File integrity checker (Tripwire), Windows, SHA-1 changed.

delusion

Newbie

Posts: 49

Joined: Thu Mar 18, 2010 6:04 pm

Location: London

Post Mon Apr 26, 2010 5:46 am

File integrity checker (Tripwire), Windows, SHA-1 changed.

Hey guys

This one's been plaguing my thoughts for a while. Thus far I have chatted to peers and explored the web.

I monitor a file integrity checker and every so often the hashes change. The hashes change when new Windows patches have been installed. So it could be that either the Windows updates have been installed OR that the server has been rebooted. Either way I am unclear why the hash would need to be changed. ??? :o
You Can't Resolve Problems Whilst At WAR!
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Apr 26, 2010 7:18 am

Re: File integrity checker (Tripwire), Windows, SHA-1 changed.

It depends on what you are monitoring, but cryptographic hashes should not change from a simple reboot. The exception to this is the dozens of files that do get touched when Windows boots.

It would help to know which files you are monitoring, but Windows Update does replace certain system files on your hard drive. That's what a patch does. Since the contents of the files have changed, the hash will be different. When the contents change, the hashes change. That's the purpose of a cryptographic hash algorithm.

http://en.wikipedia.org/wiki/Cryptographic_hash_function
~~~~~~~~~~~~~~
Ketchup
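
The point made in the reply above (a hash follows file contents, not timestamps), as an added example that is not part of the original thread and is not Tripwire's own code: a small Python baseline-and-compare check that separates files whose contents were replaced from files that were only touched. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha1_of(path, chunk=65536):
    """SHA-1 of a file's contents only; name, timestamps and ACLs are not hashed."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> (sha1, mtime_ns) for every file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): (sha1_of(p), p.stat().st_mtime_ns)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(baseline, current):
    """Classify each path: content change, metadata-only touch, added, removed."""
    report = {"content_changed": [], "touched_only": [], "added": [], "removed": []}
    for path, (digest, mtime) in current.items():
        if path not in baseline:
            report["added"].append(path)
        elif baseline[path][0] != digest:
            report["content_changed"].append(path)   # what a patch causes
        elif baseline[path][1] != mtime:
            report["touched_only"].append(path)      # same bytes, new timestamp
    report["removed"] = sorted(set(baseline) - set(current))
    return report

def demo():
    """Constructed sample: one file 'patched', one only touched, one left alone."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "patched.dll").write_bytes(b"version 1")
        (root / "touched.log").write_bytes(b"same bytes")
        (root / "idle.sys").write_bytes(b"unchanged")
        baseline = snapshot(root)
        (root / "patched.dll").write_bytes(b"version 2")      # update replaces contents
        os.utime(root / "touched.log", ns=(10**18, 10**18))   # timestamp change only
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Correlating the `content_changed` list with the patch installation window is what turns an alert like the one in the question into an expected change that can be re-baselined.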
delusion

Newbie

Posts: 49

Joined: Thu Mar 18, 2010 6:04 pm

Location: London

Post Mon Apr 26, 2010 9:22 am

Re: File integrity checker (Tripwire), Windows, SHA-1 changed.

That was informative, I was being a bit of a numpty!! Cheers!
You Can't Resolve Problems Whilst At WAR!
