Windows installation date

(@datar)
Posts: 15
Eminent Member
Topic starter
 

I would be happy to get advice on the following question.

I am examining an image in which I need to find the initial installation date of the Windows OS. From looking at the usual places in the registry I see a date back in 2013, but the user claims that he had the system installed in 2011 and upgraded it in 2013 (from XP to 7).

How can I confirm it? Where should I look for the original installation date, and is there some place I can look to confirm that the 2013 mark was an update and not the initial installation?

Thank you

 
Posted : 14/12/2016 11:40 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> I would be happy to get advice on the following question.
>
> I am examining an image in which I need to find the initial installation date of the Windows OS. From looking at the usual places in the registry I see a date back in 2013, but the user claims that he had the system installed in 2011 and upgraded it in 2013 (from XP to 7).
>
> How can I confirm it? Where should I look for the original installation date, and is there some place I can look to confirm that the 2013 mark was an update and not the initial installation?
>
> Thank you

There is (was) not an "upgrade path" from Windows XP to 7.

The OS would have been re-installed, so it is normal that you find 2013 if the "upgrade" was performed in 2013; that is when the current 7 OS was installed.
IF the OS volume (and/or other volumes) was not re-formatted (or the whole disk re-partitioned) at the time, you might find some earlier traces in the NTFS metadata/filesystem structure dates.
And - a long shot - there may still be some traces of files that are "normal" in an XP install, such as NTLDR, ntdetect.com and boot.ini.

jaclaz

 
Posted : 15/12/2016 12:29 am
(@datar)
Posts: 15
Eminent Member
Topic starter
 

In this case, I am looking for cookies and web activity from before 2013 (2010-2012), and I find a lot of them. So I assume that during the update/upgrade there was no format.

So no way to know what was before the Windows update in 2013?

 
Posted : 15/12/2016 12:49 am
joakims
(@joakims)
Posts: 224
Estimable Member
 

Besides jaclaz's suggestion, you could analyze the various portions of slack and unallocated.

 
Posted : 15/12/2016 3:44 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> In this case, I am looking for cookies and web activity from before 2013 (2010-2012), and I find a lot of them. So I assume that during the update/upgrade there was no format.
>
> So no way to know what was before the Windows update in 2013?

Then *anything goes*.

Though - of course - there is no real way to say that the date the filesystem was created was also the time of first install of an OS (and even if you find - possibly in the slack or "deleted" fragments or "whole" definitely XP related files, they may be there for several reasons).

I wouldn't even completely rule out the actual hard disk manufacture date (on the label of the disk).

IF the disk manufacturing date is in a "suitable range", let's say manufactured in October 2010, it is more likely that the first NTFS metadata dates you can find are related to a format done when installing (for the first time) the OS (i.e. the XP in 2011[1]).
If the disk is older than that then it is more likely that it was already used and then the NTFS dates may be related to an even earlier OS install.
If it is newer and you find older dates in the NTFS, then it is a "clone" of a previous system.

jaclaz

[1] Installing for the first time a Windows XP in 2010 or 2011 is not actually "common" since Vista is 2006 and 7 is 2009, so it must have been a "custom" install or however not the "standard" one for a new computer, particularly, End Of Sale for XP was - at least in theory - 30 June 2008.

 
Posted : 15/12/2016 8:11 pm
JimC
(@jimc)
Posts: 86
Estimable Member
 

I would suggest looking at the $FN attributes of the various system folders (\WINDOWS, \WINDOWS\SYSTEM32 etc).

The creation timestamp will typically record when the folder was created and is unlikely to have changed since this would only happen if the folder was moved/renamed.

Jim
www.binarymarkup.com

 
Posted : 01/02/2017 3:30 pm
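
The $FN check suggested in the last post comes down to reading two creation timestamps from the same MFT record: one in $STANDARD_INFORMATION and one in $FILE_NAME. As an added example (not part of the thread or any poster's code), the Python below parses both from a single FILE record; the function names and the sample record are constructed here, and the record is assumed to have been extracted from $MFT with update-sequence fixups already applied.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def from_filetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)

def creation_times(record):
    """Return $SI/$FN creation times and the file name from one MFT FILE record."""
    # Assumption: update-sequence fixups were already applied to `record`.
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, out = struct.unpack_from("<H", record, 0x14)[0], {}
    while off + 0x18 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:       # end-of-attributes marker
            break
        if atype in (0x10, 0x30) and record[off + 8] == 0:   # resident attributes
            body = off + struct.unpack_from("<H", record, off + 0x14)[0]
            if atype == 0x10:                      # $STANDARD_INFORMATION
                out["SI"] = from_filetime(struct.unpack_from("<Q", record, body)[0])
            else:                                  # $FILE_NAME (last one wins)
                out["FN"] = from_filetime(struct.unpack_from("<Q", record, body + 8)[0])
                n = record[body + 0x40]            # name length in UTF-16 units
                out["name"] = record[body + 0x42:body + 0x42 + 2 * n].decode("utf-16-le")
        off += alen
    return out

def build_sample(name, si_created, fn_created):
    """Build a constructed FILE record (sample data, not from a real image)."""
    ft = lambda dt: int((dt - EPOCH).total_seconds()) * 10**7
    def attr(atype, content):
        total = (0x18 + len(content) + 7) & ~7     # attributes are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHH", atype, total, 0, 0, 0x18, 0, 0,
                          len(content), 0x18, 0)
        return (hdr + content).ljust(total, b"\0")
    si = struct.pack("<4Q", *[ft(si_created)] * 4) + bytes(16)
    fn = struct.pack("<Q4Q2Q2I2B", 5, *[ft(fn_created)] * 4, 0, 0, 0x10000000, 0,
                     len(name), 1) + name.encode("utf-16-le")
    # Header: signature, first-attribute offset 0x38 at 0x14, flags at 0x16.
    head = b"FILE" + bytes(0x10) + struct.pack("<HH", 0x38, 0x03) + bytes(0x20)
    rec = head + attr(0x10, si) + attr(0x30, fn) + b"\xff\xff\xff\xff"
    return rec.ljust(1024, b"\0")

SAMPLE = build_sample("Windows", datetime(2009, 7, 14, 3, 20, 8, tzinfo=timezone.utc),
                      datetime(2013, 3, 5, 10, 15, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(creation_times(SAMPLE))
```

The two dates in `SAMPLE` are constructed and deliberately differ, so the output shows that each value is read from its own attribute.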