
Impact of a software?

StudentUser1995
(@studentuser1995)
New Member

If you wanted to determine/quantify the impact installing/deinstalling a software has on a system using images of a system before installing said software, and after, what are good things to look at/consider besides registry changes?

 

 

Topic starter Posted : 01/10/2021 8:16 pm
Passmark
(@passmark)
Active Member

Can create a "signature" of all files changed between the two images. Including the registry files.

https://www.osforensics.com/faqs-and-tutorials/how-to-create-a-hashset.html#method3

Posted : 05/10/2021 12:32 am
athulin
(@athulin)
Community Legend

Start by deciding what type of impact you are interested in. 'Good things' is not a well-defined term: you have to make your mind up. You mention registry changes. There are also filesystem changes (files created, deleted, modified, ...etc), system configuration changes (other software installed, uninstalled, updated, reconfigured, ...) including possible user changes. And there's always file access in general, and network activity. And perhaps also file hashes of installed files.

Once you know what you want, it's easier.  Only platform changes, then network activity may be uninteresting, for example.

In general, malware analyzers do most of this for installation, although they may be less useful for deinstallation. They tend to be rather costly, though. SysInternals Process Explorer allows you to collect almost everything, but you must be prepared to spend quite some time getting familiar with its capabilities.

 

For a relatively easy free option, take a look at Sandboxie. (Warning: It seems to have changed since I last checked it, when Sophos developed it -- but that seems to be on GitHub still.) It's easy to run a particular program (install.exe) in a sandbox, and as a result you get a directory tree where all modified (or even accessed?) files are collected, and, if I recall, also a file with registry changes. (There used to be a utility to print out changes as a report, but it is ages since I tried it -- check the product support forum for that.)

Same thing for uninstall. 

There are several other possibilities, such as Cuckoo Sandbox, with different capabilities. Look around.

 

Posted : 06/10/2021 11:37 am
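
Added example (not written by any poster in this thread, and not OSForensics code): a minimal sketch of the file-level comparison both replies describe, hashing every file in the "before" and "after" trees and classifying paths as created, deleted, modified or moved. It assumes both images are already mounted read-only as directories; the function names `manifest`, `diff_manifests` and `demo` are hypothetical, and the sample trees are constructed.

```python
import hashlib
import pathlib
import tempfile

def manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    result = {}
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip directories and links that may point outside the image
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        result[path.relative_to(root).as_posix()] = h.hexdigest()
    return result

def diff_manifests(before, after):
    """Classify paths as created, deleted, modified, or moved (same content, new path)."""
    created = set(after) - set(before)
    deleted = set(before) - set(after)
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    # A deleted path whose digest reappears under a created path is a move/rename.
    by_hash = {}
    for p in sorted(deleted):
        by_hash.setdefault(before[p], []).append(p)
    moved = []
    for p in sorted(created):
        if by_hash.get(after[p]):
            moved.append((by_hash[after[p]].pop(0), p))
    created -= {new for _old, new in moved}
    deleted -= {old for old, _new in moved}
    return {"created": sorted(created), "deleted": sorted(deleted),
            "modified": modified, "moved": moved}

def demo():
    """Constructed sample trees standing in for the mounted before/after images."""
    def build(root, files):
        for rel, data in files.items():
            p = pathlib.Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    with tempfile.TemporaryDirectory() as b, tempfile.TemporaryDirectory() as a:
        build(b, {"Windows/hosts": b"v1", "Temp/old.log": b"x", "Users/u/a.ini": b"cfg"})
        build(a, {"Windows/hosts": b"v2", "Users/u/b.ini": b"cfg",
                  "Program Files/App/app.exe": b"MZ"})
        return diff_manifests(manifest(b), manifest(a))

if __name__ == "__main__":
    print(demo())
```

Content hashes only show that a file's bytes differ; timestamp, ownership and ACL changes, and the contents of registry hives (which appear here simply as modified files), need their own comparison.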