Greetings,
I'm starting to do more analysis of the effect of various tools on the filesystem and am looking for a tool to show the changes quickly. I can use a variety of things I already own to do a diff - pulling the MFT and using MFT Ripper for example. But it'd be nice to do this in one step.
One option seems to be http//
Any thoughts on it, or other options?
-David
Overview of Process Monitor Capabilities
Process Monitor includes powerful monitoring and filtering capabilities, including:
- More data captured for operation input and output parameters
- Non-destructive filters allow you to set filters without losing data
- Capture of thread stacks for each operation make it possible in many cases to identify the root cause of an operation
- Reliable capture of process details, including image path, command line, user and session ID
- Configurable and moveable columns for any event property
- Filters can be set for any data field, including fields not configured as columns
- Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data
- Process tree tool shows relationship of all processes referenced in a trace
- Native log format preserves all data for loading in a different Process Monitor instance
- Process tooltip for easy viewing of process image information
- Detail tooltip allows convenient access to formatted data that doesn't fit in the column
- Cancellable search
- Boot time logging of all operations
David
Take a look at (and listen to) CyberSpeak, November 14th 2009.
Ovie did a "File Saving process" segment that was very interesting. He mentioned tools and methods for system snapshots and comparing.
The grand-daddy of file-system change-management tools is Tripwire. Originally open-source, now a commercial product, it was developed for Unix and has been ported to various *nix flavors, Linux, AS400 and, yes, Windows!
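As an added illustration of the snapshot-and-compare approach the thread is circling around (this is not any poster's code and not a Process Monitor or Tripwire feature), a minimal Tripwire-style baseline in Python: hash every file under a directory before running a tool, snapshot again afterwards, and report created, deleted and modified paths. The directory contents in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file under root.
    Timestamps are deliberately left out: tools can preserve or reset mtime,
    so content hashes are the reliable signal for 'changed'."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            snap[rel] = (p.stat().st_size, sha256_of(p))
    return snap


def diff_snapshots(before, after):
    """Compare two snapshots and return sorted lists of created/deleted/modified paths."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"created": created, "deleted": deleted, "modified": modified}


def demo():
    """Constructed demo: baseline a temp tree, simulate a tool run, diff the result."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cfg").mkdir()
        (root / "cfg" / "app.ini").write_text("debug=0\n")
        (root / "readme.txt").write_text("hello\n")
        before = snapshot(root)
        # Simulated effects of the tool under analysis (constructed, not a real tool):
        (root / "cfg" / "app.ini").write_text("debug=1\n")    # same size, new content
        (root / "readme.txt").unlink()                         # deleted
        (root / "cfg" / "cache.db").write_bytes(b"\x00" * 16)  # created
        return diff_snapshots(before, snapshot(root))
```

The `app.ini` change keeps the same byte length, which is why the comparison keys on the hash rather than size alone.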
You probably want