Computer Forensics World :: View topic - W2000 system profile
pimp (Newbie, Joined: Sep 20, 2014, Posts: 8)
Posted: Mon Mar 02, 2015 9:18 am    Post subject: W2000 system profile

Hi,

I have found a computer (W2000 operating system) with a System Profile under the Documents and Settings folder. As far as I know this user doesn't log in to the computer. On a new W2000 PC this system profile folder doesn't appear. In the registry under:

Microsoft\Windows NT\CurrentVersion\ProfileList

there is a key with id S-1-5-18 and Date Modified: 11/09/2013 9:33:13. Analyzing the profile's folders in the MFT I've found that the Std Info Modification date is prior to the Std Info Creation date in some folders under the System profile, for example:

Filename #1: /Documents and Settings/SYSTEM/SendTo
Std Info Creation date : 2013-05-29 11:33:44.724249
Std Info Modification date: 2005-07-05 12:28:58
Std Info Access date: 2014-02-07 13:48:16.765625 (this date is because the disk was plugged by usb cable to check it)
Std Info Entry date: 2013-05-29 11:33:46.083626
FN Info Creation date: 2013-05-29 11:33:44.724249
FN Info Modification date: 2013-05-29 11:33:44.724249
FN Info Access date: 2013-05-29 11:33:44.724249
FN Info Entry date: 2013-05-29 11:33:44.72424

The system was installed in 2005.

Could anyone help me to understand what happened? Is this the result of an exploit? Why is the Std Info Modification date prior to the Std Info Creation date?

Best Regards and thanks in advance.
athulin (Newbie, Joined: Oct 19, 2007, Posts: 241)
Posted: Tue Mar 03, 2015 4:49 am    Post subject: Re: W2000 system profile

pimp wrote:
> I have found a computer (W2000 operating system) with a System Profile under Document and Settings Folder.

Have you established that it is (or was) a profile directory, and not just a random directory that happened to be created in that folder? (The latter would be more likely if there was a successful attack, I think.)

pimp wrote:
> Could anyone help me to understand what happened? Is this the result of an exploit? Why Std Info Modification date is prior to Std Info Creation date?

One rather old reference is Chow et al.: The Rules of Time on NTFS File System (published in SADFE 2007). That document formulates the rule: "When M time is before C time, the file has been copied from one system into the same/another system or moved from one partition to another partition." However, they refer to 'normal' use, not use by exploit. (See the full article -- just google for it on the web -- there are other important 'rules' to know about.)

Another possibility (also covered in that article) is unpacking a file archive. Some archivers restore some/all of the time stamps.

Look for traces of deleted files/directories and other events 'close' to the timestamps you already have found -- in log files as well as in the file system or the registry.
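The rule athulin quotes (M before C in $STANDARD_INFORMATION means the object was copied, moved or unpacked rather than created in place) applied to the SendTo entry posted above, as an added Python example that is not code from the thread, from Chow et al. or from any MFT tool. The Record/Times classes and the rule labels are this example's own; the $FILE_NAME comparison and the access-time check are additional heuristics assumed here, not taken from the thread, and the second "in place" record is a constructed control.

```python
"""Added example (not from the thread): apply the 'M before C' rule to one MFT entry.

The SENDTO record is built from the timestamps quoted in the thread; the
Record/Times classes, the rule labels and the extra checks are this example's own.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

FMT = "%Y-%m-%d %H:%M:%S"


def parse_ts(text: str) -> datetime:
    """Parse a timestamp as printed in the thread, with or without fractional seconds."""
    # strptime's %f accepts one to six digits, so '.72424' and '.724249' both parse.
    return datetime.strptime(text, FMT + ".%f" if "." in text else FMT)


@dataclass
class Times:
    created: datetime   # C
    modified: datetime  # M
    accessed: datetime  # A
    entry: datetime     # E, the 'Entry date' in the post (MFT record change time)


@dataclass
class Record:
    path: str
    si: Times  # $STANDARD_INFORMATION, the timestamps ordinary tools display
    fn: Times  # $FILE_NAME, kept with the directory entry


def times(c: str, m: str, a: str, e: str) -> Times:
    return Times(parse_ts(c), parse_ts(m), parse_ts(a), parse_ts(e))


def analyse(rec: Record) -> Dict[str, object]:
    """Return the rule labels that fire for one record and the time bracket they imply."""
    notes: List[str] = []
    bracket: Optional[Tuple[datetime, datetime]] = None

    # Chow et al. rule as quoted in the thread: M before C in $SI means the object
    # was copied/moved from elsewhere (or restored by an archiver that preserves M).
    # The content is then at least as old as M and arrived at this path no earlier than C.
    if rec.si.modified < rec.si.created:
        notes.append("SI M before C: copied, moved or unpacked, not created in place")
        bracket = (rec.si.modified, rec.si.created)

    # Assumed heuristic (not from the thread): the usual user-mode API that sets
    # $SI timestamps does not touch $FN, so creation times that disagree between
    # the two attributes deserve a closer look before trusting the $SI values.
    if rec.si.created != rec.fn.created:
        notes.append("SI/FN creation mismatch: review $SI timestamps for manipulation")

    # The poster explains the 2014 access time by mounting the disk over USB;
    # flag an access time newer than every other stamp so it is checked against
    # the acquisition log rather than read as suspect activity.
    if rec.si.accessed > max(rec.si.created, rec.si.modified, rec.si.entry):
        notes.append("SI A is newest: confirm against examiner/acquisition access")

    return {"path": rec.path, "notes": notes, "bracket": bracket}


# Constructed from the values posted above for /Documents and Settings/SYSTEM/SendTo.
SENDTO = Record(
    "/Documents and Settings/SYSTEM/SendTo",
    si=times("2013-05-29 11:33:44.724249", "2005-07-05 12:28:58",
             "2014-02-07 13:48:16.765625", "2013-05-29 11:33:46.083626"),
    fn=times("2013-05-29 11:33:44.724249", "2013-05-29 11:33:44.724249",
             "2013-05-29 11:33:44.724249", "2013-05-29 11:33:44.72424"),
)

# Constructed control (hypothetical path): a directory created in place, all stamps consistent.
IN_PLACE = Record(
    "/Documents and Settings/Administrator/SendTo",
    si=times(*["2005-07-05 12:28:58"] * 4),
    fn=times(*["2005-07-05 12:28:58"] * 4),
)


if __name__ == "__main__":
    for rec in (SENDTO, IN_PLACE):
        result = analyse(rec)
        print(result["path"])
        for note in result["notes"] or ["no rule fired"]:
            print("  ", note)
        if result["bracket"]:
            origin, arrival = result["bracket"]
            print("   content no newer than", origin, "; arrived here no earlier than", arrival)
```

Run as a script, the SendTo entry triggers the M-before-C rule and the access-time note, and the bracket places the folder content at or before 2005-07-05 (consistent with the 2005 installation mentioned above) with arrival at this path on 2013-05-29; the control record produces no findings. The bracket is the starting point for the timeline search athulin suggests: the log, file-system and registry events to look for are those close to the 2013 creation time.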
All times are GMT + 10 Hours