[unisog] Do Windows file access, file mod, file create timestamps lie?

Paul FM paulfm at me.umn.edu
Sat Sep 15 14:55:12 GMT 2007


They can be "corrected" by any program with the right privileges (admin).

You should do MD5 hashes on the important files and keep those:
One program that might be useful is this.
http://sourceforge.net/projects/md5deep/

marchany at vt.edu wrote:
> One of the guys in my group tried to post to the list but got a failure. 
> Apologies if this is a duplicate. It's a question that's bothering us and 
> we're trying to see how this impacts us in a forensic investigation.
> 
> --------------------------------From Brad Tilley-------------------
> 
> In an effort to monitor access to files that might contain sensitive
> data, we've been experimenting with Windows timestamps. We have found
> that timestamps do not change when the files are viewed, printed or
> copied (basic file reads). We wrote some scripts to monitor the
> timestamps while various read access was occurring. Below are the
> results... perhaps we're way off base here and there is a simple
> explanation for this, but if timestamps on Windows are really as
> indifferent as they seem to be to reads, we're wondering how or if we
> can rely on them. Any input or feedback is welcome... Brad
> 
> Please note the win32file.GetFileAttributesEx() function is four hours
> (19:00) ahead while the python os.stat() function has the correct
> (15:00) time.
> 
> ---------------------------------------
> 
>   Created a zero byte text file named 'wup.txt' 09/14/07 15:09:39
> 
>   (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>   09/14/07 15:09:39 Create
>   09/14/07 15:09:39 Modify
>   09/14/07 15:09:39 Access
>   0 Bytes
> 
>   (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
> <PyTime:9/14/2007 7:09:39 PM, 0)
>   09/14/07 19:09:39 win32 Create
>   09/14/07 19:09:39 win32 Modify
>   09/14/07 19:09:39 win32 Access
>   0 Bytes
> 
>   ------------------------------------------
> 
>   Opened 'wup.txt' in Notepad, viewed it, then closed 09/14/07 15:14:38
> 
>   (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>   09/14/07 15:09:39 Create
>   09/14/07 15:09:39 Modify
>   09/14/07 15:09:39 Access
>   0 Bytes
> 
>   (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
> <PyTime:9/14/2007 7:09:39 PM, 0)
>   09/14/07 19:09:39 win32 Create
>   09/14/07 19:09:39 win32 Modify
>   09/14/07 19:09:39 win32 Access
>   0 Bytes
> 
>   ------------------------------------------
> 
>   Opened 'wup.txt' in Wordpad, viewed it, then closed 09/14/07 15:17:04
> 
>   (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>   09/14/07 15:09:39 Create
>   09/14/07 15:09:39 Modify
>   09/14/07 15:09:39 Access
>   0 Bytes
> 
>   (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
> <PyTime:9/14/2007 7:09:39 PM, 0)
>   09/14/07 19:09:39 win32 Create
>   09/14/07 19:09:39 win32 Modify
>   09/14/07 19:09:39 win32 Access
>   0 Bytes
> 
>   ------------------------------------------
> 
>   I printed 'wup.txt' from Wordpad to a printer 09/14/07 15:20:09
> 
>   (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>   09/14/07 15:09:39 Create
>   09/14/07 15:09:39 Modify
>   09/14/07 15:09:39 Access
>   0 Bytes
> 
>   (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
> <PyTime:9/14/2007 7:09:39 PM, 0)
>   09/14/07 19:09:39 win32 Create
>   09/14/07 19:09:39 win32 Modify
>   09/14/07 19:09:39 win32 Access
>   0 Bytes
> 
>   ------------------------------------------
> 
>   I copied 'wup.txt' to 'Copy of wup.txt' 09/14/07 15:24:07
> 
>   (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>   09/14/07 15:09:39 Create
>   09/14/07 15:09:39 Modify
>   09/14/07 15:09:39 Access
>   0 Bytes
> 
>   (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
> <PyTime:9/14/2007 7:09:39 PM, 0)
>   09/14/07 19:09:39 win32 Create
>   09/14/07 19:09:39 win32 Modify
>   09/14/07 19:09:39 win32 Access
>   0 Bytes
> 
>   ------------------------------------------
> 
>   I typed 'Brad' into the 'wup.txt' file 09/14/07 15:25:13
> 
>   (33206, 0L, 2, 1, 0, 0, 4L, 1189797892, 1189797892, 1189796979)
>   09/14/07 15:09:39 Create
>   09/14/07 15:24:52 Modify
>   09/14/07 15:24:52 Access
>   4 Bytes
> 
>   (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:24:52 PM,
> <PyTime:9/14/2007 7:24:52 PM, 4)
>   09/14/07 19:09:39 win32 Create
>   09/14/07 19:24:52 win32 Modify
>   09/14/07 19:24:52 win32 Access
>   4 Bytes
> 
>   ------------------------------------------
> 
> Randy Marchany (for Brad Tilley)
> VA Tech IT Security Office.
> 
> 

-- 
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm

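Added example, not code from the thread or from md5deep: a small Python script that does what the reply recommends (keep a digest of important files alongside their timestamps) and that renders os.stat() times in UTC, which is the zone FILETIME and thus win32file.GetFileAttributesEx() report in, so the two APIs in Brad's output print the same clock value. The demo scenario (a file named wup.txt in a temporary directory, edited and then given its old timestamps back with os.utime) is constructed to show the case timestamps alone would miss.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def to_utc(epoch_seconds):
    """Render an os.stat() epoch time in UTC, the zone FILETIME uses, so it
    matches the win32 output (1189796979 -> 2007-09-14 19:09:39)."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def fingerprint(path):
    """Record size, timestamps (UTC) and an MD5 digest of the file content."""
    st = os.stat(path)
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": to_utc(st.st_mtime),
            "atime": to_utc(st.st_atime), "md5": digest.hexdigest()}


def compare(baseline, current):
    """Return findings; a digest change with an unchanged mtime is the case
    that a timestamp-only check cannot see."""
    findings = []
    if baseline["md5"] != current["md5"]:
        if baseline["mtime"] == current["mtime"]:
            findings.append("content changed but mtime unchanged (timestamp not trustworthy)")
        else:
            findings.append("content changed")
    elif baseline["mtime"] != current["mtime"]:
        findings.append("mtime changed but content identical")
    return findings


def demo():
    """Constructed scenario: baseline a zero-byte file, write to it, then put
    the original timestamps back (the 'correction' the reply describes)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wup.txt")
        open(path, "w").close()                       # zero-byte file, as in the thread
        base = fingerprint(path)
        st = os.stat(path)
        with open(path, "w") as f:
            f.write("Brad")
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore old timestamps exactly
        return compare(base, fingerprint(path))
```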
