Do you have backups you can check? Otherwise the creation date is something you can manipulate, with either code or a utility.

Neil

-----Original Message-----
From: Ryan Lambert [mailto:rlambert@xxxxxxxxxxxxxxx]
Sent: 30 July 2003 13:24
To: thin@xxxxxxxxxxxxx
Subject: [THIN] OT - Win2k Forensics

Anyone out there with a security background able to answer this question:

I'm trying to determine when a file was actually created, since the attributes say the year 2024. The system clock has never been wrong on this box, so I cannot see this being the case. Considering what is IN the file, I would say whoever generated these logs used some type of access gained to change the attributes so that it was harder to track back to a time to this particular exploit.