Windows disk change monitoring for malware analysis
- by SuperDuck
Not sure if this question belongs here, because it has some relation to 'serverfault' (system backups) and 'stackoverflow' (software analysis).
I'm looking for a solution to monitor disk changes on a Windows system and selectively revert them.
It should be able to handle live files like registry parts, so it may need to be offline backup software.
It shouldn't silently pass over files that the current admin user doesn't have permissions on (files with no permission entries, or files owned by the 'system' user).
Registry change tracking would be a bonus but is not a requirement.
I use virtual machines for malware analysis; there isn't even a solution to list file changes in disk snapshot files (delta VMDK).
I currently use Ashampoo for monitoring changes. Though it's the best one among similar tools, it's not good software and hasn't really evolved across the many 'platinum' and 'deluxe' versions released in the last 10 years (it even used non-resizable windows until the latest version). The real problem is that it misses some disk / registry changes. Perhaps it only compares modification dates and doesn't catch a change if the dates are preserved.
So, I think the solution should compare files using hashes, or file sizes at least. There are numerous backup programs out there and I'm sure one can handle this, offline or online.
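As an added example (not from the question above, and not code from Ashampoo or any other tool named there): a minimal baseline/compare script in Python that hashes every file under a root, records anything it cannot read instead of skipping it, and then diffs two snapshots by content hash, size, or modification time. The sample files, the temporary directory and the "timestomped" overwrite are constructed for the demo; they show concretely why a date-only comparison misses a file whose bytes changed but whose timestamp was put back.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB chunks so large files are not loaded whole


def hash_file(path):
    """SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Walk `root` and return ({relative path: {size, mtime_ns, sha256}}, [unreadable]).

    Anything that cannot be listed or opened goes into the second list, so a file
    the current user has no rights to (or one locked by another process) is
    reported rather than silently passed over.
    """
    root = Path(root)
    entries = {}
    unreadable = []

    def on_error(err):
        # os.walk calls this for directories it cannot list (e.g. access denied).
        unreadable.append(os.path.relpath(err.filename, root))

    for dirpath, _dirnames, filenames in os.walk(root, onerror=on_error):
        for name in filenames:
            full = Path(dirpath) / name
            rel = os.path.relpath(full, root)
            try:
                st = full.stat()
                entries[rel] = {
                    "size": st.st_size,
                    "mtime_ns": st.st_mtime_ns,
                    "sha256": hash_file(full),
                }
            except OSError:
                # PermissionError, sharing violation, vanished file: record, don't skip
                unreadable.append(rel)
    return entries, unreadable


def diff(before, after, key="sha256"):
    """Compare two snapshots. `key` picks the attribute that decides 'modified':
    'sha256' (content), 'size', or 'mtime_ns' (what a date-only tool would use)."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p][key] != after[p][key]),
    }


def demo():
    """Constructed scenario: between two snapshots one file is overwritten with
    same-size content and its timestamps restored (timestomping), one file is
    dropped and one deleted. Returns the content-based and date-based diffs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("setting=1\n")
        target = root / "app.exe"
        target.write_bytes(b"MZ" + b"\x00" * 64)
        before, _ = snapshot(root)

        st = target.stat()
        target.write_bytes(b"MZ" + b"\x90" * 64)                # same size, new bytes
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the old dates back
        (root / "dropper.tmp").write_text("payload")
        (root / "config.ini").unlink()
        after, unreadable = snapshot(root)

        return {
            "by_hash": diff(before, after, key="sha256"),
            "by_mtime": diff(before, after, key="mtime_ns"),
            "unreadable": unreadable,
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In the demo the hash-based diff lists `app.exe` as modified while the mtime-based diff does not, which is exactly the failure mode suspected above. For real use, take the first snapshot before detonation and the second afterwards, and run the walk from an offline mount of the guest disk (or as a high-privilege account) so that ACL-restricted files and locked registry hives end up in `entries` instead of `unreadable`; the script detects changes only, so reverting still needs a copy of the baseline, for example the VM snapshot itself.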