#1
Hi guys
Let's say that I would like to do some testing to find out how a certain piece of software affects my drive; what kind of new files appear on my disk after using the software, what files change, and as much similar information as possible. Is there a way I could go about it without having to purchase special equipment? I would imagine this kind of analysis cannot be made on a Windows level as the OS itself might be making changes to the drive which would be difficult to distinguish from changes made by the software being tested. What I have available is my stationary PC, two laptops, and one external USB 2.0 200GB drive. Specifically, I am looking to find out exactly what happens on my drive when using Google Chrome and certain instant messaging software, outside of a sandbox. I realize that this might be difficult to do, but any input which could get me going in the right direction will be appreciated.
#2
#3
Thanks for the link. Some interesting things there, particularly this:
http://blogs.technet.com/b/sysintern...edirected=true However I was not able to find anything that would help me do what I am trying to do - most of the software/updates over there have to do with monitoring active processes and RAM-related issues, as opposed to analyzing changes on the hard drive. Perhaps I missed something?
#4
|
ADinf32
http://www.adinf.com/
http://www.wilderssecurity.com/showthread.php?t=320057
http://www.wilderssecurity.com/showthread.php?t=72131

TinyWatcher
http://www.donationcoders.com/kubicl...her/index.html
http://www.wilderssecurity.com/showthread.php?t=319874
Ask bellgamin about it.

NIS File Check
No longer available (as far as I know).

File Change Alarm
Maybe still available, not sure however.
#5
Process Monitor allows you to track individual processes. It's helpful.
There are a few tools, including open-source ones, whose names I'm bad at remembering, but they allow you to take snapshots of the system, including the registry. You can then verify the changes. They will highlight them. Is this what you're looking for?
#6
A very useful system change monitor in "real-time", complete with saved reports to review later if something of concern needs going over. It goes in all my units no matter what. Feather-lite! but razor accurate! I can post a link for it if need be. Regards, EASTER
#7
Yes M00nbl00d, that's exactly what I'm looking for.
Thanks for the suggestions guys, I will take a look at everything that was mentioned (and the stuff that was only referenced, too!)
#8
What you describe sounds like an install monitor. On XP and older systems, Inctrl5 would have done what you want. It took a snapshot of your system before the event, then took another after. Then it compared them and listed all registry changes and all new, modified, or deleted files and folders. Reports could be saved in multiple formats. It worked equally well on installs, config changes, and monitoring changes made by websites or apps. The only thing it didn't cover well is services. Install Spy is another. Not sure if it's still around or which OS it's compatible with.
#9
Sounds like you want to look for digital forensics tools that will compare pre- and post-hashes/MD5sums. I haven't used them but they would do exactly what you want. None of them are particularly user friendly from what I understand.
#10
I gave ADinf32 a try, and unfortunately it didn't deliver, although it's a really nice tool.
Here is what I did.
- Cleared my drive with CCleaner and a custom-made batch file.
- Created a drive "snapshot" using ADinf32.
- Launched Chrome in non-incognito, non-sandboxed mode.
- Browsed around for 10-15 minutes, visiting all the websites that leave tons of rubbish on your drive (facebook, cnn, yahoo, some local websites and a bunch of random stuff).
- Instructed ADinf32 to check my drive for changes. The only thing it was able to find was the change of a single file, which was related to some background services running.
- I ran CCleaner just to confirm: 20MB of temp files/cookies/various other stuff were detected.

This software appears to only check important Windows files / folders / processes for changes, but doesn't monitor everything that happens on a hard drive (which makes sense given the purpose ADinf32 was created to serve). Let me stress again: I need to check for ALL changes that happen to my hard drive. I do not expect a single piece of software to do that for me (although that would be awesome), so I am prepared to do some work myself, if only I knew how to go about it. Basically what I am trying to do: I want to see exactly what traces various software leaves on my hard drive, so I can update my custom batch file to always delete those artifacts after I am done working. Sandboxing could be a solution to this, but I cannot run everything inside of a sandbox, and definitely not always. So I am still without a solution at the moment.
Last edited by syncmaster913n: April 20th, 2012 at 06:28 PM.
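The before/after snapshot-and-compare approach described in posts #8 through #10 (snapshot the tree, run the software, snapshot again, diff by content hash), as an added example that is not from the thread or from any of the tools named in it. It assumes nothing beyond the Python standard library; the profile directory and its files are constructed inside the script, and the `excludes` parameter is my own addition for skipping subtrees you already clear.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root, excludes=(), algo="sha256"):
    """Map each file under root to (size, content hash). Subtrees listed in
    excludes (relative to root) are skipped, the option the thread found missing."""
    root, snap = Path(root), {}
    skip = {root / e for e in excludes}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        dirnames[:] = [n for n in dirnames if here / n not in skip]  # prune in place
        for name in filenames:
            path = here / name
            try:
                st, h = path.stat(), hashlib.new(algo)
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                continue  # vanished or locked mid-walk; normal on a live system
            snap[path.relative_to(root).as_posix()] = (st.st_size, h.hexdigest())
    return snap

def diff(before, after):
    """Classify paths as added, removed or modified (hash differs, so same-size edits count)."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p][1] != after[p][1]),
    }

def demo():
    """Constructed scenario (not real Chrome data): a fake profile dir, then a 'session'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Cache").mkdir()
        for name, data in [("Cache/junk.bin", b"old"), ("Cookies", b"v1"),
                           ("Bookmarks", b"{}"), ("History", b"h1")]:
            (root / name).write_bytes(data)
        before = snapshot(root, excludes=("Cache",))
        (root / "Cache/junk.bin").write_bytes(b"new")  # excluded: must not be reported
        (root / "Cookies").write_bytes(b"v2")          # modified, same size as before
        (root / "History").unlink()                    # removed
        (root / "Current Session").write_bytes(b"s")   # added
        after = snapshot(root, excludes=("Cache",))
        return diff(before, after)
```

Point `snapshot()` at a real profile folder (for example the Chrome `User Data\Default` directory mentioned later in the thread) before and after a browsing session to get the same three lists for real data.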
#11
Maybe Directory Monitor will work for you: http://www.brutaldev.com/page/Directory-Monitor.aspx
If not, go to http://www.techsupportalert.com/content/probably-best-free-security-list-world.htm and go to section 7.10.
#12
Inctrl5 should do it, as noone_particular says.
The other alternative I would have suggested is using something like ShadowDefender/Returnil etc, but I see you already use VirtualBox! I guess you are attempting to track who/what does what to your comp whilst online, rather than just drop all changes without knowing what they were etc. Hope you find it & can use it.
#13
Thanks guys, will try all of those today.
Yup, precisely. This way I can apply what I learn to every machine I use, which doesn't always need to be configured for my particular taste. Plus it's fun!

EDIT: Inctrl5 definitely doesn't cut it; it can basically only monitor things strictly related to a particular installation file that you choose from your drive before the program takes its snapshot. It doesn't offer the flexibility I would require.

http://www.brutaldev.com/page/Directory-Monitor.aspx - seems like it MIGHT be the right tool, but I can't for the life of me figure out how to view the logs showing changes. I can only see the words "xxx changes made" but no way to check what those changes are. I'll keep looking, but the program is so straightforward that I am not sure what I might have missed.
Last edited by syncmaster913n: April 21st, 2012 at 01:43 AM.
#14
Try Moo0 File Monitor: http://www.moo0.com/?top=http://www.moo0.com/software/FileMonitor/
#15
TinyWatcher is a very useful and nice app... but now I can recommend another app... it's System Explorer, with a nice feature in the context of this thread.
#17
This one may also prove useful for this kind of monitoring.
https://blogs.technet.com/b/askperf/archive/2010/01/12/an-introduction-to-the-windows-system-state-analyzer.aspx?Redirected=true
#18
Nice, I'm actually looking for something that would monitor the registry in a reliable manner; most apps out there only take notice if entries are added or removed, but do not inform you if the value of any key is changed. Maybe this will deliver.
Thanks to Moo0 FileMonitor, I noticed something I do not understand today. I've described it here: http://www.wilderssecurity.com/showthread.php?t=322696 Overall, it's an excellent tool, extremely reliable, and it informs you of absolutely ANY change that happens to the hard drive. The only thing it lacks is an option to exclude certain directories from the monitoring process. But you can get used to its absence or simply close certain programs if they are particularly annoying and you need to focus. Overall my impression is that when browsing in Chrome, the only folders to be worried about are AppData\Local\Google\Chrome\User Data\Default (I've set my batch file to clear that folder completely, excluding the Bookmarks and Preferences files) and AppData\Roaming\Microsoft\Windows\Recent (I clear this one completely). Some changes to Windows\Prefetch and the Temp folders as well. Other than that I haven't noticed anything unusual, at least for Chrome. EDIT: Sysinternals Process Monitor is an awesome registry and HDD monitor.
Last edited by syncmaster913n: April 23rd, 2012 at 07:21 PM.
#19
@jdd58: Thanks for reminding me about the Moo0 File Monitor.
@syncmaster913n: Yeah, you're right about Inctrl5, my bad memory. A very good registry app is RegDefend by www.ghostsecurity.com. I tried to visit them just now but it's not what I expected to see? This is how it used to look: http://web.archive.org/web/201010230....com/regdefend You can still download it from there, or for eg here http://www.brothersoft.com/regdefend-36038.html if you want to try it. Let us know if you do.
#20
There is one more portable app that gives even more live info:
FileMon 7.04, link: http://www.softpedia.com/get/Programming/Other-Programming-Files/Filemon.shtml It is something like Moo0 FileMonitor 1.07.