[THIN] Re: OT - Win2k Forensics
- From: "Andrew Rogers" <Andrew.Rogers@xxxxxxxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Wed, 30 Jul 2003 14:16:04 +0100
Check the event log, see if there are any time discrepancies in there? Perhaps
also do a search for other files modified around that date? Also, what IS the
file? Just a plain text log or a document of some sort? Office documents can
store all sorts of extra details, but I'd guess you'd have found them if it
was! :)
Presumably this file is in an existing folder, so you can't check the folder's
creation date..?
>>> rlambert@xxxxxxxxxxxxxxx 30/07/03 13:23:57 >>>
Anyone out there with a security background able to answer this
question:
I'm trying to determine when a file was actually created, since the
attributes say the year 2024. The system clock has never been wrong on
this box, so I cannot see this being the case.
Considering what is IN the file, I would say whoever generated these
logs used some type of access gained to change the attributes so that it
was harder to track back to a time to this particular exploit.
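The file-system checks suggested in this thread (timestamps that cannot be right, other files modified around a date of interest, the containing folder's own timestamps), sketched as an added example that is not code from either poster. The paths and dates in the sample are constructed, and the pivot date is assumed to come from another source such as the event log.

```python
import os
from datetime import datetime, timedelta

FIELDS = ("created", "modified", "accessed")

def stat_record(path):
    # st_ctime is the creation time on Windows; on Unix it is the inode
    # change time, so "created" is weaker evidence there.
    st = os.stat(path)
    stamps = (st.st_ctime, st.st_mtime, st.st_atime)
    rec = {f: datetime.fromtimestamp(t) for f, t in zip(FIELDS, stamps)}
    rec["path"] = path
    return rec

def anomalies(rec, now):
    """Reasons this record's timestamps cannot be taken at face value."""
    found = [f"{f} is in the future" for f in FIELDS if rec[f] > now]
    if rec["created"] > rec["modified"]:
        # Also normal for a copied file, so a lead rather than proof.
        found.append("created later than modified")
    return found

def modified_near(records, pivot, window):
    """Records modified within +/- window of pivot, oldest first."""
    hits = [r for r in records if abs(r["modified"] - pivot) <= window]
    return sorted(hits, key=lambda r: r["modified"])

def walk_records(root):
    """Yield a record for every folder and file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in files]:
            try:
                yield stat_record(path)
            except OSError:
                continue  # unreadable entry: skip it, keep walking

if __name__ == "__main__":
    # Constructed sample: a log stamped 2024 on a system whose clock reads 2003.
    now = datetime(2003, 7, 30, 14, 0)
    sample = [
        {"path": r"C:\example\odd.log", "created": datetime(2024, 1, 1),
         "modified": datetime(2024, 1, 1), "accessed": datetime(2003, 7, 29)},
        {"path": r"C:\example\other.txt", "created": datetime(2003, 7, 1),
         "modified": datetime(2003, 7, 28, 9, 0), "accessed": datetime(2003, 7, 29)},
    ]
    for rec in sample:
        print(rec["path"], anomalies(rec, now))
    pivot = datetime(2003, 7, 28, 10, 0)  # assumed date of interest
    for rec in modified_near(sample, pivot, timedelta(hours=2)):
        print("modified near pivot:", rec["path"], rec["modified"])
```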