On Sat, Oct 05, 2002 at 02:28:46AM +0200, InfoEmergencias - Luis Gómez wrote:
>
> Despite the drive being formatted, I've been able to build a timeline on
> it. Everything *seems* to be OK 'til September the 13th; there are for
> instance lots of C-, A- and M-times for gif, htm and doc files. I think
> the gif and htm would mean iexplore sessions writing to the cache, and
> obviously (obviously?) the docs would correspond to someone working on
> msword. However, I was annoyed at one fact: I thought that iexplore.exe
> and winword.exe would have an A-time of the last time they were run, but
> I can't see them in my timeline (at least not at the final pages).

Note that in FAT, the access time is only accurate to the day (not time),
so it will show up in the timeline at 00:00:00 no matter what time it was
run. That could be why you do not see it in the final pages.

> Also, I must have messed a bit with the "timezone" parm in the fsmorgue
> file, because there seems to be a gap between the normal working hours
> here in Spain and the times reflected in the timeline. But I think that
> it doesn't matter right now (if I'm wrong please let me know).

FAT does not care about timezones. FAT stores the date and time as a
static value (not a delta as NTFS and UNIX do). So, you should not see a
change in times when you change the timezone.

> Well, anyway I think I've come to the moment of the formatting. It seems
> to have happened at 14:38h on Sept the 13th (as I've said, the 14:38h
> might be wrong, maybe it was 13:38 or 15:38...). At that moment I get
> (and sorry for the mess with long lines):
>
> Fri Sep 13 2002 12:45:14        0 ..c -rwxrwxrwx 0  0    11781   <dicad_c.dd-_-dead-11781>
> Fri Sep 13 2002 12:45:16        0 m.. -rwxrwxrwx 0  0    11781   <dicad_c.dd-_-dead-11781>
> Fri Sep 13 2002 12:51:24   710144 ..c -rwxrwxrwx 0  0    41556   <dicad_c.dd-_BTEMP.CAB-dead-41556>
> Fri Sep 13 2002 12:51:34   710144 m.. -rwxrwxrwx 0  0    41556   <dicad_c.dd-_BTEMP.CAB-dead-41556>
> Fri Sep 13 2002 12:51:44     1536 ..c -rwxrwxrwx 0  0    8975033 <dicad_c.dd-_B32D0.TMP-dead-8975033>
> Fri Sep 13 2002 12:51:46        0 ..c -rwxrwxrwx 0  0    8975034 <dicad_c.dd-_DF785D.TMP-dead-8975034>
> Fri Sep 13 2002 12:51:48     1536 m.. -rwxrwxrwx 0  0    8975033 <dicad_c.dd-_B32D0.TMP-dead-8975033>
>                                 0 m.. -rwxrwxrwx 0  0    8975034 <dicad_c.dd-_DF785D.TMP-dead-8975034>
> Fri Sep 13 2002 13:03:20        0 ..c -rwxrwxrwx 0  0    8975032 <dicad_c.dd-_-dead-8975032>
> Fri Sep 13 2002 13:03:22        0 m.. -rwxrwxrwx 0  0    8975032 <dicad_c.dd-_-dead-8975032>
> Fri Sep 13 2002 14:38:06        0 m.. -rwxrwxrwx 0  0    5079740 <dicad_c.dd-_NBOOTNG.STS-dead-5079740>

The above entries correspond to files in a directory that were deleted,
and the parent directory is no longer around either. FAT does not update
any times when a file is deleted, so these times do not mean that the
files were deleted on Sep 13. Based on the .CAB and .TMP extensions, it
could have been from an installation.

> And next is:
>
> Fri Sep 20 2002 00:00:00    32768 .a. d/dr-xr-xr-x 0  0    5       C:/Recycled (RECYCLED)
>                                65 .a. -/-r-xr-xr-x 0  0    519     C:/RECYCLED/desktop.ini
>                                65 .a. -/-r-xr-xr-x 0  0    517     C:/RECYCLED/_esktop.ini (deleted)
>                                20 .a. -/-r-xr-xr-x 0  0    518     C:/RECYCLED/INFO2
>                                65 .a. -r-xr-xr-x   0  0    517     <dicad_c.dd-_esktop.ini-dead-517>

These are the access times for any accesses on Sep 20. Are you sure the
user didn't just try to delete all the files on the system and then shut
down (but some were not deleted because the OS had them open)? If the
system was formatted, then you would not get the above reference to
'C:\RECYCLED\INFO2', which appears to be an allocated file.

It is hard to say much more without the full timeline or image, but I
would say that they did not format it.

brian

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
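The three FAT properties Brian relies on above (access time is a date only, timestamps are literal wall-clock fields with no timezone, and deletion leaves the time fields untouched) all follow from the layout of the 32-byte FAT directory entry. The following Python is an added example written for this archive page; it is not code from the original post or from the Sleuth Kit/TCT tools mentioned. It decodes and packs the standard FAT date/time bit fields; the `WINWORD.EXE` entry and its timestamps are constructed sample data, and the `build_entry`/`delete_entry` helpers are illustrative, not any tool's API.

```python
"""Decode the C-, A- and M-times packed into a FAT short (8.3) directory entry.

Added example; this is not code from the original mailing-list post. The
32-byte entry below is constructed by hand for illustration, using the
standard FAT directory-entry field layout and date/time bit packing.
"""
import struct
from datetime import date, datetime, time

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5  # FAT marks a deleted entry by overwriting the first name byte


def decode_fat_date(raw: int) -> date:
    """16-bit FAT date: bits 15-9 = years since 1980, 8-5 = month, 4-0 = day."""
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)


def decode_fat_time(raw: int, tenths: int = 0) -> time:
    """16-bit FAT time: bits 15-11 = hours, 10-5 = minutes, 4-0 = seconds / 2.

    Only the creation time carries an extra 'tenths' byte (0-199) that adds
    0-1.99 s; write time has 2 s resolution and access time has none at all.
    """
    seconds = (raw & 0x1F) * 2 + tenths // 100
    return time(raw >> 11, (raw >> 5) & 0x3F, seconds, (tenths % 100) * 10_000)


def encode_fat_date(d: date) -> int:
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def encode_fat_time(t: time) -> int:
    return (t.hour << 11) | (t.minute << 5) | (t.second // 2)


def decode_entry(entry: bytes) -> dict:
    """Return the timestamps of one directory entry as naive datetimes.

    The values are the literal wall-clock fields written by the OS: FAT keeps
    no epoch delta and no zone, so a tool's timezone setting cannot move them.
    """
    if len(entry) != ENTRY_SIZE:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    # offsets 13..25: CrtTimeTenth, CrtTime, CrtDate, LstAccDate, (FstClusHI), WrtTime, WrtDate
    tenths, ctime, cdate, adate, mtime, mdate = struct.unpack_from("<BHHH2xHH", entry, 13)
    return {
        "name": entry[:11].decode("latin-1"),
        "deleted": entry[0] == DELETED_MARKER,
        "crtime": datetime.combine(decode_fat_date(cdate), decode_fat_time(ctime, tenths)),
        # Last-access is a date field only: every A-time decodes to midnight.
        "atime": datetime.combine(decode_fat_date(adate), time(0, 0, 0)),
        "mtime": datetime.combine(decode_fat_date(mdate), decode_fat_time(mtime)),
    }


def build_entry(name: bytes, created: datetime, accessed: date,
                written: datetime, size: int) -> bytes:
    """Pack a constructed 8.3 entry (attribute 0x20 = archive, first cluster 0)."""
    return struct.pack(
        "<11sBBBHHHHHHHI",
        name.ljust(11), 0x20, 0, 0,
        encode_fat_time(created.time()), encode_fat_date(created.date()),
        encode_fat_date(accessed), 0,
        encode_fat_time(written.time()), encode_fat_date(written.date()),
        0, size,
    )


def delete_entry(entry: bytes) -> bytes:
    """Simulate an unlink: only the first name byte becomes 0xE5.

    None of the time fields are touched, so a deleted file's timestamps say
    nothing about when it was deleted.
    """
    return bytes([DELETED_MARKER]) + entry[1:]


# Constructed sample: an executable written in March and last run on 2002-09-20
# at 17:42 local time. Only the date survives in the access field.
SAMPLE = build_entry(b"WINWORD EXE", datetime(2002, 3, 1, 9, 15, 30),
                     date(2002, 9, 20), datetime(2002, 3, 1, 9, 15, 30), 8_839_168)

if __name__ == "__main__":
    for label, e in (("live", SAMPLE), ("deleted", delete_entry(SAMPLE))):
        print(label, decode_entry(e))
```

Running it shows the sample's A-time as `2002-09-20 00:00:00` regardless of when the file was actually opened, which is exactly why an executable's last run lands at midnight in a mactime listing, and the "deleted" copy carries the same C-, A- and M-times as the live one.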
This archive was generated by hypermail 2b30 : Tue Oct 08 2002 - 15:26:00 PDT