Monday, October 24, 2011

A Quick and Dirty Method For Laptop Tamper Detection

Let's put on our James Bond hat for a minute. You're off traveling in an exotic location, and while there you've got a romantic dinner planned with your wife (what can I say, in my universe James Bond is happily married). It would be a real downer to bring your laptop along for the evening, but if you leave it in the hotel room, how can you be sure it wasn't tampered with? Perhaps you should cancel your date?

Of course not. What you need is a simple way of detecting which files, if any, were changed while you were off smooth talking your wife. What you really want, it turns out, is Tripwire, but you want it in a Windows context. After poking around, I found a surprisingly simple (and dated?) solution to this need: FCIV, Microsoft's File Checksum Integrity Verifier. This tiny little app does exactly what you'd want it to do: it records a hash of every file you point it at, and later re-hashes them and reports the ones that no longer match.

First off, download FCIV and copy it to your thumb drive. Say, d:\bin. It's a single portable executable, so there's nothing to install on the laptop; the whole tool lives on the thumb drive.

While you're sure the computer is in a sane state, run:

  d:\bin\fciv -add c:\ -r -xml d:\db\snapshot.xml

The above command does what you'd expect it would do - it recursively (-r) descends the C:\ drive, building up a database of checksums (-add) and writing it to a file on your thumb drive (-xml). Note that FCIV stores MD5 hashes by default; pass -both if you also want SHA-1 in the database.

My laptop, which has 47 GB of used space, took a little over an hour to index. Run this command and head off to bed.

As a bonus, I'd also suggest running regedit and going to File > Export... to dump the registry to D: as well. That way, by dumping the registry again later and diffing the two exports, you can tell what's changed there too, since FCIV only looks at files on disk.

Grab the thumb drive and head out to your hot date. As long as the thumb drive is within your control, you'll be able to verify your computer later.

After the big night out, you'd return to your computer, plug in the thumb drive and enter:

  d:\bin\fciv -v -xml d:\db\snapshot.xml

This command runs the verification routine (-v). It walks the database, re-hashes every file recorded in it, and spits out the ones whose hash no longer matches or that have gone missing. One caveat: it only checks files that were in the snapshot, so a brand new file dropped onto the disk won't be flagged. Again, this isn't exactly fast, but it'll get the job done.
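To make the snapshot-then-verify idea concrete, here is a small Tripwire-style checker written for this post. It is an added example, not the post's own code and not Microsoft's FCIV: it reproduces the workflow above (snapshot a tree, tamper with it, verify against the stored baseline), uses SHA-256 rather than FCIV's default MD5, and, unlike fciv -v, also reports files that were added or removed since the snapshot. The directory tree, the file contents and the JSON database format are all constructed for the demo.

```python
"""Tripwire-style snapshot/verify for a directory tree.

Added example, not part of the original post or of Microsoft's FCIV. It mirrors
the post's workflow ("fciv -add" then "fciv -v") but stores SHA-256 and reports
ADDED and REMOVED files as well as MODIFIED ones.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large files are not loaded into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Walk `root` recursively; map each relative path to its hash and size.

    Symlinks are skipped so a planted link cannot redirect the hash to some
    other file. An unreadable file is recorded with an error marker instead of
    aborting the whole run (a locked file is common on a live Windows system).
    """
    root = Path(root)
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            rel = p.relative_to(root).as_posix()  # same key on Windows and POSIX
            try:
                db[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
            except OSError as e:
                db[rel] = {"error": str(e)}
    return db


def save_snapshot(db, dest):
    """Write the baseline as JSON. Keep it OFF the tree being checked."""
    Path(dest).write_text(json.dumps(db, indent=1, sort_keys=True))


def load_snapshot(src):
    return json.loads(Path(src).read_text())


def verify(root, baseline):
    """Compare the tree under `root` with a stored baseline.

    Returns {"modified": [...], "added": [...], "removed": [...]} with sorted
    relative paths. fciv -v only produces the "modified" part.
    """
    current = snapshot(root)
    old, new = set(baseline), set(current)
    modified = sorted(
        p for p in old & new
        if baseline[p].get("sha256") != current[p].get("sha256")
    )
    return {"modified": modified, "added": sorted(new - old), "removed": sorted(old - new)}


def demo():
    """Constructed scenario: build a tiny tree, snapshot it, tamper, verify."""
    laptop = Path(tempfile.mkdtemp(prefix="laptop-"))   # stands in for C:\
    thumb = Path(tempfile.mkdtemp(prefix="thumb-"))     # stands in for D:\
    (laptop / "bin").mkdir()
    (laptop / "bin" / "tool.exe").write_bytes(b"MZ original program")
    (laptop / "notes.txt").write_text("nothing to see here")

    db_file = thumb / "snapshot.json"
    save_snapshot(snapshot(laptop), db_file)            # like: fciv -add c:\ -r -xml d:\db\snapshot.xml

    # Simulated tampering while the laptop sat in the hotel room.
    (laptop / "bin" / "tool.exe").write_bytes(b"MZ trojaned program")  # modified
    (laptop / "bin" / "keylog.dll").write_bytes(b"new payload")        # added
    (laptop / "notes.txt").unlink()                                    # removed

    return verify(laptop, load_snapshot(db_file))       # like: fciv -v -xml d:\db\snapshot.xml


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

The baseline is written to a separate directory on purpose, the same way the post keeps snapshot.xml on the thumb drive: a baseline stored on the disk being checked is just one more file an intruder can rewrite to match their changes.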

The good news is that any file in the snapshot that gets changed will be reported to you. Also, you're running the command from your thumb drive, so an attacker can't simply swap out fciv.exe itself to hide their tracks, a neat little trick which would have made this all for naught.

But, with that said, an attacker may have installed his own nefarious version of cmd.exe, swapped a system DLL that fciv loads, or performed some other wicked trick that I can't even imagine. So alas, if you were really a super agent, you wouldn't want to use the above technique: any check run from inside a compromised operating system can be lied to by that operating system. At the very least, you'd need to boot the computer into a known-good (ideally read-only) operating system and check the disk from there. However, if you're a mere mortal like myself, and just want to know what files an installation of software may have tweaked, or what files get modified when a particular command is run, fciv is handy. And who knows, one day you may find yourself in a situation where you want to do tamper detection on a computer, and this little hack may be better than nothing.
