-
February 27th, 2006, 03:51 PM
#1
Junior Member
Detecting data tampering; Win98
What do you all think of this scenario?
Let's suppose one has a laptop with a 10 gig hard drive. Let's further suppose that the OS in use is Windows 98. It becomes necessary to forensically examine the contents using X-Ways suite of forensic tools. The file system is collated and traversed using X-Ways. When one examines the dates and times of modified files in order one can see the general pattern of dates and times of when the system was booted up and shut down. This is because Windows 98 modifies certain files every time it starts and shuts down (see Knowledge base articles #183603, 183887 and 184023).
Here's the oddity: Let's suppose that by judging from the traversed modified system files you see that the machine was apparently turned on 2/6/06 at 08:45 and turned off at 23:30, as those were the first and last files modified on that date. But when you check inside one of the CAB files it contains a DAT file that is dated 20 minutes after 23:30.
Does this not suggest an anomaly of some sort? How often would something like this occur? Would it necessarily be a sign of someone tampering with the system data? Or perhaps this oddity arose from a power glitch of some sort.
rogueactivex
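Added example, not part of any post in this thread: the cross-check described in the opening post, written in Python. It infers a per-day activity window from file-system modification times and flags archive members stamped outside it. The file names and sample values are constructed, 2/6/06 is read as 6 February 2006, and the code assumes CAB member timestamps are 16-bit DOS date/time pairs in local time and that a session does not cross midnight.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def dos_to_datetime(dos_date, dos_time):
    """Decode a 16-bit DOS date/time pair (local time, 2-second resolution)."""
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0x0F, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)

def session_windows(mtimes):
    """Per calendar day, (earliest, latest) modification time seen on the volume.
    Assumption: one session per day that does not cross midnight."""
    by_day = defaultdict(list)
    for t in mtimes:
        by_day[t.date()].append(t)
    return {day: (min(ts), max(ts)) for day, ts in by_day.items()}

def flag_outliers(windows, members, slack=timedelta(seconds=2)):
    """Return (container, name, timestamp, reason) for members outside a window."""
    findings = []
    for container, name, dos_date, dos_time in members:
        try:
            ts = dos_to_datetime(dos_date, dos_time)
        except ValueError:  # e.g. month 0 or hour 31: not a real timestamp
            findings.append((container, name, None, "undecodable DOS timestamp"))
            continue
        window = windows.get(ts.date())
        if window is None:
            findings.append((container, name, ts, "no file-system activity that day"))
        elif ts > window[1] + slack:
            findings.append((container, name, ts, f"{ts - window[1]} after last write"))
        elif ts < window[0] - slack:
            findings.append((container, name, ts, f"{window[0] - ts} before first write"))
    return findings

# Constructed sample data mirroring the scenario (not taken from any real case).
FS_MTIMES = [datetime(2006, 2, 6, 8, 45), datetime(2006, 2, 6, 14, 10),
             datetime(2006, 2, 6, 23, 30)]
CAB_MEMBERS = [("sample.cab", "a.dat", 13382, 48061),   # 2006-02-06 23:29:58
               ("sample.cab", "b.dat", 13382, 48704)]   # 2006-02-06 23:50:00

if __name__ == "__main__":
    for finding in flag_outliers(session_windows(FS_MTIMES), CAB_MEMBERS):
        print(finding)
```

A flagged member only shows that the two timestamp sources disagree; a clock change, as raised in the replies, produces the same result as a deliberate edit.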
-
February 27th, 2006, 04:08 PM
#2
Welcome to AO
What happens if one sets the system's date into the future.. Change the cab.. set the date back to normal and shuts down?
Or change the cab.. set the time back half an hour then shuts down?
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 28th, 2006, 01:58 PM
#3
Junior Member
I have to be very vague on the details because it relates to an ongoing case. I also don't have access to the original machine. However I could set up Windows 98 on VMWare and some different options.
rogueactivex
-
February 28th, 2006, 02:51 PM
#4
Originally posted here by rogueactivex
However I could set up Windows 98 on VMWare and some different options.
That's what I would do.. Try out different scenarios and see which one comes close to what you've actually logged..
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 28th, 2006, 02:53 PM
#5
Windows 98.......................
Forget it mate, you cannot get that OS and forensics in a meaningful sentence
What about the Millennium Bug?
-
March 7th, 2006, 07:44 AM
#6
Junior Member
Time change would do the trick as mentioned above. However, trying to do forensics on 98 is trying to find a needle in a haystack. Good luck.
-
March 7th, 2006, 10:08 AM
#7
Well, I know this is a little old, but I will add to the thread.
I have a couple of "billy-do's" that will run in DOS/9x and change file characteristics.........
That means EVERYTHING