A file integrity monitor (FIM) is a security tool that detects and alerts on any changes made to important files on a computer or network. This includes changes to the contents of a file as well as changes to the file’s attributes such as permissions, ownership and timestamps. FIMs work by creating a baseline of important files, which is used as a reference point to compare against any changes that occur. If a change is detected, the FIM can alert the system administrator or take other actions to mitigate potential security threats.
The process:
- The user is prompted to decide whether they want to collect a new baseline or begin monitoring files with a saved baseline.
- If collecting a new baseline, any existing one is deleted and the process begins by calculating the hashes of the target files in a specific directory. Each file path and its calculated hash is then written to the baseline.txt file, creating the new baseline.
- If monitoring with a saved baseline, the files and their corresponding hash are loaded from the baseline and stored in a dictionary.
- The files are then continuously monitored against the saved baseline by comparing the calculated hashes against the dictionary. This allows for the detection of new files, changes to existing files, and deleted files.
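The workflow above, as an added illustration written for this page in Python rather than the author's own script: it collects a baseline of SHA-256 hashes into a baseline.txt file, loads that file back into a dictionary, and runs a monitoring pass that reports new, changed and deleted files. The directory layout, file names and contents in `demo()` are constructed sample data, not taken from any real system.

```python
import hashlib
import tempfile
import time
from pathlib import Path

BASELINE_NAME = "baseline.txt"  # same baseline file name the process description uses


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Return the hex digest of a file, read in chunks so large files are handled."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_target_files(root: Path, baseline_path: Path):
    """Yield every regular file under root, skipping the baseline file itself."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.resolve() != baseline_path.resolve():
            yield p


def collect_baseline(root: Path, baseline_path: Path) -> dict:
    """Delete any existing baseline, hash every target file and write 'path|hash' lines."""
    if baseline_path.exists():
        baseline_path.unlink()
    baseline = {}
    for p in iter_target_files(root, baseline_path):
        baseline[p.relative_to(root).as_posix()] = hash_file(p)
    with baseline_path.open("w", encoding="utf-8") as f:
        for rel, digest in baseline.items():
            f.write(f"{rel}|{digest}\n")
    return baseline


def load_baseline(baseline_path: Path) -> dict:
    """Load 'path|hash' lines into a dictionary keyed by relative path."""
    baseline = {}
    with baseline_path.open("r", encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            # rsplit on the last '|' so a '|' inside a file name cannot break parsing
            rel, digest = line.rsplit("|", 1)
            baseline[rel] = digest
    return baseline


def check_once(root: Path, baseline_path: Path, baseline: dict) -> dict:
    """One monitoring pass: compare current hashes against the baseline dictionary."""
    current = {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in iter_target_files(root, baseline_path)
    }
    return {
        "new": sorted(set(current) - set(baseline)),
        "changed": sorted(r for r in current if r in baseline and current[r] != baseline[r]),
        "deleted": sorted(set(baseline) - set(current)),
    }


def monitor(root: Path, baseline_path: Path, interval: float = 1.0, passes=None) -> None:
    """Continuously re-check the directory; passes=None runs until interrupted."""
    baseline = load_baseline(baseline_path)
    done = 0
    while passes is None or done < passes:
        result = check_once(root, baseline_path, baseline)
        for kind in ("new", "changed", "deleted"):
            for rel in result[kind]:
                print(f"[{kind.upper()}] {rel}")
        done += 1
        time.sleep(interval)


def demo() -> dict:
    """Run the whole workflow on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "watched"
        root.mkdir()
        baseline_path = Path(tmp) / BASELINE_NAME
        # constructed sample files (not from any real system)
        (root / "hosts.txt").write_text("127.0.0.1 localhost\n")
        (root / "config.ini").write_text("[app]\ndebug=false\n")
        (root / "notes.txt").write_text("keep me\n")
        collect_baseline(root, baseline_path)
        # simulate the three event types a monitoring pass must detect
        (root / "config.ini").write_text("[app]\ndebug=true\n")  # modified content
        (root / "notes.txt").unlink()                             # deleted file
        (root / "unexpected.txt").write_text("not in baseline\n")  # new file
        return check_once(root, baseline_path, load_baseline(baseline_path))


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `{"new": ["unexpected.txt"], "changed": ["config.ini"], "deleted": ["notes.txt"]}`. Because the comparison is hash-only, it detects content changes but not the permission, ownership or timestamp changes mentioned in the introduction; recording selected `os.stat()` fields next to each hash in the baseline line is the natural extension for that. The baseline file itself should live outside the monitored tree or on a protected path, since an attacker who can rewrite it can hide their changes.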
You can find the script here.
This PowerShell script scans all mounted volumes, detects BitLocker-encrypted drives and extracts their recovery keys. If a drive is not protected by BitLocker, it notifies the user. The script then allows the user to save the extracted keys to a CSV via a simple GUI-based file picker.
You can find the code here.
The following script retrieves information about all connected disk drives using the Win32_DiskDrive WMI class. It outputs key details such as the drive ID, model, media type, serial number and size (converted to GB).
You can find the code here.
This is useful in combination with the following script (see here), which retrieves all mounted volumes and checks their BitLocker encryption status using manage-bde -status.
Creating a simple write blocker in the Windows registry.
Using Azure to build and host my own web application, securing it with an SSL certificate and applying Azure's security features to protect it.
The following is a summary of work I completed in Splunk which included creating custom reports, alerts and dashboards.