Moo0 File Monitor: DFIR File Monitoring Toolkit
Security researchers and malware analysts often need to monitor file and directory changes. These changes can involve specific operations such as:
- Deleting files
- Creating files
- Renaming files
- Accessing files
- Moving files
There are many toolkits available that perform these types of operations, but they can sometimes be limited in functionality. In this article, I’ll introduce a powerful tool. Although it was developed many years ago, it remains highly effective for monitoring files and directories.
This versatile tool allows you to select which operations to monitor, such as:
- Create
- Write
- Rename
- Delete
Among these, Create, Write, and Delete are especially important artifacts for malware analysts and forensic investigators. These actions can help identify which files have been created, modified, or deleted.
You might ask: if the computer has already been seized, how can we monitor these actions if the tool wasn’t installed beforehand? It’s a valid concern. However, malware analysts and incident responders can still benefit from this tool during controlled execution of a malicious sample, such as in a sandbox or test environment, to observe the file system changes that occur during initial access.
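As an added example (not the Moo0 tool's own code), the snapshot-and-diff approach below produces the same four event types the article lists, Create, Write, Rename and Delete, by comparing a "before" and "after" snapshot of a sandbox directory around a controlled run. The directory contents and file names are constructed for the demonstration, and rename detection is a content-hash heuristic rather than a filesystem notification.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every file under root to (size, mtime_ns, sha256) for later comparison."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, digest)
    return state

def diff_snapshots(before, after):
    """Classify differences between two snapshots as Create, Write, Rename or Delete events."""
    events = []
    created = set(after) - set(before)
    for old in sorted(set(before) - set(after)):
        # Heuristic: a vanished path whose content hash reappears under a new
        # path is reported as a rename instead of a delete plus a create.
        match = next((n for n in sorted(created) if after[n][2] == before[old][2]), None)
        if match is not None:
            events.append(("Rename", old, match))
            created.discard(match)
        else:
            events.append(("Delete", old, None))
    for name in sorted(created):
        events.append(("Create", name, None))
    for name in sorted(set(before) & set(after)):
        if before[name] != after[name]:  # size, mtime or content changed
            events.append(("Write", name, None))
    return events

def run_demo():
    """Constructed scenario standing in for a sample detonated inside a sandbox directory."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        (root / "config.ini").write_text("debug=0\n")
        (root / "old.log").write_text("boot ok\n")
        (root / "victim.txt").write_text("keep me\n")
        before = snapshot(root)
        (root / "dropped.dll").write_bytes(b"MZ constructed stub")  # Create
        (root / "config.ini").write_text("debug=1\n")                # Write
        (root / "old.log").rename(root / "old.log.bak")               # Rename
        (root / "victim.txt").unlink()                                # Delete
        return diff_snapshots(before, snapshot(root))

if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

Polling snapshots this way misses files that are created and removed between two snapshots, which is why a live monitor such as Moo0 File Monitor still has the edge during a detonation.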