Many times in information security work it is necessary to see which files changed on a system. One way to do that is to compare the hashes of the files (SHA-1, MD5, etc.) before and after the incident. A free tool that can do this is the Microsoft File Checksum Integrity Verifier (FCIV). Note that FCIV only supports MD5 and SHA-1, both of which have practical collision attacks, and by default it records only MD5; pass -both (or -sha1) if you want both digests stored in the database.
It starts with a baseline, so you need to have run the tool against a clean system originally. To do so, run it against a folder of your choosing (or the entire C:\ drive, for that matter). Notice in the command below that you choose which file types to include (instead of hashing every file).
fciv.exe -xml hashdb-original.xml -r c:\windows\temp\SuspiciousFiles -type *.dll -type *.zip -type *.png
Let's say in this folder there were originally 3 untouched files.
Now the malware touched 1 of them and compromised its integrity.
Then, after an incident, run this command to compare the original hash database against the current state of the system. As you see below, it identifies the changed file along with its original hash and its new hash.
fciv.exe -xml hashdb-original.xml -v -bp c:\windows\temp\SuspiciousFiles
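Verification with -v only checks the files the baseline already lists, so a file the malware dropped next to the originals is never reported. An alternative is to run the same -add command a second time into a second database (say hashdb-current.xml) and diff the two. The script below is an added example, not code from the original post or from FCIV itself; it assumes the FCIV XML layout of a FCIV root with FILE_ENTRY elements holding name, MD5 and SHA1 children with base64-encoded digests, builds two such databases from constructed sample contents (so it runs offline without fciv.exe), and reports modified, added and removed files, going beyond the single modified file in the post.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample contents standing in for the three files in the post (not real files).
BEFORE = {
    r"c:\windows\temp\SuspiciousFiles\helper.dll": b"MZ original helper",
    r"c:\windows\temp\SuspiciousFiles\archive.zip": b"PK archive bytes",
    r"c:\windows\temp\SuspiciousFiles\logo.png": b"",  # empty file, MD5 d41d8cd9...
}

# State after the "incident": one file modified, one dropped, one deleted.
AFTER = dict(BEFORE)
AFTER[r"c:\windows\temp\SuspiciousFiles\helper.dll"] = b"MZ patched helper"
AFTER[r"c:\windows\temp\SuspiciousFiles\dropped.dll"] = b"MZ new implant"
del AFTER[r"c:\windows\temp\SuspiciousFiles\archive.zip"]


def _b64(digest: bytes) -> str:
    return base64.b64encode(digest).decode("ascii")


def build_fciv_xml(files: dict) -> str:
    """Build an FCIV-style XML database from {path: content}.

    Assumed layout: <FCIV><FILE_ENTRY><name/><MD5/><SHA1/></FILE_ENTRY>...</FCIV>
    with base64-encoded digests (what 'fciv -both -xml db' would write).
    """
    entries = []
    for path, data in files.items():
        entries.append(
            "<FILE_ENTRY><name>{}</name><MD5>{}</MD5><SHA1>{}</SHA1></FILE_ENTRY>".format(
                escape(path),
                _b64(hashlib.md5(data).digest()),
                _b64(hashlib.sha1(data).digest()),
            )
        )
    return '<?xml version="1.0" encoding="utf-8"?>\n<FCIV>\n' + "\n".join(entries) + "\n</FCIV>\n"


def load_fciv_db(xml_text: str) -> dict:
    """Parse an FCIV XML database into {lowercased path: {"md5": hex, "sha1": hex}}.

    Paths are lowercased because Windows paths are case-insensitive; the
    base64 digests are decoded to the hex form most other tools print.
    """
    root = ET.fromstring(xml_text)
    db = {}
    for entry in root.iter("FILE_ENTRY"):
        name = entry.findtext("name") or ""
        hashes = {}
        for alg in ("MD5", "SHA1"):
            raw = entry.findtext(alg)
            if raw:
                hashes[alg.lower()] = base64.b64decode(raw).hex()
        db[name.lower()] = hashes
    return db


def compare_dbs(baseline: dict, current: dict) -> dict:
    """Diff two parsed databases: modified (path, old sha1, new sha1), added, removed."""
    modified, added, removed = [], [], []
    for path, hashes in sorted(baseline.items()):
        if path not in current:
            removed.append(path)
        elif hashes != current[path]:
            modified.append((path, hashes.get("sha1"), current[path].get("sha1")))
    for path in sorted(current):
        if path not in baseline:
            added.append(path)
    return {"modified": modified, "added": added, "removed": removed}


def run_demo() -> dict:
    baseline = load_fciv_db(build_fciv_xml(BEFORE))
    current = load_fciv_db(build_fciv_xml(AFTER))
    return compare_dbs(baseline, current)


if __name__ == "__main__":
    report = run_demo()
    for path, old, new in report["modified"]:
        print("MODIFIED {}\n  baseline sha1 {}\n  current  sha1 {}".format(path, old, new))
    for path in report["added"]:
        print("ADDED    " + path)
    for path in report["removed"]:
        print("REMOVED  " + path)
```

With real databases, replace the two build_fciv_xml calls with the contents of hashdb-original.xml and hashdb-current.xml produced by two runs of the -add command above. Because the baseline is only as trustworthy as the storage it sits on, keep the XML off the host being checked (or at least sign it); an attacker with write access to the system can rewrite the database as easily as the files it describes.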
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.