
Creating File Fingerprints

Robert Nowotny edited this page Nov 30, 2018 · 12 revisions

Create a fingerprint for files:

Fingerprint creates a CSV file with the metadata for the selected files on Your hard disk. Each fingerprint result is completely independent of previous fingerprints; the difference between two fingerprints needs to be analyzed with another command or a third-party program.

For fingerprinting files, fp.exe needs to run with elevated rights (as Administrator) to get access to some files and directories, which would not be accessible otherwise. You can override this, but it is not recommended and only intended for testing.

fp.exe files --fp_dir=<dirname> --f_output=<filename> [--batchmode --no_admin --no_hashing --no_mp]

If You do not pass any command-line parameters, fp_files will ask You for the directory to fingerprint (e.g. c:, c:\windows) and the location of the results (e.g. c:\fingerprints\fp_files_1.csv).

fp.exe calculates a hash for each file, which can take a very long time, especially if You have a lot of very large files in the directory You fingerprint. Either move those files to a safe location or turn hashing off (not recommended, You might miss something). Filtering (ignoring) of some files is not implemented yet.

Command-line parameters:

fp.exe --version           # show the version
fp.exe --help              # show the help
fp.exe <command> --help    # show the help for a specific command

fp.exe files [arguments and flags]
  --fp_dir=<dirname>       # the directory to fingerprint, e.g. c:\windows or c:\
  --f_output=<filename>    # the resultfile, e.g. c:\fingerprint\fp_files_1.csv
                           # missing directories will be created, c:\fingerprint\fp_files_1.log will be created
  --batchmode              # do not ask for missing or wrong parameters, but exit
  --no_admin               # make it able to run without admin rights, not recommended You will miss a lot
  --no_hashing             # do not calculate file hashes, not recommended You might miss some changes
  --no_mp                  # no multiprocessing - much slower, but the order of entries in the result file is preserved.
                           # this can be used if You want to use third party tools to compare result files, but it might
                           # be better to use multiprocessing and sort the resultfile afterwards.

The Result:

The result is a CSV file which can be opened with Excel or Your text editor. The CSV file might look like this:

c:\fingerprints\fp_files_1.csv :

path,size,created,modified,accessed,hash,change,remark
C:\testfiles\file7_change_accessed_date.txt,0,2018-11-14 13:47:39.020319,2018-11-14 13:47:39.013345,2018-11-14 13:47:39.013345,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,

path     : the path to the file 
size     : the filesize in bytes
created  : the creation date (can be spoofed by malicious programs)
modified : the date of the last modification (can be spoofed by malicious programs)
accessed : the date of the last access (can be spoofed by malicious programs)
hash     : a SHA256 hash of the data in the file - that can't be spoofed, You will spot changes for sure here
change   : what has changed (this field is only used in diff files created by fp.exe files_diff and described there)
remark   : remark (this field is only used in diff files created by fp.exe files_diff and described there)

Now You are already able to create file fingerprints before and after installing some software and track the changes between the CSV files with tools like Meld, FC, diff, etc. (take care with the ordering in the result file; sort it before using third-party tools). But there is a better option, fp.exe files_diff, which will be explained later.
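An order-independent way to compare two fingerprint CSVs, keyed on the path and driven by the hash column rather than the spoofable dates. This is an added example, not part of fp.exe and not its files_diff command; the function names, bucket names and sample rows are assumptions constructed for illustration.

```python
import csv
import io

HEADER = "path,size,created,modified,accessed,hash,change,remark"
T1, T2 = "2018-11-14 13:47:39.013345", "2018-11-15 09:00:00.000000"

def _row(path, size, modified, accessed, digest):
    # "created" is fixed at T1; change and remark stay empty as in a plain fingerprint.
    return f"{path},{size},{T1},{modified},{accessed},{digest},,"

# Constructed sample data (not real fp.exe output, hashes are placeholders).
# AFTER is deliberately in a different row order, as a multiprocessing run may give.
BEFORE = "\n".join([HEADER,
    _row(r"C:\app\a.txt", 3, T1, T1, "hash-a1"),
    _row(r"C:\app\b.dll", 9, T1, T1, "hash-b1"),
    _row(r"C:\app\c.cfg", 5, T1, T1, "hash-c1"),
    _row(r"C:\app\d.log", 7, T1, T1, "hash-d1"),
])
AFTER = "\n".join([HEADER,
    _row(r"C:\app\e.exe", 8, T2, T2, "hash-e1"),   # new file
    _row(r"c:\APP\d.log", 7, T1, T2, "hash-d1"),   # only the access date moved
    _row(r"C:\app\b.dll", 9, T1, T1, "hash-b2"),   # content changed, dates untouched
    _row(r"C:\app\a.txt", 4, T2, T2, "hash-a2"),   # ordinary edit
])

def load(text):
    """Index rows by lower-cased path, so that row order and the case of a
    Windows path do not produce false differences."""
    return {row["path"].lower(): row for row in csv.DictReader(io.StringIO(text))}

def diff_fingerprints(before_text, after_text):
    before, after = load(before_text), load(after_text)
    result = {k: [] for k in ("added", "removed", "content_changed", "silent_change", "metadata_only")}
    for key in sorted(before.keys() | after.keys()):
        old, new = before.get(key), after.get(key)
        if old is None:
            result["added"].append(new["path"])
        elif new is None:
            result["removed"].append(old["path"])
        elif old["hash"] != new["hash"]:
            # Different content but identical 'modified' date: the date cannot be trusted.
            bucket = "silent_change" if old["modified"] == new["modified"] else "content_changed"
            result[bucket].append(new["path"])
        elif any(old[c] != new[c] for c in ("size", "created", "modified", "accessed")):
            # Same hash, so only the metadata moved (e.g. the file was read).
            result["metadata_only"].append(new["path"])
    return result
```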