[THIN] Re: OT - Win2k Forensics

  • From: "Ryan Lambert" <rlambert@xxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 30 Jul 2003 09:42:05 -0400

This is an IIS logfile. Plain text.

No event log entries that are off. Everything appears to be recorded in
the IIS logs ... but there's no indication of file modification/renames
anywhere in them. Almost like somebody did a great job covering their
tracks.

-----Original Message-----
From: Andrew Rogers [mailto:Andrew.Rogers@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, July 30, 2003 9:16 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT - Win2k Forensics

Check the event log, see if there's any time discrepancies in there?
Perhaps also do a search for other files modified around that date?
Also, what IS the file? Just a plain text log or a document of some
sort? Office documents can store all sorts of extra details, but I'd
guess you'd have found them if it was! :)
Presumably this file is in an existing folder, so you can't check the
folder's creation date..?

>>> rlambert@xxxxxxxxxxxxxxx 30/07/03 13:23:57 >>>
Anyone out there with a security background able to answer this
question:

I'm trying to determine when a file was actually created, since the
attributes say the year 2024. The system clock has never been wrong on
this box, so I cannot see this being the case.

Considering what is IN the file, I would say whoever generated these
logs used some type of access gained to change the attributes so that it
was harder to track back to a time to this particular exploit.


********************************************************
This weeks sponsor - RTOSoft TScale 
Complaints about applications response time - DO SOMETHING ABOUT IT!
TScale 2.0 improves applications response time and increases terminal
server capacity. Really get MORE from your existing servers! Free eval:
http://www.rtosoft.com/enter.asp?id=130
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
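An added example, not code from anyone in the thread: a Python scan for the timestamp oddities the thread is chasing. It flags a creation time in the future relative to a trusted reference clock, a creation time later than the last write, and files written within a window of an assumed suspect time (the "other files modified around that date" check). `collect` reads a real directory tree; the SAMPLE records, their file names, NOW and SUSPECT are constructed for illustration.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple
UTC = timezone.utc


@dataclass
class FileTimes:
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def collect(root: str) -> List[FileTimes]:
    """Read timestamps for every file under root. Creation time comes from
    st_birthtime where the platform exposes it; the st_ctime fallback is
    creation time on Windows but inode-change time on Linux."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            birth = getattr(st, "st_birthtime", st.st_ctime)
            found.append(FileTimes(path, *[datetime.fromtimestamp(t, tz=UTC)
                                           for t in (birth, st.st_mtime, st.st_atime)]))
    return found


def anomalies(files, now, suspect=None, window=timedelta(hours=1)):
    """Return (path, reason) pairs worth a closer look. Each is a lead, not
    proof: on NTFS a copied file keeps its old modification time but gets a
    fresh creation time, so the second rule also fires on ordinary copies."""
    findings: List[Tuple[str, str]] = []
    for f in files:
        if f.created > now:
            findings.append((f.path, "creation time in the future"))
        if f.created > f.modified:
            findings.append((f.path, "created after last modification"))
        if suspect is not None and abs(f.modified - suspect) <= window:
            findings.append((f.path, "modified within window of suspect time"))
    return findings


# Constructed sample records (not real evidence). NOW mimics the thread's date;
# SUSPECT is an assumed time for the activity being investigated.
NOW = datetime(2003, 7, 30, 13, 0, tzinfo=UTC)
SUSPECT = datetime(2003, 7, 28, 2, 15, tzinfo=UTC)
SAMPLE = [
    FileTimes("ex030728.log", datetime(2024, 1, 1, tzinfo=UTC), datetime(2003, 7, 28, 2, 20, tzinfo=UTC), NOW),
    FileTimes("default.htm", datetime(2003, 1, 5, tzinfo=UTC), datetime(2003, 7, 28, 2, 30, tzinfo=UTC), NOW),
    FileTimes("readme.txt", datetime(2003, 3, 1, tzinfo=UTC), datetime(2003, 3, 1, tzinfo=UTC), datetime(2003, 3, 2, tzinfo=UTC)),
]
```

Run `anomalies(collect(r"C:\inetpub\logs"), now, suspect)` against a mounted image to get the list for a real tree; the reference clock should come from a source other than the box under examination.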