This is an IIS logfile. Plain text. No event log entries that are off. Everything appears to be recorded in the IIS logs ... but there's no indication of file modification/renames anywhere in them. Almost like somebody did a great job covering their tracks.

-----Original Message-----
From: Andrew Rogers [mailto:Andrew.Rogers@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, July 30, 2003 9:16 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT - Win2k Forensics

Check the event log, see if there's any time discrepancies in there? Perhaps also do a search for other files modified around that date?

Also, what IS the file? Just a plain text log or a document of some sort? Office documents can store all sorts of extra details, but I'd guess you'd have found them if it was! :)

Presumably this file is in an existing folder, so you can't check the folder's creation date..?

>>> rlambert@xxxxxxxxxxxxxxx 30/07/03 13:23:57 >>>
Anyone out there with a security background able to answer this question:

I'm trying to determine when a file was actually created, since the attributes say the year 2024. The system clock has never been wrong on this box, so I cannot see this being the case. Considering what is IN the file, I would say whoever generated these logs used some type of access gained to change the attributes so that it was harder to track back to a time to this particular exploit.
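Added example, not part of the original thread: because the file in question is an IIS log, the timestamps recorded inside it can be compared with the filesystem modification time to bound when it was really written. It assumes the W3C extended log format (entry times in UTC); the function names and the sample log are constructed for illustration.

```python
import os
from datetime import datetime, timedelta, timezone

# Constructed sample in IIS W3C extended format (not data from the thread).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-07-29 00:03:17
#Fields: time c-ip cs-method cs-uri-stem sc-status
00:03:17 192.0.2.10 GET /default.asp 200
00:41:02 192.0.2.10 GET /images/logo.gif 304
13:22:50 198.51.100.7 GET /scripts/report.asp 404
"""

def entry_times(lines):
    """Yield each entry's UTC timestamp; fall back to #Date when no date column is logged."""
    cols, header_date = {}, None
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "#Date:" and len(parts) >= 2:
            header_date = parts[1]
        elif parts[0] == "#Fields:":
            cols = {name: i for i, name in enumerate(parts[1:])}
        elif not parts[0].startswith("#") and "time" in cols:
            try:
                day = parts[cols["date"]] if "date" in cols else header_date
                stamp = datetime.strptime(f"{day} {parts[cols['time']]}", "%Y-%m-%d %H:%M:%S")
            except (IndexError, ValueError):
                continue  # damaged or truncated entry: skip rather than guess
            yield stamp.replace(tzinfo=timezone.utc)

def check_log(path, now=None, slack=timedelta(hours=1)):
    """Compare the filesystem mtime with the time span recorded inside the log."""
    now = now or datetime.now(timezone.utc)
    with open(path, encoding="latin-1") as fh:
        times = list(entry_times(fh))
    mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
    findings = []
    if mtime > now + slack:
        findings.append("mtime is in the future")
    if times and mtime < max(times) - slack:
        findings.append("mtime precedes the last entry")
    if times and mtime > max(times) + timedelta(days=1):
        findings.append("mtime is more than a day after the last entry")
    return {"first": min(times, default=None), "last": max(times, default=None),
            "mtime": mtime, "findings": findings}
```

The first and last entry times give a window in which the file must have been written, independent of attributes that may have been altered; run it against a forensic copy rather than the live file.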