Track history of OS installations


work.hardy.n
Newbie
 

Track history of OS installations

Post Posted: Dec 24, 18 13:20

A computer with dual boot using GNU Grub exists.

Currently, Ubuntu is on one partition and Fedora on another.
But the partition that has Fedora previously had another version of Ubuntu on it, and before that had Windows 7.
Is there any way/log to tell when (date) each of the OSes was installed on the partition which currently has Fedora?

Fedora resides on ext4, Ubuntu previously was on ext4 and Windows 7 before that was on NTFS; not sure if the file system type makes any difference at all.
 
  

ForensicallyChallenged
Newbie
 

Re: Track history of OS installations

Post Posted: Dec 25, 18 00:21

I may be wrong (feel free to correct me), however if you reformat a partition from NTFS to EXT4 or vice versa, the previous data would be unreadable due to the differences in the data structure.
 
  

work.hardy.n
Newbie
 

Re: Track history of OS installations

Post Posted: Dec 25, 18 12:15

Hi,
I am a complete newbie, so I wouldn't know too much about the affiliated logic underneath. I am not trying to do data recovery from the previous installation. In my scenario, ruling out the need for data recovery helps, as in, if the history of dates of OS installation warrants a data recovery situation, I would instead be recreating the data in a certain way that I think it existed in history. If it doesn't warrant it, I don't need to recreate my data; I might be more or less all set with the existing data at hand.

Is there an entity (either GNU Grub/the existing dual-boot software or something else) which tells us there existed an OS at a certain date, or that an OS was installed on a certain date in history?
Conceptually, if GNU Grub or something else is allowing me to boot into multiple OS installations, it makes me think it would keep a log of when one of the OS partitions changed into a different OS. I wouldn't be surprised if I am completely wrong, just a question, if the answer existed, hoping to save me a lot of data crunching work.
 
  

jaclaz
Senior Member
 

Re: Track history of OS installations

Post Posted: Dec 26, 18 10:52

- ForensicallyChallenged
I may be wrong (feel free to correct me), however if you reformat a partition from NTFS to EXT4 or vice versa, the previous data would be unreadable due to the differences in the data structure.

Yes and no.
Meaning that if you "quick format" a volume without changing its size, there are two possible cases:
1) you format it with the same filesystem as before (and under the same OS): 99.9999% of the time all filesystem data structures will be overwritten
2) you format it with a different filesystem (and in some cases also with the same filesystem on a different OS): filesystem data may (entirely or partially) "survive".

A typical example is if you re-format an NTFS hard disk volume as FAT32.

ALL the filesystem structures of the NTFS filesystem, with the exception of the $Boot file, which however is not of particular importance, normally reside at a relatively high offset (the $MFT is by default on any volume bigger than 5-6 Gb on cluster 786432 i.e. normally sector 6291456).

ALL the filesystem structures of the FAT32 filesystem (the FAT tables) are instead at the very beginning of the volume, and are very unlikely to overwrite any of the NTFS ones.

Cannot say about EXT2/3/4, but I believe that at the most it will "make holes" in the underlying NTFS structures.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
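
As an added example (not part of jaclaz's post), here is one way to test the point above on a raw image of the reformatted partition: read the record at the default $MFT start sector quoted in the post and, if an NTFS "FILE" record survives there, report the creation time from its $STANDARD_INFORMATION attribute, which for the $MFT record is normally set when the NTFS volume was formatted. The function names, the 512-byte sector size and the 1 KiB record size are assumptions, and the sample image is constructed.

```python
import io
import struct
from datetime import datetime, timedelta, timezone

DEFAULT_MFT_SECTOR = 6291456  # default $MFT start sector quoted in the post above
SECTOR_SIZE = 512             # assumption: 512-byte sectors
RECORD_SIZE = 1024            # assumption: default 1 KiB MFT records


def filetime_to_utc(ft):
    """NTFS FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def si_created(record):
    """Creation time from a record's $STANDARD_INFORMATION attribute, or None."""
    if len(record) < 0x38 or record[:4] != b"FILE":
        return None  # overwritten, or never an MFT record
    off = struct.unpack_from("<H", record, 0x14)[0]  # offset of first attribute
    while off + 0x18 <= len(record):
        a_type, a_len = struct.unpack_from("<II", record, off)
        if a_type == 0xFFFFFFFF or a_len < 0x18 or off + a_len > len(record):
            return None  # end marker reached, or record damaged
        if a_type == 0x10 and record[off + 8] == 0:  # resident $STANDARD_INFORMATION
            body = off + struct.unpack_from("<H", record, off + 0x14)[0]
            if body + 8 > len(record):
                return None
            return filetime_to_utc(struct.unpack_from("<Q", record, body)[0])
        off += a_len
    return None


def residual_mft_created(image, sector=DEFAULT_MFT_SECTOR):
    """Check one sector of a raw partition image for a surviving MFT record."""
    image.seek(sector * SECTOR_SIZE)
    return si_created(image.read(RECORD_SIZE))


def build_sample_image(created_filetime, sector):
    """Constructed test data: zero-filled image with one minimal MFT record."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x38)                 # first attribute at 0x38
    struct.pack_into("<IIB", rec, 0x38, 0x10, 0x60, 0)      # type, length, resident
    struct.pack_into("<IH", rec, 0x48, 0x48, 0x18)          # content size and offset
    struct.pack_into("<Q", rec, 0x50, created_filetime)     # creation FILETIME
    struct.pack_into("<I", rec, 0x98, 0xFFFFFFFF)           # end-of-attributes marker
    return io.BytesIO(bytes(sector * SECTOR_SIZE) + bytes(rec))
```

On a real case, pass a read-only binary file handle of the partition image to `residual_mft_created`; a `None` result only means no intact record was found at that default location, not that no NTFS remnants exist elsewhere on the volume.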
 
  

ForensicallyChallenged
Newbie
 

Re: Track history of OS installations

Post Posted: Dec 28, 18 07:06

Thank you for the clarification.  