Windows installation date  

DataR
(@datar)
New Member

I will be happy to get advice on the following question.

I am examining an image, in which I need to find the initial installation date of the Windows OS. From looking at the usual places in the registry I see a date back in 2013, but the user claims that he had the system installed in 2011, and upgraded it in 2013 (from XP to 7).

How can I confirm it? Where should I look for the original installation date, and is there some place I can look to confirm that the 2013 mark was an update and not the initial installation?

Thank you

Posted : 14/12/2016 11:40 pm
jaclaz
(@jaclaz)
Community Legend

> I will be happy to get advice on the following question.
>
> I am examining an image, in which I need to find the initial installation date of the Windows OS. From looking at the usual places in the registry I see a date back in 2013, but the user claims that he had the system installed in 2011, and upgraded it in 2013 (from XP to 7).
>
> How can I confirm it? Where should I look for the original installation date, and is there some place I can look to confirm that the 2013 mark was an update and not the initial installation?
>
> Thank you

There is (was) not an "upgrade path" from Windows XP to 7.

The OS would have been re-installed, so it is normal that you find 2013 if the "upgrade" was performed in 2013; that is when the current 7 OS was installed.
IF the OS volume (and/or other volumes) has not been re-formatted (or the whole disk re-partitioned) at the time, you might find some earlier traces in the NTFS metadata/filesystem structures dates.
And - a loong shot - there may still be some traces of files that are "normal" in an XP install, such as NTLDR, ntdetect.com and boot.ini.

jaclaz

Posted : 15/12/2016 12:29 am
DataR
(@datar)
New Member

In this case, I am looking for cookies and web activity from before 2013 (2010-2012), and I find a lot of them. So I assume that during the update/upgrade there was no format.

So no way to know what was before the Windows update in 2013?

Posted : 15/12/2016 12:49 am
joakims
(@joakims)
Active Member

Besides jaclaz's suggestion, you could analyze the various portions of slack and unallocated.

Posted : 15/12/2016 3:44 pm
jaclaz
(@jaclaz)
Community Legend

> In this case, I am looking for cookies and web activity from before 2013 (2010-2012), and I find a lot of them. So I assume that during the update/upgrade there was no format.
>
> So no way to know what was before the Windows update in 2013?

Then *anything goes*.

Though - of course - there is no real way to say that the date the filesystem was created was also the time of first install of an OS (and even if you find - possibly in the slack or "deleted" fragments or "whole" definitely XP related files, they may be there for several reasons).

I wouldn't even completely rule out the actual hard disk manufacture date (on the label of the disk).

IF the disk manufacturing date is in a "suitable range", let's say manufactured in October 2010, it is more likely that the first NTFS metadata dates you can find are related to a format done when installing (for the first time) the OS (i.e. the XP in 2011[1]).
If the disk is older than that then it is more likely that it was already used and then the NTFS dates may be related to an even earlier OS install.
If it is newer and you find older dates in the NTFS, then it is a "clone" of a previous system.

jaclaz

[1] Installing for the first time a Windows XP in 2010 or 2011 is not actually "common" since Vista is 2006 and 7 is 2009, so it must have been a "custom" install or however not the "standard" one for a new computer, particularly, End Of Sale for XP was - at least in theory - 30 June 2008.

Posted : 15/12/2016 8:11 pm
JimC
(@jimc)
Member

I would suggest looking at the $FN attributes of the various system folders (\WINDOWS, \WINDOWS\SYSTEM32, etc.).

The creation timestamp will typically record when the folder was created and is unlikely to have changed since this would only happen if the folder was moved/renamed.

Jim
www.binarymarkup.com

Posted : 01/02/2017 3:30 pm
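
To illustrate the $FN suggestion above, here is an added example (not code from any poster in this thread) that reads the creation timestamps from both the $STANDARD_INFORMATION and $FILE_NAME attributes of a single raw MFT record. The function names are hypothetical, the sample record and its dates are constructed test data, and the parser assumes update-sequence fixups have already been applied and that both attributes are resident.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(raw):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=raw // 10)

def record_times(rec):
    """Return {'SI': created, 'FN': [(name, created), ...]} for one MFT record.
    Assumption: fixups already applied; only resident attributes are read."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", rec, 0x14)[0]        # offset of first attribute
    out = {"SI": None, "FN": []}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:            # end marker / corrupt length
            break
        if atype in (0x10, 0x30) and rec[off + 8] == 0:  # $SI or $FN, resident
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff: off + coff + clen]
            if atype == 0x10:                           # $SI: created at offset 0
                out["SI"] = filetime(struct.unpack_from("<Q", body, 0)[0])
            else:                                       # $FN: created at offset 8
                created = filetime(struct.unpack_from("<Q", body, 8)[0])
                name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
                out["FN"].append((name, created))
        off += alen
    return out

def _ft(dt):    # datetime -> FILETIME ticks (helper for the constructed sample)
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def _attr(atype, body):    # build one resident attribute (constructed sample)
    pad = b"\0" * (-len(body) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(body) + len(pad),
                       0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0) + body + pad

def sample_record():
    """Constructed record for a folder named WINDOWS; the dates are arbitrary."""
    t_si = _ft(datetime(2013, 6, 1, 9, 30, tzinfo=timezone.utc))
    t_fn = _ft(datetime(2011, 3, 5, 10, 0, tzinfo=timezone.utc))
    si = struct.pack("<4Q", t_si, t_si, t_si, t_si) + b"\0" * 16
    fn = struct.pack("<Q4QQQIIBB", 5, t_fn, t_fn, t_fn, t_fn, 0, 0,
                     0x10000000, 0, 7, 3) + "WINDOWS".encode("utf-16-le")
    hdr = b"FILE" + b"\0" * 0x10 + struct.pack("<H", 0x38) + b"\0" * (0x38 - 0x16)
    return hdr + _attr(0x10, si) + _attr(0x30, fn) + struct.pack("<II", 0xFFFFFFFF, 0)
```

Calling `record_times(sample_record())` returns the $SI creation time alongside each $FN name and creation time, so the two sets of values can be compared for the same folder.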