Beginner looking for tool advice


New Member
Sep 6, 2008
Hi all,

I hope this is the correct forum for this...

I am a pentester by trade, but have been asked to do a forensics-like job. The job involves determining whether a specific application leaves any sensitive data behind on a laptop after use. The application is basically a Citrix-like application, which uses a VPN to communicate back to a restricted and sensitive network.

I am assuming the types of tools I would be looking for include the following:
- a tool that snapshots the harddrive before and after use of the application, so that I can look at the "diff"/difference/delta for anything sensitive,
- a tool that does the same as above, but for memory, and/or
- a tool that monitors and records all writes to the harddrive and memory for a specific application, so that I can investigate later.

Are there specific tool suggestions that do the above? Are there any other suggestions for how I might approach this job?

Some more info:
- I have one Windows XP laptop and one Windows Vista laptop that will be provided for the job with the application installed. I have other Windows based laptops if needed.
- I would much prefer freely downloadable tools, as this job doesn't pay that much and I don't want to spend money for a tool that I may only use once. I may consider purchasing a tool though.

Any help greatly appreciated!


Aug 19, 2006
Regshot will snapshot the registry for you and report on changes. Process Monitor will record all activity and has powerful filtering to narrow things down. Memory DD will help capture memory which you can use something like Volatility to help parse through. All are free.


New Member
Jul 18, 2006
Registry analysis will certainly be part of the analysis. You also may want to look for logs, events, and other foot prints. Certainly one approach would be to hash all the files on the drive before you start, run the application and hash all the files afterward. The problem that I see is how do you eliminate changes made by normal boot and shutdown from those made by the application in question?

Certainly a partial solution would be to run the hash process through boot and shutdown without the application running then repeat the process but run the application. You'll have an idea of the files normally modified by booting and those modified by booting and running the application. Not fool-proof, but might meet your needs.

Anyone have any refinements?

About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu