
Interesting question!

16 Posts
8 Users
0 Reactions
1,663 Views
(@rusaus)
Active Member
Joined: 19 years ago
Posts: 9
Topic starter  

After a virus attack, can one be confident that a particular Microsoft Word file was not infected by the virus if

1. Size has not changed (say 500kb)
2. Modified Access time has not changed

Just a theoretical one.

(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

I would say no. File size can be managed and access times can be manipulated.

Given the 500kb size, who is to say the virus creator did not pull some of the text out and leave a macro payload that makes the file remain 500kb? When the unsuspecting victim opens the file, they reinfect the computer. The victim may even see what appears to be their document, and only on close comparison to the clean original (that is of course stored on backup) do they see the text is changed/missing.

dfarmer03
(@dfarmer03)
Eminent Member
Joined: 18 years ago
Posts: 38
 

I think the only way to know for certain is by comparing the hash value of the file before and after the virus attack… provided that they have a backup of the document, which they probably don't.

Derrick

(@rusaus)
Active Member
Joined: 19 years ago
Posts: 9
Topic starter  

Hash is not the option. Considerations: the size, Access/Modification time and Type of File (MS Word).

(@hdollar)
Active Member
Joined: 18 years ago
Posts: 17
 

Another interesting thought would be: what if the author of the document placed an alternate data stream or hidden field within the document?

 kern
(@kern)
Trusted Member
Joined: 20 years ago
Posts: 67
 

rusaus
It could depend on which OS you are checking the file with, and whether the virus is smart enough to fiddle with the mactimes.

OS note: crossing over between *nix and MS would screw up the interpretation of the metadata, as one sees Change, the other Creation. NTFS has both.

NTFS should store the C time (the change time and the creation time), neither of which you mention. M, A but no C.

Do you have a date for the virus infection? Maybe check if any mactimes are coincident.

Kern

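Kern's two points, that the third timestamp means different things on different operating systems and that mactimes coincident with the infection date are worth checking, can be shown on a constructed directory. The code below is an added example written for this page, not code from the thread or any of its participants. It uses only the Python standard library; the file names, contents and the 2008 infection date are made up, and `collect_mactimes`, `coincident` and `backdated` are names chosen here for the demo.

```python
import os
import shutil
import sys
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Python exposes the third timestamp as st_ctime on every platform, but it means
# different things: NTFS creation time on Windows, inode change time on *nix.
C_TIME_MEANING = "creation" if sys.platform.startswith("win") else "change"


def collect_mactimes(root):
    """Return {relative_path: {"M": dt, "A": dt, "C": dt}} as UTC datetimes."""
    root = Path(root)
    entries = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        entries[path.relative_to(root).as_posix()] = {
            "M": datetime.fromtimestamp(st.st_mtime, timezone.utc),
            "A": datetime.fromtimestamp(st.st_atime, timezone.utc),
            "C": datetime.fromtimestamp(st.st_ctime, timezone.utc),
        }
    return entries


def coincident(entries, start, end, fields=("M", "C")):
    """Files with any of the chosen timestamps inside [start, end].

    A coincident time is a lead, not a verdict: a virus that fiddles with the
    mactimes would not show up here at all.
    """
    hits = {}
    for name, ts in entries.items():
        matched = [f for f in fields if start <= ts[f] <= end]
        if matched:
            hits[name] = matched
    return hits


def backdated(entries, gap=timedelta(hours=1)):
    """Files whose M time is much older than their C time.

    On POSIX, setting M back with utime() leaves C at the moment of that
    change; on NTFS, a file 'modified' well before it was created is the
    classic anomaly. Either way the pair deserves a closer look.
    """
    return sorted(n for n, ts in entries.items() if ts["C"] - ts["M"] > gap)


def run_demo():
    """Create three files, back-date two of them, and run both checks around
    a constructed infection time."""
    tmp = Path(tempfile.mkdtemp())
    try:
        infection = datetime(2008, 3, 14, 9, 30, tzinfo=timezone.utc)  # constructed
        sample = {
            "old_letter.doc": infection - timedelta(days=30),  # untouched for a month
            "budget.doc": infection + timedelta(minutes=5),    # modified just after
            "fresh_memo.doc": None,                            # written right now
        }
        for name, when in sample.items():
            p = tmp / name
            p.write_bytes(b"constructed content for " + name.encode())
            if when is not None:
                t = when.timestamp()
                os.utime(p, (t, t))  # sets A and M only; C records this change on POSIX
        entries = collect_mactimes(tmp)
        window = (infection - timedelta(minutes=30), infection + timedelta(minutes=30))
        return {
            "c_time_means": C_TIME_MEANING,
            "window_hits": coincident(entries, *window, fields=("M",)),
            "backdated": backdated(entries),
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The demo searches the window on M only, because on *nix the C time of every freshly written file is "now"; on a real NTFS image read with the right tooling, the creation time would be searched as well. `backdated` flags the two files whose M was pushed back: restoring an old modification time is exactly the kind of fiddling Kern mentions, and on both platforms it leaves the third timestamp out of step with M.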
(@mas66)
Eminent Member
Joined: 20 years ago
Posts: 21
 

Can I ask an 'interesting question': what on earth does this have to do with 'real world' computer forensics, when the practical suggestion of hashing is 'not allowed'? … What is this all about?

Just my 2c worth to stimulate conversation.

Mark

(@rusaus)
Active Member
Joined: 19 years ago
Posts: 9
Topic starter  

> Can I ask an 'interesting question': what on earth does this have to do with 'real world' computer forensics, when the practical suggestion of hashing is 'not allowed'? … What is this all about?
>
> Just my 2c worth to stimulate conversation.
>
> Mark

Where in the 'real world' would you have hashed files on a running system? And if it's a forensic image of a computer, then it would not be infected by a virus (or rather it is unlikely -)

Forensics is often performed on live systems (such as Web servers that could not be shut down due to the impact on the business, etc.).

Here is my 50c to stimulate conversation lol

(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

> Where in the 'real world' would you have hashed files on a running system?

In the real world you would go back to a clean uninfected backup and hash the files, then compare them to the current files running on the infected system. This would help determine when and how the system was infected.

> And if it's a forensic image of a computer, then it would not be infected by a virus (or rather it is unlikely

Seriously? I find viruses, trojans and spyware in images all the time.

Keeping up with inflation, my $12.50 to stimulate conversation.

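Bithead's two posts (size and access times can be manipulated; hash a clean backup and compare it with the live system) and Derrick's hashing suggestion describe one check, and it can be demonstrated on constructed files. The following is an added example for this page, not code posted by anyone in the thread. It builds a "backup" and a "current" tree in a temporary directory, alters one document so that its byte length and mtime/atime stay exactly as they were, and then compares the weak indicators with SHA-256. The file names and contents are made up, and `compare_trees` and `same_length_tamper` are names chosen here.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_trees(backup_root, current_root):
    """Compare each file in the clean backup with its counterpart on the current system.

    Returns {relative_path: {...}} recording whether size, mtime, atime and
    SHA-256 agree, so the weak indicators sit beside the strong one.
    """
    backup_root, current_root = Path(backup_root), Path(current_root)
    report = {}
    for backup_path in backup_root.rglob("*"):
        if not backup_path.is_file():
            continue
        rel = backup_path.relative_to(backup_root).as_posix()
        current_path = current_root / rel
        if not current_path.is_file():
            report[rel] = {"missing": True}
            continue
        # Capture stat() before hashing: reading a file may update its atime.
        b, c = backup_path.stat(), current_path.stat()
        report[rel] = {
            "size_same": b.st_size == c.st_size,
            "mtime_same": b.st_mtime_ns == c.st_mtime_ns,
            "atime_same": b.st_atime_ns == c.st_atime_ns,
            "hash_same": sha256_file(backup_path) == sha256_file(current_path),
        }
    return report


def same_length_tamper(path, old, new):
    """Replace `old` with `new` (same byte length) and put the original
    mtime/atime back, imitating a change that leaves size and timestamps alone."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the byte length unchanged")
    st = os.stat(path)
    data = Path(path).read_bytes()
    if old not in data:
        raise ValueError("pattern not present; nothing would change")
    Path(path).write_bytes(data.replace(old, new))
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def run_demo():
    """Build a clean backup and a 'current' copy, alter one document in place
    without touching size or timestamps, and return the comparison report."""
    tmp = Path(tempfile.mkdtemp())
    try:
        backup, current = tmp / "backup", tmp / "current"
        backup.mkdir()
        # Constructed sample documents; the names and text are made up.
        (backup / "report.doc").write_bytes(b"Quarterly report text. " * 40)
        (backup / "notes.doc").write_bytes(b"Meeting notes. " * 40)
        shutil.copytree(backup, current)  # copy2 preserves mtime/atime
        same_length_tamper(current / "report.doc", b"report text", b"[replaced] ")
        return compare_trees(backup, current)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

For `report.doc` the report shows size, mtime and atime unchanged while the digest differs, which is the thread's point in one line of output; `notes.doc`, which was left alone, agrees on every field. The only input the check needs is the clean copy, which is why the discussion keeps coming back to whether a backup exists.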
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Hdollar,

> Another interesting thought would be: what if the author of the document placed an alternate data stream or hidden field within the document?

Arbitrary alternate data streams (ADSs) do not go "in" a file or document; they are separate files. "Hidden" fields may be of limited value, as in most cases they won't contain something executable, or even a method for doing so.

Also, when you try to add specific information to an OLE/Office file (such as Summary info via the property tab), that information actually goes inside the file; in other file types, such as .txt, it goes into an ADS. This information is very specific and does not normally pose a threat in terms of executables or viruses.

The original question is interesting, although as someone has pointed out, hardly realistic.

> After a virus attack can one be confident that a particular Microsoft
> Word file was not infected by the virus if
>
> 1. Size has not changed (say 500kb)
> 2. Modified Access time has not changed

Was the theoretical virus attack one that targeted Word files? I agree that one cannot simply take 1 & 2 above and say that the file has not been infected, but to think that other methods of analysis are not available is not realistic.

Page 1 / 2