5

I would like to run some program, preferably in a sandbox, and see exactly what it does/did. I'm currently puzzled by disk access and network, since there's so much other stuff happening there at the same time.

I'm mostly curious about Windows, but also Mac, Linux and Android. Are there any good tools to sandbox/analyze a program?

Adi
Filip Haglund
  • I have heard stories of programs taking control of webcams and sending footage to bad sites; this question is interesting – Mark Evans Dec 08 '13 at 14:30

2 Answers

3

My Windows "application analysis procedure" consists of the following (all freeware):

  • Windows virtual machine using VirtualBox to run the application.

  • Microsoft Network Monitor to analyze some basic network activities per application.

  • Wireshark to dig deeper into the packets.

  • TinyWatcher to take snapshots of before and after installing/running the application and "subtract" them to find out what exactly happened in the files, registry, and everything.

Please note that the whole rig isn't for actual deep analysis but rather for analysis on a higher level.

Adi
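The "snapshot before, snapshot after, subtract" step in the answer above is easy to reproduce for the filesystem half of what TinyWatcher does. The following is an added example, not TinyWatcher's or the answerer's code: it hashes every file under a directory before and after the program runs and reports what was added, removed or modified. The installer behaviour in `demo()` is constructed (a temporary directory standing in for the sandbox VM's disk), and the registry side is left out so the script runs on any OS.

```python
"""Before/after snapshot diff of a directory tree (added example).

The same idea TinyWatcher applies to files and the registry: record state
before running the sample, record it again afterwards, and diff the two.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def snapshot(root: str) -> Dict[str, Tuple[int, str]]:
    """Map every file under root (path relative to root, '/'-separated)
    to (size in bytes, SHA-256 hex digest)."""
    snap: Dict[str, Tuple[int, str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                snap[rel] = (os.path.getsize(full), digest)
            except OSError:
                # File vanished or was locked between listing and reading;
                # a real sample may do exactly that, so skip instead of abort.
                continue
    return snap


def diff_snapshots(before: Dict[str, Tuple[int, str]],
                   after: Dict[str, Tuple[int, str]]) -> Dict[str, List[str]]:
    """Subtract one snapshot from another: new, deleted and changed files."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a temp directory plays the sandbox disk and a
    few file operations play the application under test."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "config"))
        with open(os.path.join(root, "config", "settings.ini"), "w") as f:
            f.write("autostart=0\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("hello\n")

        before = snapshot(root)

        # "Run the application": it drops a binary, edits a setting and
        # deletes a file (constructed behaviour, not a real sample).
        with open(os.path.join(root, "helper.dll"), "wb") as f:
            f.write(b"MZ\x90\x00")
        with open(os.path.join(root, "config", "settings.ini"), "w") as f:
            f.write("autostart=1\n")
        os.remove(os.path.join(root, "readme.txt"))

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Point `snapshot()` at the VM's drive roots (and, on Windows, add a sibling walk over the registry hives with `winreg`) to get the same "what exactly happened" view the answer describes; hashing rather than relying on modification times catches programs that reset timestamps after writing.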
1

I second what Adnan said about VirtualBox and Network Monitor for higher level analysis. Windows specific: for disk access, registry access, memory usage and events, you should look into the Sysinternals tools developed by Mark Russinovich, especially Process Monitor, which absorbed the functionality that Regmon and others used to have. There are many videos that show the power of this set of tools, including some by the creator.

For deeper analysis, you are entering reverse engineering territory and you will have to learn to use a debugger. There is even a Stack Exchange site devoted to reversing. Examples are: Immunity, OllyDbg, IDA, and WinDbg. A debugger is what a malware analyst would use. (I am just name dropping here. I have no experience with any debugger.)

Also, for binaries to practice on, there are crackmes. A benefit is that there are published solutions to all of them, so you can compare your results to others and see what you missed. I have done a few of the easy ones and even those provide so much insight.

mcgyver5
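Process Monitor, recommended in the answer above, will happily log tens of thousands of events a minute, which is the "so much other stuff happening at the same time" problem from the question. A common way to cope is to export the capture as CSV and reduce it to the few things that matter for a sandboxed sample: which files and registry values it wrote, where it connected, whether it touched an autorun key, and whether it opened anything under the Windows directory for writing. The script below is an added example, not part of the answer or of Sysinternals; the CSV lines are constructed in the shape of a default Process Monitor CSV export (column names "Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail", which you should verify against your own export), and the operation names and autorun key prefix it matches on are assumptions you may need to extend.

```python
"""Reduce a Process Monitor CSV export to a per-process activity summary
(added example; column layout and operation names are assumptions)."""
import csv
import io
from collections import Counter
from typing import Dict, List

# Constructed sample in the shape of a Procmon CSV export; not a real capture.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0001","sample.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\sample\\config.dat","SUCCESS","Desired Access: Generic Write"
"10:00:01.0002","sample.exe","1234","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\sample\\config.dat","SUCCESS","Offset: 0, Length: 512"
"10:00:01.0003","sample.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sample","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\sample\\sample.exe"
"10:00:01.0004","sample.exe","1234","TCP Connect","lab-pc:49152 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:00:01.0005","explorer.exe","800","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0, Length: 4096"
"10:00:01.0006","sample.exe","1234","CreateFile","C:\\Windows\\System32\\drivers\\etc\\hosts","SUCCESS","Desired Access: Generic Write"
"""

# Operations that change state on disk or in the registry (assumed names).
WRITE_OPS = {
    "WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile",
    "RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey",
}
# Network operations as Procmon labels them (assumed names).
NETWORK_OPS = {"TCP Connect", "TCP Send", "UDP Send"}
# Registry paths that make a program start automatically (one common key;
# extend with the other autorun locations you care about).
ASEP_FRAGMENTS = ("\\software\\microsoft\\windows\\currentversion\\run",)


def parse_procmon_csv(text: str) -> List[Dict[str, str]]:
    """Parse an export into one dict per event, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows: List[Dict[str, str]], process: str) -> Dict[str, object]:
    """Collapse all events of one process into the questions an analyst asks."""
    by_op: Counter = Counter()
    writes: List[str] = []
    network: List[str] = []
    persistence: List[str] = []
    system_writes: List[str] = []
    for r in rows:
        if r["Process Name"] != process:
            continue  # noise from other processes in the VM
        op, path, detail = r["Operation"], r["Path"], r["Detail"]
        by_op[op] += 1
        if op in WRITE_OPS:
            writes.append(path)
        if op in NETWORK_OPS:
            network.append(path)
        if op.startswith("Reg") and any(f in path.lower() for f in ASEP_FRAGMENTS):
            persistence.append(path)
        # Opening something under the Windows directory with write access
        # is worth a look even before any WriteFile shows up.
        if op == "CreateFile" and "Generic Write" in detail \
                and path.lower().startswith("c:\\windows"):
            system_writes.append(path)
    return {
        "by_op": dict(by_op),
        "writes": writes,
        "network": network,
        "persistence": persistence,
        "system_writes": system_writes,
    }


if __name__ == "__main__":
    report = summarize(parse_procmon_csv(SAMPLE_CSV), "sample.exe")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Filtering on `Process Name` alone misses children the sample spawns; in practice you would also collect `Process Create` events and add the child PIDs to the set you summarize.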