Cross-view detection

Subversive Technologies & Countermeasures

Jump to: navigation, search
Development
Author Jason Todd
Information Proof of concept
Maturity Developed
Status No disputes
Legend

Cross-view detection typically compares a low level view of a system with a high level view noting any discrepancies between the two indicating possible activity.

[edit] Simple windows file system cross-view

This technique will obtain the high level view of the file system in the normal operative state of the machine. The low level view will be obtained by booting from a device that has no dependencies on the installed operating system and viewing the file system. On a windows machine a very simple cross-view of the file system can be preformed with the following steps:

  1. Open a command shell; on modern windows implementations you can click run and type cmd. Older versions of windows would require you to open a dos prompt. Navigate to the root directory which is typically c:\ on a windows system by entering cd\
  2. Enter the following command: dir /b /ah /s > hfile1.txt
    • /b for bare formatting, we do not need all the extra details
    • /ah for showing files with the attribute hidden set
    • /s To display file entries in the specified directory and all sub directories located below it hierarchically.
    • > hfile1.txt will pipe the results out into a text file name hfile1.txt
  3. Enter the following command: dir /b /s > file1.txt
    • /b for bare formatting, we do not need all the extra details
    • /s To display file entries in the specified directory and all sub directories located below it hierarchically.
    • > file1.txt will pipe the results out into a text file name file1.txt
  4. You should now have two files named file1.txt and hfile1.txt.
    • file1.txt will contain a listing of files and directory from the partition.
    • hfile1.txt will contain a listing of files and directory with the hidden attribute bit set from the partition.
  5. Boot the system using a windows boot floppy, CD/DVD, or flash device.
    • If you are using the NTFS file system NTFS DOS or another package will be needed to access the file system. Knoppix is another option but will require knowledge of Linux shell commands.
  6. After boot you should be placed in the root directory but should execute cd\ just to be sure. Repeat steps #1 and #2 but change hfile1.txt in step 1 to hfile2.txt and file1.txt in step 2 to file2.txt.
  7. You should now have four files named hfile1.txt, hfile2.txt, file1.txt, and file2.txt.
  8. You can use any program that will compare files such as windiff to check for discrepancies between the two files. Compare hfile1.txt against hfile2.txt and file1.txt and file2.txt looking for any differences between the files.

[edit] Appendix

Retrieved from "http://www.wikistc.org/wiki/Cross-view_detection"
Personal tools