IT Trenches

Aug 16 2010   6:56PM GMT

Automated file integrity monitoring using MD5 or SHA-1 hashing

Troy Tate

I recently had a task to monitor some file folders for changes to files and report when changes were made to the files. The reporting requirements were just to notify each day whether files were changed and which files were changed. There were no requirements to track who made the changes due to the limited access to the folders. That would have complicated matters some. I was able to design a quick and easy solution using a hashing utility called hashdeep (nice public domain utility) and then another utility called blat to send the reports.

I set up three batch files for this purpose and used Windows scheduler to automate the tasks.

The first batch file was called filehash.bat and had the following lines:

rem Build the baseline and write it to the path that filecheck.bat reads
hashdeep.exe -r e:\sourcefolder\*.*>e:\FilehashSum.txt

This batch file must run first to set a baseline of file hash information. It creates a text file with the MD5 and SHA-1 hashes of all files recursively under e:\sourcefolder. Make sure that hashdeep.exe is on your application search path.

After the desired period of waiting, I then ran filecheck.bat which looked like:

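cd \
rem Audit (-a) the current files against the known hashes (-k) and write the report to the path that blat-report.bat reads
hashdeep.exe -r -vvv -a -k e:\FilehashSum.txt e:\sourcefolder\*.*>e:\FileChanges.txt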

This compared the values in the FilehashSum.txt file with the current files in the e:\sourcefolder location and put the very very verbose (-vvv) results into a file called FileChanges.txt.

The third part of the process is sending the file change report to an administrator or whoever is interested in tracking the changes. That third batch file is called blat-report.bat and looks like:

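rem addr is not set in the original post; the recipient below is a placeholder
set addr=admin@example.com
set body=e:\FileChanges.txt
set subj="Server Sourcefolder file change report on %date% at %time%"

blat -bodyf %body% -to %addr% -subject %subj%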

The admin will receive a detailed report showing which files have NOT changed as well as those which have been changed. The schedule I set up for this is:

filecheck.bat – 11:50 PM
blat-report.bat – 12:01 AM
filehash.bat – 12:30 AM
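
An added example, not part of the original post or of hashdeep: with the schedule above, a file edited between the 11:50 PM check and the 12:30 AM re-hash lands in the new baseline without ever being reported, and this Python version avoids that by auditing and re-baselining from one scan. It uses SHA-256 from hashlib in place of hashdeep's hashes, and the function names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def scan(root):
    """Hash every file under root; returns {relative_path: sha256_hex}."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest

def audit(baseline, current):
    """Compare two manifests; returns sorted changed, added and removed paths."""
    both = baseline.keys() & current.keys()
    return {
        "changed": sorted(p for p in both if baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def daily_run(root, baseline):
    """One scheduled run: audit against the old baseline, then return the same
    scan as the next baseline, so no edit falls between check and re-hash."""
    current = scan(root)
    return audit(baseline, current), current

def demo():
    """Constructed sample tree: baseline, then one edit, one new file, one deletion."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.cfg", b"v1"), ("b.cfg", b"keep"), ("c.cfg", b"old")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        _, baseline = daily_run(root, {})          # first run only sets the baseline
        with open(os.path.join(root, "a.cfg"), "wb") as fh:
            fh.write(b"v2")                        # modified file
        with open(os.path.join(root, "new.cfg"), "wb") as fh:
            fh.write(b"x")                         # file that was not in the baseline
        os.remove(os.path.join(root, "c.cfg"))     # file that disappears
        report, baseline = daily_run(root, baseline)
        quiet, _ = daily_run(root, baseline)       # nothing changed since last run
        return report, quiet

if __name__ == "__main__":
    print(demo())
```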

Hopefully this will help you with monitoring files or folders in a quick and simple way. I know that this is a PCI requirement and there are many solutions out there. This tip is here to help you understand some of what might be happening in your file/folder environment at no cost.

Share with other ITKE readers what you use for file/folder change monitoring. Your advice/insights are much appreciated! Thanks for reading and let’s continue to be good network citizens.
