I have found a computer (W2000 operating system) with a System Profile under Document and Settings Folder. As far as I know this user doesn't log in to the computer. In a new W2000 PC this system profile folder doesn't appear. In the registry under:
there is a key with id S-1-5-18 and Date Modified: 11/09/2013 9:33:13. Analyzing the profile's folders in the MFT, I've found that the Std Info Modification date is prior to the Std Info Creation date in some folders under the System profile, for example:
Filename #1: /Documents and Settings/SYSTEM/SendTo
Std Info Creation date : 2013-05-29 11:33:44.724249
Std Info Modification date: 2005-07-05 12:28:58
Std Info Access date: 2014-02-07 13:48:16.765625 (this date is because the disk was plugged in by USB cable to check it)
Std Info Entry date: 2013-05-29 11:33:46.083626
FN Info Creation date: 2013-05-29 11:33:44.724249
FN Info Modification date: 2013-05-29 11:33:44.724249
FN Info Access date: 2013-05-29 11:33:44.724249
FN Info Entry date: 2013-05-29 11:33:44.72424
The system was installed in 2005.
Could anyone help me to understand what happened? Is this the result of an exploit? Why is the Std Info Modification date prior to the Std Info Creation date?
Best Regards and thanks in advance.
System Profile W2000
Posted 01 March 2015 - 11:27 PM
Posted 02 March 2015 - 06:45 PM
Hi The finder,
The tool is analyzeMFT and the strange thing is that the system folder doesn't exist in all installations.
Edited by pimp, 02 March 2015 - 06:46 PM.
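As an added example (not part of the thread and not analyzeMFT's own code), this sketch parses timestamp lines in the layout quoted in the first post and flags the $STANDARD_INFORMATION / $FILE_NAME relationships usually checked in timeline analysis. The `parse_record` and `findings` helpers and the flag names are assumptions made for illustration; the sample values are copied from the post.

```python
import re
from datetime import datetime

# Record text in the layout quoted in the post (values copied from the post).
SAMPLE = """\
Std Info Creation date : 2013-05-29 11:33:44.724249
Std Info Modification date: 2005-07-05 12:28:58
Std Info Entry date: 2013-05-29 11:33:46.083626
FN Info Creation date: 2013-05-29 11:33:44.724249
FN Info Modification date: 2013-05-29 11:33:44.724249
"""

LINE = re.compile(
    r"^(Std|FN) Info (\w+) date\s*[:.]\s*"
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?:\.\d+)?)", re.M)

def parse_record(text):
    """Return {('Std', 'Creation'): datetime, ...} from the quoted layout."""
    out = {}
    for attr, field, stamp in LINE.findall(text):
        fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in stamp else "%Y-%m-%d %H:%M:%S"
        out[(attr, field)] = datetime.strptime(stamp, fmt)
    return out

def findings(rec):
    """Heuristic flags only; each needs corroboration from other artifacts."""
    si_c, si_m = rec[("Std", "Creation")], rec[("Std", "Modification")]
    fn_c = rec[("FN", "Creation")]
    flags = []
    if si_m < si_c:
        # Seen when an object is copied with its modified time preserved,
        # and also when a tool rewrites $STANDARD_INFORMATION.
        flags.append("si_modified_before_si_created")
    if si_c < fn_c:
        # SetFileTime-style APIs change $STANDARD_INFORMATION only, so an SI
        # creation time older than the FN creation time deserves a closer look.
        flags.append("si_created_before_fn_created")
    if any(t.microsecond == 0 for (a, _), t in rec.items() if a == "Std"):
        # Whole-second values often come from a coarser-resolution source
        # or from a tool that sets times without sub-second precision.
        flags.append("si_whole_second_timestamp")
    return flags

if __name__ == "__main__":
    print(findings(parse_record(SAMPLE)))
```

For the SendTo record in the post, the FN Info creation time equals the Std Info creation time, so only the first and third checks fire.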