In this article, we will be using Disk Drive Signature to identify any suspicious changes in systems’ directories or files. Creating such signatures can help us protect our data in various ways.
Table of Contents
·
Introduction
·
Creating
disk signature
·
Comparing
disk signature
Introduction
A disk
drive signature is created to identify the suspicious changes in your systems’
directories or files. This data incorporates information about a
document's path, size, and other file attributes.
To create a
disk drive signature, we will be using the OS Forensics tool
by PassMark Software. OS forensic allows you to create, compare, and analyse a
disk drive signature.
Let’s first
check what all files are present there on the Desktop as we are going to create
a disk signature on desktop only to get quick results. You can create a Disk
drive Signature of any disk or folder present on your system as per your
requirement.
We are
going to create a signature for my desktop only. To begin with let’s first
check the files present on the desktop so that you can get a clear idea after
comparison of disk drive signatures.
Creating Disk Drive Signature
To create a
Disk signature, download the OS Forensics tool if you haven’t already. You can
download it from here. You can
create the disk signature by selecting the options highlighted in the following
screenshot.
Select the desired
directory to create the signature. Here, I have selected Desktop, browse the directory, and click start. So, the signature for the data drive will be created.
It will ask for the File Name,
enter the File Name and click on Save. Now the signature for the selected drive
will be created. Select a file name for your signature as per your convenience
I will be naming the first signature “old signature” and the other one “new
signature”, just to be clear while comparing both the signatures.
Now you can
perform some modifications in the data drive like deleting or editing some
files anything that you want. You can also repeat the same steps to create
another signature after making all the alterations in the information drive.
After
creating the before and after signatures, select compare signature as
highlighted in the following screenshot. Browse the old and new signature in
the respective column and select compare.
The comparison of the disk signature helps to find any changes in the drive.
The result will
show the files with their difference status, whether the file is deleted,
modified, or created along with the date and time. The result of after comparison of both the disk
drive signature shows a total of 7 differences; 4 new files, 2 deleted, and 1
modified file.
From the bottom right, as depicted in the picture, you can separately view the files of difference as you like. For instance, if you want to view all the deleted files altogether select deleted files from the drop-down column.
Creating
and comparing the disk drive signatures helps to know suspicious changes in
your system as it creates a snapshot of the directory structure of the
drive at the point of creation
0 comments:
Post a Comment