Larry,

I am curious. Did you investigate the nature of the files whose state had changed?

I reviewed your list and did not find any surprises. Most of the files were users' profiles (more later) and the registry files, along with some debug and system state snapshot information. This is all documented by Microsoft in the KB, the Resource Kit, and other sources. However, your work is an extremely useful validation of Microsoft's documentation.

I suspect the user SUT's profile in your XP Home and Pro tests changed not because of the reboot, but because someone logged in as that user. Your data may be flawed here. Can you confirm if you actually logged on as a SUT in between reboots?

The Local Service and Network Service accounts were added to XP, and are not present in Windows 2000 or earlier versions of Windows.

John

-----Original Message-----
From: Larry.Leibrockat_private [mailto:Larry.Leibrockat_private]
Sent: Friday, August 02, 2002 12:20 PM
Subject: Announcement: Microsoft Windows XP Hash Set - File State Changes after Rebooting - XP Net, XP Home, XP Pro

Colleagues,

The University of Texas McCombs Business School has completed an experimental research project dealing with the known Windows XP variants - file enumeration, signatures and state changes after normal rebooting.

This research contains the MD5 and SHA1 digital signatures for all files in the default XP installation. The file set constitutes the "known good" XP files. This work is a basis for the clinical digital evidence examination of systems that may be suspected with compromised - potentially malicious - Trojan binaries. The work also enumerates those specific files that are changed in terms of time/dates after every Windows XP Restart.

I want to note that the work was done by three excellent University of Texas students with special interest in digital forensics. I wish to thank these students, Dell and Microsoft Corporations for supporting this research particularly in this homeland defense - counter-terrorism era.

We hope IT professionals, IT security and forensics specialists find this research of value.

Please go to http://praetor.bus.utexas.edu/leibrock/projectfiles/ for the final report and enumerated file set for this research effort.

Larry
____________________________________________________________________________
Larry Leibrock, Ph.D
Associate Dean, Chief Technology Officer
McCombs School of Business Administration
21st and Speedway Street - The University of Texas
Austin, Texas 78712-1178
email Larry.Leibrockat_private
public key at http://praetor.bus.utexas.edu
Voice (512) 471-1650
Fax (512)232-1831
SkyPager 1-800-858-4316

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Aug 04 2002 - 12:26:39 PDT