Top menu

How to use dignital signatures to search shadow database

DESCRIPTION

The data logged by DeviceLock can be checked against hash databases (collections of digital signatures of known, traceable data) and used in computer forensics.

For example, you can trace users copying signatured files, with reference to time and devices.

More information about hash databases and their samples can be found at the National Software Reference Library web site: http://www.nsrl.nist.gov

This article contains instruction on using digital signatures to search shadow database.

HOW-TO

You can progress through the following steps to create and use a database with your own digital signatures:

1. Take the confidential files, digital signatures are to be taken for;
2. Generate hash code (MD5, SHA1 or CRC32) for every file;
3. Copy the list of hashes calculated on step 2 (hash database) into your database (as a separate table);
4. Write a script scanning the table (in DeviceLock Enterprise Server database, where shadowed data is stored) and checking whether the hashes taken from the database match those from the list created on step 3;
5. In case a match is found, then the file from your database of digital signatures has been shadow copied.

*There are 'DigestSHA1', 'DigestMD5' and and 'CRC32' fields in 'DLStore' table. You can compare them with the digital signature database. You can also select the records in 'DLShadowFiles' table using the 'StoreID' key field from 'DLStore' table.