Looking at a Windows XP box checking out the registry it gives a shutdown time and last write time at a specific date in 2007. When looking at files on the drive there are numerous amounts of files that are created, modified, and accessed over a year later in 2008. My question is if the registry is showing that the last write and shutdown time was in 2007 if the computer was turned on to use in 2008, would the registry last write time reflect this? This is looking in the Software\Microsoft\Windows NT\CurrentVersion, and also the shutdown time in System\ControlSet001\Control\windows. Thank you

Pronie,

When performing analysis such as this, you have to keep in mind what the various values truly reflect. For example, a Registry key LastWrite time reflects that last time that key was modified; ie, when a value or subkey was created or modified (with deleted being the extreme case of modified).

As to the ShutdownTime value, that reflects the date/time that the system was last cleanly shutdown. My daughter never shuts off her computer, but lets it go into sleep() mode. Depending upon the type of system you're looking at, this may make perfect sense.

One way to correlate this is to check the System Event Logs for 6005 and 6009 events, which indicate a system shutdown/restart.

Ok so if a year later the computer was turned on files were created, modified, etc.. and then the computer was just turned off or plug pulled, etc anything but being cleanly shut down then the registry key for shutdown time would not reflect this? thanks keydet

Have you considered that the user may have taken the drive out of the computer and plugged it into another externally

Maybe there was more than one drive that in the computer before that acted as O/S and accessed the other drive as they were both attached to the same mother board

I've had this in cases before where the defendant claims the files were planted, but then when you look at the drive, they have a slide out caddy which contains a separate O/S and link files to the files they allege were planted.

I have thought of that this drive came from a laptop, something else I came across that I thought was odd was the OS install date is in 2006, but I have files that are created on that drive dating back to 1999 and all the years before 06???thanks stezer

Have you looked into the sys event files

Security Event, ID 520 - Indictes that the system clock is changed

Export the .evt files and view them in your sys event viewer in windows

Only one entry in the security event log ID 517 (the audit log was cleared) by user name system on the date that the registry shows as the OS install date

Why would the OS install date say 2006 when there are files on the drive dating back to 1999 and everything in between?

Again, context. Specifically, which files are you referring to? Are they system files? Part of the default installation?

Asking "why are some files on the drive dated thus and such?" doesn't really do a lot to help us help you.

I appologize it is a lot of microsoft office files, word, excel, etc. as well as application files. I just dont see that if the computer OS was installed in 06 how could these files be on there from 6 years prior to the operating system being installed. I will get specifics on the system files but from a glance it was a lot of office files. Thanks