
RE: mactimes

Subject: RE: mactimes
Date: Thu, 11 Nov 2004 21:11:31 +0100
Let's clear this up:
        - The atime field is updated each time the pointer to the file's data 
blocks is followed and the file's data is read.
        - The mtime field is updated each time the file's data changes.
        - The ctime field is updated each time the file's inode changes.

There is NO WAY under standard Unixes to get a file's creation time! Well, 
AFAIK!

The atime and mtime can easily be changed (for instance under Perl, just use 
the utime() function), but there is no (simple) way to change the ctime: as a 
file is a series of 0s and 1s, it should be possible to forge the right series to 
match our hack :)



-----Original Message-----
From: Potter, Timothy [mailto:Timothy.F.Potter@pjc.com] 
Sent: Wednesday, November 10, 2004 17:30
To: forensics@securityfocus.com
Subject: mactimes

If mactimes can easily be modified by a hacker, then would I know, and how 
would mactimes be utilized in court?

I have a Microsoft Excel file on a FAT12 floppy disk.
Here are the mactimes:

modified: 9/28/2004 @ 9:12AM CST
accessed: 9/29/2004 @ 4:38PM CST
created: 10/1/2004 @ 1:12 AM

So, how can the created time be later than the last modified time?? This 
doesn't help in establishing a clear timeline of events.. Thanks, -Tim




-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking 
system please see: http://aris.securityfocus.com
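
The atime/mtime/ctime behaviour described in the reply above, as an added example that is not part of the original thread. It uses Python's os.utime() in place of the Perl utime() mentioned there, assumes a POSIX filesystem, and all function names and sample records are constructed for illustration.

```python
import os
import tempfile
import time


def backdate_demo(days_back=30):
    """Back-date atime/mtime on a scratch file and report how old each
    timestamp then looks. The kernel sets ctime to 'now' as a side effect."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"constructed sample content\n")
        os.close(fd)
        past = time.time() - days_back * 86400
        os.utime(path, (past, past))      # sets atime and mtime only
        st = os.stat(path)
        now = time.time()
        return {
            "atime_age": now - st.st_atime,   # about days_back days
            "mtime_age": now - st.st_mtime,   # about days_back days
            "ctime_age": now - st.st_ctime,   # about zero: inode just changed
        }
    finally:
        os.unlink(path)


def ctime_after_mtime(records, slack=2):
    """records: iterable of (name, atime, mtime, ctime) in epoch seconds,
    e.g. rows from a timeline export. Returns the names whose inode change
    time is later than the data modification time by more than slack."""
    return [name for name, _atime, mtime, ctime in records
            if ctime - mtime > slack]


# Constructed sample records (epoch seconds), not taken from any real case.
SAMPLE = [
    ("notes.txt",  1100000000, 1100000000, 1100000000),  # consistent
    ("budget.xls", 1096380000, 1096380000, 1100200000),  # ctime much later
]

if __name__ == "__main__":
    print(backdate_demo())
    print(ctime_after_mtime(SAMPLE))
```

A ctime later than mtime also results from ordinary metadata changes such as chmod, chown or adding a hard link, so a flagged file is a lead to corroborate against other evidence rather than proof of tampering.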



