SANS Digital Forensics and Incident Response Blog

What Programs Do - Part 1

The project and the "What Programs Do" series

Digital Forensics is a technical and scientific field dependent on the research each of us does every day. Our community shares information openly when asked. Unfortunately we don't have a central authoritative repository of information we can all contribute to and refer to, so we often duplicate work already done by others.

"What Programs Do" is a project intended to begin, in a small way at first, to address this need for a central repository of information. When a program is installed on a computer, it makes changes to the registry and adds files to the system. When it is run, it similarly updates the registry and writes files. When it is uninstalled, it removes most of the registry keys and files it installed, but often not all.

This concept and process are taught in detail during the SANS Computer Forensics, Investigation, and Response course on Day 6 - Application Forensics.

This project is about program analysis and detailed documentation on what a program writes to disk at each stage. I want to provide the community a quick reference that answers questions such as these:

  • What keys and files are added to the registry when the program is installed?
  • If the program does things of forensic interest, where is such information stored?
  • What registry keys or files are left behind when a program is uninstalled?
  • Where can I look for evidence that this program was once installed?


The analysis will be done on VMware Workstation running virgin copies of Windows XP SP2 and Windows Vista x32. The only changes made to the operating system are (1) tweaking a few user preference features, such as showing file extensions, system files and hidden files, and (2) the installation of Active Registry Monitor, File Monitor and Process Monitor.

Each analysis will begin with the virgin VM snapshot. I will start up the monitoring tools and perform the following steps, taking a snapshot of the registry and recording the details provided by FileMon and ProcessMon between each step:

  1. Perform the installation
  2. Run the program and perform various actions of interest. For example, saving passwords or changing settings like "don't save history".
  3. Uninstall the program
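
The comparison between snapshots can be scripted. The following Python is an added example, not part of the original post or the project's tooling: it assumes each registry snapshot is available as decoded regedit-style export text, and reports what install added, what running the program added or changed, and what survives uninstall. The ExampleVendor\ExampleApp key and all snapshot contents are constructed for illustration.

```python
import re

VALUE_RE = re.compile(r'("(?:[^"\\]|\\.)*"|@)=(.*)')  # "name"=data or @=data
APP = r"HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp"  # hypothetical program key

def parse_reg_export(text):
    """Flatten export text to {(key, value_name): data}; (key, None) marks the key itself."""
    entries, key = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex: continuation lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[(key, None)] = None
        elif key and (m := VALUE_RE.match(line)):
            entries[(key, m.group(1).strip('"'))] = m.group(2)
    return entries

def stage_report(baseline, installed, used, uninstalled):
    """Compare the four snapshots taken around install, use and uninstall."""
    added_install = installed.keys() - baseline.keys()
    added_run = used.keys() - installed.keys()
    changed_run = {k for k in used.keys() & installed.keys() if used[k] != installed[k]}
    left_behind = (added_install | added_run) & uninstalled.keys()
    return {name: sorted(items, key=str) for name, items in [
        ("added_by_install", added_install), ("added_by_run", added_run),
        ("changed_by_run", changed_run), ("left_after_uninstall", left_behind)]}

# Constructed snapshots: baseline, after install, after use, after uninstall.
BASELINE = "Windows Registry Editor Version 5.00\n\n[HKEY_CURRENT_USER\\Software]\n"
INSTALLED = BASELINE + (f'\n[{APP}]\n"InstallDir"="C:\\\\Program Files\\\\ExampleApp"\n'
                        '"SaveHistory"=dword:00000001\n')
USED = (INSTALLED.replace("dword:00000001", "dword:00000000")  # "don't save history" set
        + f'\n[{APP}\\Recent]\n"File1"="C:\\\\docs\\\\report.doc"\n')
UNINSTALLED = BASELINE + f'\n[{APP}]\n\n[{APP}\\Recent]\n"File1"="C:\\\\docs\\\\report.doc"\n'

if __name__ == "__main__":
    snaps = [parse_reg_export(s) for s in (BASELINE, INSTALLED, USED, UNINSTALLED)]
    for stage, items in stage_report(*snaps).items():
        print(stage, *(f"  {k}\\{n}" if n else f"  [{k}]" for k, n in items), sep="\n")
```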

I will write a detailed report of the results to share with the community via this blog (look for titles beginning "What Programs Do") and will record useful registry key details in RiKeR [more on this in "What Programs Do - Part 2 - The Registry Key Reference Tool (RiKeR)"].

None of us is smarter than all of us. If you have any thoughts about this project (things that you think might improve the process or make the results more useful to the community), please contact me. This process will evolve as it moves forward and someday (once I can commoditize the process) perhaps others may be interested in joining the work.

Quinn Shamblin, GCFA Silver #2801, Investigator, University of Cincinnati Information Security


Posted November 29, 2008 at 8:38 AM


I've tried to do this in the past, and noticed that for the most part, the community at large simply waited for someone else to do everything. Good luck with this, and feel free to contact me at keydet89 at yahoo dot com if you want to chat about this.

Posted November 29, 2008 at 4:46 PM


Another thought came to mind with respect to regulatory compliance, specifically PCI. There have been discussions about the need for some means of performing application testing with respect to PCI, to see how the application manages "sensitive data"... this same framework can be applied to other applications, as well, to include those that store/process other "sensitive" (per FISMA, HIPAA, NCUA, etc.) data.