Changing file times, was -> Re: Trojan of somesort - Update

• Previous message: Harlan Carvey: "Re: Trojan of somesort - Update"
• In reply to: Gadi Evron: "Re: Trojan of somesort - Update"
• Next in thread: Gadi Evron: "Re: Changing file times, was -> Re: Trojan of somesort - Update"
• Reply: Gadi Evron: "Re: Changing file times, was -> Re: Trojan of somesort - Update"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 28 May 2004 09:55:58 -0700 (PDT)
To: incidents@securityfocus.com

> Although looking at the dates of files is one of the
> simpler and more
> important tool when investigating a possible issue,
> we need to keep in
> mind how easy it is to change it.

This is definitely something to keep in mind, but it's
not the whole story. When performing incident
response and forensics, one should never rely on one
piece of information/evidence exclusively.

There's another distinction to keep in mind. It's
relatively easy to throw out things like this that are
trivial...but the question remains, *is* it being
done? Can anyone out there demonstrate, with proof,
that a compromised box that they responded to had file
times that were tampered with? I suppose one example
might be a CP case in which the perp altered the last
access times of the files to when he was on vacation,
or to 1979, or to 2153. Has anyone actually seen a
case in which the MAC times of the file were altered,
and if so, can you show proof of this?

Just b/c something *can* happen, doesn't mean that it
*does* happen.

> It's easier on some systems than others, and
> practically ridiculous on FAT file systems.

To be honest, I'm not aware that there's any real
distinction with regards to file system. On both NTFS
and FAT, as long as you have write access to the file
in question, the file times can be changed. I've
demonstrated this time and again, in presentations as
well as in my book.

If I'm missing something with regards to the
distinction with regards to how easy it is to change
MAC times on FAT vs NTFS, please let me know.

• Previous message: Harlan Carvey: "Re: Trojan of somesort - Update"
• In reply to: Gadi Evron: "Re: Trojan of somesort - Update"
• Next in thread: Gadi Evron: "Re: Changing file times, was -> Re: Trojan of somesort - Update"
• Reply: Gadi Evron: "Re: Changing file times, was -> Re: Trojan of somesort - Update"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Changing file times, was -> Re: Trojan of somesort - Update ... That is how the world of security is built. ... >>practically ridiculous on FAT file systems. ... > distinction with regards to file system. ... (Incidents) THUS ATE ZARATHUSTRA -- Woody Allen on "Friedrich Nietzsches Diet Book" ... There's nothing like the discovery of an unknown work by a great thinker to ... Fat itself is a substance or essence of a substance or mode of that essence. ... It took the mind of Aristotle to put the weight problem in scientific terms, ... potato chips while one engaged in other activities. ... (alt.gathering.rainbow) Re: Does Evolution teach that might makes right? ... catshark made the point that Darwin himself distinquished his views ... Obviously if there is a distinction, ... to keep in mind that even where science merely tries to observe ... hebrew) and the Testament (in greek) essentially a message of ethics, ... (talk.origins) Re: The Voice of Religion. ... Of many Wheels I view, wheel without wheel, with cogs tyrannic, ... saying/knowing what is on the mind of the human who bred him. ... sure you do not try to justify the motions of the Earth by using the ... distinction between the failings of denominational Christianity and ... (sci.physics.relativity) Re: OT: Evidence ... Your assumption that the god mechanism is the only other possible ... >> Never mind - I already know your answer. ... > (Why do professional tea-leaf readers advertise for customers?) ... >> Doesn't matter if you or I understand the distinction. ... (comp.dsp)