At 04:22 AM 1/8/2002, H C wrote:
>Further, the script I wrote changes all of the
>FILETIMES, not just last access and modification.
>...
>I have spoken to a few individuals who have experience
>in the forensics field from the LE perspective.
>Fortunately, none of the ones I spoke to have seen
>this sort of functionality in place during an
>investigation.

While I can't comment on the law enforcement perspective, this functionality is well-known to Windows NT/2K/XP programmers and its use is commonplace in utilities.

Try unzipping a file with winzip onto an NTFS drive. The unpacked file will have create, write and access times all set to the date stored in the archive. (Consider the implications for a trojan program shipped around by archive.)

Microsoft's hotfixes also fiddle the create and write times to match Redmond's copies. I believe Office programs routinely save files in a way that causes working copies to take on the create times of the just-deleted original.

My impression is that the only filetime information that is not routinely falsified on NTFS file systems is the MFT Record Change time.

==========================
Steve McMahon
Anzuru Technologies
mcmahonat_private
office: (530) 757-7082
mobile: (530) 304-5548

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
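As an added illustration (not part of the message above), here is a small triage check that treats the MFT record change time as the anchor the message describes and flags the two patterns it mentions. The timestamp records and the heuristics are constructed assumptions, not NTFS rules or code from the list.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileTimes:
    """Timestamps as found in an NTFS $STANDARD_INFORMATION attribute."""
    path: str
    created: datetime
    written: datetime
    accessed: datetime
    mft_changed: datetime   # MFT record change time


def timestamp_findings(ft: FileTimes) -> list[str]:
    """Return triage notes for one record; empty list means nothing unusual."""
    findings = []
    # Heuristic assumption: setting the create or write time through the API
    # also bumps the record change time, so neither should post-date it.
    for name, value in (("created", ft.created), ("written", ft.written)):
        if value > ft.mft_changed:
            findings.append(f"{name} time is later than the MFT record change time")
    # Archive extractors and installers restore a stored date into all three
    # user-visible times, leaving them identical and older than the record change.
    if ft.created == ft.written == ft.accessed and ft.created < ft.mft_changed:
        findings.append("created/written/accessed identical and older than record "
                        "change: times likely restored from an archive or installer")
    return findings


def triage(records: list[FileTimes]) -> dict[str, list[str]]:
    """Map path -> findings for every record that produced at least one finding."""
    result = {}
    for rec in records:
        notes = timestamp_findings(rec)
        if notes:
            result[rec.path] = notes
    return result


# Constructed sample records (not real evidence).
SAMPLE_RECORDS = [
    FileTimes("normal.txt", datetime(2002, 1, 3, 10, 0), datetime(2002, 1, 5, 12, 0),
              datetime(2002, 1, 8, 9, 0), datetime(2002, 1, 5, 12, 0)),
    FileTimes("unzipped.exe", datetime(2001, 11, 20, 8, 15), datetime(2001, 11, 20, 8, 15),
              datetime(2001, 11, 20, 8, 15), datetime(2002, 1, 7, 17, 40)),
    FileTimes("backdated.dll", datetime(1999, 5, 1, 0, 0), datetime(2003, 6, 1, 0, 0),
              datetime(2002, 1, 7, 17, 41), datetime(2002, 1, 7, 17, 41)),
]

if __name__ == "__main__":
    for path, notes in triage(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(notes))
```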
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 10:45:17 PST