Diffing
This feature compares two Case (.ppc) files and highlights the differences between them.
In this way, users can compare the base (clean) image with the latest version of the image taken, and all the changes will be easily observable to analysts.
It is supported in CLI mode and tower mode.
  • CLI mode: The user specifies a flag to start the comparison process and then provides two Case files. As a result, the user can see the report.
DRONE.exe -n --compare CompareCases/CaseA.ppc CompareCases/CaseB.ppc
  • Tower mode:
    • In the first step, the user selects DiFFer from the UI and then clicks “Next”.
    • In the second step, the user uploads Case files for comparison and then clicks the “Start” button. As a result, the user can see the report. In this mode, reporting works dynamically, so when DRONE finds a diff, the report is visible immediately.

What do we compare?

We compare images of the same operating system with each other.
For Windows images, we compare the sections below:
  • AutorunsServices
  • AutorunsScheduledTasks
  • AutorunsRegistry
  • AutorunsStartupFolder
  • InstalledApps
  • Drivers
  • Firewall
  • Hosts
  • NetworkAdapters
  • System DNS servers
  • System Proxy address
For Linux images, we compare the sections below:
  • System Proxy address
  • CronJobs
  • DNSResolvers
  • IPRoutes
  • IPTables
  • Hosts
  • KernelModules
  • Mounts
  • NetworkInterfaces
  • SystemArtifacts
  • Users
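
The idea behind a section-by-section comparison of a clean baseline against a later collection, as an added illustration that is not DRONE's code. The snapshot layout, the key field chosen for each section, and the sample data are all assumptions; the .ppc Case format itself is not described on this page.

```python
# Added illustration: section-by-section baseline diff. The snapshot layout and
# key fields below are assumptions, not the .ppc Case format or DRONE's logic.

# Field that identifies one entry within each section (assumed).
SECTION_KEYS = {"Hosts": "hostname", "CronJobs": "command", "Users": "name"}

def diff_section(base, latest, key):
    """Return entries added, removed, or changed between two lists of records."""
    old = {r[key]: r for r in base}
    new = {r[key]: r for r in latest}
    return {
        "added": [new[k] for k in sorted(new.keys() - old.keys())],
        "removed": [old[k] for k in sorted(old.keys() - new.keys())],
        "changed": [(old[k], new[k]) for k in sorted(old.keys() & new.keys())
                    if old[k] != new[k]],
    }

def diff_snapshots(base, latest):
    """Diff every known section; sections with no differences are omitted."""
    report = {}
    for section, key in SECTION_KEYS.items():
        d = diff_section(base.get(section, []), latest.get(section, []), key)
        if any(d.values()):
            report[section] = d
    return report

# Constructed sample data: a clean baseline and a later collection.
BASELINE = {
    "Hosts": [{"hostname": "localhost", "ip": "127.0.0.1"}],
    "CronJobs": [{"command": "/usr/sbin/logrotate", "schedule": "0 3 * * *"}],
    "Users": [{"name": "root", "uid": 0, "shell": "/bin/bash"},
              {"name": "svc-backup", "uid": 1001, "shell": "/usr/sbin/nologin"}],
}
LATEST = {
    "Hosts": [{"hostname": "localhost", "ip": "127.0.0.1"},
              {"hostname": "updates.example.test", "ip": "203.0.113.10"}],
    "CronJobs": [{"command": "/usr/sbin/logrotate", "schedule": "0 3 * * *"}],
    "Users": [{"name": "root", "uid": 0, "shell": "/bin/bash"},
              {"name": "svc-backup", "uid": 1001, "shell": "/bin/bash"}],
}

if __name__ == "__main__":
    for section, d in diff_snapshots(BASELINE, LATEST).items():
        for kind, items in d.items():
            for item in items:
                print(f"[{section}] {kind}: {item}")
```

Keying each entry by a stable identity is what separates a changed entry (the service account gaining an interactive shell) from an add/remove pair, which is the distinction an analyst reviewing drift from a clean image needs.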