System Snapshot - Then List System Changes


I have been looking for programs that can passively monitor an operating system and list all changes to file structure and registry. The monitoring has to be done passively (without installing any software on the OS). The idea is to track all changes made to the OS after installing a program in order to detect any payloads attached to an EXE.

I was thinking of two options:

- either a program which takes a snapshot at a point in time creating an image, then at a later stage another image is taken and these are compared.

- a method logging registry and file structure changes to a log file.

Does anyone know of programs that are capable of this?
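The first option above (snapshot, install, snapshot again, compare) as an added example that is not part of the original question or any answer: it covers the file-structure half only, recording size and SHA-256 per file and classifying paths as added, removed or modified. The registry half is Windows-specific and is not modelled; the sample directory and the "installer" side effects are constructed inline.

```python
"""Snapshot-and-compare of a directory tree (added example, not from the post).
Covers file structure only; the registry is not modelled here."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (as a relative path) to (size, sha256 hex)."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            data = full.read_bytes()
            snap[str(full.relative_to(root))] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def diff_snapshots(before, after):
    """Classify paths as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: an install drops a new file, alters one and deletes one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"original binary")
        (root / "readme.txt").write_bytes(b"hello")
        before = snapshot(root)
        # Simulated installer side effects (constructed, not a real installer).
        (root / "app.exe").write_bytes(b"patched binary")
        (root / "payload.dll").write_bytes(b"unexpected extra file")
        (root / "readme.txt").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing content rather than trusting timestamps is what makes a silently overwritten binary show up as modified; a production tool would also record ACLs and alternate data streams.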



I have no idea of any specific software that would perform this task. However, I suspect that if you used some forensic packages, remote image acquisition and post-acquisition analysis should be able to enumerate the differences between the images. It will most likely be expensive, though. Perhaps AccessData (FTK) or EnCase offerings do this?

There are a few programs that I know of that are capable of informing you of any changes made to your computer. I will try looking for them and then post them here.

Edit: By the way, there is a Hak5 episode with a guest who did some malware analysis and used some tools to demonstrate what changes were made to the system before and after the malware was executed; you might want to check that out.

