Check to see if OS was upgraded?

Off the top of my head, (so you'll to verify this)
Windows NT and 2000 has the following file

%SystemRoot%\System32\$winnt%.inf

this has the following variables

winntupgrade = "no"
win9xupgrade = "no"
win31upgrade = "no"

If it was upgraded i beleive these change to "yes"

Hope this helps

I dont beleive this file exsists in Windows XP (or probably vista)

Therefore i dont know how to tell in those, though can't you just pull the installation date from the Reg, and compare this to the $MFT object in Encase.

I assume that, a clean install would format the disk MFT and Installation date would be the same.

Upgrade MFT would be older than the installation date, as the disk would not have been formated.

Though thinking about it,

If the user decided to delete the windows dir and install clean (without formatting), you would need to check the MFT creation date against the Windows Folder Creation Date.

Sorry for posting three seperate posts.

Tom

Tom,

Don't be sorry…this is a good thought process to go through. Time after time, the majority of folks in forums like this don't want to ask questions as much as they just want to see "how others do it". This is a good look into that.

I guess the question that needs to be asked is, who cares? I know, this is kind of abrupt, but if someone upgrades from 98 to XP, they're using XP. By asking "who cares", what I'm getting at is, why is "was the system upgraded" important? Is it b/c a customer is asking…out of curiosity? What's the underlying rational and is there a better way to address that?

If we're talking about upgraded in the sense that the user popped a CD in and chose "Upgrade" as opposed to "format and install", then you're likely to see remnants of the old file system…files specific to 98 left behind. One example of this is when a friend "upgraded" from XP to Vista…the Documents and Settings directory was still present, although Vista was now using C\Users.

Good question, and good discussion thus far…

The best way is to actually do the upgrade yourself and see what changes or what remains. You could also look user files that were created before WinXP was installed. That could give you an indication (not always).

I guess the question that needs to be asked is, who cares?

I'd guess "when" _could_ be a more pertinent question. If the use of an application was dependant on XP rather than 98 the fact that said machine had been upgraded on the 1st of July, 2008 means that the chances of that program having been used before that date are slim …

Just a possible justification for the concept - don't ask for an example - I can't think of a real one either …

Azrael,

Interesting…particularly given the fact that XP does application prefetching in addition to maintaining a pretty good resource in the UserAssist key.

My point is that many times when working with customers, requests come in such as this…but working with the customer to get back to the core issue or question that they are trying to answer may show that their original request was based on faulty assumptions.

Either way, I agree…the way to go about this is to upgrade a system and document the artifacts. This also leads us to another, broader issue within the community…there are no repositories of such resources available.

Either way, I agree…the way to go about this is to upgrade a system and document the artifacts. This also leads us to another, broader issue within the community…there are no repositories of such resources available.

I seem to recall that we discussed this before http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1708 at the time we decided that there was no value in creating a "new" resource … Has your opinion changed ?

Windows has a nice little habit of updating its out of the box experience file when you install or upgrade an operating system. Been a while since I looked at this, but if I remember correctly, you can find the OOBE files and establish, with some reservations, the install date, or the first run date.