On Mon, 07 Jan 2002 08:16:01 PST, H C <keydet89at_private> said:

> This weekend, I wrote a simple Perl script that
> implements *nix 'touch' functionality on Win32
> What effect would such a utility have on an
> investigation, particularly one being prosecuted?
> (this question is primarily to the expert witnesses,
> but I'd be glad to hear from anyone)

The first thing out of the defense attorney's mouth should be: "Prove that
you didn't use this 'touch' utility to backdate an altered logfile to
incriminate my client".

It may be a very useful tool during the *repair/recovery* phase, to reset
corrupted timestamps on files. You may even need it while actively fighting
an ongoing attack (for instance, a number of automated worm programs will
roll over and die if you do a 'touch some_critical_flag_file' to create the
poison pill).

However, I can't conceive of a time you'd be using it during an
investigation, with one exception: if you have cloned a hacked/infected
machine and are doing a forensics analysis of it on a testbed network to
analyse the inner workings of a captured tool/virus/worm, you may be using
'touch' to simulate various runtime conditions. For instance, a tool may
check "has file XYZ been modified in the last 24 hours?", and touch could
give you the ability to test different code paths.

-- 
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
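As an added illustration (not part of the original thread, and not H C's Perl script, which is not reproduced in the archive): a minimal touch written in Python, the kind of "modified in the last 24 hours?" check Valdis describes a captured tool making, and the comparison an examiner can run afterwards. The function names touch, modified_within, timestamp_skew and demo are my own. It relies on two facts: on POSIX, utime sets atime and mtime but the inode change time (st_ctime) is always set to "now" by the kernel, so a backdated mtime leaves a ctime far newer than the claimed modification; on Windows, Python reports the creation time in st_ctime, which for a freshly created file is likewise "now".

```python
import os
import tempfile
import time

DAY = 24 * 60 * 60


def touch(path, mtime=None):
    """Create PATH if absent and set its access/modification time.

    mtime=None means "now"; otherwise an epoch timestamp (possibly in the
    past, which is the backdating case the thread is worried about).
    """
    if not os.path.exists(path):
        open(path, "a").close()
    if mtime is None:
        os.utime(path, None)
    else:
        os.utime(path, (mtime, mtime))


def modified_within(path, seconds):
    """The check a tool might make: was PATH modified within SECONDS?"""
    return (time.time() - os.stat(path).st_mtime) <= seconds


def timestamp_skew(path):
    """Return st_ctime - st_mtime in seconds.

    utime cannot set st_ctime (POSIX inode change time; creation time on
    Windows), so a large positive skew means the file's metadata was
    changed long after the modification time it now claims.
    """
    st = os.stat(path)
    return st.st_ctime - st.st_mtime


def demo():
    """Exercise both code paths of the check and report the skew.

    Uses a constructed temporary file; returns a dict of observations.
    """
    with tempfile.TemporaryDirectory() as workdir:
        flag = os.path.join(workdir, "some_critical_flag_file")  # constructed name
        touch(flag)                           # fresh file: "modified today"
        fresh = modified_within(flag, DAY)
        touch(flag, time.time() - 3 * DAY)    # simulate "three days old"
        stale = modified_within(flag, DAY)
        skew = timestamp_skew(flag)           # ctime still says "now"
    return {"fresh": fresh, "stale": stale, "skew_seconds": skew}


if __name__ == "__main__":
    print(demo())
```

On a testbed this is the "different code paths" use: the same check returns True before the backdated touch and False after it. For the evidentiary question, the last field is the one that matters: the skew of roughly three days is visible to anyone who stats the file, which is why a backdated mtime alone does not make a convincing forgery.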
This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 11:39:25 PST