Way to find out how many times windows was reinstalled?

  

ebmetric
Member
 

Way to find out how many times windows was reinstalled?

Post Posted: Jun 07, 18 10:24

Hi there,

Is there a way to find out how many times Windows was reinstalled?

Bonus would be to find when exactly.

Thank you! :)
 
  

ludlowboy
Senior Member
 

Re: Way to find out how many times windows was reinstalled?

Post Posted: Jun 07, 18 11:43

I would start by checking for ‘windows.old’ folders. These are sometimes created when a new version of Windows is installed.
 
  

jaclaz
Senior Member
 

Re: Way to find out how many times windows was reinstalled?

Post Posted: Jun 07, 18 11:50

- ebmetric
Hi there,

Is there a way to find out how many times Windows was reinstalled?

Bonus would be to find when exactly.

Thank you! :)


Generally speaking, NO WAY.

All you normally have is the last time it was installed. In some cases (it depends on the context, on the actual method used for installation/re-install, and on the actual Windows version) a folder windows.old containing the previous installation may be found, though.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

ebmetric
Member
 

Re: Way to find out how many times windows was reinstalled?

Post Posted: Jun 07, 18 14:51

For example, I could try to recover the old windows/system32/config folder using R-Studio and then use Windows Registry Recovery to check the installation date and other information?

I have heard that with EnCase it is possible to do something similar.
 
  

jaclaz
Senior Member
 

Re: Way to find out how many times windows was reinstalled?

Post Posted: Jun 07, 18 16:29

- ebmetric
For example, I could try to recover the old windows/system32/config folder using R-Studio and then use Windows Registry Recovery to check the installation date and other information?

I have heard that with EnCase it is possible to do something similar.


It is unlikely that you will recover that folder, and even more unlikely that you will be able to recover a "sound" enough Registry file, and even if you recover a good enough Registry, that the information you seek is recoverable, and anyway it would not be IMHO "final" or even "reliable" evidence, particularly with Windows 10, see:
www.raedts.biz/forensi...tion-date/
az4n6.blogspot.com/201...-lies.html

but also previous versions may have "strange" dates/times because of BIOS time at install time, or use of sysprep, etc., see also:
www.forensicfocus.com/...c/t=15574/
www.forensicfocus.com/...c/t=13178/
www.forensickb.com/200...ating.html

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

thefuf
Senior Member
 

Re: Way to find out how many times windows was reinstalled?

Post Posted: Jun 07, 18 19:14

It could be possible to recover registry hives from a previous Windows installation. Try yarp-carver (https://github.com/msuhanov/yarp), it supports the reconstruction of fragmented hives.  
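
The header check a hive carver starts from, as an added example that is not part of the original post and is not yarp's code: it scans a raw image at sector boundaries for `regf` base blocks, validates the header checksum, and reports each header's last-written time and embedded file name. The 512-byte alignment and the sample image are assumptions constructed for the illustration.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SECTOR = 512  # assumption: base blocks start on 512-byte sector boundaries

def regf_checksum(block: bytes) -> int:
    """XOR of the first 127 little-endian dwords (bytes 0..507) of a base block."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:          # the format reserves these two values
        return 0xFFFFFFFE
    return csum or 1

def find_hive_headers(image: bytes):
    """Return (offset, last_written_utc, embedded_name, hive_bins_size) per valid base block."""
    hits = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        block = image[off:off + SECTOR]
        if block[:4] != b"regf":
            continue
        if struct.unpack_from("<I", block, 0x1FC)[0] != regf_checksum(block):
            continue                # stray signature or damaged header: skip it
        (filetime,) = struct.unpack_from("<Q", block, 0x0C)
        (bins_size,) = struct.unpack_from("<I", block, 0x28)
        name = block[0x30:0x70].decode("utf-16-le", "replace").split("\x00")[0]
        when = EPOCH_1601 + timedelta(microseconds=filetime // 10)
        hits.append((off, when, name, bins_size))
    return hits

def make_header(name: str, when: datetime, corrupt: bool = False) -> bytes:
    """Build a constructed base block for the demo (not real evidence)."""
    block = bytearray(b"regf".ljust(SECTOR, b"\x00"))
    filetime = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    struct.pack_into("<IIQ", block, 4, 1, 1, filetime)   # sequence numbers, last written
    struct.pack_into("<I", block, 0x28, 0x2000)          # hive bins data size
    block[0x30:0x30 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)) ^ int(corrupt))
    return bytes(block)

def build_sample_image() -> bytes:
    """Constructed 'unallocated space': two intact headers and one damaged one."""
    old = make_header("System32\\config\\SOFTWARE", datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc))
    new = make_header("System32\\config\\SOFTWARE", datetime(2018, 1, 15, 9, 30, tzinfo=timezone.utc))
    bad = make_header("System32\\config\\SYSTEM", datetime(2017, 6, 1, tzinfo=timezone.utc), corrupt=True)
    return bytes(SECTOR) + old + bytes(3 * SECTOR) + bad + bytes(SECTOR) + new

if __name__ == "__main__":
    print(*find_hive_headers(build_sample_image()), sep="\n")
```

A valid header only shows that a hive once started at that offset; the last-written time is when the hive was last modified, not an installation date, and the hive bins that followed it may already be overwritten.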
 
  

jaclaz
Senior Member
 

Re: Way to find out how many times windows was reinstalled?

Post Posted: Jun 07, 18 20:02

- thefuf
It could be possible to recover registry hives from a previous Windows installation.


Sure it is possible, but highly unlikely.

Let's say you install Windows "fresh" for the very first time on a brand new disk; for the sake of the reasoning, let us assume you use a "default" partitioning (a single partition or a small "hidden" partition + the actual large partition for the OS).

The install will take - roughly - the first 16 GB of the large partition.

Then you fill the rest of the partition with your data.

At a given point you need/want to reinstall.

You have basically 3 (three) options (excluding the wiping of the disk or of the partition with the format without the /q):
1) back up the data, format the partition (quick) and reinstall Windows
2) delete the \windows folder (and possibly some other specific OS folders) and reinstall Windows
3) reinstall Windows on the partition "as is" (and thus the OS will create the windows.old folder)

In case 1) the actual Windows files (that come from a "same" applied .wim, by a "same" setup command) will 99.99% occupy the same areas they did originally, overwriting the original install.

In case 2) it has to be seen, and it may depend on the actual level of fill of the filesystem, surely (again 99.99%) if the partition is filled up to the brim, and install sees only a 16 GB or so "free" chunk will install there, but I believe that even on a not-so-filled up the setup will choose to write on that same area.

In case 3) the files are not deleted and so you don't *need* to carve anything.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
