Welcome to The Integrity Project
This website is a working repository of information generated and/or
maintained by The Integrity Project.
Incident response is fraught with constraints. Often, response
handlers must work around the constraints imposed by the surrounding
environment. For example, lack of physical or shell access, untrusted
diagnostic programs, lack of encryption, many machines in need of
investigation, et cetera. Therefore, tool designers need to take these
issues into account and compensate for them where possible. Further,
tool builders need to design their tools with Daubert principles
in mind. Specifically, such tools need to have open architectures
and utilize open data formats so that other practitioners and tool
builders may thoroughly understand and appreciate their operation.
Managing many systems and networks in parallel can be difficult
and time consuming. Generally speaking, the more diverse these
systems and networks are, the harder it becomes to manage them
effectively and efficiently. Therefore, administrators need reliable
tools that work well in centralized management schemes.
The goal of The Integrity Project is to build high quality tools
that meet the needs of both incident response handlers and system
FTimes, short for File Topography and Integrity Monitoring on an
Enterprise Scale, is a system baselining and evidence collection
tool that is lightweight, flexible, and conducive to intrusion
analysis. FTimes was designed to support the following initiatives:
content integrity monitoring, incident response, intrusion analysis,
and computer forensics.
HashDig technology is a collection of utilities designed to help
practitioners automate the process of resolving MD5 hashes. In
the early stages of an investigation, it is not typically possible
or practical to examine all subject files. Therefore, practitioners
need reliable methods that can quickly reduce the number of files
requiring examination. One such method is to group files into
two general categories: known and unknown. This method can be
implemented quite effectively by manipulating hashes and comparing
them to one or more reference databases. Even that, however, can
take a significant amount of effort. HashDig technology attempts
to reduce this burden through automation and the use of lightweight,
open, and verifiable techniques.
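The known/unknown grouping described above, as an added Python example that is not HashDig's own code and does not use its file formats; the reference list layout and the sample "files" are constructed for illustration:

```python
import hashlib
import re

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")

def load_reference(lines: list[str]) -> tuple[set[str], int]:
    """Build the set of known MD5 hashes from reference lines (one hash per
    line; '#' comments and blank lines ignored). Hashes are lower-cased, and
    malformed entries are counted and skipped rather than silently accepted."""
    known: set[str] = set()
    rejected = 0
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        if HEX_MD5.match(entry):
            known.add(entry)
        else:
            rejected += 1
    return known, rejected

def md5_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    # Hash in fixed-size chunks so large files never have to fit in memory.
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def classify(hashes: dict[str, str], known: set[str]) -> dict[str, list[str]]:
    """Partition {name: md5} into 'known' and 'unknown' so that examiners can
    concentrate on the unknown group first."""
    groups: dict[str, list[str]] = {"known": [], "unknown": []}
    for name in sorted(hashes):
        groups["known" if hashes[name].lower() in known else "unknown"].append(name)
    return groups

# Constructed sample data (hypothetical, not a real HashDig reference database).
SAMPLE_REFERENCE = [
    "D41D8CD98F00B204E9800998ECF8427E  # empty file; upper-case shows normalization",
    "b1946ac92492d2347c6235b4d2611184",  # MD5 of b'hello\n'
    "not-a-hash",  # malformed entry, must be rejected
]
SAMPLE_FILES = {"empty.txt": b"", "greeting.txt": b"hello\n", "build.bin": b"site-specific binary"}

def demo() -> dict[str, list[str]]:
    known, _rejected = load_reference(SAMPLE_REFERENCE)
    hashes = {name: hashlib.md5(data).hexdigest() for name, data in SAMPLE_FILES.items()}
    return classify(hashes, known)
```

For real files, replace the in-memory hashing in demo() with md5_of_file() over the paths under examination; only the unknown group then needs manual review.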
A Payload and Delivery (PaD) file is a self-extracting executable
which can be implemented as either a script or a program. In
addition to extracting their payload, PaD executables support
flexible payload delivery. In other words, the user controls if,
when, and how a given payload will be delivered. Within the PaD
framework, delivery refers to the act of running one or more
commands to manipulate or otherwise make use of the extracted
WebJob downloads a program or script from a remote WebJob server and
executes it in one unified operation. Any output produced by the
program/script is packaged up and sent to a remote, possibly
different, WebJob server. WebJob is useful because it provides a
mechanism for running known good programs on damaged or potentially
compromised systems. This makes it ideal for remote diagnostics,
incident response, and evidence collection. WebJob also provides a
framework that is conducive to centralized management. Therefore, it
can support and help automate a large number of common
administrative tasks and host-based monitoring scenarios such as
periodic system checks, file updates, integrity monitoring,
patch/package management, and so on.
The top line of logos represents links to related projects. The
location bar displays your current location within the site. It
also allows you to navigate to higher locations within the site.
The menu bar on the left lets you navigate the site in a hierarchical
fashion. It expands and contracts as you move about the site.