Home
fp_files.exe creates a CSV file with the metadata of the selected files on your hard disk. Each fingerprint result is completely independent of previous fingerprints; the difference between two fingerprints needs to be analyzed with another program.
fp_files.exe needs to run with elevated rights (as Administrator) to get access to some files and directories which would not be accessible otherwise. You can override this, but it is not recommended and only intended for testing.
fp_files.exe [commandline parameters]
If you do not pass any commandline parameter, fp_files will ask you for the directory to fingerprint (e.g. c:, c:\windows) and the location of the results (e.g. c:\fingerprints\fp_files_1.csv).
fp_files.exe calculates a hash for each file, which can take a very long time, especially if you have a lot of very large files in the directory you fingerprint. Either move those files to a safe location or turn hashing off (not recommended, you might miss something). Filtering (ignoring) of some files is not implemented yet.
Commandline Parameters:
fp_files.exe [commandline parameters]
--fp_dir=<dirname> # the directory to fingerprint, e.g. c:\windows or c:\
--resultfile=<filename> # the resultfile, e.g. c:\fingerprint\fp_files_1.csv
# missing directories will be created, c:\fingerprint\fp_files_1.log will be created
--batchmode # do not ask for missing or wrong parameters, but exit
--no_admin # allow running without admin rights; not recommended, you will miss a lot
--no_hashing # do not calculate file hashes; not recommended, you might miss some changes
--no_mp # no multiprocessing - much slower, but the order of entries in the result file is preserved.
# this can be used if you want to use third-party tools to compare result files, but it might
# be better to use multiprocessing and sort the result file afterwards.
The Result:
The result is a CSV file which can be opened with Excel or your text editor. The CSV file might look like this:
c:\fingerprints\fp_files_1.csv :
path,size,created,modified,accessed,hash,change,remark
C:\testfiles\file7_change_accessed_date.txt,0,2018-11-14 13:47:39.020319,2018-11-14 13:47:39.013345,2018-11-14 13:47:39.013345,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
path : the path to the file
size : the filesize in bytes
created : the creation date (can be spoofed by malicious programs)
modified : the date of the last modification (can be spoofed by malicious programs)
accessed : the date of the last access (can be spoofed by malicious programs)
hash : a SHA256 hash of the data in the file - that can't be spoofed, you will spot changes for sure here
change : what has changed (this field is only used in diff files created by fp_files_diff.exe and described there)
remark : remark (this field is only used in diff files created by fp_files_diff.exe and described there)
Now you are already able to create file fingerprints before and after installing some software and track the changes between the CSV files with tools like Meld, FC, diff, etc. (take care of the ordering in the result file; sort it before using third-party tools). But there is a better option, fp_files_diff.exe, which is explained below.
fp_files_diff.exe compares the data stored in two fingerprint CSV files. The result is a CSV file with all changes between the two fingerprints.
fp_files_diff.exe [commandline parameters]
If you do not pass any commandline parameter, fp_files will ask you for the names of the two fingerprints to compare (e.g. c:\fingerprints\fp_files_1.csv, c:\fingerprints\fp_files_2.csv) and the location of the results (e.g. c:\fingerprints\diff_fp_files_1-2.csv).
Commandline Parameters:
fp_files_diff.exe [commandline parameters]
--fp1=<filename> # the fingerprint #1, e.g. c:\fingerprints\fp_files_1.csv
--fp2=<filename> # the fingerprint #2, e.g. c:\fingerprints\fp_files_2.csv
--resultfile=<filename> # the resultfile, e.g. c:\fingerprint\fp_files_diff_1-2.csv
# missing directories will be created, c:\fingerprint\fp_files_diff_1-2.log will be created
--batchmode # do not ask for missing or wrong parameters, but exit
The Result:
The result is a CSV file which can be opened with Excel or your text editor. The CSV files might look like this:
c:\fingerprints\fp_files_1.csv :
path,size,created,modified,accessed,hash,change,remark
.\testfiles\file1_no_changes.txt,0,2018-11-14 22:49:05.216676,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
.\testfiles\file3_change_data.txt,0,2018-11-14 22:49:05.218671,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
.\testfiles\file4_change_data_silently.txt,0,2018-11-14 22:49:05.221674,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
.\testfiles\file5_change_creation_date.txt,0,2018-11-14 22:49:05.221674,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
.\testfiles\file6_change_modified_date.txt,0,2018-11-14 22:49:05.222659,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
.\testfiles\file7_change_accessed_date.txt,0,2018-11-14 22:49:05.223658,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
.\testfiles\file8_deleted.txt,0,2018-11-14 22:49:05.223658,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
c:\fingerprints\fp_files_2.csv :
path,size,created,modified,accessed,hash,change,remark
.\testfiles\file1_no_changes.txt,0,2018-11-14 22:49:05.216676,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
.\testfiles\file2_added.txt,0,2018-11-14 22:49:05.217699,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
.\testfiles\file3_change_data.txt,9,2018-11-14 22:49:05.218671,2018-11-14 22:49:05.242633,2018-11-14 22:49:05.242633,9347cf5e62ad7dabebd7f6cb4d0a06858f63e7ed4ed7b5bf9537b6c670d79ea3,,
.\testfiles\file4_change_data_silently.txt,9,2018-11-14 22:49:05.221674,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,9347cf5e62ad7dabebd7f6cb4d0a06858f63e7ed4ed7b5bf9537b6c670d79ea3,,
.\testfiles\file5_change_creation_date.txt,0,2018-11-14 22:49:05.221674,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
.\testfiles\file6_change_modified_date.txt,0,2018-11-14 22:49:05.222659,2018-11-14 22:49:15.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
.\testfiles\file7_change_accessed_date.txt,0,2018-11-14 22:49:05.223658,2018-11-14 22:49:05.213710,2018-11-14 22:49:15.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,
c:\fingerprint\fp_files_diff_1-2.csv :
path,size,created,modified,accessed,hash,change,remark
.\testfiles\file2_added.txt,0,2018-11-14 22:49:05.217699,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,ADDED,
.\testfiles\file3_change_data.txt,9,2018-11-14 22:49:05.218671,2018-11-14 22:49:05.242633,2018-11-14 22:49:05.242633,9347cf5e62ad7dabebd7f6cb4d0a06858f63e7ed4ed7b5bf9537b6c670d79ea3,CHANGED,"Size changed from 0 to 9, modified changed from 2018-11-14 22:49:05.213710 to 2018-11-14 22:49:05.242633, hash (data) changed"
.\testfiles\file4_change_data_silently.txt,9,2018-11-14 22:49:05.221674,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,9347cf5e62ad7dabebd7f6cb4d0a06858f63e7ed4ed7b5bf9537b6c670d79ea3,CHANGED_SILENT,"Size changed from 0 to 9, hash (data) changed"
.\testfiles\file6_change_modified_date.txt,0,2018-11-14 22:49:05.222659,2018-11-14 22:49:15.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,CHANGED,modified changed from 2018-11-14 22:49:05.213710 to 2018-11-14 22:49:15.213710
.\testfiles\file8_deleted.txt,0,2018-11-14 22:49:05.223658,2018-11-14 22:49:05.213710,2018-11-14 22:49:05.213710,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,DELETED,
The diff file contains only the differences between the two fingerprints. Unchanged files are not included.
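The comparison shown in the sample files above can be reproduced with a short script. This is an added example, not the code of fp_files_diff.exe: the classification rules (CHANGED_SILENT when the data hash differs but the modified date does not, and no report for a changed accessed date) are assumptions inferred from the sample output, and the rows are constructed from it with hashes shortened to h0/h1.

```python
import csv
import io

# Constructed sample fingerprints modelled on the rows above (hashes shortened).
FP1 = r"""path,size,created,modified,accessed,hash,change,remark
.\testfiles\file1_no_changes.txt,0,22:49:05.216676,22:49:05.213710,22:49:05.213710,h0,,
.\testfiles\file3_change_data.txt,0,22:49:05.218671,22:49:05.213710,22:49:05.213710,h0,,
.\testfiles\file4_change_data_silently.txt,0,22:49:05.221674,22:49:05.213710,22:49:05.213710,h0,,
.\testfiles\file6_change_modified_date.txt,0,22:49:05.222659,22:49:05.213710,22:49:05.213710,h0,,
.\testfiles\file7_change_accessed_date.txt,0,22:49:05.223658,22:49:05.213710,22:49:05.213710,h0,,
.\testfiles\file8_deleted.txt,0,22:49:05.223658,22:49:05.213710,22:49:05.213710,h0,,
"""
FP2 = r"""path,size,created,modified,accessed,hash,change,remark
.\testfiles\file1_no_changes.txt,0,22:49:05.216676,22:49:05.213710,22:49:05.213710,h0,,
.\testfiles\file2_added.txt,0,22:49:05.217699,22:49:05.213710,22:49:05.213710,h0,,
.\testfiles\file3_change_data.txt,9,22:49:05.218671,22:49:05.242633,22:49:05.242633,h1,,
.\testfiles\file4_change_data_silently.txt,9,22:49:05.221674,22:49:05.213710,22:49:05.213710,h1,,
.\testfiles\file6_change_modified_date.txt,0,22:49:05.222659,22:49:15.213710,22:49:05.213710,h0,,
.\testfiles\file7_change_accessed_date.txt,0,22:49:05.223658,22:49:05.213710,22:49:15.213710,h0,,
"""

def load(text):
    """Index fingerprint rows by path, so row order in the files does not matter."""
    return {row["path"]: row for row in csv.DictReader(io.StringIO(text))}

def diff(fp1_text, fp2_text):
    """Return {path: (change, remark)} for every file that differs."""
    old, new = load(fp1_text), load(fp2_text)
    result = {}
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            result[path] = ("ADDED", "")
        elif path not in new:
            result[path] = ("DELETED", "")
        else:
            a, b = old[path], new[path]
            # Assumption taken from the sample: 'accessed' is not compared.
            notes = [f"{f} changed from {a[f]} to {b[f]}"
                     for f in ("size", "created", "modified") if a[f] != b[f]]
            data_changed = a["hash"] != b["hash"]
            if data_changed:
                notes.append("hash (data) changed")
            if notes:
                # Data differs while the modified date was kept: timestamp not trustworthy.
                silent = data_changed and a["modified"] == b["modified"]
                result[path] = ("CHANGED_SILENT" if silent else "CHANGED", ", ".join(notes))
    return result

if __name__ == "__main__":
    for path, (change, remark) in diff(FP1, FP2).items():
        print(change, path, remark)
```

Because rows are indexed by path, the result is the same whether or not the fingerprints were created with --no_mp.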