I have found a computer (W2000 operating system) with a System Profile under the Documents and Settings folder. As far as I know, this user doesn't log in to the computer. In a new W2000 PC this System profile folder doesn't appear. In the registry under:
Microsoft\Windows NT\CurrentVersion\ProfileList
there is a key with ID S-1-5-18 and Date Modified: 11/09/2013 9:33:13. Analyzing the profile's folders in the MFT, I've found that the Std Info Modification date is prior to the Std Info Creation date in some folders under the System profile, for example:
Filename #1: /Documents and Settings/SYSTEM/SendTo
Std Info Creation date: 2013-05-29 11:33:44.724249
Std Info Modification date: 2005-07-05 12:28:58
Std Info Access date: 2014-02-07 13:48:16.765625 (this date is because the disk was plugged in by USB cable to check it)
Std Info Entry date: 2013-05-29 11:33:46.083626
FN Info Creation date: 2013-05-29 11:33:44.724249
FN Info Modification date: 2013-05-29 11:33:44.724249
FN Info Access date: 2013-05-29 11:33:44.724249
FN Info Entry date: 2013-05-29 11:33:44.72424
The system was installed in 2005.
Could anyone help me to understand what happened? Is this the result of an exploit? Why is the Std Info Modification date prior to the Std Info Creation date?
Best Regards and thanks in advance.
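The ordering comparison described in the post, as an added example that is not part of the original post: it parses a record in the layout quoted above and reports where the Std Info ($STANDARD_INFORMATION) modification time precedes its creation time, or where Std Info creation precedes FN Info ($FILE_NAME) creation. The function names are hypothetical, and the sample record reuses the values quoted in the post with the author's parenthetical remark left out.

```python
import re
from datetime import datetime

# Sample record: values copied from the post, kept on one line as quoted there.
SAMPLE = (
    "Filename #1: /Documents and Settings/SYSTEM/SendTo "
    "Std Info Creation date : 2013-05-29 11:33:44.724249 "
    "Std Info Modification date: 2005-07-05 12:28:58 "
    "Std Info Access date: 2014-02-07 13:48:16.765625 "
    "Std Info Entry date: 2013-05-29 11:33:46.083626 "
    "FN Info Creation date: 2013-05-29 11:33:44.724249 "
    "FN Info Modification date: 2013-05-29 11:33:44.724249 "
    "FN Info Access date: 2013-05-29 11:33:44.724249 "
    "FN Info Entry date. 2013-05-29 11:33:44.72424"
)

# "<Std|FN> Info <field> date", then ':' or '.', then a timestamp with optional fraction.
FIELD_RE = re.compile(
    r"(Std|FN) Info (Creation|Modification|Access|Entry) date\s*[:.]\s*"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{1,6})?)"
)

def parse_record(text):
    """Map (attribute, field) -> datetime for each timestamp in one record."""
    stamps = {}
    for attr, field, value in FIELD_RE.findall(text):
        fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in value else "%Y-%m-%d %H:%M:%S"
        stamps[(attr, field)] = datetime.strptime(value, fmt)
    return stamps

def ordering_findings(stamps):
    """Return (label, gap) pairs for timestamp orderings worth a closer look."""
    si_created = stamps[("Std", "Creation")]
    si_modified = stamps[("Std", "Modification")]
    fn_created = stamps[("FN", "Creation")]
    findings = []
    if si_modified < si_created:
        findings.append(("Std Info modified before Std Info created", si_created - si_modified))
    if si_created < fn_created:
        findings.append(("Std Info created before FN Info created", fn_created - si_created))
    return findings

if __name__ == "__main__":
    for label, gap in ordering_findings(parse_record(SAMPLE)):
        print(f"{label}: gap of {gap.days} days")
```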