Good Freeware System Snapshot Tool For Windows?
Khyber writes "I'm doing a little personal research into a project that tracks what changes get made to your system every time you install a program. I know there are ways of checking through Windows Restore Points, but that's not what I'm trying to do. Instead, I'm going to start with an absolutely fresh Windows XP install, take a full snapshot of the entire installation on the hard drive, and burn that to a DVD (somewhat like a backup disc with an entire snapshot of my hard drive's current contents.) With every program I install, I'm going to take another snapshot, burn to DVD, and repeat the process until I have recreated every step taken to get to my current system state (all programs installed on a separate hard drive, all registry entries etc on the OS drive, with only snapshots of the OS drive being recorded.) The purpose for all of this I'm not legally allowed to talk about, due to confidentiality requirements. Does anybody know of such a program, preferably freeware, that will accomplish my objective, and are there tools that can be used to compare the difference in drive images?"
Wow, quiet in here.
FOG, aka Free Open Ghosting, at www.fogproject.org, will certainly take images of your hard drives; that's not a problem.
And, I haven't played with it, but it has the capability to do install packages, so that meets the bit-by-bit portion of things.
Like most open-source packages, FOG improves constantly, and recently, it's getting better by leaps and bounds.
If all you need is an indication of what files have changed, then just use rsync --only-write-batch=FILE
http://samba.anu.edu.au/ftp/rsync/rsync.html
If you need more detailed descriptions (especially for registry changes) you may want to export the registry files in a pre-script, then diff the registry entries.
WinINSTALL LE
I was looking into taking a snapshot of a fresh+patched windows install because I was tired of reformatting and then spending hours reinstalling+patching.
I checked out http://www.partimage.org/ which seems to be the tool targeting what you're trying to do.
For me, it didn't work out because the only apparent way to burn an image to disc is to have DVD+RW media and I didn't have the patience to wait until I could get to the store to buy the rewritables.
What you're aiming to do is perfectly valid but the method you describe in order to achieve your goal is horribly inefficient; I'd be hard pushed to think of a more time-consuming and difficult way to achieve your goal. My tip:
This sounds like an absolutely ideal scenario where you could benefit from virtualisation technology. Install the system you wish to "monitor" in a virtual machine. I come from the VMware world, and I can say that the snapshots feature of VMware Workstation would do exactly what it sounds like you want. Whenever you wish to capture an image of the present state of the machine, take a snapshot. Further, you can take as many snapshots as you please, these snapshots can be built on previous snapshots, and you can even have branching snapshots. Icing on the cake: only the differences since the last snapshot will be saved, so you'll save a huge amount of data versus burning complete snapshots to DVD.
What next? Simple, mount the snapshots as a drive on the host machine and diff them using the tool of your choice. I use WinDiff for basic directory/file comparison, but there's a multitude of options out there. The only problem I can imagine would be you probably can't mount multiple snapshots simultaneously from the same virtual disk, but you could get around this by just making a copy of the VHD on your HD and mounting the second snapshot off that.
By the way, there's likely other virtualisation products out there (e.g. VirtualBox) that can achieve what I described above, I'm purely using VMware Workstation as an example as it's my virtualiser of choice. Further, VMware Workstation is not free, VBox is.
It is called the Shadow Copy. It will give you snapshots of the drive state periodically and all the changes (this is not Restore Points). More info can be found here...
http://sansforensics.wordpress.com/2008/10/10/shadow-forensics/
Ditto. In my opinion, your methodology is insane and unlikely to produce anything of value -- Windows really is huge, and much of the data you're interested in is locked away past the filesystem level of abstraction -- but doing it with a VM makes a lot more sense than doing it on actual hardware. You can switch between states easily. You can retain easily-bootable, read-only copies of previous states (say, if you want to dump the registry). In any event, you don't tie up an entire computer for this project, and you don't rely on booting the target computer to fish information out of it.
Seriously, virtualize.
I use http://www.clonezilla.org/ to back up the HD. Normally I only back up the partition where the system is; on a 100GB HD I take 20 GB for the backup. Then it doesn't take me 3-10h to install Windows + programs + setup; it only takes 10 mins to get back on and the children can play again. The first time I said to my brother nothing can go wrong, it took him 10 mins to fuck Windows up :) He was 6 at that time.
Is free for personal use, makes images, creates a boot cd for recovery. very slick program.
*tap tap tap* this thing on?
Try http://www.feyrer.de/g4u/ It does full drive imaging at block level, and is free. It gzips the image, but you can unzip them and do a binary compare against them. Though storing complete drive images like this is going to be awfully painful, especially if you plan to burn them off to DVD. As for the compare, there are a few free tools around there.
There's a tool called Ghost 4 Linux that might do what you need. You boot with the g4l disk on your backup target. You can then specify a remote server or a local storage device to create the image backup. It doesn't matter what OS is being stored as it's a physical image.
Files can be very large because it copies sectors, not files, so even deleted files can take space. To minimize this there are some disk zero utilities that will zero out the unused space on your drive.
I use it often for backing up my Windows laptops.
I agree, this is a poor choice if your only goal is a typical black box Windows image. However, listen to what the author was trying to do:
I'm doing a little personal research into a project that tracks what changes get made to your system every time you install a program.
As you know from using it, Prism Deploy allows you to see every single file change, registry change, file deletion, and file modification that has been made since the last snapshot. Sure, you could put all of that into an executable if you want and distribute that, but you could also save it as a prism image, and use that information to create your own package, or in the author's case, whatever undisclosed nefarious purpose he has in mind.
I'm going to start with an absolutely fresh Windows XP install, take a full snapshot of the entire installation on the hard drive, and burn that to a DVD... With every program I install, I'm going to take another snapshot... all programs installed on a separate hard drive, all registry entries etc on the OS drive. [emphasis mine]
I think that prism deploy (or a similar tool) would allow him to do this with minimal work.
The newer versions of Acronis do in fact use BartPE/WinPE for building the bootable media, so this might no longer be an issue.
Live Linux CD + dd + sdiff
How tough was that?
The question is "Livecd + dd + sdiff what?"
It's easy to get a dd image of a running machine this way (and just as easy to do it using virtualisation-solution-of-your-choice, as everyone who isn't saying "just use dd" is saying).
It's slightly less easy to work out which files have been added, which modified, and which deleted, since you last did it. You'll also need to work out which were changes due to the new software that you installed, and which due to stuff that happens anyway. Changes to text files you may be able to work out what they're for by looking at them, but changes to binary files you can't.
You also need to treat the Windows registry as one or more "files", which you can read with dd, but if you want to get any sense out of it you're going to need to dump it to text first and compare those.
The really difficult bit is going through the sheer volume of data that you'll create doing this. How do you know that application a requires component c but didn't install it according to your diff because application b had already installed it?
As part of my job I'll occasionally need to test the effect of a bit of new software in slightly different configurations and then retest it in the same configurations to make sure that it still does what it's supposed to do. Something like VMware is great for this (quicker than dd, because you're not booting off a CD every time you want to make a copy). Neither will help you analyze what's changed between image a and image b though.
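The comparison step described in the comment above, as an added example that is not part of the original thread: it classifies files as added, removed or modified between two manifests, and does the same for values in two text registry exports. The manifest layout (`<digest> <path>` per line), the digests, paths and registry keys are all constructed for illustration.

```python
import re

def parse_manifest(text):
    """Parse '<digest> <path>' lines into {path: digest} (assumed layout)."""
    rows = (l.split(None, 1) for l in text.splitlines() if l.strip())
    return {path.strip().lower(): digest for digest, path in rows}

def parse_reg_export(text):
    """Parse regedit .reg export text into {(key, value_name): raw_data}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key names ignore case
            values[(key, "")] = ""  # marker so empty keys are still noticed
        elif key and line.startswith(('"', "@")):
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
            if m:
                values[(key, m.group(1).lower())] = m.group(2)
    return values

def diff_snapshots(before, after):
    """Classify every entry as added, removed or modified."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in after if k in before and after[k] != before[k]),
    }

# Constructed sample snapshots (not taken from any real system)
FILES_BEFORE = r"""
2222 C:\WINDOWS\system32\drivers\etc\hosts
3333 C:\Documents and Settings\user\Desktop\setup.exe"""
FILES_AFTER = r"""
9999 C:\WINDOWS\system32\drivers\etc\hosts
4444 C:\WINDOWS\system32\example.dll"""
REG_BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
"InstallDir"="C:\\Program Files\\Example"
"""
REG_AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
"InstallDir"="D:\\Example"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="D:\\Example\\updater.exe"
"""
print(diff_snapshots(parse_manifest(FILES_BEFORE), parse_manifest(FILES_AFTER)))
print(diff_snapshots(parse_reg_export(REG_BEFORE), parse_reg_export(REG_AFTER)))
```

Taking a second "before" snapshot of an idle system and diffing it against the first gives a baseline of changes that happen anyway, which can then be subtracted from the installer's diff.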
No, I do not need a virtual environment.
I want to do this on a level THE REGULAR COMPUTER USER CAN ACHIEVE. This needs to be easily and SIMPLY explained and proven in a court of law. As the machine I will be doing this test on will be the same machine admitted as evidence, it will be much simpler to have it all contained within a pure windows environment.
ANYTHING requiring Linux or Unix will not be that simple, period, as this only involves the Windows OS and the BEST evidence is a direct comparison through the Windows OS itself (i.e. what Windows reports as having changed)
I've almost gotten what I need from a built-in windows tool - the ol' DIR command. DIR /b /s /A:AHRS > File.txt but I need a comparison tool that will show me the differences (like a grep for windows) so I can track what got changed, how it was changed, and WHY.
Registry comparison tools would be helpful as well.