shanex,
What operating system (and version) were you working with?
What tool were you using?
Which keys had LastWrite times from 2005?
Hi H,
I am using some Perl code I found in a book - and as I get more and more into this stuff, I realise that the author of that code might be very nearby 😉
Windows XP Professional, SP2. I used the tool on keys I had changed moments earlier, and it worked great. The key that returned 2005 was the key mentioned as an example in the book, i.e.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Thanks for any help!
Something that just occurred to me… although this laptop is new, I suspect it may have been built from a disk image CD… if that image was from 2005, would those dates stick on an install from that CD? Seems like the only plausible explanation…
Edit
Having said that, just looking at some of the data/values under the Winlogon key, some of it is definitely not from 2005 (for example the DefaultUserName is set to my Windows user name, which was definitely only set very, very recently!), so I go back to my original question - shouldn't LastWrite on this key be far more recent?
Hello all,
Here is a problem I'm trying to solve. Suppose someone sat you down at a PC (running Windows XP Professional, SP2) and asked you the following simple question: has this PC ever been connected to any computer network?
The challenge is not necessarily to identify which networks, just a yes/no as to whether the PC has ever been on some network.
Also, please assume that nobody has been trying to hide their tracks on this PC by deleting logs or caches or events etc. It's not a crime I'm trying to solve here, just a theoretical question. So nothing has been deleted or cleaned from the PC.
In theory this sounds easy, but can it be proved rigorously?
Obviously, the first step would be to examine Internet Explorer histories, temp files, etc., but suppose they were all empty. What then? As far as I can see, XP does not by default store a history of IPs a PC has been assigned or a log of established connections.
Here are some ideas I had:
1) If Windows Firewall logging was on, it would tell you about network connections, but if this logging was off (which it is by default), you're out of luck.
2) If "ipconfig /all" simply output "Windows IP Configuration", would this prove the PC has never been on a network?
3) If there were no tcpip/browser/LAN source events in the Event Viewer, would this prove the PC has never been on a network?
Any other ideas?
Thanks for any help!
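For idea 1) above, here is an added example (not code from the thread or from any book) of how an examiner could turn an XP Windows Firewall log into a yes/no answer: it parses the log's own `#Fields:` header and keeps only records with at least one non-loopback endpoint, since loopback-only traffic proves nothing about a network. The log layout and the sample records are constructed assumptions, not taken from a real machine.

```python
import ipaddress
from datetime import datetime

# Constructed sample in the W3C extended format that the XP firewall writes
# to pfirewall.log when logging is enabled (assumed layout; the column names
# are taken from the log's own #Fields header, never hard-coded).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-03-12 09:15:02 OPEN TCP 127.0.0.1 127.0.0.1 1034 135 - - - - - - - - -
2007-03-12 09:15:40 OPEN UDP 192.168.1.23 192.168.1.1 1035 53 - - - - - - - - -
2007-03-12 09:15:41 OPEN TCP 192.168.1.23 65.55.12.249 1036 80 - - - - - - - - -
2007-03-12 09:16:05 DROP TCP 10.0.0.7 192.168.1.23 4321 445 48 S 123 0 8192 - - - RECEIVE
"""

def parse_firewall_log(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip, don't misalign
        yield dict(zip(fields, values))

def network_evidence(text):
    """Records with at least one non-loopback endpoint (inbound DROPs count too:
    a packet from another host means the PC was reachable on some network)."""
    hits = []
    for rec in parse_firewall_log(text):
        try:
            src = ipaddress.ip_address(rec["src-ip"])
            dst = ipaddress.ip_address(rec["dst-ip"])
        except ValueError:
            continue  # '-' or garbage in an address field
        if not (src.is_loopback and dst.is_loopback):
            hits.append(rec)
    return hits

def first_network_timestamp(text):
    """Earliest local time at which the log shows the PC on a network, or None."""
    hits = network_evidence(text)
    if not hits:
        return None
    return min(datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
               for r in hits)
```

An empty result only means the log holds no evidence; with logging off by default, absence of records is not proof the PC was never networked.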
Hi,
If the PC is still on, you can try searching for ARP entries in the local ARP cache,
or you can try to search for the PC's MAC in the switch's ARP cache or maybe the CAM table.
I know this is very out of track, maybe this can be the best option.
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA. ITIL.MCSE.MCSA.MCP.