paper "Virus protection in a Microsoft Windows network, or How
to stand a chance" know my love for batch files. It quickly came to my mind that
I could probably do something similar with some kind of batch files, and have it
for free too! But then again, I also stumbled on another piece of software
(freeware) that would spare me the trouble and have a GUI too, all at the same
price.
Disclaimer
I have never used any Tripwire software on any platform. I gathered my knowledge
of Tripwire by reading documentation found on the Internet. I am stating this
for two reasons: 1) Tripwire could have some features that I have not heard about
and that are not covered in this paper; 2) I have no idea of the Tripwire
interface and/or command line options, and the solution covered in this paper
may (or may not) be quite different from the actual Tripwire interface.
Targeted audience
This document is intended for anyone interested in computer security,
network administration, intrusion detection and computing in general.
Table of contents
1. A little bit about Tripwire
2. A little bit about InstallWatch
3. Same thing, but a different way
4. The experiment
5. The pros...
6. And cons
7. In conclusion
Appendix A. A little bit more about InstallWatch
Appendix B. A lot of Perls
1. A little bit about Tripwire
Tripwire is integrity-checking software. It was first developed on the Unix
platform as a university project by Gene H. Kim and Eugene H. Spafford.
It is now a commercial product (www.tripwire.com,
they have an academic free version).
Tripwire works by comparing the current file system of a machine to a previous
snapshot taken when the machine was known to be safe (usually, at installation
time). The snapshot is actually a database of the disk content, including (but
not necessarily limited to) the tree structure, the complete list of files along with
file properties and time/date information, and a derived hash for each file.
(A hash can be seen as a kind of one-way encryption scheme, or translation function,
that turns the actual binary content of a file into something unreadable
but that uniquely identifies that content.) So when you first run Tripwire (or
when you have updated your machine with various patches and want a new snapshot),
it builds that database containing all system file information.
The logic behind this is that once you have installed your base system, there is no
reason for system files to be updated "by themselves" afterwards.
If they have been, your system has probably been compromised, and an intruder
has planted backdoors/trojans/sniffers on your machine. The sad news, when you
find this kind of thing out, is that there are probably more machines on your
network that have been compromised as well.
So back to Tripwire. It is strongly recommended, but not mandatory, to store
your "clean system snapshot" on read-only media (such as a CD-R),
because this guarantees that the snapshot cannot be tampered with. Tampering
is mostly prevented by the hashing, but this is not 100% foolproof,
since the hash algorithm is known (i.e. it is exposed to brute force attack).
Having your database on read-only media is your best guarantee, because you
can safely store it where no intruder can get at it.
So, basically, when you want to run an audit on your system (let's say on a
weekly basis), Tripwire re-scans the entire system, regenerating a database
similar in structure (along with derived hashes) to the original snapshot. Any
difference between these databases shows a file integrity compromise. Added
files may be tools the intruder brought in; modified files may be trojaned system
files; missing files could be vandalism. To figure out whether a file has been
modified, Tripwire does not rely only on the date/time stamp, but also on the
derived hash.
It's that simple.
2. A little bit about InstallWatch
Well, it"s name says pretty much what it does. It watches software installations.
InstallWatch Pro (version 2.5c at the time of this writing) can be found free
of charge at Epsilon Squared web site (www.epsilonsquared.com). This is one
utility that all network administrator/desktop support person should have. When
you first install the software, it proceeds to create a database of your current
system, i.e. directory structure, complete file list, file properties and CRC
check, along with a focus on INI files, and complete registry scan. This will
be the base system database.
InstallWatch Pro can be configured to be launched at start-up and to detect
"software setups". You can customize what portion of your system you
want to be considered for the scan, set up exclusion schemes, select which registry
hives you want to include, etc. So, what happens next? Let's say you want to
install the productivity software XYZ on your machine. When you double-click
on setup.exe, InstallWatch detects that a software setup process has been
launched and takes over from there. It asks you to build
a snapshot of your system in order to know the "pre-installation"
state of your machine. This can take between 30 seconds and 20 minutes depending
on your configuration (beware of cache folders, they are time-consuming to scan).
When it is done, it gives control back to the installation program, and you install
the software as you normally would. After the installation, or after the reboot
if one was required, InstallWatch kicks in again to perform a similar
scan. The differences between the two scans are the result of the installation
procedure: you have the complete image of what this software did to the system. Doing this
for every piece of software used at a site, IT personnel would have a complete database
of software package signatures. This can be useful for deployment/troubleshooting
purposes. Epsilon Squared also has another product called InstallRite, which
supposedly does the same thing but also includes an "installation kit"
export feature. I have not tried this yet, but it apparently packages a software
installation previously monitored into a single self-extracting file, for deployment
purposes.
InstallWatch Pro can also be used through a wizard, which asks you where
the installation file is; this can be useful for certain files (like Microsoft
patches) that install themselves without triggering InstallWatch. InstallWatch
then performs the scan before actually launching the install file. You can also
launch the two steps, Snapshot and Analyze, manually if you wish.
3. Same thing, but a different way
By now, you must have noticed that these two products, while developed
for different purposes, act in a very similar way. I know it didn't take me
long to figure this out, and I quickly forgot my silly ideas about doing a "batch
file version" of Tripwire (although I may still do it for kicks later;
if I do, I'll include it in this file). I felt more like "tweaking"
InstallWatch to see if it could truly be used as a real system integrity checker.
Well, it didn't need that much tweaking, after all. I proceeded to perform
a snapshot of my system, which created a file called snapshot.iws. The file
varies between 5 and 10 megabytes, depending on the size of your system scan.
When you perform the Snapshot and Analyze commands individually, Analyze is disabled
until a snapshot has been taken, or more precisely until snapshot.iws is present in the
snapshot directory. This also means that performing an Analyze erases the snapshot.iws
file, so if you're not using read-only media, be sure to keep a copy somewhere.
InstallWatch behaves like this in order not to pick up unrelated changes between
two software installations. Knowing this, it's easy to figure out what to
do.
At the beginning, I'd say you have two options, and I can't figure out which
one is best. You decide. The first option is this: you install InstallWatch
Pro first thing after the OS, and you monitor the payload of every other Service
Pack, update, piece of software, etc. that you add afterwards. That will provide you
with a wealth of useful information about your machines. But this can be time
consuming. The second option is that you prepare your system with the desired
configuration and software, all up to date, then install InstallWatch Pro in
order to monitor any suspicious changes from then on. After your initial snapshot
is done, you should make a copy of it on other media, in case of tampering/deletion.
I would recommend read-only media. You can then change the InstallWatch snapshot
directory to point to the copy on the CD-ROM. You should also make a backup
copy of your database file, but this one still needs to be accessed on read-write
media (could this be done with Adaptec Direct CD? I don't know. If someone out
there is willing to risk scrapping a blank CD-R to try it out, let me know about
it). And there you go. Whenever you place the CD in your CD-ROM drive, InstallWatch
Pro will be in Analyze mode, and will compare your system with your clean
snapshot.
Here are a few recommendations, though. Since InstallWatch was not originally
intended as a security product, it is not a quiet program if you keep the default
configuration. Since you're monitoring production machines that shouldn't get
software installed regularly, you should disable the start-up option, so it
is not in memory when the server is in normal use. You should also disable the
"detect setup" option, because if an intruder uses a tool that lets
him see the console, and installs himself a kit via a setup program, he'll get
the InstallWatch splash screen right in his face, shouting out that you are monitoring
your machines. Some could think it is a good thing because that would scare
them away, but I don't believe so. It only gives them the chance to leave, figure
out what I'm using and how to disable/bypass it, then come back. Anyway, Tripwire
isn't built for live checking, so there's no reason to pursue that fantasy
with InstallWatch. Disabling these two options will keep the program quiet.
You should also install InstallWatch Pro somewhere other than the default directory.
Launch InstallWatch Pro manually every time you want to perform an audit,
and close it afterwards, until the next check.
4. The experiment
So that was theory. Now I had to prove it by experiment. And I'm glad
I did, because I found some interesting things. First, I proceeded to perform
my base system snapshot, which I then copied to a CD and erased the original
copy. I should mention that this was performed on a Windows 95 machine, equipped
with a CD burner operated with Adaptec CD-Creator software. I wanted this to
be a good test, so I chose not to be picky, scanning both of my drives in their
entirety, making an exception only for the win386.swp swap file (this one is
expected to change, so there's no reason to monitor it). As soon as the snapshot
file was created, I launched CD-Creator to create my CD copy of the snapshot
and database files. I then proceeded to change the location of the snapshot
file in the InstallWatch configuration (by the way, this should have generated a
perceptible change in the system, but it didn't. Can anyone explain why? Explanation from
Gavin Stark: InstallWatch doesn't monitor its own directories and files, which
is a bad thing in a security context, but the next release could solve this; see
Appendix A for a fix) and then closed it, and then planted some baits to make
sure InstallWatch would effectively catch them.
I added a [space] character at the end of a batch file, thus modifying its
content. That operation also changed the date, which is too bad, because I would
have liked to see whether it could be fooled. In the good old days of
DOS, you could fiddle with the date and time info of a file, but now in the
Windows world, it seems like these tools have vanished. Then I erased a .gif
file from my (sloppy) "c:\windows\temporary internet files" folder.
Then I created an empty hereiam.zip file in d:\jpgs. To top it off, I removed
an entry in the registry related to the file type .shs. Who needs that scrap
anyway?
Then, I launched InstallWatch once more, with the CD containing the snapshot
in the drive, and I hit Analyze. 20 minutes later, I got the results. More than
I expected, I admit. Here are the text export files from this scan (* is the
field delimiting character):
Test - All files.txt
D:\jpgs\hereiam.ZIP**1KB**A**8/1/00 4:30:04 PM****
C:\WINDOWS\TEMP\error.log*1KB*1KB*A*A*7/31/00 2:20:36 PM*8/1/00 4:24:56 PM***1659241a*be0187b8
C:\WINDOWS\Start Menu\Programs\Multimedia\Adaptec Easy CD Creator\Easy CD Creator.lnk*1KB*1KB*A*A*6/20/00 12:27:50 PM*8/1/00 4:19:36 PM***f4cc5c0e*51e02f72
C:\Program Files\Winamp\WINAMP.ini*3KB*3KB*A*A*8/1/00 3:58:32 PM*8/1/00 4:18:36 PM***b90ccdc*68aedd84
C:\Program Files\Plus!\System\SAGE.DAT*7KB*7KB*HA*HA*8/1/00 3:45:00 PM*8/1/00 4:15:00 PM***43d9e49f*85611617
C:\Program Files\PGP\PGP50\randseed.bin*1KB*1KB*A*A*8/1/00 1:18:04 AM*8/1/00 4:30:36 PM***f0cc5d0e*1d198bb6
C:\logitemp\INSTALL.BAT*4KB*4KB*A*A*8/10/95 4:15:08 PM*8/1/00 4:28:30 PM***d62eaf9c*10033e85
C:\WINDOWS\Temporary Internet Files\Content.IE5\SR0HD7NT\cl2[1].gif*1KB**A**8/1/00 3:30:36 PM****18a5cef*
Test - INI files.txt
C:\Program Files\Winamp\WINAMP.ini*WinampAgent*lastchk*01BFFBC3514DA220*01BFFBF5A67359C0
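As an added example (written for this page, not part of InstallWatch), here is a parser for the star-delimited "All files" export listed above. The eleven-field layout is inferred from the sample rows (path, old/new size, old/new attributes, old/new date, two columns that are empty in every row and are labelled unknown, old/new CRC); it classifies each row as added, deleted or modified, and flags a changed CRC behind an unchanged timestamp, the case the author wanted to be able to test.

```python
"""Parser for InstallWatch's star-delimited "All files" export (added example,
not InstallWatch's own code).  Field layout is inferred from the sample rows
on this page; the two always-empty columns are of unknown purpose."""

# Sample rows copied from the export on this page.
SAMPLE_EXPORT = r"""D:\jpgs\hereiam.ZIP**1KB**A**8/1/00 4:30:04 PM****
C:\WINDOWS\TEMP\error.log*1KB*1KB*A*A*7/31/00 2:20:36 PM*8/1/00 4:24:56 PM***1659241a*be0187b8
C:\logitemp\INSTALL.BAT*4KB*4KB*A*A*8/10/95 4:15:08 PM*8/1/00 4:28:30 PM***d62eaf9c*10033e85
C:\WINDOWS\Temporary Internet Files\Content.IE5\SR0HD7NT\cl2[1].gif*1KB**A**8/1/00 3:30:36 PM****18a5cef*
"""

FIELDS = ("path", "old_size", "new_size", "old_attr", "new_attr",
          "old_date", "new_date", "unknown1", "unknown2", "old_crc", "new_crc")


def parse_line(line):
    """Split one export line into a dict keyed by FIELDS; None if malformed."""
    parts = line.rstrip("\r\n").split("*")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(row):
    """Return 'added', 'deleted' or a 'modified (...)' label for a parsed row.

    An empty 'old' side means the file did not exist in the snapshot; an empty
    'new' side means it is gone now.  For files present on both sides the CRC
    and date columns are checked separately, so a content change with an
    unchanged timestamp is called out rather than hidden."""
    old_side = row["old_size"] or row["old_attr"] or row["old_date"] or row["old_crc"]
    new_side = row["new_size"] or row["new_attr"] or row["new_date"] or row["new_crc"]
    if not old_side and new_side:
        return "added"
    if old_side and not new_side:
        return "deleted"
    crc_changed = row["old_crc"] != row["new_crc"]
    date_changed = row["old_date"] != row["new_date"]
    if crc_changed and not date_changed:
        return "modified (content changed, timestamp unchanged)"
    if crc_changed:
        return "modified (content changed)"
    if date_changed:
        return "modified (timestamp only)"
    return "modified (attributes only)"


def parse_export(text):
    """Parse a whole export; returns a list of (path, classification) tuples.
    Lines that do not have the expected field count are kept as 'unparsed'."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = parse_line(line)
        if row is None:
            results.append((line, "unparsed"))
            continue
        results.append((row["path"], classify(row)))
    return results


def summarize(results):
    """Count rows per classification label."""
    counts = {}
    for _path, label in results:
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for path, label in parse_export(SAMPLE_EXPORT):
        print(f"{label:48} {path}")
```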
Test - Registry.txt
HKEY_CLASSES_ROOT\.shs***
HKEY_CLASSES_ROOT\.shs*@*"ShellScrap"*
48,4d,7e,31,00,1e,00,31,00,00,00,00,00,44,25,08,b2,10,00,57,69,7a,4d,61,72,6b,00,57,49,5a,4d,41,52,4b,00,00,00,*hex:14,00,
1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
f1,8a,25,00,31,00,00,00,00,00,44,25,dd,ab,11,00,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,00,50,52,4f,47,52,41,7e,31,00,27,00,
31,00,00,00,00,00,b7,28,e2,b3,10,00,45,70,73,69,6c,6f,6e,20,53,71,75,61,72,65,64,00,45,50,53,49,4c,4f,7e,31,00,28,00,31,00,
00,00,00,00,b7,28,e2,b3,10,00,49,6e,73,74,61,6c,6c,57,61,74,63,68,20,50,72,6f,00,49,4e,53,54,41,4c,7e,31,00,21,00,31,00,00,
00,00,00,b7,28,f8,b3,10,00,44,61,74,61,62,61,73,65,73,00,44,41,54,41,42,41,7e,31,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*x*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,
a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,1a,00,31,00,00,00,00,00,
6f,25,d9,b9,10,00,6d,6f,75,73,65,00,4d,4f,55,53,45,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,
9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,25,00,31,00,00,00,00,00,44,25,dd,ab,11,00,50,
72,6f,67,72,61,6d,20,46,69,6c,65,73,00,50,52,4f,47,52,41,7e,31,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*y*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,
a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,17,00,31,00,00,00,00,00,
7f,28,61,14,10,80,4d,76,70,63,72,69,62,00,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,
23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,20,00,31,00,00,00,00,00,1f,27,85,b5,10,00,41,63,72,6f,
62,61,74,33,00,41,43,52,4f,42,41,54,33,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\10*ViewView*hex:1c,00,60,81,04,00,00,00,00,
00,00,00,00,00,1c,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,*hex:1c,00,60,81,04,00,00,00,00,00,0a,04,00,00,1c,00,00,00,00,00,
01,00,00,00,ff,ff,ff,ff,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\16*ViewView*hex:1c,00,60,81,04,00,00,00,00,
00,26,01,00,00,1c,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,*hex:1c,00,60,81,04,00,00,00,00,00,00,00,00,00,1c,00,00,00,00,00,
01,00,00,00,ff,ff,ff,ff,
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\UpgInfo***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\UpgInfo*install**"2000_08_01"
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Disc Wizard***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Disc Wizard*XPos**dword:00000209
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Disc Wizard*YPos**dword:00000014
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Color***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Default Priority Levels***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font\Track***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font\Title***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font\BoxEdge***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font\Artist***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*Bars**dword:00000004
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*ScreenCX**dword:00000400
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*ScreenCY**dword:00000300
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Optimizer***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Track_Writer***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0***
WHOAA!!! Where does all this shit come from? Welcome to the Microsoft world,
buddy. First of all, you can export data in Text format or in HTML, but this
format just gives you raw information. In the GUI, you can break these down
into Added, Modified and Deleted, for all three categories. If you want that
granularity in your output, you have to generate a separate output file for each
breakdown. (Note: this should be solved in the next release.) Now, about the results.
The steps I took between the two scans are exactly as described above and are
complete, and it all occurred within a 5-minute window. So what happened?
First, we can see at the top of the All files.txt file that it spotted my dummy
.zip file. The second to last line is the batch file to which I added one [space]
character at the end (notice the big difference in the CRC check, the
last two fields of the line). And the last line is the .gif file I erased in
my temp folder. The rest results from Windows activity. Error.log was created
by CD-Creator when I copied the files to CD. The same goes for the .lnk file (interesting
note: .lnk files have a field in them for last accessed date and time, which
means that when you double-click on a shortcut, you actually modify the file
by updating this field). System Agent apparently updates its .dat file, WinAmp
does the same with its .ini file (remember this is not a server, it is my home
PC), and PGP does I-don't-know-what with a .bin file. I didn't use WinAmp, System
Agent or PGP during the testing period, although they were installed and active.
The Registry gives even more intriguing results: first, we see the entry I
removed (HKEY_CLASSES_ROOT\.shs***), and the rest is pure gravy. If you look
closely, there are some more entries related to .shs that have been removed
as well, which probably means that the Windows Registry is self-updating. Then
you see a bunch of registry entries relating again to CD-Creator, resulting
from when I burned the CD. The rest intrigues me, and I hope someone out there
can shed more light on what really went on. Several entries relating to Autorun
have been erased from the registry, and a bunch of entries related to streams
in Explorer (video streaming?) have been modified. And I want to make clear that
the machine was not connected to any network during this time.
So, it works, but you need to tailor your configuration to make sure you don't
get too many false alarms. You should scan your temp folders, but try to keep
them clean.
5. The pros...
Well, the pros are pretty obvious. You save 595$ US (700$ with one year premium
support) per copy of Tripwire for NT you would have needed, since InstallWatch
Pro is provided free of charge. But it could sell for 30$-40$ and it would still
be a good purchase, even if you were to limit its use to its original design.
With very little effort, a good file integrity checker will protect your servers.
What more could you ask?
6. And the cons
Well, not much, but still a few things. First, the CRC check algorithm used
by InstallWatch is not as strong as the one implemented in Tripwire (a CRC is
an error-detection code, not a cryptographic hash: a file can be altered so
that its CRC-32 comes out unchanged). If you require the best of the best in
your security choices, then go for the absolute best; there is no trade-off
for that. But I still consider that the CRC check is good enough for the vast
majority of us (but don't leave your CD carelessly lying on your desk). Another
point: Tripwire supports networks, meaning that several servers running Tripwire
report to a management console, providing a single point of access. Since
InstallWatch was not designed as a security suite, it would be unfair to blame
Epsilon Squared for this. But InstallWatch can export its data in HTML, and you
could save it to an intranet page to view all your results. What would be a
nice add-on is an auto-export feature that exports to files according to your
specifications after every audit. That's about it. If you have some imagination,
you could have your audits run as scheduled tasks (which would involve leaving
the CD in the machine; that's OK if your server is in a safe location).
7. In conclusion
I wanted to have an integrity checker that works in the same fashion as Tripwire
on the Windows platform, but as I was about to attempt this with batch files,
I laid my hands on InstallWatch Pro, a good piece of software that could very
well do the trick. With some quick experimenting, I came to the conclusion that
this setup provides efficient system integrity checking, even uncovering some
unexpected file activity. I leave it to the reader to figure out the best
configuration; common sense should rule. I hope this will help many people
secure their systems for the best price in the world.
Appendix A. A little bit more about InstallWatch
Shortly after I first released this paper, I was contacted by Gavin Stark,
author of InstallWatch Pro and President of Epsilon Squared. I had actually sent
him an e-mail that didn't get through, apparently because of ISP problems. But
my paper generated enough traffic to his site to get his attention, and
that's how he found out about this paper. We have exchanged a few e-mails, mainly
to answer questions raised in the first version and to think of ideas for
a future release of InstallWatch. Some questions that proved to be irrelevant
to InstallWatch Pro were simply dropped; others have been annotated in the
text. Here is some more info that we exchanged on this project that might be
of interest to the reader.
From: Gavin Stark
Floydman, As the author of InstallWatch, I read with interest your discussion
of InstallWatch Pro. You were very accurate and reasonable in your review and
I am intrigued with the idea of using InstallWatch as a security application.
We did not, as you accurately ascertained, originally design the application
for such but I am always looking for ways to improve
the software. I'd like to respond to several things in your document and perhaps
solicit some input from you on ways to improve the software.
(snip)
The CRC algorithm is CRC-32 compatible with the version used by WinZip, etc.
Perhaps not as strong as MD5 or something, but sufficient for the current use,
which is to find files that are content-different but have the same date/time,
etc. (Some sneaky install programs do this to you.) I would like to get feedback
from you, and the community, on how to make InstallWatch more useful in the
scenario you are documenting. For example, we have the following command line
options available in InstallWatch:
-snapshot (perform a snapshot)
"-analyze=Name of Install" (perform an analyze - quotes are required
if you want a space in the install name)
-configure (configure)
-wizard (go through an install in wizard mode)
- I have added a "-quiet" option to the command line switches which
will prevent InstallWatch from displaying any UI during the various batch processes
the other command line switches offer.
(snip)
Here is a list of the default files we skip:
Anything in the \RECYCLED directory (The directory named RECYCLED in the ROOT
directory)
Anything in the EPSILON SQUARED directory (This is any directory named EPSILON
SQUARED - not very secure for an intrusion detection system as the
hacker could put his tools there...)
Anything in the "TEMPORARY INTERNET FILES" directory
Any files named: FFASTUN, WIN386.SWP, PAGEFILE.SYS, *.IWT, *.IWC, *.IWS, *.IW_,
*.IWK, *.LDB, *.TMP, SYSTEM.DAT, USER.DAT, SYSTEM.DA0, USER.DA0, NTUSER.DAT,
NTUSER.DAT.LOG, DEFAULT, DEFAULT.LOG, SAM, SAM.LOG, SECURITY, SECURITY.LOG,
SOFTWARE, SOFTWARE.LOG, SYSTEM, SYSTEM.DAT.
As an intrusion detection system I would recommend removing the file "skipit.dll"
from the installation directory and we will not skip any files by default. SkipIt.DLL
is a plugin where we can update the list of skipped files dynamically. If you
don't want us to skip any of the default files, just zap skipit.dll.
(snip)
The "All Files" / "All Registry" listing will now (when
2.5d is released) show as the first column the action that happened to the item
(added, deleted, modified) (note: this will improve output clarity in text or
html files)
--------
Although the -quiet switch could help improve the stealth of InstallWatch or be
useful to regular users, it is still not ideal for an IDS file integrity checker.
Even if no visual output is shown, an intruder could still notice a decrease in
performance as InstallWatch works. To solve this, I suggested an -ids switch
that could do the following:
- implement the correct configuration for IDS purposes (i.e.: does not launch on
startup, does not detect "setup procedures")
- which means that InstallWatch Pro can only be launched manually
- a time-out could then close InstallWatch if left open and unattended for
5 minutes (removing it from memory until it is manually started again)
This may come in a future release, but nothing is confirmed yet.
Comments and questions about InstallWatch and InstallRite should be directed
to Epsilon Squared Inc. (www.epsilonsquared.com), unless they also relate to
its use as a Tripwire-like system, in which case I'd like to know about it too (floydian_99@yahoo.com).
Appendix B. A lot of Perls
I was also contacted by Harlan Carvey, who told me about his own implementation
of a Tripwire-like system in Perl. Harlan's motives are the same as mine: improving
the security of the Windows boxes out there. I try to help by writing these text
files; he does so by having a rather complete security suite for NT, all written
in Perl and available on the web at http://patriot.net/~carvdawg/perl.html.
Make sure also to read his paper "System Security Administration for NT",
presented recently at the Usenix LISA-NT '00 conference in Seattle, WA. On
his pages, you will find numerous links to Perl resources for the NT platform,
along with the tools he designed. These tools let you do things like extracting
info from the event viewer, collecting information through the network, parsing log
files, and... performing integrity checking just like Tripwire. Notice that these
Perl scripts use the MD5 hash (a one-way hash, not encryption), same as the original
Tripwire, which is a stronger algorithm than the CRC-32 used by InstallWatch Pro.
I still haven't had a chance to learn Perl yet, but I plan to do so soon. In
the meantime, I am unable to comment on the scripts, but I will put the code here
anyway. I think it is short enough to be self-explanatory (2 scripts, filesentry.pl
and verify.pl). Be sure to go to http://patriot.net/~carvdawg/perl.html
for the other goodies.
#! c:\perl\bin\perl.exe
##############################################################
#
# filesentry.pl
# Generate MD5 checksums on files in the md5_conf file
# (example at end of script)
#
# Use with system files, web pages, etc. Can also use files
# on mapped drives, but must use complete path.
#
# copyright 1999 H. Carvey
##############################################################
use Digest::MD5;
use File::stat;    # makes stat() return an object with ->size, ->mtime, etc.

usage();

# config file: one complete path per line, no spaces
$config = "md5_conf";
# log file for checksums...this is the file that will
# be verified by verify.pl
$log = "md5_log";

open (CONF, "$config") || die "Could not open config file: $!\n";
open (LOG, "> $log") || die "Could not open log file: $!\n";

while (<CONF>) {
    $file = $_;
    chomp $file;
    if (-d $file) {
        print "$file is a directory. Skipping...\n";
    }
    else {
        if (-e $file) {
            # one log line per file: path md5 size atime mtime ctime
            $base  = baseline($file);
            $size  = stat($file)->size;
            $atime = stat($file)->atime;
            $mtime = stat($file)->mtime;
            $ctime = stat($file)->ctime;
            print "$file $base $size $atime $mtime $ctime\n";
            print LOG "$file $base $size $atime $mtime $ctime\n";
        }
        else {
            print "$file does not exist.\n";
        }
    }
}
close(CONF);
close(LOG);

# MD5 of the file content, base64-encoded (no trailing '=' padding)
sub baseline {
    my ($file) = @_;
    open (FILE, $file) or die "Can't open $file: $!\n";
    binmode(FILE);
    $digest = Digest::MD5->new->addfile(*FILE)->b64digest;
    close(FILE);
    return $digest;
}

sub usage {
    print "FileSeNTry, by H. Carvey\ncopyright 1999 H. Carvey\n\n";
}

# Example md5_conf file...remove comment delimiters (#)
# File must contain only the filenames and paths
# No spaces
#
# c:\io.sys
# c:\config.sys
# c:\autoexec.bat
# c:\winnt\system32\fpnwclnt.dll
-------------
#! c:\perl\bin\perl.exe
##############################################################
#
# verify.pl
# Verify MD5 checksums on files in the md5_log file
# (generated by filesentry.pl)
#
# Use with system files, web pages, etc. Can also use files
# on mapped drives, but must use complete path.
#
# copyright 1999 H. Carvey
##############################################################
use Digest::MD5;

usage();

$log = "md5_log";
print "Verifying data...\n";
open (LOG, "$log") || die "Could not open log file: $!\n";
while (<LOG>) {
    # each log line is: path md5 size atime mtime ctime;
    # only the path and the MD5 are used here
    ($f, $md) = split();
    if (verify($f, $md)) {
        print "$f verified.\n";
    }
    else {
        print "$f not verified.\n";
    }
}
close(LOG);

# MD5 of the file content, base64-encoded, same form as in md5_log
sub baseline {
    my ($file) = @_;
    open (FILE, $file) or die "Can't open '$file': $!\n";
    binmode(FILE);
    $digest = Digest::MD5->new->addfile(*FILE)->b64digest;
    close(FILE);
    return $digest;
}

# true when the current digest matches the one recorded at baseline time
sub verify {
    my ($file, $md5) = @_;
    if (baseline($file) eq $md5) { return 1; }
    else { return 0; }
}

sub usage {
    print "FileSeNTry -> verify, by H. Carvey\ncopyright 1998 H. Carvey\n";
}
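The Added/Modified/Deleted breakdown discussed in the results section, applied to the baseline/verify logic of filesentry.pl and verify.pl, as one added Python example that is neither the paper's code nor Harlan Carvey's scripts. It assumes a fixed file list like md5_conf (not a drive scan) and constructs its own hypothetical sample files in a temporary directory, replaying the paper's test: a batch file gains one trailing space, a .gif is erased, a dummy .zip appears.

```python
import base64
import hashlib
import os
import tempfile


def b64_md5(path):
    """MD5 of a file's content, base64 without '=' padding, the same form
    Digest::MD5->b64digest writes into md5_log."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return base64.b64encode(h.digest()).decode("ascii").rstrip("=")


def baseline(paths):
    """Snapshot {path: (md5, size)} for each listed path that is a regular
    file; directories and missing files are skipped, as filesentry.pl does.
    The list is fixed (like md5_conf); a directory walk would replace it."""
    snap = {}
    for p in paths:
        if os.path.isfile(p):
            snap[p] = (b64_md5(p), os.path.getsize(p))
    return snap


def compare(old, new):
    """Split the difference between two snapshots into the three buckets
    the InstallWatch GUI shows: added, modified, deleted. A deleted file
    is reported here instead of aborting the run as verify.pl's die would."""
    return {
        "added": sorted(p for p in new if p not in old),
        "deleted": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def demo():
    """Constructed scenario (hypothetical files in a temp dir) mirroring the
    paper's test; an .ini file is left untouched as the control case."""
    d = tempfile.mkdtemp()
    bat, gif, ini, zipf = (os.path.join(d, n)
                           for n in ("go.bat", "x.gif", "a.ini", "dummy.zip"))
    for p, data in ((bat, b"@echo off\r\n"), (gif, b"GIF89a"), (ini, b"[x]\r\n")):
        with open(p, "wb") as fh:
            fh.write(data)
    before = baseline([bat, gif, ini, zipf])
    with open(bat, "ab") as fh:   # one added space: size and MD5 both change
        fh.write(b" ")
    os.remove(gif)                 # the erased .gif
    with open(zipf, "wb") as fh:   # the new dummy .zip
        fh.write(b"PK\x03\x04")
    after = baseline([bat, gif, ini, zipf])
    report = compare(before, after)
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(bucket, names)
```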