User talk:Shray

From Forensics Wiki
Revision as of 23:56, 23 November 2008 by Shray (Talk | contribs)


It is well known that the MACE values (Modified, Accessed, Created and Entry Modified time-stamps) of the $STANDARD_INFORMATION attribute of a file can be easily modified by an attacker. A workaround to detect any such modification is to look at the $FILE_NAME MACE values, which are not modified by the user but are managed by Windows itself.

I found a strange behavior with the $FILE_NAME MACE values, which can be indirectly modified by a user/attacker. When a file is moved within a volume, the MACE values from $STANDARD_INFORMATION are copied to $FILE_NAME. I really don't find a justification for such behavior. If the $FILE_NAME MACE values are intended to be modified only by Windows itself, then why is this sort of modification allowed?

However, it just fosters anti-forensics. I really don't find a perfect way, either through metadata files or attributes, to determine the sequence of file creation; in such a case it is easy for an attacker to camouflage his intent.
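The $STANDARD_INFORMATION versus $FILE_NAME comparison that the post above relies on, as an added example that is not part of the original talk page and is not code from Forensics Wiki. The script parses both attributes out of an NTFS MFT FILE record (the record is constructed in memory for the demo, with the update sequence fixups applied as they would be on disk), decodes the four FILETIME stamps from each, and flags two common timestomping indicators: a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time, and $STANDARD_INFORMATION values with an all-zero sub-second part. Both checks are heuristics, not proof, and the names `build_record`, `compare_mace` and the finding labels are this example's own. The second demo record, where every stamp in $FILE_NAME already equals $STANDARD_INFORMATION (the picture a normal creation, or the intra-volume move described above, leaves behind), produces no findings at all, which is exactly the blind spot the post complains about.

```python
"""Compare $STANDARD_INFORMATION and $FILE_NAME MACE stamps in an MFT record.

Added example; attribute layouts follow the NTFS on-disk format, the record
itself is constructed test data, and the findings are heuristics only.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
TICKS_PER_SECOND = 10_000_000           # FILETIME is 100 ns units since 1601-01-01

def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    # integer floor division keeps full precision (float would round at this magnitude)
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def apply_fixups(record):
    """Undo the update sequence array: restore the last two bytes of every sector."""
    buf = bytearray(record)
    usa_off, usa_count = struct.unpack_from('<HH', buf, 4)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * 512 - 2
        if bytes(buf[end:end + 2]) != usn:
            raise ValueError('update sequence mismatch in sector %d (torn write?)' % (i - 1))
        buf[end:end + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def iter_attributes(record):
    """Yield (type, content) for every resident attribute in a fixed-up FILE record."""
    off = struct.unpack_from('<H', record, 0x14)[0]
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from('<II', record, off)
        if atype == ATTR_END or alen == 0:
            break
        if record[off + 8] == 0:                       # resident attribute
            clen, coff = struct.unpack_from('<IH', record, off + 0x10)
            yield atype, record[off + coff:off + coff + clen]
        off += alen

def mace_from_si(content):
    c, m, e, a = struct.unpack_from('<4Q', content, 0)   # created, modified, MFT modified, accessed
    return {'M': m, 'A': a, 'C': c, 'E': e}

def mace_from_fn(content):
    c, m, e, a = struct.unpack_from('<4Q', content, 8)   # stamps follow the 8-byte parent reference
    name_len = content[0x40]
    name = content[0x42:0x42 + 2 * name_len].decode('utf-16-le')
    return name, {'M': m, 'A': a, 'C': c, 'E': e}

def compare_mace(record):
    """Return one result per $FILE_NAME attribute, with a list of heuristic findings."""
    record = apply_fixups(record)
    si, fns = None, []
    for atype, content in iter_attributes(record):
        if atype == ATTR_STANDARD_INFORMATION:
            si = mace_from_si(content)
        elif atype == ATTR_FILE_NAME:
            fns.append(mace_from_fn(content))
    results = []
    for name, fn in fns:
        findings = []
        if si['C'] < fn['C']:
            findings.append('si_created_before_fn_created')   # a file cannot predate its own name record
        for key in 'MACE':
            if si[key] % TICKS_PER_SECOND == 0:                # whole-second stamps, typical of SetFileTime tooling
                findings.append('si_whole_second_' + key)
        results.append({'name': name, 'si': si, 'fn': fn, 'findings': findings})
    return results

def _attr(atype, content):
    body = content + bytes((-len(content)) % 8)
    return struct.pack('<IIBBHHHIHBB', atype, 24 + len(body), 0, 0, 0, 0, 0, len(content), 24, 0, 0) + body

def build_record(si_mace, fn_mace, name):
    """Constructed 1024-byte FILE record with one $SI, one $FN and on-disk style fixups."""
    si = _attr(ATTR_STANDARD_INFORMATION,
               struct.pack('<4Q', si_mace['C'], si_mace['M'], si_mace['E'], si_mace['A']) + bytes(16))
    root = (5 << 48) | 5                                  # parent: root directory, MFT entry 5
    fn = _attr(ATTR_FILE_NAME,
               struct.pack('<Q4QQQIIBB', root, fn_mace['C'], fn_mace['M'], fn_mace['E'], fn_mace['A'],
                           0, 0, 0x20, 0, len(name), 3) + name.encode('utf-16-le'))
    attrs = si + fn + struct.pack('<I', ATTR_END) + bytes(4)
    rec = bytearray(1024)
    rec[0:4] = b'FILE'
    struct.pack_into('<HH', rec, 4, 0x30, 3)              # USA at 0x30, USN + 2 sector entries
    struct.pack_into('<HHHH', rec, 0x10, 1, 1, 0x38, 1)   # seq, links, first attribute, in-use flag
    struct.pack_into('<II', rec, 0x18, 0x38 + len(attrs), 1024)
    struct.pack_into('<H', rec, 0x28, 3)
    rec[0x38:0x38 + len(attrs)] = attrs
    usn = b'\x07\x00'
    rec[0x30:0x32] = usn
    for i in (1, 2):                                      # stash real sector-end bytes, overwrite with USN
        end = i * 512 - 2
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)

def demo(stomped=True):
    """Constructed scenario: $FN written at creation, $SI optionally backdated to a whole second."""
    created = datetime(2008, 11, 20, 9, 15, 42, 123456, tzinfo=timezone.utc)
    fn_mace = {k: datetime_to_filetime(created) for k in 'MACE'}
    si_mace = dict(fn_mace)
    if stomped:
        backdated = datetime_to_filetime(datetime(2004, 1, 1, tzinfo=timezone.utc))
        si_mace['C'] = si_mace['M'] = backdated
    return compare_mace(build_record(si_mace, fn_mace, 'evil.dll'))

if __name__ == '__main__':
    for r in demo() + demo(stomped=False):
        print(r['name'], filetime_to_datetime(r['si']['C']), filetime_to_datetime(r['fn']['C']), r['findings'])
```

Whole-second stamps also arise legitimately (files extracted from archives or copied from FAT media carry two-second resolution), so treat that finding as a prompt to look at $UsnJrnl and $LogFile, not as a verdict; and after the intra-volume move behaviour described above, the $FILE_NAME copy offers nothing to compare against, so the absence of findings is not evidence of an untouched record.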
