Security Incidents mailing list archives

Changing file times, was -> Re: Trojan of somesort - Update


From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 28 May 2004 09:55:58 -0700 (PDT)


> Although looking at the dates of files is one of the
> simpler and more important tools when investigating a
> possible issue, we need to keep in mind how easy it is
> to change it.

This is definitely something to keep in mind, but it's
not the whole story.  When performing incident
response and forensics, one should never rely on one
piece of information/evidence exclusively.

There's another distinction to keep in mind.  It's
relatively easy to throw out things like this that are
trivial...but the question remains, *is* it being
done?  Can anyone out there demonstrate, with proof,
that a compromised box that they responded to had file
times that were tampered with?  I suppose one example
might be a CP case in which the perp altered the last
access times of the files to when he was on vacation,
or to 1979, or to 2153.  Has anyone actually seen a
case in which the MAC times of the file were altered,
and if so, can you show proof of this?

Just b/c something *can* happen, doesn't mean that it
*does* happen.

> It's easier on some systems than others, and
> practically ridiculous on FAT file systems.

To be honest, I'm not aware that there's any real
distinction with regards to file system.  On both NTFS
and FAT, as long as you have write access to the file
in question, the file times can be changed.  I've
demonstrated this time and again, in presentations as
well as in my book.  

If I'm missing something with regards to the
distinction with regards to how easy it is to change
MAC times on FAT vs NTFS, please let me know.
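The point above, that file times are trivially writable and should never be the only evidence, is illustrated here with an added plausibility check (example code, not from the thread or its author). It flags the kinds of values mentioned in the message (dates in 1979, in 2153, or otherwise impossible) so an investigator knows which files need corroboration from other sources. The sample records, the file-system install date and the "now" value are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileTimes:
    """MAC times for one file as read from the file system."""
    path: str
    modified: datetime   # M
    accessed: datetime   # A
    created: datetime    # C (NTFS/FAT creation time)


def timestamp_anomalies(ft, fs_created, now):
    """Return reasons why this file's times are implausible.

    These are heuristics only. Each hit is a lead to corroborate
    with other evidence (event logs, $MFT entries, backups, network
    logs), not proof that the times were tampered with."""
    reasons = []
    for name, ts in (("modified", ft.modified),
                     ("accessed", ft.accessed),
                     ("created", ft.created)):
        if ts > now:
            reasons.append(f"{name} time is in the future")
        if ts < fs_created:
            reasons.append(f"{name} time predates the file system")
    # Also seen on legitimately copied files (copy keeps M, sets new C),
    # so this one needs corroboration more than the others.
    if ft.modified < ft.created:
        reasons.append("modified before created")
    return reasons


def scan(records, fs_created, now):
    """Map path -> list of anomalies, omitting files with none."""
    result = {}
    for rec in records:
        hits = timestamp_anomalies(rec, fs_created, now)
        if hits:
            result[rec.path] = hits
    return result


# Constructed sample: a normal system file, one with absurd times,
# and one that merely looks like a copied document.
FS_CREATED = datetime(2003, 1, 15, 12, 0)
NOW = datetime(2004, 5, 28, 9, 55)
SAMPLE = [
    FileTimes("C:/WINDOWS/system32/kernel32.dll",
              datetime(2003, 1, 15, 12, 0), datetime(2004, 5, 27, 8, 0), datetime(2003, 1, 15, 12, 0)),
    FileTimes("C:/temp/svc.exe",
              datetime(1979, 1, 1, 0, 0), datetime(2153, 6, 1, 0, 0), datetime(2004, 5, 20, 3, 0)),
    FileTimes("C:/docs/report.doc",
              datetime(2004, 4, 1, 10, 0), datetime(2004, 5, 2, 9, 0), datetime(2004, 5, 1, 9, 0)),
]
```

Running `scan(SAMPLE, FS_CREATED, NOW)` flags only the second and third files; the third is the copied-file pattern that must not be treated as tampering by itself.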
