Here's the story
Ran the Init Case script on a particular hard drive within various versions of EnCase (up to the most recent version). It keeps returning a date in 2000, seven years earlier than the OS was installed.
Heard there was an issue with Vista and the Last Shutdown registry key. In this case, I previewed the SYSTEM Hive and could not locate the key. So, if the key is not there why is EnCase returning a result at all?
Trying the system.evtx route via Event ID 1074, but not sure that this is the correct way to determine the last shutdown time of this particular system.
Any ideas would be appreciated.
Edit: also checking Event ID 6006.
As far as I know, this problem is associated with the Vista OS, pre-SP1 (at least that's been my experience of it)? I can't remember off-hand where EnCase actually gets the 2000 timestamp from…
In the past I've used the timestamp associated with the last file activity on the system, to determine the Last Shutdown Time.
HTH
Phil H
Thanks philh,
I just need confirmation from Guidance Software that this is a known error for court purposes. I am in the process of contacting them and will post their response (if I get a satisfactory one).
Update
EnCase has given this issue a defect # (35813), and states that the new version of EnCase will deal with it. They forwarded an EnPack that, when run on the drives, bookmarks the correct Shutdown Time.
Have you run RegRipper against the hives as well? I usually run the case processor and RR to compare results and confirm. Just a thought.
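The cross-check this thread converges on (the ShutdownTime FILETIME from the SYSTEM hive, Event ID 1074/6006 in System.evtx, the OS install date as a sanity bound, and a second tool to confirm the first), written out as an added worked example. This is not code from the original posts, nor from EnCase, the Init Case EnScript or RegRipper. It assumes the ShutdownTime value (HKLM\SYSTEM\ControlSet00N\Control\Windows\ShutdownTime) has been exported as its raw 8 bytes, that InstallDate has been read from the SOFTWARE hive as its Unix-epoch DWORD, and that System.evtx was exported with `wevtutil qe System /f:xml`; the FILETIME, install date and XML records in the block are constructed sample data, and the one-hour tolerance is an arbitrary choice.

```python
"""Cross-check a Windows last-shutdown time from two independent artefacts.

1. The REG_BINARY FILETIME in HKLM\\SYSTEM\\ControlSet00N\\Control\\Windows\\ShutdownTime
   (pass the raw 8 bytes exported from the hive, e.g. via RegRipper or a hive viewer).
2. Event ID 1074 / 6006 records from System.evtx, exported as XML with
   `wevtutil qe System /f:xml` (the XML below is constructed sample data).
"""
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EVTX_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SHUTDOWN_EVENT_IDS = {1074, 6006}  # 1074: user/process-initiated shutdown; 6006: Event Log service stopped


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode a little-endian 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used here only to build the sample value."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def parse_system_time(stamp: str) -> datetime:
    """Parse TimeCreated/@SystemTime; wevtutil writes up to 7 fractional digits and a trailing Z."""
    base, _, frac = stamp.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]  # strptime's %f takes at most 6 digits
    return datetime.strptime(f"{base}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def shutdown_events(evtx_xml: str) -> List[datetime]:
    """Return TimeCreated of every 1074/6006 record in a wevtutil XML export, oldest first."""
    root = ET.fromstring(f"<Events>{evtx_xml}</Events>")  # wevtutil emits bare <Event> siblings
    times = []
    for ev in root.findall("e:Event", EVTX_NS):
        if int(ev.findtext("e:System/e:EventID", namespaces=EVTX_NS)) not in SHUTDOWN_EVENT_IDS:
            continue
        times.append(parse_system_time(ev.find("e:System/e:TimeCreated", EVTX_NS).get("SystemTime")))
    return sorted(times)


def assess_shutdown_time(reg_raw: bytes, install_date_unix: int, evtx_xml: str,
                         tolerance: timedelta = timedelta(hours=1)) -> Dict[str, object]:
    """Flag a ShutdownTime that is missing, predates InstallDate, or disagrees with the event log."""
    reg_time: Optional[datetime] = filetime_to_datetime(reg_raw) if reg_raw else None
    install = datetime.fromtimestamp(install_date_unix, tz=timezone.utc)  # InstallDate is a Unix-epoch DWORD
    events = shutdown_events(evtx_xml)
    last_event = events[-1] if events else None
    findings = []
    if reg_time is None:
        findings.append("ShutdownTime value absent from SYSTEM hive; rely on event log")
    elif reg_time < install:
        findings.append("ShutdownTime predates InstallDate; registry-derived value is not reliable")
    if reg_time is not None and last_event is not None and abs(reg_time - last_event) > tolerance:
        findings.append("ShutdownTime and last 1074/6006 event disagree by more than the tolerance")
    registry_ok = reg_time is not None and reg_time >= install
    return {
        "registry_shutdown": reg_time,
        "install_date": install,
        "last_shutdown_event": last_event,
        "findings": findings,
        "best_estimate": reg_time if registry_ok else last_event,
    }


# --- constructed sample data (not from any real case) ---
SAMPLE_SHUTDOWN_FILETIME = datetime_to_filetime(datetime(2000, 6, 15, 12, 0, tzinfo=timezone.utc))
SAMPLE_INSTALL_DATE_UNIX = int(datetime(2007, 5, 1, tzinfo=timezone.utc).timestamp())
SAMPLE_EVTX_XML = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="EventLog"/><EventID Qualifiers="32768">6005</EventID><TimeCreated SystemTime="2009-03-13T08:00:02.000000000Z"/></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="User32"/><EventID Qualifiers="32768">1074</EventID><TimeCreated SystemTime="2009-03-14T10:22:31.123456700Z"/></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="EventLog"/><EventID Qualifiers="32768">6006</EventID><TimeCreated SystemTime="2009-03-14T10:22:40.000000000Z"/></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID Qualifiers="16384">7036</EventID><TimeCreated SystemTime="2009-03-14T10:22:45.000000000Z"/></System></Event>
"""

if __name__ == "__main__":
    report = assess_shutdown_time(SAMPLE_SHUTDOWN_FILETIME, SAMPLE_INSTALL_DATE_UNIX, SAMPLE_EVTX_XML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The sample reproduces the situation in the thread: the registry value decodes to a year-2000 date that predates the 2007 install, so the report flags it and falls back to the last 6006 record as the estimate. Run the same function against the raw value your second tool reports to see whether the two agree before either figure goes into a report.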