
List:       forensics
Subject:    RE: 'touch' on Win32
From:       "crazytrain.com" <subscribe () crazytrain ! com>
Date:       2002-01-11 22:15:36

Carv

A couple of things here.

1) I have had just a couple of instances where touch or similar was used 
on a system.  These were servers that were broken into.  I can't say much 
more than that.

2) I don't think you'll find this too common, as your refer. to the LE 
response shows.  For home users and most corp. users, I don't think they'll 
take the time to use such a tool.   
For a skilled person, this is where everything goes out the window.  I 
think if you look to the environment, say finance/banking, that'll be 
indicative if such a tool MAY be used.   

Sure, anything, anywhere, anytime is possible.  But, again, in most cases, 
I don't think you'll need to worry about this.   When you have a high 
profile, hush hush environment, wherein there is a purposeful and driving 
reason to mod. file times, that is where I would start to look.

hope this helps

farmerdude



> I'm failing to see the point of this response.
> 
> > A Win32 port of the Unix touch utility is available
> > at
> > http://unxutils.sourceforge.net/.  This port is a
> > native Win32
> > application and does not require Cygwin or a perl
> > interpreter.  
> 
> My original post never said, "Hey look at this new
> thing I've done."  In fact, I am fully aware that it
> isn't new at all.  The Perl script that I wrote was
> intended to show, programmatically, *how* this is
> done.  The SetFileTime() API, for example, doesn't
> seem to require Administrator privileges.
> 
> Further, the script I wrote changes all of the
> FILETIMES, not just last access and modification.
> 
> The issue I see is that this sort of functionality
> could have potentially devastating effects on
> forensics analysis and prosecution...which is the
> reason I asked the questions in my original post
> (neither of which, by the way, was "where can I get
> another touch utility?").
> 
> I have spoken to a few individuals who have experience
> in the forensics field from the LE perspective. 
> Fortunately, none of the ones I spoke to have seen
> this sort of functionality in place during an
> investigation.
> 
> Carv
> 
> 



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
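A defender-side check, added here and not written by either poster: given per-file create/modify/access times (constructed sample records, in Python), it flags the patterns a tool that rewrites all three FILETIMEs tends to leave behind. The heuristics (all three times identical, whole-second values with no sub-second residue, creation later than modification) are assumptions of this example, not claims from the thread; a plain file copy can legitimately trigger the last one.

```python
from datetime import datetime, timezone

# Constructed sample records: (path, created, modified, accessed) as UTC datetimes.
# A file written normally by Windows carries 100-ns resolution FILETIMEs, so the
# three values usually differ and have nonzero fractional seconds.  A touch-style
# tool that calls SetFileTime() with second-granularity values typically leaves all
# three equal with zero microseconds (assumed tool behaviour, not from the thread).
SAMPLE_RECORDS = [
    ("C:\\logs\\app.log",
     datetime(2002, 1, 3, 9, 12, 44, 123456, tzinfo=timezone.utc),
     datetime(2002, 1, 10, 17, 5, 2, 654321, tzinfo=timezone.utc),
     datetime(2002, 1, 11, 8, 0, 9, 777000, tzinfo=timezone.utc)),
    ("C:\\logs\\evil.exe",
     datetime(2001, 6, 1, 12, 0, 0, tzinfo=timezone.utc),
     datetime(2001, 6, 1, 12, 0, 0, tzinfo=timezone.utc),
     datetime(2001, 6, 1, 12, 0, 0, tzinfo=timezone.utc)),
    ("C:\\logs\\copied.txt",
     datetime(2002, 1, 11, 10, 0, 0, 500000, tzinfo=timezone.utc),
     datetime(2001, 12, 25, 10, 0, 0, 250000, tzinfo=timezone.utc),
     datetime(2002, 1, 11, 10, 0, 1, 900000, tzinfo=timezone.utc)),
]


def timestamp_flags(created, modified, accessed):
    """Return heuristic indicators that a file's times may have been set by hand."""
    flags = []
    times = (created, modified, accessed)
    if created == modified == accessed:
        flags.append("all_times_identical")
    if all(t.microsecond == 0 for t in times):
        flags.append("whole_second_times")
    if created > modified:
        flags.append("created_after_modified")  # also produced by an ordinary copy
    return flags


def triage(records):
    """Map each path to its flags; files that raise no flag are omitted."""
    hits = {}
    for path, created, modified, accessed in records:
        flags = timestamp_flags(created, modified, accessed)
        if flags:
            hits[path] = flags
    return hits


if __name__ == "__main__":
    for path, flags in triage(SAMPLE_RECORDS).items():
        print(path, ", ".join(flags))
```

Flagged files are candidates for a second look against sources the file's own FILETIMEs cannot rewrite, such as backups or log entries that reference the file.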
