Oddly, he left a message on my site after my last post about forensic spots in Windows 7. I did not know it was Carvey till I looked up his email address. Small world.
Adrian

On Thu, Aug 13, 2009 at 8:39 PM, Ken Pryor <[email protected]> wrote:
> Also, this was on Harlan Carvey's excellent blog today
> http://windowsir.blogspot.com/2009/08/timeline-creation-tools-posted.html
>
>
> On Thu, Aug 13, 2009 at 3:48 PM, Joel Folkerts <[email protected]> wrote:
>
>> SANS recently posted an article discussing timeline creation and analysis -
>> https://blogs.sans.org/computer-forensics/2009/08/13/artifact-timeline-creation-and-analysis-tool-release-log2timeline/
>>
>> -Joel
>>
>> "The path to hell is paved with good intentions."
>>
>>
>> On Wed, Aug 12, 2009 at 12:45 PM, Nicholas B. <[email protected]> wrote:
>>
>>> While it can create an issue when a user is able to modify timestamps,
>>> those that they can't change, such as last access time, can prove useful.
>>> These stamps can yield information on probs of files not actively
>>> looked at by others for evidence of probing for vulnerable
>>> configuration settings by a malicious user where they are unable to
>>> make modifications to those files, but have read access to them. This
>>> only works on filesystems that record that stamp and didn't
>>> shortsightedly disable it (i.e. Vista) for performance reasons and where
>>> automatic processes (indexing, virus scans, etc.) haven't run on them
>>> since the incident in question occurred.
>>>
>>> On 8/12/09, David Kovar <[email protected]> wrote:
>>> > Greetings,
>>> >
>>> > Timestamps are one clue to a subject's activity but are rarely the
>>> > smoking gun, for many reasons. They can be intentionally modified,
>>> > various automated processes can update them, the system's clock may be
>>> > off (intentionally or accidentally), various actions may not preserve
>>> > them, ....
>>> >
>>> > Used in conjunction with other information, file system or metadata
>>> > timestamps can be very useful. If the physical security log at the
>>> > front desk shows the subject entering the building 15 minutes before
>>> > they log on to the domain server and then the prefetch shows Limewire
>>> > running right after that, leading to files being created shortly after
>>> > that ....
>>> >
>>> > -David
>>> >
>>> >
>>> > On Wed, Aug 12, 2009 at 3:14 AM, Jim Halfpenny <[email protected]> wrote:
>>> >> Timestamps may matter a lot if you refute your role in downloading such
>>> >> niche bedtime reading. The old "A virus must have downloaded it"
>>> >> might have less credibility if timestamps show the files to have been
>>> >> created over a considerable period of time.
>>> >>
>>> >> Remember that evidence in isolation may seem meaningless. If, for
>>> >> example, you have corroborating evidence from browser history, logs or
>>> >> ISP records, timestamps might provide strong evidence.
>>> >>
>>> >> Jim
>>> >>
>>> >> On 12/08/2009, Grymoire <[email protected]> wrote:
>>> >>>
>>> >>>> As the subject states, how much do file timestamps matter to a forensics
>>> >>>> case? If someone finds my collection of "Nazi albino midget Eskimo" porn,
>>> >>>> does it really matter what the date is?
>>> >>>
>>> >>> I'm not a forensic expert, but as I understand it,
>>> >>> timestamps help paint an accurate recreation of events.
>>> >>>
>>> >>> An expert describes a series of events, such as entries in the log
>>> >>> file, access times, modification times, etc., registry entries, etc.
>>> >>>
>>> >>> Some experts say that you can usually re-create an event even if
>>> >>> someone tries to hide their traces (i.e. modify timestamps). I think a
>>> >>> lot depends on the OS and logging capability.
>>> >>>
>>> >>>
>>> >>> And if the log is stored on a centralized log server, hiding traces is
>>> >>> more difficult.
>>> >>>
>>> >>>
>>> >>> _______________________________________________
>>> >>> Pauldotcom mailing list
>>> >>> [email protected]
>>> >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> >>> Main Web Site: http://pauldotcom.com
>>> >>>
>>> >>
>>> >> --
>>> >> Sent from my mobile device
>>> >>
>>> >
>>>
>>> --
>>> Sent from my mobile device
>>>
>>
>>
>
>
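The two points the thread keeps returning to, David's corroboration of file timestamps against independent sources (badge log, domain logon, prefetch) and Jim's observation that files created over a long period are harder to blame on a single virus, can be checked mechanically once the events are merged into one timeline. The following is an added example, not code from anyone in the thread; every event in it is constructed, and the source names ("badge", "domain", "prefetch", "fs_create") are assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events from independent sources (badge reader, domain
# controller, Windows prefetch, file system creation times); not real case data.
# Each entry: (timestamp, source, description)
EVENTS = [
    (datetime(2009, 8, 12, 8, 45), "badge", "subject enters building"),
    (datetime(2009, 8, 12, 9, 0), "domain", "interactive logon for subject"),
    (datetime(2009, 8, 12, 9, 3), "prefetch", "LIMEWIRE.EXE executed"),
    (datetime(2009, 8, 12, 9, 10), "fs_create", "file1.avi created"),
    (datetime(2009, 8, 19, 17, 22), "fs_create", "file2.avi created"),
    (datetime(2009, 9, 2, 20, 5), "fs_create", "file3.avi created"),
]

# A second constructed set where every file appeared within a few minutes,
# the pattern a "a virus downloaded it all at once" claim would need to show.
BURST_EVENTS = [
    (datetime(2009, 8, 12, 2, 0) + timedelta(minutes=m), "fs_create", f"f{m}.avi created")
    for m in (0, 2, 5, 7)
]


def build_timeline(events):
    """Merge events from every source into one chronological list."""
    return sorted(events, key=lambda e: e[0])


def corroborated(timeline, earlier_src, later_src, window_minutes):
    """True if some event from later_src follows an event from earlier_src
    within window_minutes (the badge -> logon -> prefetch ordering David describes)."""
    window = timedelta(minutes=window_minutes)
    firsts = [t for t, s, _ in timeline if s == earlier_src]
    seconds = [t for t, s, _ in timeline if s == later_src]
    return any(timedelta(0) <= b - a <= window for a in firsts for b in seconds)


def creation_span_days(timeline, source="fs_create"):
    """Whole days between the first and last creation time (Jim's test)."""
    times = [t for t, s, _ in timeline if s == source]
    return (max(times) - min(times)).days if len(times) > 1 else 0


def creation_pattern(timeline, burst_hours=1):
    """'burst' when all creations fall within burst_hours, else 'spread'."""
    times = [t for t, s, _ in timeline if s == "fs_create"]
    if len(times) < 2:
        return "insufficient"
    return "burst" if max(times) - min(times) <= timedelta(hours=burst_hours) else "spread"
```

The checks only establish ordering and spread; as David notes, a skewed clock or an automated process touching the files can still distort any single source, which is why each answer is read against the others.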
