Welcome to The Integrity Project
This website is a working repository of information generated and/or
maintained by The Integrity Project.
Incident response is fraught with constraints. Often, response
handlers must work around the constraints imposed by the surrounding
environment. For example, lack of physical or shell access, untrusted
diagnostic programs, lack of encryption, many machines in need of
investigation, et cetera. Therefore, tool designers need to take
into account these issues and compensate, where possible. Further,
tool builders need to design their tools with Daubert principles
in mind. Specifically, such tools need to have open architectures
and utilize open data formats so that other practitioners and tool
builders may thoroughly understand and appreciate their operation.
Managing many systems and networks in parallel can be difficult
and time consuming. Generally speaking, the more diverse these
systems and networks are, the harder it becomes to manage them
effectively and efficiently. Therefore, administrators need reliable
tools that work well in centralized management schemes.
The goal of The Integrity Project is to build high quality tools
that meet the needs of both incident response handlers and system
FTimes, short for File Topography and Integrity Monitoring on an
Enterprise Scale, is system baselining and evidence collection
tool that is lightweight, flexible, and conducive to intrusion
analysis. FTimes was designed to support the following initiatives:
content integrity monitoring, incident response, intrusion analysis,
and computer forensics.
HashDig technology is a collection of utilities designed to help
practitioners automate the process of resolving MD5 hashes. In
the early stages of an investigation, it is not typically possible
or practical to examine all subject files. Therefore, practitioners
need reliable methods that can quickly reduce the number of files
requiring examination. One such method is to group files into
two general categories: known and unknown. This method can be
implemented quite effectively by manipulating hashes and comparing
them to one or more reference databases. Even that, however, can
take a significant amount of effort. HashDig technology attempts
to reduce this burden through automation and the use of lightweight,
open, and verifiable techniques.
A Payload and Delivery (PaD) file is a self-extracting executable
which can be implemented as either a script or a program. In
addition to extracting their payload, PaD executables support
flexible payload delivery. In other words, the user controls if,
when, and how a given payload will be delivered. Within the PaD
framework, delivery refers to the act of running one or more
commands to manipulate or otherwise make use of the extracted
WebJob downloads a program over HTTP/HTTPS and executes it in one
unified operation. The output, if any, may be directed to
stdout/stderr or a Web resource. WebJob may be useful in incident
response and intrusion analysis as it provides a mechanism to run
known good diagnostic programs on a potentially compromised system.
It can also support a variety of centralized management and
host-based monitoring solutions (e.g., active processes, file
integrity, patch level, package installation, etc.).
The top line of logos represent links to related projects. The
location bar displays your current location within the site. It
also allows you to navigate to higher locations within the site.
The menu bar on the left lets you navigate the site in a hierarchical
fashion. It expands and contracts as you move about the site.