Detecting data tampering; Win98

  1. #1
    Junior Member
    Join Date
    Feb 2006
    Posts
    5

    Detecting data tampering; Win98

    What do you all think of this scenario?

    Let's suppose one has a laptop with a 10 gig hard drive. Let's further suppose that the OS in use is Windows 98. It becomes necessary to forensically examine the contents using X-Ways suite of forensic tools. The file system is collated and traversed using X-Ways. When one examines the dates and times of modified files in order one can see the general pattern of dates and times of when the system was booted up and shut down. This is because Windows 98 modifies certain files every time it starts and shuts down (see Knowledge base articles #183603, 183887 and 184023).

    Here's the oddity: Let's suppose that by judging from the traversed modified system files you see that the machine was apparently turned on 2/6/06 at 08:45 and turned off at 23:30, as those were the first and last files modified on that date. But when you check inside one of the CAB files it contains a DAT file that is dated 20 minutes after 23:30.

    Does this not suggest an anomaly of some sort? How often would something like this occur? Would it necessarily be a sign of someone tampering with the system data? Or perhaps this oddity arose from a power glitch of some sort.

    rogueactivex
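
The check described in the post above, as an added example that is not part of the original thread: it reads the member timestamps from a cabinet's file directory (the MSCF header and CFFILE entries) and lists members stamped on the session's date but outside the boot/shutdown window. The sample cabinet, the member names and the reading of 2/6/06 as 6 February 2006 are constructed assumptions.

```python
import struct
from datetime import datetime

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36-byte cabinet header
CFFILE = struct.Struct("<IIHHHH")            # fixed part of a member entry

def dos_datetime(d, t):
    """Decode MS-DOS date/time words (local time, 2-second resolution)."""
    return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)

def cab_member_times(data):
    """Return [(name, datetime)] read from a cabinet's CFFILE directory."""
    hdr = CFHEADER.unpack_from(data, 0)
    sig, coff_files, c_files = hdr[0], hdr[4], hdr[9]
    if sig != b"MSCF":
        raise ValueError("not a cabinet file")
    out, pos = [], coff_files
    for _ in range(c_files):
        _, _, _, d, t, _ = CFFILE.unpack_from(data, pos)
        end = data.index(b"\0", pos + CFFILE.size)
        out.append((data[pos + CFFILE.size:end].decode("latin-1"),
                    dos_datetime(d, t)))
        pos = end + 1
    return out

def outside_session(members, start, end):
    """Members stamped on the session's date but outside [start, end]."""
    return [(n, ts) for n, ts in members
            if ts.date() == start.date() and not start <= ts <= end]

def build_sample_cab(entries):
    """Constructed directory-only cabinet (no compressed data) for the demo."""
    body = b""
    for name, ts in entries:
        d = (ts.year - 1980) << 9 | ts.month << 5 | ts.day
        t = ts.hour << 11 | ts.minute << 5 | ts.second // 2
        body += CFFILE.pack(0, 0, 0, d, t, 0x20) + name.encode() + b"\0"
    return CFHEADER.pack(b"MSCF", 0, CFHEADER.size + len(body), 0,
                         CFHEADER.size, 0, 3, 1, 0, len(entries), 0, 0, 0) + body

# Constructed values; 2/6/06 is assumed to mean 6 February 2006.
SESSION_START = datetime(2006, 2, 6, 8, 45)
SESSION_END = datetime(2006, 2, 6, 23, 30)
SAMPLE = build_sample_cab([("EXAMPLE1.DAT", datetime(2006, 2, 6, 9, 10)),
                           ("EXAMPLE2.DAT", datetime(2006, 2, 6, 23, 50))])

if __name__ == "__main__":
    print(outside_session(cab_member_times(SAMPLE), SESSION_START, SESSION_END))
```

The cabinet stamps carry no time zone, so the session window has to be expressed on the same local clock before the comparison means anything.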

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Welcome to AO

    What happens if one sets the system's date into the future.. Change the cab.. set the date back to normal and shuts down?

    Or change the cab.. set the time back half an hour then shuts down?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Junior Member
    Join Date
    Feb 2006
    Posts
    5
    I have to be very vague on the details because it relates to an ongoing case. I also don't have access to the original machine. However I could set up Windows 98 on VMWare and some different options.

    rogueactivex

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Originally posted here by rogueactivex
    However I could set up Windows 98 on VMWare and some different options.
    That's what I would do.. Try out different scenarios and see which one comes close to what you've actually logged..

  5. #5
    nihil, Super Moderator: GMT Zone
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Windows 98.......................

    Forget it mate, you cannot get that OS and forensics in a meaningful sentence

    What about the Millennium Bug?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Time change would do the trick as mentioned above. However, trying to do forensics on 98 is trying to find a needle in a haystack. Good luck.

  7. #7
    nihil, Super Moderator: GMT Zone
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Well, I know this is a little old, but I will add to the thread.

    I have a couple of "billy-do's" that will run in DOS/9x and change file characteristics.........

    That means EVERYTHING

