Windows installation date

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
DataR
Member
 

Windows installation date

Post Posted: Dec 14, 16 23:40

I would be happy to get some advice on the following question:

I am examining an image in which I need to find the initial installation date of the Windows OS. From looking at the usual places in the registry I see a date back in 2013, but the user claims that he had the system installed in 2011 and upgraded it in 2013 (from XP to 7).

How can I confirm it? Where should I look for the original installation date, and is there some place I can look to confirm that the 2013 mark was an update and not the initial installation?

Thank you
 
  

jaclaz
Senior Member
 

Re: Windows installation date

Post Posted: Dec 15, 16 00:29

- DataR
I would be happy to get some advice on the following question:

I am examining an image in which I need to find the initial installation date of the Windows OS. From looking at the usual places in the registry I see a date back in 2013, but the user claims that he had the system installed in 2011 and upgraded it in 2013 (from XP to 7).

How can I confirm it? Where should I look for the original installation date, and is there some place I can look to confirm that the 2013 mark was an update and not the initial installation?

Thank you

There is (was) no "upgrade path" from Windows XP to 7.

The OS would have been re-installed, so it is normal that you find 2013 if the "upgrade" was performed in 2013: that is when the current 7 OS was installed.
IF the OS volume (and/or other volumes) was not re-formatted (or the whole disk re-partitioned) at the time, you might find some earlier traces in the NTFS metadata/filesystem structure dates.
And, a long shot, there may still be some traces of files that are "normal" in an XP install, such as NTLDR, ntdetect.com and boot.ini.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

DataR
Member
 

Re: Windows installation date

Post Posted: Dec 15, 16 00:49

In this case, I am looking for cookies and web activity from before 2013 (2010-2012), and I find a lot of them. So I assume that during the update/upgrade there was no format.

So there is no way to know what was there before the Windows update in 2013?
 
  

joakims
Senior Member
 

Re: Windows installation date

Post Posted: Dec 15, 16 15:44

Besides jaclaz's suggestion, you could analyze the various portions of slack and unallocated.
_________________
Joakim Schicht

github.com/jschicht
 
  

jaclaz
Senior Member
 

Re: Windows installation date

Post Posted: Dec 15, 16 20:11

- DataR
In this case, I am looking for cookies and web activity from before 2013 (2010-2012), and I find a lot of them. So I assume that during the update/upgrade there was no format.

So there is no way to know what was there before the Windows update in 2013?

Then *anything goes*.

Though, of course, there is no real way to say that the date the filesystem was created was also the time of the first install of an OS (and even if you find, possibly in the slack or in "deleted" fragments or "whole", definitely XP-related files, they may be there for several reasons).

I wouldn't even completely rule out the actual hard disk manufacture date (on the label of the disk).

IF the disk manufacturing date is in a "suitable range", let's say manufactured in October 2010, it is more likely that the first NTFS metadata dates you can find relate to a format done when installing the OS for the first time (i.e. the XP in 2011[1]).
If the disk is older than that, then it is more likely that it was already used, and the NTFS dates may relate to an even earlier OS install.
If it is newer and you find older dates in the NTFS, then it is a "clone" of a previous system.

jaclaz

[1] Installing Windows XP for the first time in 2010 or 2011 is not actually "common", since Vista is from 2006 and 7 from 2009, so it must have been a "custom" install, or in any case not the "standard" one for a new computer; in particular, End Of Sale for XP was, at least in theory, 30 June 2008.
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

JimC
Senior Member
 

Re: Windows installation date

Post Posted: Feb 01, 17 15:30

I would suggest looking at the $FN attributes of the various system folders (\WINDOWS, \WINDOWS\SYSTEM32 etc).

The creation timestamp will typically record when the folder was created and is unlikely to have changed since this would only happen if the folder was moved/renamed.

Jim
www.binarymarkup.com
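The checks jaclaz and JimC describe (earlier dates in NTFS metadata; the $FILE_NAME creation timestamp of \WINDOWS and \WINDOWS\SYSTEM32 compared with $STANDARD_INFORMATION) both come down to reading the two timestamp sets out of an MFT FILE record. The script below is an added example, not code from any poster in this thread: it applies the update sequence fixups, walks the resident attributes of a 1024-byte record and returns the $SI and every $FN timestamp set. The record it parses is constructed in build_sample_record() with made-up dates for a hypothetical \Windows directory (record number, sequence numbers and times are all assumptions, not values from any real image); on a case you would feed parse_record() the records of an exported $MFT instead.

```python
"""Read $STANDARD_INFORMATION and $FILE_NAME timestamps from a raw NTFS MFT FILE record.
Added example for this thread; the sample record below is constructed, not from a real disk."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def apply_fixups(record, sector_size=512):
    """Undo the update sequence array: NTFS stores the USN in the last two bytes of every
    sector and keeps the original bytes in the array, so nothing is parsed before this."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from('<HH', rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * sector_size
        if rec[end - 2:end] != usn:
            raise ValueError('fixup mismatch in sector %d: torn or corrupt record' % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def _stamps(cr, mo, mf, ac):
    return {'created': filetime_to_datetime(cr), 'modified': filetime_to_datetime(mo),
            'mft_modified': filetime_to_datetime(mf), 'accessed': filetime_to_datetime(ac)}

def parse_record(record):
    """Return header flags, the $SI timestamps and every $FN attribute (a file may carry a
    Win32 and a DOS 8.3 name, each with its own timestamp set). Resident attributes only."""
    if record[:4] != b'FILE':
        raise ValueError('not a FILE record')
    rec = apply_fixups(record)
    first_attr, flags = struct.unpack_from('<HH', rec, 0x14)
    out = {'in_use': bool(flags & 1), 'is_dir': bool(flags & 2), 'si': None, 'fn': []}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from('<II', rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                                   # resident attribute
            vlen, voff = struct.unpack_from('<IH', rec, off + 0x10)
            val = rec[off + voff:off + voff + vlen]
            if atype == ATTR_STANDARD_INFORMATION:
                out['si'] = _stamps(*struct.unpack_from('<QQQQ', val, 0))
            elif atype == ATTR_FILE_NAME:
                parent, *ts = struct.unpack_from('<QQQQQ', val, 0)
                entry = _stamps(*ts)
                nlen, namespace = val[0x40], val[0x41]       # 0 POSIX, 1 Win32, 2 DOS, 3 both
                entry.update(name=val[0x42:0x42 + 2 * nlen].decode('utf-16-le'),
                             namespace=namespace, parent=parent & 0xFFFFFFFFFFFF)
                out['fn'].append(entry)
        off += alen
    return out

def creation_gap_days(parsed):
    """Days from the oldest $FN creation time to the $SI creation time."""
    return (parsed['si']['created'] - min(f['created'] for f in parsed['fn'])).days

# --- constructed sample: a record for \Windows with invented dates and numbers ---
def _attr(atype, value):
    total = (0x18 + len(value) + 7) & ~7                        # attribute length is 8-byte aligned
    hdr = struct.pack('<IIBBHHHIHBB', atype, total, 0, 0, 0x18, 0, 0, len(value), 0x18, 0, 0)
    return hdr + value + b'\0' * (total - 0x18 - len(value))

def _record(attrs, record_number, flags, record_size=1024, sector_size=512):
    usa_off, usa_count = 0x30, record_size // sector_size + 1
    first_attr = (usa_off + 2 * usa_count + 7) & ~7
    body = b''.join(attrs) + struct.pack('<I', ATTR_END) + b'\0' * 4
    rec = bytearray(record_size)
    rec[:0x30] = struct.pack('<4sHHQHHHHIIQHHI', b'FILE', usa_off, usa_count, 0, 1, 1, first_attr,
                             flags, first_attr + len(body), record_size, 0, 0, 0, record_number)
    rec[usa_off:usa_off + 2] = b'\x07\x00'                      # update sequence number (assumed)
    rec[first_attr:first_attr + len(body)] = body
    for i in range(1, usa_count):                               # apply fixups as the driver does
        end = i * sector_size
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = b'\x07\x00'
    return bytes(rec)

def build_sample_record():
    t_fn = datetime_to_filetime(datetime(2011, 3, 5, 9, 30, tzinfo=timezone.utc))    # made up
    t_si = datetime_to_filetime(datetime(2013, 6, 12, 18, 45, tzinfo=timezone.utc))  # made up
    si = struct.pack('<QQQQIIII', t_si, t_si, t_si, t_si, 0x10, 0, 0, 0)
    root = (5 << 48) | 5                                        # parent: root dir, record 5, seq 5
    fn = struct.pack('<QQQQQQQIIBB', root, t_fn, t_fn, t_fn, t_fn, 0, 0, 0x10000000, 0,
                     len('Windows'), 3) + 'Windows'.encode('utf-16-le')
    return _record([_attr(ATTR_STANDARD_INFORMATION, si), _attr(ATTR_FILE_NAME, fn)],
                   record_number=27, flags=0x03)                # in use + directory

if __name__ == '__main__':
    p = parse_record(build_sample_record())
    for f in p['fn']:
        print('$FN %-8s created %s' % (f['name'], f['created']))
    print('$SI          created %s' % p['si']['created'])
    print('gap: %d days' % creation_gap_days(p))
```

In the constructed record the $FN creation time predates the $SI creation time by a little over two years, which is the pattern JimC's suggestion is looking for; on a real image run the same comparison over the records for \WINDOWS, \WINDOWS\SYSTEM32 and the profile root, and treat any gap as a lead to corroborate (jaclaz's caveats about cloned disks and re-used drives still apply), not as proof of the install date by itself.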