System Profile W2000


2 replies to this topic

#1 pimp

pimp
  • Members
  • 2 posts
  •  
    Spain

Posted 01 March 2015 - 11:27 PM

Hi,

I have found a computer (W2000 operating system) with a SYSTEM profile under the Documents and Settings folder. As far as I know this user doesn't log in to the computer. On a new W2000 PC this system profile folder doesn't appear. In the registry under:

Microsoft\Windows NT\CurrentVersion\ProfileList

there is a key with ID S-1-5-18 and Date Modified: 11/09/2013 9:33:13. Analyzing the profile's folders in the MFT, I've found that the Std Info Modification date is prior to the Std Info Creation date in some folders under the SYSTEM profile, for example:

Filename #1: /Documents and Settings/SYSTEM/SendTo
Std Info Creation date : 2013-05-29 11:33:44.724249
Std Info Modification date: 2005-07-05 12:28:58
Std Info Access date: 2014-02-07 13:48:16.765625 (this date is because the disk was connected by USB cable to check it)
Std Info Entry date: 2013-05-29 11:33:46.083626
FN Info Creation date: 2013-05-29 11:33:44.724249
FN Info Modification date: 2013-05-29 11:33:44.724249
FN Info Access date: 2013-05-29 11:33:44.724249
FN Info Entry date: 2013-05-29 11:33:44.72424

The system was installed in 2005.

Could anyone help me to understand what happened? Is this the result of an exploit? Why is the Std Info Modification date prior to the Std Info Creation date?

Best regards, and thanks in advance.



#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 02 March 2015 - 11:37 AM

Generally speaking, a creation date later than the modified date may be the result of a copy/paste or of a backup/restore operation, see:

http://www.forensicf...wtopic/t=10310/

 

Which specific tool are you using to analyze the $MFT?

 

:duff:

Wonko

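The check behind the reply above, as an added example that is not part of the thread and not analyzeMFT's own code: it parses the "Field: value" layout the original poster pasted (one record per block), then compares the $STANDARD_INFORMATION (Std Info) times against each other and against the $FILE_NAME (FN Info) times. A Std Info creation time later than the Std Info modification time is the fingerprint of a copy, extract or restore (the destination gets a fresh creation time while the source's modification time is carried over). A Std Info creation time that differs from the FN Info creation time is a different signal: $FILE_NAME times are written by the kernel and are not reachable through SetFileTime(), so a mismatch points to the Std Info times having been rewritten. The first record is the one from the post; the second record (`readme.txt`) is constructed here purely to show the second check firing.

```python
"""Flag NTFS timestamp anomalies in analyzeMFT-style "Field: value" output.

Added example; not analyzeMFT's own code. The record layout is the one
pasted in the forum post, not analyzeMFT's CSV output.
"""
from datetime import datetime
import re

# Record 1 is the poster's SendTo folder (parenthetical note on the access
# line dropped). Record 2 is CONSTRUCTED for this example: its Std Info
# creation time has been pushed back to 2005 while the kernel-maintained
# FN Info creation time still says 2013.
SAMPLE = """\
Filename #1: /Documents and Settings/SYSTEM/SendTo
Std Info Creation date : 2013-05-29 11:33:44.724249
Std Info Modification date: 2005-07-05 12:28:58
Std Info Access date: 2014-02-07 13:48:16.765625
Std Info Entry date: 2013-05-29 11:33:46.083626
FN Info Creation date: 2013-05-29 11:33:44.724249
FN Info Modification date: 2013-05-29 11:33:44.724249
FN Info Access date: 2013-05-29 11:33:44.724249
FN Info Entry date: 2013-05-29 11:33:44.724249

Filename #2: /Documents and Settings/SYSTEM/Desktop/readme.txt
Std Info Creation date : 2005-07-05 12:30:00
Std Info Modification date: 2005-07-05 12:31:00
Std Info Access date: 2005-07-05 12:31:00
Std Info Entry date: 2005-07-05 12:31:00
FN Info Creation date: 2013-05-29 11:34:00.118530
FN Info Modification date: 2013-05-29 11:34:00.118530
FN Info Access date: 2013-05-29 11:34:00.118530
FN Info Entry date: 2013-05-29 11:34:00.118530
"""

# Accept "date :", "date:" and the "date." typo seen in the post.
LINE_RE = re.compile(
    r"^(Std Info|FN Info) (Creation|Modification|Access|Entry) date\s*[:.]\s*(\S+ \S+)"
)


def parse_ts(text):
    """Parse a timestamp with or without a fractional-second part."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_records(text):
    """Split analyzeMFT-style text into records: name, si{} and fn{} times."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Filename #"):
            current = {"name": line.split(":", 1)[1].strip(), "si": {}, "fn": {}}
            records.append(current)
            continue
        match = LINE_RE.match(line)
        if match and current is not None:
            attr = "si" if match.group(1) == "Std Info" else "fn"
            current[attr][match.group(2).lower()] = parse_ts(match.group(3))
    return records


def find_anomalies(record):
    """Return the list of timestamp anomalies for one record, in fixed order."""
    si, fn = record["si"], record["fn"]
    findings = []
    si_cre, si_mod, fn_cre = si.get("creation"), si.get("modification"), fn.get("creation")
    # 1. Created after modified: copy / extract / restore carried the old
    #    modification time onto a freshly created destination entry.
    if si_cre and si_mod and si_cre > si_mod:
        findings.append("si_created_after_modified")
    # 2. Std Info creation disagrees with the kernel-set $FILE_NAME creation:
    #    the Std Info times have been rewritten (timestomping indicator).
    if si_cre and fn_cre and si_cre != fn_cre:
        findings.append("si_fn_creation_mismatch")
    # 3. Heuristic: NTFS keeps 100 ns resolution, but SetFileTime-style
    #    stomping tools usually write whole seconds. A zero fraction on the
    #    Std Info creation time next to a non-zero FN fraction is suspicious.
    if si_cre and fn_cre and si_cre.microsecond == 0 and fn_cre.microsecond != 0:
        findings.append("si_creation_zero_fraction")
    return findings


def analyze(text):
    """Map each record name to its anomaly list (empty list = nothing odd)."""
    return {rec["name"]: find_anomalies(rec) for rec in parse_records(text)}


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE).items():
        print(f"{name}: {', '.join(findings) if findings else 'clean'}")
```

Run against the sample, the SendTo folder from the post is flagged only for "created after modified", with Std Info and FN Info creation times identical to the microsecond, which is what a copy, extraction or profile restore leaves behind rather than a timestamp-editing tool. The constructed `readme.txt` record shows the opposite pattern: a plausible-looking 2005 Std Info creation time that the $FILE_NAME attribute contradicts.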


#3 pimp

pimp
  • Members
  • 2 posts
  •  
    Spain

Posted 02 March 2015 - 06:45 PM

Hi The Finder,

 

The tool is analyzeMFT, and the strange thing is that the SYSTEM folder doesn't exist in all installations.

 

Best Regards.


Edited by pimp, 02 March 2015 - 06:46 PM.




