Track history of OS installations

work.hardy.n
Newbie
 

Track history of OS installations

Posted: Dec 24, 18 07:20

A computer with dual boot using GNU GRUB exists.

Currently, Ubuntu is on one partition and Fedora on another.
But the partition that has Fedora previously had another version of Ubuntu on it, and before that had Windows 7.
Is there any way/logs to tell when (date) each of the OSes was installed on the partition which currently has Fedora?

Fedora resides on ext4, Ubuntu previously was on ext4 and Windows 7 before that was on NTFS; not sure if the file system type makes any difference at all.
 
  

ForensicallyChallenged
Newbie
 

Re: Track history of OS installations

Posted: Dec 24, 18 18:21

I may be wrong (feel free to correct me); however, if you reformat a partition from NTFS to EXT4 or vice versa, the previous data would be unreadable due to the differences in the data structure.
 
  

work.hardy.n
Newbie
 

Re: Track history of OS installations

Posted: Dec 25, 18 06:15

Hi,
I am a complete newbie, so I wouldn't know too much about the affiliated logic underneath. I am not trying to do data recovery from the previous installation. In my scenario, ruling out the need for data recovery helps, as in: if the history of dates of OS installation warrants a data recovery situation, I would instead be recreating the data in a certain way that I think it existed in history. If it doesn't warrant it, I don't need to recreate my data; I might be more or less all set with the existing data at hand.

Is there an entity (either GNU GRUB/the existing dual-boot software or something else) which tells us there existed an OS at a certain date, or that an OS was installed on a certain date in history?
Conceptually, if GNU GRUB or something else is allowing me to boot into multiple OS installations, it makes me think it would keep a log of when one of the OS partitions changed into a different OS. I wouldn't be surprised if I am completely wrong; it's just a question, and if the answer exists I'm hoping it will save me a lot of data crunching work.
 
  

calimelo
Senior Member
 

Re: Track history of OS installations

Posted: Dec 25, 18 13:07

Hi,

Are you sure about the "installed on the same partition" info? Those operating systems usually require more than one partition.

Let's assume it is true. (N2J: The following are just personal opinions, not statistics or scientific info.)

First installation (Ubuntu on P1, Windows 7 on the other):
People usually install Windows first, then Ubuntu (or any other distro) to make the installation easy, or they install Linux, reserve an NTFS partition and restore Windows from an image to that partition (not that likely). Ubuntu needs at least one partition for the OS, an optional partition for home, and a swap partition. The user can choose to install Ubuntu on a single partition and install swapd (a daemon for dynamic swap file creation), but that is not common. To be able to dual boot, the user should have installed a boot manager (LILO, GRUB, GRUB2, rEFInd etc.). GRUB changes should be in Ubuntu's logs (like the update-grub command).

Second installation (Ubuntu on P1, Ubuntu on P2):
(Who does that?) If someone did install another Ubuntu version (U2) on the other partition, it should be in the first Ubuntu's (U1's) log if the user actually booted U1 after installing U2. To be able to access the second OS's partition, it should have been mounted. So it should be in the logs (as well as the change in GRUB).

Third installation (Ubuntu on P1, Fedora on P2):
Same as 2nd installation.

If the user ever booted into the Ubuntu version on P1, the OS should have logged some info.

What I'd do if I were you: test it! Replicate the installation process in a virtual machine. It'd take some time but will be more informative than theories.
_________________
"Simplicity is the ultimate sophistication." 
 
  

jaclaz
Senior Member
 

Re: Track history of OS installations

Posted: Dec 26, 18 04:52

- ForensicallyChallenged wrote:
I may be wrong (feel free to correct me); however, if you reformat a partition from NTFS to EXT4 or vice versa, the previous data would be unreadable due to the differences in the data structure.

Yes and no.
Meaning that if you "quick format" a volume without changing its size, there are two possible cases:
1) you format it with the same filesystem as before (and under the same OS): 99.9999% of the time all filesystem data structures will be overwritten;
2) you format it with a different filesystem (and in some cases also with the same filesystem on a different OS): filesystem data may (entirely or partially) "survive".

A typical example is if you re-format a NTFS hard disk volume as FAT32.

ALL the filesystem structures of the NTFS filesystem, with the exception of the $Boot file, which however is not of particular importance, normally reside at a relatively high offset (the $MFT is by default on any volume bigger than 5-6 Gb on cluster 786432 i.e. normally sector 6291456).

ALL the filesystem structures of the FAT32 filesystem (the FAT tables) are instead at the very beginning of the volume, and are very unlikely to overwrite any of the NTFS ones.

Cannot say about EXT2/3/4, but I believe that at the most it will "make holes" in the underlying NTFS structures.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
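Added example, not code from this thread: it goes beyond the replies by reading the ext4 superblock's own creation (mkfs) and last-mount timestamps, which date when the filesystem now holding Fedora was made, and it probes the default $MFT location jaclaz cites for a surviving NTFS FILE record, whose $STANDARD_INFORMATION times date the old NTFS volume. It assumes the partition image is available as a bytes object; the 4 KiB sample image is constructed, with the leftover $MFT record placed at sector 4 instead of 6291456 so it fits in memory.

```python
import struct
from datetime import datetime, timezone

# Offsets follow the ext4 and NTFS on-disk formats; the default $MFT sector is the one jaclaz quotes.
EXT4_SB_OFF, EXT4_MAGIC, DEFAULT_MFT_SECTOR, SECTOR = 1024, 0xEF53, 6291456, 512

def _ts(epoch):  # seconds since 1970 -> ISO 8601 UTC; 0 means the field was never set
    return datetime.fromtimestamp(epoch, timezone.utc).isoformat() if epoch else None
filetime_to_iso = lambda ft: _ts(ft / 10_000_000 - 11644473600)  # NTFS FILETIME: 100-ns ticks since 1601
def ext4_times(blob):
    """Creation (mkfs) and last-mount times from the ext4 superblock at offset 1 KiB."""
    sb = blob[EXT4_SB_OFF:EXT4_SB_OFF + 1024]
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 0x38)[0] != EXT4_MAGIC:
        return None
    mtime = struct.unpack_from("<I", sb, 0x2C)[0]
    mkfs = struct.unpack_from("<I", sb, 0x108)[0]
    mounted_on = sb[0x88:0xC8].split(b"\0", 1)[0].decode(errors="replace")
    return {"created": _ts(mkfs), "last_mount": _ts(mtime), "last_mounted_on": mounted_on}
def residual_mft_record(blob, mft_sector=DEFAULT_MFT_SECTOR):
    """$STANDARD_INFORMATION times of a FILE record that survived at the default $MFT spot."""
    rec = blob[mft_sector * SECTOR:mft_sector * SECTOR + 1024]
    if rec[:4] != b"FILE":
        return None
    attr = struct.unpack_from("<H", rec, 0x14)[0]            # offset of first attribute
    while attr + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, attr)
        if atype == 0xFFFFFFFF or alen == 0:                  # end marker or corrupt length
            break
        if atype == 0x10:                                     # $STANDARD_INFORMATION (resident)
            content = attr + struct.unpack_from("<H", rec, attr + 0x14)[0]
            created, modified = struct.unpack_from("<QQ", rec, content)
            return {"ntfs_created": filetime_to_iso(created), "ntfs_modified": filetime_to_iso(modified)}
        attr += alen
    return None

def build_sample_image(mft_sector=4):
    """Constructed 4 KiB image: ext4 superblock plus a leftover $MFT record 0 at `mft_sector`."""
    img, sb, rec = bytearray(4096), EXT4_SB_OFF, mft_sector * SECTOR
    struct.pack_into("<IIHHH", img, sb + 0x2C, 1545609600, 1545609600, 1, 0, EXT4_MAGIC)  # 2018-12-24
    struct.pack_into("<I", img, sb + 0x108, 1514764800)                    # mkfs time: 2018-01-01
    img[sb + 0x88] = ord("/")                                              # s_last_mounted
    img[rec:rec + 4] = b"FILE"
    struct.pack_into("<H", img, rec + 0x14, 0x38)                          # first attribute at +0x38
    a = rec + 0x38   # header: type 0x10, length 0x60, resident, unnamed, 0x30 bytes of content at +0x18
    struct.pack_into("<IIBBHHHIH", img, a, 0x10, 0x60, 0, 0, 0x18, 0, 0, 0x30, 0x18)
    ft = (1488326400 + 11644473600) * 10_000_000                           # 2017-03-01 as FILETIME
    struct.pack_into("<QQ", img, a + 0x18, ft, ft)
    struct.pack_into("<I", img, a + 0x60, 0xFFFFFFFF)                      # end-of-attributes marker
    return bytes(img)
```

On a real partition image, open it with mmap so the 3 GiB $MFT offset is read without loading the whole volume.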
 
  

ForensicallyChallenged
Newbie
 

Re: Track history of OS installations

Posted: Dec 28, 18 01:06

Thank you for the clarification.  
 
