Reverse Engineering A Software Install Process

Posted By: SecurityTube_Bot
Posted On: Mon 21 Feb 2011
Views: 7313
Description: Most of us install software downloaded from both known and unknown sources. Sometimes we have reason to suspect that the software in question is doing something malicious on our PC, such as modifying a registry key or overwriting an important system DLL. In this video we look at how to reverse engineer a software install process using InstallWatch.

InstallWatch is a great piece of software which creates a snapshot of your system both before and after you install the suspicious program. It then computes the "diff" and tells you which files, registry entries, folders, INI files etc. are new, modified or deleted. This allows you to check immediately whether something bad happened to your system in the course of installing the software. The tool does not, however, offer an "uninstall" or "revert to original snapshot" option, so the snapshot is evidence, not a rollback.
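The before/after snapshot diff that InstallWatch performs, written out as an added Python example (this is not code from the video or from InstallWatch). It covers only the file-system half of the job: each file is recorded by size and SHA-256, and the two snapshots are compared to list new, modified and deleted paths. The "system" it scans is a constructed temporary directory, and the "installer" activity is simulated in place; a registry export would be diffed the same way.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Record every file under root as {relative path: (size, sha256 hex)}."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[str(p.relative_to(root))] = (p.stat().st_size, digest)
    return snap


def diff_snapshots(before, after):
    """InstallWatch-style report: which paths appeared, changed or vanished."""
    new = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    # A path present in both snapshots counts as modified only if its
    # size or content hash differs; a touched-but-identical file is ignored.
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"new": new, "modified": modified, "deleted": deleted}


def demo():
    """Constructed scenario: a fake install drops a binary, rewrites a DLL
    and removes an INI file. Returns the diff so it can be inspected."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "system32").mkdir()
        (r / "system32" / "important.dll").write_bytes(b"original dll bytes")
        (r / "app.ini").write_text("[settings]\nmode=safe\n")
        before = snapshot(r)
        # Simulated installer activity (constructed, not a real installer).
        (r / "system32" / "important.dll").write_bytes(b"replaced dll bytes")
        (r / "app.ini").unlink()
        (r / "newtool.exe").write_bytes(b"MZ constructed stub")
        after = snapshot(r)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Because the snapshot holds only hashes, it cannot restore the overwritten DLL, which is exactly the limitation noted above; keep a copy of the pre-install files if you need to roll back.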

It is important to note that what we have done here is a kind of "installation forensics". In later videos we will look at more advanced techniques such as memory dumping and analysis, and imaging a live operating system.



Tags: tools
