List: forensics
Subject: RE: 'touch' on Win32
From: "crazytrain.com" <subscribe () crazytrain ! com>
Date: 2002-01-11 22:15:36
Carv,
A couple of things here.
1) I have had just a couple of instances where touch or similar was used
on a system. These were servers that were broken into. I can't say much
more than that.
2) I don't think you'll find this too common, as your refer. to the LE
response shows. For home users and most corp. users, I don't think they'll
take the time to use such a tool.
For a skilled person, this is where everything goes out the window. I
think if you look to the environment, say finance/banking, that'll be
indicative of whether such a tool MAY be used.
Sure, anything, anywhere, anytime is possible. But, again, in most cases,
I don't think you'll need to worry about this. When you have a high
profile, hush hush environment, wherein there is a purposeful and driving
reason to mod. file times, that is where I would start to look.
hope this helps
farmerdude
> I'm failing to see the point of this response.
>
> > A Win32 port of the Unix touch utility is available
> > at
> > http://unxutils.sourceforge.net/. This port is a
> > native Win32
> > application and does not require Cygwin or a perl
> > interpreter.
>
> My original post never said, "Hey look at this new
> thing I've done." In fact, I am fully aware that it
> isn't new at all. The Perl script that I wrote was
> intended to show, programmatically, *how* this is
> done. The SetFileTime() API, for example, doesn't
> seem to require Administrator privileges.
>
> Further, the script I wrote changes all of the
> FILETIMES, not just last access and modification.
>
> The issue I see is that this sort of functionality
> could have potentially devastating effects on
> forensics analysis and prosecution...which is the
> reason I asked the questions in my original post
> (neither of which, by the way, was "where can I get
> another touch utility?").
>
> I have spoken to a few individuals who have experience
> in the forensics field from the LE perspective.
> Fortunately, none of the ones I spoke to have seen
> this sort of functionality in place during an
> investigation.
>
> Carv
>
>
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
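Carv's point is that SetFileTime() lets any caller rewrite every FILETIME on a file. One heuristic examiners use to spot timestamps that were set from a whole-second value (the only precision a `touch -t YYYYMMDDhhmm.ss` argument carries) is to look at the sub-second fraction, which OS-written timestamps almost always have. The script below is an added example, not Carv's Perl script or anything from the thread; the "suspicious"/"review" thresholds are my own choice, and the back-dated sample file is constructed in a temp directory.

```python
import os
import tempfile
import time

NS_PER_SECOND = 1_000_000_000   # Python reports stat times in nanoseconds

def whole_second(ns):
    """True if a nanosecond timestamp has no sub-second fraction at all."""
    return ns % NS_PER_SECOND == 0

def classify(atime_ns, mtime_ns):
    """Heuristic verdict on one file's settable timestamps.

    OS-written timestamps almost always carry a non-zero fraction
    (NTFS keeps 100 ns ticks). A value built from a whole-second
    argument, as 'touch -t' supplies, has a fraction of exactly zero.
    Chance alone gives a zero fraction in roughly 1 of 10**7 NTFS
    timestamps, so this is a lead for the examiner, not proof.
    """
    flags = {"atime": whole_second(atime_ns), "mtime": whole_second(mtime_ns)}
    if all(flags.values()):
        return "suspicious", flags
    if any(flags.values()):
        return "review", flags
    return "normal", flags

def classify_path(path):
    """Apply classify() to a file on disk.

    On Windows st_ctime_ns is the creation time and can be checked the
    same way; on POSIX it is the inode change time, which utime() and
    SetFileTime() cannot set, so it is left out here.
    """
    st = os.stat(path)
    return classify(st.st_atime_ns, st.st_mtime_ns)

def demo():
    """Constructed demo: back-date a temp file the way 'touch -t' would."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.log")
        with open(path, "w") as f:
            f.write("constructed sample\n")
        # Equivalent of 'touch -t 200201112215': whole seconds, fraction zero
        t = int(time.mktime((2002, 1, 11, 22, 15, 0, 0, 0, -1)))
        os.utime(path, ns=(t * NS_PER_SECOND, t * NS_PER_SECOND))
        verdict, _ = classify_path(path)
        return verdict   # "suspicious"
```

A zero fraction on every timestamp of a file is only a reason to pull the file's other metadata and logs; a file copied or extracted by an archiver can legitimately end up with whole-second times too.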