NOTE: This may not be the best or most appropriate list, but I've been having an issue in a test/learning environment and I'm trying to clear it.

BACKGROUND: As many of the *NIX gurus probably know, with a default install of Solaris on a telnet session from a Windows workstation, Backspace does not delete the previous character but rather displays the control character ^H. Well, when messing about on a fresh install I was copying a file and not paying attention and typed:

    cp filename newd^Hfilename

(I meant to delete the 'd' as a mistype.) I wasn't really paying attention and noticed when I did an ls of the directory it listed the file as 'newfilename'. However, if I tried to delete, rename, or do anything with 'newfilename', the OS would report file not found. However, I could refer to it as 'newd^Hfilename'.

QUESTION: My question from a forensics standpoint is, if someone got onto a system and placed a file using that naming scheme, how could you determine its ACTUAL name? As a relative novice, all the tools I know of seem to interpret the filename and display it in the edited form. If I had to access or read a file to determine what they were doing, and they had named it 'x^Hsecret', how would I know or be able to access it, since it would always show up as 'secret'?

Any help is greatly appreciated.

Thanks!

-K
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 14:04:03 PDT
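An added example, not part of the original post: one way to recover the actual names is to read directory entries as raw bytes and escape anything non-printable, instead of letting a terminal interpret them. The function names are hypothetical, the sample files are constructed, and the display model only simulates backspace on a simple terminal.

```python
import os
import tempfile

def escape_name(raw: bytes) -> str:
    """Unambiguous form: printable ASCII as-is, everything else (and '\\') as \\xNN."""
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and b != 0x5C else f"\\x{b:02x}" for b in raw
    )

def as_displayed(raw: bytes) -> str:
    """Approximate a terminal: backspace (0x08) moves the cursor left one cell,
    so the next character overwrites the previous one. Other control bytes are
    simply not drawn (a simplification)."""
    cells, col = [], 0
    for b in raw:
        if b == 0x08:
            col = max(col - 1, 0)
        elif 0x20 <= b < 0x7F:
            if col < len(cells):
                cells[col] = chr(b)
            else:
                cells.append(chr(b))
            col += 1
    return "".join(cells)

def find_deceptive_names(directory):
    """Return (escaped actual name, name as it appears on screen) for every
    entry whose name contains a control byte."""
    hits = []
    # A bytes path makes os.listdir return the raw on-disk names as bytes.
    for raw in sorted(os.listdir(os.fsencode(directory))):
        if any(b < 0x20 or b == 0x7F for b in raw):
            hits.append((escape_name(raw), as_displayed(raw)))
    return hits

def demo():
    """Build a scratch directory with constructed sample names and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name in (b"newd\x08filename", b"x\x08secret", b"notes.txt"):
            open(os.path.join(os.fsencode(d), name), "wb").close()
        return find_deceptive_names(d)

if __name__ == "__main__":
    for escaped, shown in demo():
        print(f"shown as {shown!r}  actual bytes {escaped}")
```

On the system itself, `ls -b` gives the same kind of view by printing non-printing characters in a filename as octal escapes.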