Basic OS Analysis

patrick1981
(@patrick1981)
New Member

I had so much success with my previous post that I thought I'd come back with another inquiry. Again, I searched the forums but didn't see anything that I understood to speak to what I am specifically wondering about however my novice status could have very well prevented me from understanding that this topic has in fact been covered previously so please forgive me and advise me as such. Also and again, I am as green as they come so I appreciate the patience with the basic nature of my question!

With the preface out of the way, I am working on an investigation that involves a Windows 7 laptop. The system in question was used by Mr. A for a yet-to-be-determined amount of time before it was given to Mr. B for use. So far, the only evidence of a crime found was located in unallocated space and unfortunately no temporal data associated with said evidence has been obtained. Once I gather more information regarding the located evidence, I will come back to discuss the possibility of additional metadata existing, but until then I'd like to address the question of whether or not a new OS had been installed and/or the system reformatted. Specifically, I am seeking the install date and time of any OS installations and/or the date and time of any reformatting functions. The thought being that either

A., Mr. A was assigned a system and committed a crime on said system before reinstalling a new OS and/or reformatting the drive and giving the system to Mr. B or

B., Mr. B committed a crime on said system and installed a new OS and/or reformatted the drive before giving the system back to Mr. A.

I understand the most important piece of information is determining if any temporal data can be associated with the evidence, but if the case agent knows when a drive was reformatted and/or when a new OS was installed then he can better direct inquiries with the appropriate suspect.

Posted : 29/01/2015 8:32 pm
patrick1981
(@patrick1981)
New Member

I understand it wouldn't be too suspicious if the system was reformatted and/or a new OS installed before Mr. A gave the system to Mr. B or before Mr. B gave the system back to Mr. A but there are additional factors that come into play here such as A. Mr. B is incredibly untechnical so a reformat or even a new OS install is unlikely to have occurred outside above-average motivation and B. an OS upgrade and/or reformat operation is against departmental policy.

Also, I understand determining the "OS Install Date" to be, for the most part, straightforward:

http://www.computerforensicsworld.com/modules.php?name=Forums&file=viewtopic&p=4692

Additionally, I've found the following site, which addresses the consideration of file system creation date vs. OS install date:

http://www.forensickb.com/2009/05/file-system-creation-date-vs-operating.html

I guess A. I wanted to see if there was a way to determine the timestamps for all system reformats/OS installations vs. the most recent one and B. if there was any advice from the community here regarding additional considerations/techniques regarding this topic.

Posted : 29/01/2015 8:36 pm
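The comparison the second post points at (registry "InstallDate" vs. NTFS file system creation time) worked through as an added example; this is not code from the thread or from the linked sites. It assumes the two raw values have already been pulled from the SOFTWARE hive and the $MFT with whatever tool you use, and the sample values below are constructed, not from the case.

```python
from datetime import datetime, timedelta, timezone

# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate is a DWORD
# holding seconds since 1970-01-01 UTC (Unix epoch), so convert it as such.
def install_date_to_utc(install_epoch: int) -> datetime:
    return datetime.fromtimestamp(install_epoch, tz=timezone.utc)

# NTFS timestamps are FILETIME values: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(filetime: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def classify_install(install_epoch: int, fs_created_filetime: int,
                     tolerance: timedelta = timedelta(hours=1)):
    """Compare OS install time with file system creation time.

    format-then-install      : file system created shortly before the OS was
                               installed, i.e. the volume was (re)formatted
                               as part of this installation.
    reinstall-on-existing-fs : the file system is much older than the OS
                               install, i.e. an OS install on a volume that
                               was not reformatted (older data may survive).
    anomaly                  : install date predates the file system, which
                               needs explaining (clock change, restored image).
    """
    installed = install_date_to_utc(install_epoch)
    fs_created = filetime_to_utc(fs_created_filetime)
    gap = installed - fs_created
    if gap < timedelta(0):
        verdict = "anomaly"
    elif gap <= tolerance:
        verdict = "format-then-install"
    else:
        verdict = "reinstall-on-existing-fs"
    return verdict, installed, fs_created, gap

# Constructed sample values (hypothetical, not from any real system).
SAMPLES = {
    "laptop-A": (1420070400, 130645422000000000),  # install 2015-01-01, fs 30 min earlier
    "laptop-B": (1420070400, 130330080000000000),  # install 2015-01-01, fs 2014-01-01
}

if __name__ == "__main__":
    for name, (epoch, ft) in SAMPLES.items():
        verdict, inst, fs, gap = classify_install(epoch, ft)
        print(f"{name}: installed {inst:%Y-%m-%d %H:%M}Z, fs created "
              f"{fs:%Y-%m-%d %H:%M}Z, gap {gap} -> {verdict}")
```

Only the most recent installation is visible this way; the registry value is overwritten on each install, so earlier installs need other artifacts.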