Forensic Analysis

Posted: 27. Jul 2011, 23:52
by sopsmattw
I searched around a little already and didn't see any posts that answered this question directly.

I would like to take a snapshot of a machine, perform a task, and then either take another snapshot or shut down the machine. Once that process is done, I'd like to analyze the snapshots/current state to get all file writes and/or registry changes that were made by the task.

Has anyone done anything like this? I've looked at strings within the snapshot and I can see some file events, but nothing registry related. I can see the unique strings that I created in the registry, but the output is not readable in a usable form.

Essentially, I'd like to play back the changes since the snapshot. Thoughts?

Re: Forensic Analysis

Posted: 28. Jul 2011, 08:23
by mbursill
This would be very specific to the version of Windows installed as the guest. You would need software which could mount the VDIs, identify the OS within, and from that version know how to read the files which make up the registry (the registry is a binary format, not plain text).

You might consider software better suited to the specific task. Instead of using Virtual Box snapshots, install a "change tracking" program into the guest.

I know that many years ago the program "Deep Freeze" was able to take an H.D. image and track changes. I haven't used it myself, and do not know if it's still a promoted feature, but it might be something to look into:

http://www.faronics.com/enterprise/deep-freeze/

Re: Forensic Analysis

Posted: 28. Jul 2011, 14:34
by mpack
The problem with this technique is that you'll see all writes to the drive, not just those directly related to the app you are interested in. E.g. you'll see pagefile writes, writes from background maintenance tools of all sorts, etc. Then you have the problem that the difference file does not have a complete filesystem, so you can't just open up a file on the drive to see what it contains.

Instead of snapshots you could make before and after clones of the drive, then compare them for differences. Having found a changed sector you would have to track it backwards to find the file which owns that sector. Very complicated. I've done this sort of thing to detect where a drive image manipulation tool was corrupting the filesystem, but at least in that case there was a specific area of damage that I could limit my attention to.

IMHO, you'd have better luck applying the same idea to the registry hives, rather than whole drive images.
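The first step of the before/after clone comparison mpack describes (find the sectors that changed, then map them back to files) can be scripted. The following is an added example, not code from anyone in this thread. It assumes both clones are raw (flat) images with 512-byte sectors; VirtualBox's own VDI format would have to be converted first (e.g. with VBoxManage clonehd / clonemedium and --format RAW). The two sample images it builds are constructed in memory for demonstration and are not real disk data.

```python
"""Sector-level diff of two raw disk clones taken before and after a task.

Reports which sectors (LBAs) differ.  Mapping a changed sector back to the
file that owns it still needs a filesystem parser (e.g. The Sleuth Kit's
ifind -d <block> followed by icat), which is the "very complicated" part.
"""
import io
import sys
from typing import BinaryIO, Iterable, Iterator, List, Tuple

SECTOR = 512  # assumption: 512-byte sectors, the usual for raw images


def changed_sectors(before: BinaryIO, after: BinaryIO, sector_size: int = SECTOR,
                    chunk_sectors: int = 2048) -> Iterator[int]:
    """Yield the LBA of every sector whose content differs between the images.

    Both images are read in equal-sized chunks so a multi-GB clone never has
    to fit in memory.  If the images differ in length, the tail present in
    only one of them is reported sector by sector: a clone that grew or
    shrank is itself a finding, not something to silently ignore.
    """
    lba = 0
    chunk = sector_size * chunk_sectors
    while True:
        a = before.read(chunk)   # regular files return full chunks until EOF
        b = after.read(chunk)
        if not a and not b:
            return
        for off in range(0, max(len(a), len(b)), sector_size):
            # a slice past the end of the shorter image is b"" and so differs
            if a[off:off + sector_size] != b[off:off + sector_size]:
                yield lba
            lba += 1


def coalesce(lbas: Iterable[int]) -> List[Tuple[int, int]]:
    """Collapse sorted LBAs into (start, count) runs of adjacent sectors."""
    ranges: List[Tuple[int, int]] = []
    for lba in lbas:
        if ranges and ranges[-1][0] + ranges[-1][1] == lba:
            ranges[-1] = (ranges[-1][0], ranges[-1][1] + 1)
        else:
            ranges.append((lba, 1))
    return ranges


def diff_clones(before: BinaryIO, after: BinaryIO, sector_size: int = SECTOR,
                chunk_sectors: int = 2048) -> List[Tuple[int, int]]:
    """Return the changed-sector runs between two open raw images."""
    return coalesce(changed_sectors(before, after, sector_size, chunk_sectors))


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed sample: a 64-sector 'before' clone and an 'after' clone in
    which a task overwrote 600 bytes starting at sector 10 (so sectors 10 and
    11 change) and flipped one byte in sector 40.  Not real disk contents."""
    before = bytearray(64 * SECTOR)
    for i in range(64):
        before[i * SECTOR:(i + 1) * SECTOR] = bytes([i]) * SECTOR
    after = bytearray(before)
    after[10 * SECTOR:10 * SECTOR + 600] = b"TASK_WROTE_THIS".ljust(600, b"x")
    after[40 * SECTOR + 100] ^= 0xFF
    return bytes(before), bytes(after)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            runs = diff_clones(f1, f2)
    else:
        b, a = build_sample_images()
        runs = diff_clones(io.BytesIO(b), io.BytesIO(a))
    for start, count in runs:
        print(f"sectors {start}-{start + count - 1} changed ({count * SECTOR} bytes)")
```

Run with two raw image paths to diff real clones, or with no arguments to see it on the constructed sample. The output is deliberately just sector runs: as mpack notes, a large share of them will belong to the pagefile, $LogFile, $MFT updates and background maintenance rather than the task under test, so the sector list is the input to the file-mapping step, not the answer by itself.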