Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/bitranox/fingerprint

Monitoring Registry and File Changes in Windows
https://github.com/bitranox/fingerprint

forensic forensic-analysis forensic-examinations forensics forensics-investigations hacking hacking-code hacking-tool hacking-tools hackingtool hackingtools procmon python3 registry registry-data registry-hacks registry-scripts windows windows-10 windows-7

Last synced: 23 days ago
JSON representation

Monitoring Registry and File Changes in Windows

Host: GitHub
URL: https://github.com/bitranox/fingerprint
Owner: bitranox
License: mit
Created: 2018-11-06T20:18:21.000Z (almost 6 years ago)
Default Branch: master
Last Pushed: 2024-07-10T05:06:54.000Z (4 months ago)
Last Synced: 2024-09-28T22:41:19.435Z (about 1 month ago)
Topics: forensic, forensic-analysis, forensic-examinations, forensics, forensics-investigations, hacking, hacking-code, hacking-tool, hacking-tools, hackingtool, hackingtools, procmon, python3, registry, registry-data, registry-hacks, registry-scripts, windows, windows-10, windows-7
Language: Python
Size: 5.61 MB
Stars: 67
Watchers: 3
Forks: 11
Open Issues: 2
Metadata Files:
- Readme: README.rst
- Changelog: CHANGES.rst
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md

Awesome Lists containing this project

awesome-hacking-lists - bitranox/fingerprint - Monitoring Registry and File Changes in Windows (Python)

README

fingerprint
=================
Monitoring Registry and File Changes in Windows - forensic analytics for windows registry and files

"fingerprint" records the state of a windows system, in terms of files and registry.
Such fingerprints can be compared to find all changed data.
The data can be narrowed with procmon logfiles, in order to see which process caused the changes.
Procmon Logfiles can be filtered to show only events for changed Files or Registry Entries.
This makes it much more easy to find the cause of system changes.

All fingerprints are stored in csv, Excel compatible format, for convenient filtering, sorting, etc.
You can also use third party tools like "Meld", "FC", "diff" to compare fingerprints.

You can use fingerprint in batchfiles to automatically filter out events of Your interest - its batch friendly

sources are included, but You just might use the fp.exe file created with pyinstaller from `Releases `_

Usage Scenarios
---------------
Monitor honeypots, monitor system changes, find "hidden" registry entries or files, like expiration of demo versions,
analyze virus activities, analyze if Your privacy was compromised. You will be able to find every Spy Program, Worm,
or hack into Your system, unless the program ONLY resides in memory and does not alter anything - but that is very unlikely

Usage
-----
check the `Wiki `_

Installation
------------
no installation required, just use the fp.exe file from `Releases `_

Requirements
---------------
following Packets will be installed / needed (when using .py files):

click

python-registry

pyinstaller (if You want to create Your own .exe Files)

Acknowledgement
---------------
Inspired by Regshot, InstallWatch Pro, SpyMe Tools, RegDiff, WhatChanged, RegFromApp, Uninstaller Pro and others

Contribute
----------
I would love for you to fork and send me pull request for this project.
Please contribute.

License
-------
This software is licensed under the `MIT license `_

See `License file `_

SAMPLE SESSION
--------------
Lets make s walk-through by example. Lets assume we have a software with "Trial Period" and the Software stops working after the trial period.

After uninstalling and reinstalling the software, it still shows "Trial Period ended" - so this software is not completely uninstalling, leaving some files or registry entries behind.

all programs are started from the commandline. Use fp.exe [command] --help for showing the help with all commandline parameters.

STEP1: create fingerprint of drive c:\\ on a clean system:
fp.exe files --fp_dir=c:\\ --f_output=c:\\fp\\fp1.csv
fp.exe reg --f_output=c:\\fp\\reg1.csv

STEP2: create fingerprint after installing, running and uninstalling the software:
fp.exe files --fp_dir=c:\\ --f_output=c:\\fp\\fp2.csv
fp.exe reg --f_output=c:\\fp\\reg2.csv

STEP3: create diff files. In that files all changes between clean and uninstalled state are stored:
fp.exe files_diff --fp1=c:\\fp\\fp1.csv --fp2=c:\\fp\\fp2.csv --f_output=c:\\fp\\fp1-fp2.csv
fp.exe reg_diff --reg1=c:\\fp\\reg1.csv --reg2=c:\\fp\\reg2.csv --f_output=c:\\fp\\reg1-reg2.csv

STEP4: reinstall the software
use procmon to log all system activity and save the log as csv file "c:\\fp\\reinstall_procmon.csv"

Filtering Procmon Logfiles will be explained soon, since it is in refractoring stage now.
If You are inpatient You might use the old Version 1.6 (from releases) .

REMARKS
-------

You might record quite some noise - there is no filter to sort it out at the moment. On the other hand - I would hide exactly in the noise, so I left it

Procmon Logfiles can get quite big - You might set some appropriate filters there (for the processes or programs You examine).

TODO
----

- travis windows