Testing for changes made by software to your drive

Discussion in 'other security issues & news' started by syncmaster913n, Apr 18, 2012.

Thread Status:
Not open for further replies.
  1. syncmaster913n (Registered Member)

    Hi guys

    Let's say that I would like to do some testing to find out how a certain piece of software affects my drive; what kind of new files appear on my disk after using the software, what files change, and as much similar information as possible.

    Is there a way I could go about it without having to purchase special equipment? I would imagine this kind of analysis cannot be made on a Windows level as the OS itself might be making changes to the drive which would be difficult to distinguish from changes made by the software being tested. What I have available is my stationary PC, two laptops, and one external USB 2.0 200GB drive.

    Specifically, I am looking to find out exactly what happens on my drive when using Google Chrome and certain instant messaging software, outside of a sandbox.

    I realize that this might be difficult to do, but any input which could get me going in the right direction will be appreciated.
  2. ronjor (Global Moderator)

  3. syncmaster913n (Registered Member)

    Thanks for the link. Some interesting things there, particularly this:

    http://blogs.technet.com/b/sysinter...sysinternals-rammap-v1-0.aspx?Redirected=true

    However I was not able to find anything that would help me do what I am trying to do - most of the software/updates over there have to do with monitoring active processes and RAM-related issues, as opposed to analyzing changes on the hard drive. Perhaps I missed something?
  4. FanJ (Updates Team)

  5. m00nbl00d (Registered Member)

    Process Monitor allows you to track individual processes. It's helpful.

    There are a few tools, including open-source ones, whose names I'm bad at remembering :D, but they allow you to take snapshots of the system, including the registry.

    You can then verify the changes. They will highlight them.

    Is this what you're looking for?
  6. EASTER (Registered Member)

    A very useful system change monitor in "real-time" complete with saved reports to review later if something of concern needs going over.

    It goes in all my units no matter what. Feather-lite! but razor accurate!

    I can post a link for it if need be.

    Regards EASTER
  7. syncmaster913n (Registered Member)

    Yes m00nbl00d, that's exactly what I'm looking for.

    Thanks for the suggestions guys, I will take a look at everything that was mentioned (and the stuff that was only referenced, too! :))
  8. noone_particular (Registered Member)

    What you describe sounds like an install monitor. On XP and older systems, Inctrl5 would have done what you want. It took a snapshot of your system before the event, then took another after. Then it compared them and listed all registry changes and all new, modified, or deleted files and folders. Reports could be saved in multiple formats. It worked equally well on installs, config changes, and monitoring changes made by websites or apps. The only thing it didn't cover well is services. Install Spy is another. Not sure if it's still around or which OS it's compatible with.
  9. BrandiCandi (Guest)

    Sounds like you want to look for digital forensics tools that will compare pre and post hashes/MD5sums. I haven't used them but it would do exactly what you want. None of them are particularly user friendly from what I understand.
  10. syncmaster913n (Registered Member)

    I gave ADinf32 a try, and unfortunately it didn't deliver, although it's a really nice tool.

    Here is what I did.

    - Cleared my drive with CCleaner and a custom-made batch file.
    - Created a drive "snapshot" using ADinf32
    - Launched Chrome in non-incognito, non-sandboxed mode
    - Browsed around for 10-15 minutes, visiting all the websites that leave tons of rubbish on your drive (facebook, cnn, yahoo, some local websites and a bunch of random stuff)
    - Instructed ADinf32 to check my drive for changes. The only thing it was able to find was the change of a single file, that was related to some background services running.
    - I ran CCleaner just to confirm - 20MB of temp files/cookies/various other stuff were detected.

    This software appears to only check important Windows files / folders / processes for changes, but doesn't monitor everything that happens on a hard drive (which makes sense given the purpose ADinf32 was created to serve.)

    Let me stress again: I need to check for ALL changes that happen to my hard drive. I do not expect a single piece of software to do that for me (although that would be awesome), so I am prepared to do some work myself, if only I knew how to go about it.

    Basically what I am trying to do: I want to see exactly what traces various pieces of software leave on my hard drive, so I can update my custom batch file to always delete those artifacts after I am done working. Sandboxing could be a solution to this, but I cannot run everything inside of a sandbox, and definitely not always.

    So I am still without a solution at the moment.
    Last edited: Apr 20, 2012
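    A minimal snapshot-and-compare script in the spirit of the Inctrl5 approach and the pre/post hash comparison suggested above, and of the before/after procedure in the post just above: it hashes every file below a chosen folder before and after the program runs and lists what was added, removed, or rewritten. This is an added example, not a tool anyone in the thread posted; the profile tree under `Default` is a constructed stand-in built in a temporary directory, and pointing `snapshot()` at a real profile folder or a whole volume is left to the reader.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so large cache files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Record size, mtime and SHA-256 for every regular file below root."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
                snap[p.relative_to(root).as_posix()] = {
                    "size": st.st_size, "mtime": int(st.st_mtime), "sha256": sha256_of(p)}
            except OSError:
                continue  # locked or vanished file on a live volume: skip it, don't abort
    return snap

def diff_snapshots(before, after):
    """Paths added, removed, or whose content hash changed (size/mtime alone can miss a rewrite)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    common = set(before) & set(after)
    modified = sorted(p for p in common if before[p]["sha256"] != after[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed run: tiny profile tree, 'before' snapshot, simulated program activity, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Default").mkdir()
        (root / "Default" / "Cookies").write_bytes(b"old cookie jar")
        (root / "Default" / "Bookmarks").write_bytes(b"keep me")
        (root / "stale.tmp").write_bytes(b"to be deleted")
        before = snapshot(root)
        # Simulated program run: a same-size rewrite, a new cache file, a deleted temp file.
        (root / "Default" / "Cookies").write_bytes(b"new cookie jar")
        (root / "Default" / "Cache").mkdir()
        (root / "Default" / "Cache" / "f_000001").write_bytes(b"cached")
        (root / "stale.tmp").unlink()
        return diff_snapshots(before, snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The Cookies rewrite keeps the same byte count, which is why the comparison is on the SHA-256 rather than on size or timestamp; the registry is a separate store and needs its own snapshot.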
  11. jdd58 (Registered Member)

    Maybe directory monitor will work for you. -http://www.brutaldev.com/page/Directory-Monitor.aspx

    If not go to -http://www.techsupportalert.com/content/probably-best-free-security-list-world.htm

    and go to section 7.10.
  12. CloneRanger (Registered Member)

    Inctrl5 should do it, as noone_particular says :thumb: If you search hard enough you can still get it :)

    The other alternative I would have suggested is using something like ShadowDefender/Returnil etc., but I see you already use VirtualBox!

    I guess you are attempting to track who/what does what to your comp whilst online, rather than just drop all changes without knowing what they were etc ;)

    Hope you find it & can use it :)
  13. syncmaster913n (Registered Member)

    Thanks guys, will try all of those today.

    Yup, precisely :) This way I can apply what I learn to every machine I use, which doesn't always need to be configured for my particular taste. Plus it's fun!

    EDIT: Inctrl5 definitely doesn't cut it, it can basically only monitor things strictly related to a particular installation file that you choose from your drive before the program takes its snapshot. It doesn't offer the flexibility I would require.

    http://www.brutaldev.com/page/Directory-Monitor.aspx - seems like it MIGHT be the right tool, but I can't for the life of me figure out how to view the logs showing changes. I can only see the words "xxx changes made" but no way to check what those changes are. I'll keep looking, but the program is so straightforward that I am not sure what I might have missed.
    Last edited: Apr 21, 2012
  14. jdd58 (Registered Member)

    Try Moo0 File Monitor -http://www.moo0.com/?top=http://www.moo0.com/software/FileMonitor/
  15. ichito (Registered Member)

    TinyWatcher is a very useful and nice app...but now I can recommend another app...it's System Explorer, with a nice feature in the context of this thread:
    http://systemexplorer.net/onlinehelp.php?t=sections
  16. syncmaster913n (Registered Member)

    Bingo! Thanks a lot.
  17. m00nbl00d (Registered Member)

    This one may also prove useful for this kind of monitoring.

    -https://blogs.technet.com/b/askperf/archive/2010/01/12/an-introduction-to-the-windows-system-state-analyzer.aspx?Redirected=true
  18. syncmaster913n (Registered Member)

    Nice, I'm actually looking for something that would monitor the registry in a reliable manner; most apps out there only take notice if entries are added or removed, but do not inform you if the value of any key is changed. Maybe this will deliver.

    Thanks to Moo0 FileMonitor, I noticed something I do not understand today. I've described it here: http://www.wilderssecurity.com/showthread.php?t=322696

    Overall, it's an excellent tool, extremely reliable and informs you of absolutely ANY change that happens to the hard drive. The only thing it lacks is an option to exclude certain directories from the monitoring process. But you can get used to its absence or simply close certain programs if they are particularly annoying and you need to focus.

    Overall my impression is that when browsing in Chrome, the only folders to be worried about are AppData\Local\Google\Chrome\User Data\Default (I've set my batch file to clear that folder completely, excluding the Bookmarks and Preferences files) and AppData\Roaming\Microsoft\Windows\Recent (I clear this one completely). Some changes to Windows\Prefetch and the Temp folders as well. Other than that I haven't noticed anything unusual, at least for Chrome.

    EDIT: Sysinternals Process Monitor is an awesome registry and HDD monitor.
    Last edited: Apr 23, 2012
  19. CloneRanger (Registered Member)

    @ jdd58

    Thanks for reminding me about the Moo0 File Monitor :thumb:

    @ syncmaster913n

    Yeah you're right about Inctrl5, my bad memory :oops:

    A very good registry app is RegDefend by www.ghostsecurity.com. I tried to visit them just now but it's not what I expected to see? This is how it used to look: http://web.archive.org/web/20101023024423/http://www.ghostsecurity.com/regdefend You can still download it from there, or for e.g. here http://www.brothersoft.com/regdefend-36038.html if you want to try it. Let us know if you do :)
  20. Athletic (Registered Member)

    There is one more portable app that gives even more live info
    FileMon 7.04

    LINK: http://www.softpedia.com/get/Programming/Other-Programming-Files/Filemon.shtml

    It is something like Moo0 FileMonitor 1.07