WhatChanged? A Digital Forensics and Incident Response Suite
One of the primary goals of a security analyst or incident responder is to answer critical questions like: What changed? What happened? They aim to recreate the cyber intrusion and understand the behavior of malicious files used for initial access on a compromised device.
There are many tools available for these operations such as Regshot, RegFromApp, and others. However, there's another powerful tool that is often overlooked in cybersecurity investigations: WhatChanged.
So, what is the WhatChanged tool?
WhatChanged is a simple utility that detects modified files and registry entries on a system. It's particularly useful for tracking changes made during software installations or potential malicious activity. The process involves two basic steps:
- Take an initial snapshot of the system's current state.
- Run WhatChanged again later to compare and view differences from the previous snapshot.
This approach can help analysts identify unauthorized changes and gain deeper insights into system compromises.
While both WhatChanged and Regshot are used to take snapshots of the Windows registry and compare changes, there are some key differences that make WhatChanged particularly versatile for incident response and malware analysis.
- Registry Snapshot Customization: With Regshot, you typically capture a full snapshot of the registry. In contrast, WhatChanged allows you to select specific registry keys you're interested in. This targeted approach can save time and make the analysis more focused, especially when investigating initial access vectors.
- File System Monitoring: The most significant difference is that WhatChanged can also take snapshots of the file system, before and after executing a suspicious file. This allows you to track file-level changes, such as new files being created, deleted, or modified, which Regshot does not support.
- User-Friendly Interface: WhatChanged provides a GUI that allows you to choose exactly which components (registry or file system locations) you want to include in your snapshot. This flexibility makes it more convenient and customizable for various use cases.
In summary, while Regshot is great for simple registry comparisons, WhatChanged offers a more comprehensive view by also monitoring file system changes, making it better suited for forensic investigations involving executable files and malware behavior analysis.
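To make the two-step snapshot-and-compare workflow (and the file-system diff that sets WhatChanged apart from Regshot) concrete, here is an added example in Python; it is not WhatChanged's own code and the directory, file names and the "dropper.exe" artifact are constructed for the demo. The same `diff_snapshots` function works on any dict, so a registry export keyed by value path can be compared the same way as a file tree.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot_tree(root):
    """Map every file under root (POSIX-style relative path) to (sha256, size)."""
    snap = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[path.relative_to(root).as_posix()] = (digest, path.stat().st_size)
    return snap


def diff_snapshots(before, after):
    """Classify keys (file paths or registry value paths) as created, deleted or modified."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def demo():
    """Constructed scenario: snapshot, simulate a suspicious program, snapshot again, compare."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "config.ini").write_text("debug=0\n")
        (base / "old.log").write_text("nothing\n")
        before = snapshot_tree(root)  # step 1: baseline snapshot
        # Simulated effects of the program under analysis (constructed, not real malware)
        (base / "config.ini").write_text("debug=1\n")     # modified
        (base / "old.log").unlink()                        # deleted
        (base / "bin").mkdir()
        (base / "bin" / "dropper.exe").write_bytes(b"MZ")  # created
        after = snapshot_tree(root)  # step 2: second snapshot
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Registry data can be fed in as `{"HKLM\\...\\Run\\Updater": "C:\\path\\a.exe"}`-style dicts exported before and after, and `diff_snapshots` will report the same three categories.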