How to determine if a file has been changed or not in Windows SBS 2003
Posted on 2008-06-14
I'm asked to assist a lawyer to check the following:
A company, I'll call it the buyer, bought an accounting software 2 years ago. They claim it never worked as it should have and never paid for it. The company that created and sold the software, the seller, decommissioned it and claims that the package needed just some tuning. They had remote console access to the SBS server.
The buyer has found a text file (.txt) that ought to have contained parameters but contains in fact a very large list of known bugs. They say it was dropped there by the seller but the seller denies it.
This is what is known about this file:
1° The creation date and modification date are the same. They match the date of an email, which the seller admits to having sent, mentioning a new parameter file that was dropped.
2° The user of the file is the group Administrator, to which the remote login user of the seller and only the main operator of the buyer belong. I don't remember how, but in some history it is proven that no changes have been made to the Administrator group since before that event.
3° In the event log we detected that each time someone opens the remote control, an event is created about a printer that can't be connected. On the date of the creation of the file, a remote connection occurred twice, one of which is around the date of the creation of the file.
First the seller denied that he created the file, then he admitted he did but said the content of the file was changed, not his.
My questions are:
1) Can we find out in some way, via Active Directory information or other, if the file really was not changed afterward, as modification dates can be manipulated (as far as I know)?
2) The creator of the file is a system user group; is there a way to find out who the effective user was that last changed the file?
The purpose is to know if the content of the file was transmitted by accident by the seller or manipulated by the buyer.