Notifications

Clear all

Evidence of OS reinstall?

user808 · 2016-08-11T21:33:28Z

Hello all, its possible that I am just simply not looking in the right area as I am not very experienced with forensic work but I am looking to see if there is a place to look for evidence that a person may have reinstalled their operating system.Some background info –Currently working on a civil case where the user purchased their Windows 7 laptop in 2008 and used it all the way up until they turned it over for forensic imaging in early 2014. The user testified that from the time they learned that they would be turning over their laptop for imaging (they learned this mid 2013) until they actually turned it over in early 2014, that they did everything they could to preserve evidence (eg no deletion of files etc.) My goal was to dip into the image using Encase, pull all the log files (system, security, application etc.) to see if the computer was experiencing any issues over those years that it was in use. And this is where I immediately saw that something was off. All the log files show a creation date of October 2013. At first I thought perhaps some of the log files ran out of room and recycled but after further investigation, I realized all the OS log files show the same October 2013 creation date (this was further verified looking at the Windows Event Log Parser Output). At this point I took a step back and ran the System Info Parser and the OS System Artifact came back with an 'Install Date' of October 2013. I then started looking at creation dates of important files and folders - many of them come back with a creation date of October 2013 but not all of them. Some of them (eg Windows) comes back with an install date of back in 2007). Its a bit confusing - there are a lot of system folders and files that appear to have been deleted right before that October 2013 date. Some other important pieces of info - the hard drive appears to be the original one that was shipped with the laptop. Key files on the boot partition ($MFT, $MFTMirr, $LogFile etc.) all show one version deleted (that had a creation date back in 2007) and the other current "in use" version with the October 2013 creation date. Again, the user was not supposed to do anything to their laptop during that 2013 - 2014 period that might delete/alter files. So my question is, are there any key places/files I can look at that would shed a bit more light on just what exactly the user might have done on that October 2013 date?thanksps - sorry for the lengthy post, just wanted to provide as much useful info as possible.

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by user808 9 years ago

17 Posts

5 Users

0 Reactions

3,589 Views

RSS

passcodeunlock

(@passcodeunlock)

Prominent Member

Joined: 9 years ago

Posts: 792

14/08/2016 9:56 pm

If you got time, you should also try Eric Zimmerman's Registry Explorer and ShellBags Explorer tools. Hopefully you could find some more relevant data with these

https://ericzimmerman.github.io/

Not that I dislike encase or any other software, it's just another idea I got. Results from different analysis might lead to a better way figuring your case )

ReplyQuote

user808

(@user808)

Active Member

Joined: 9 years ago

Posts: 9

Topic starter 15/08/2016 12:29 am

will do. thanks passcodeunlock, I really appreciate all the help!

ReplyQuote

passcodeunlock

(@passcodeunlock)

Prominent Member

Joined: 9 years ago

Posts: 792

15/08/2016 2:00 pm

will do. thanks passcodeunlock, I really appreciate all the help!

You are welcome )

ReplyQuote

tdaniels

(@tdaniels)

New Member

Joined: 9 years ago

Posts: 2

20/08/2016 6:56 pm

thanks for response guys - was traveling the past two days and just got back.

Viewing the Install Date key under 'Current Version' had an odd value. On the left hands side the value was B2 2A 5F 52 and on the right had side was this interesting string 2*_R. I figured the left hand side was hex and I converted it to decimal and then put that through a unix time converter but the date came back as September 20th 2064. But when I ran the Encase System Info module, that reported back that the install date was the October 2013 date. So not sure why the registry key and the system module have different information.

Assuming you haven't already solved this yourself, this might help!

What you had there was the 'Hex' tab selected in the view pane. The left side of the window shows the hex data, the right hand side is the ASCII conversion of that hex.

Putting B2 2A 5F 52 through a hex to ASCII converter brings back ²*_R, as you described.

I'm going out on a limb slightly and assuming you are using EnCase 7? All you need to do is highlight those four bytes, then switch to the 'Decode' tab. You can then decode it into various date formats, which will save the manual effort of converting to decimal and putting through a Unix date converter.

You'll kick yourself when I tell you this, but that hex value is little-endian. So rather than converting B2 2A 5F 52 to epoch time, which as you said gives a date of 20/9/2064, you should have converted 52 5F 2A B2!

That gives a date of 17/10/2013, 000922 UTC!!

Hope that helps!

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

20/08/2016 8:37 pm

Just in case (and additional to what tdaniels posted ) ) there is a nice, free tool to decode dates, called dcode
http//www.digital-detective.net/digital-forensic-software/free-tools/
that accepts directly the string
B2 2A 5F 52
(of course you need to select the appropriate date format)

jaclaz

ReplyQuote

user808

(@user808)

Active Member

Joined: 9 years ago

Posts: 9

Topic starter 22/08/2016 9:03 pm

Assuming you haven't already solved this yourself, this might help!

What you had there was the 'Hex' tab selected in the view pane. The left side of the window shows the hex data, the right hand side is the ASCII conversion of that hex.

Putting B2 2A 5F 52 through a hex to ASCII converter brings back ²*_R, as you described.

I'm going out on a limb slightly and assuming you are using EnCase 7? All you need to do is highlight those four bytes, then switch to the 'Decode' tab. You can then decode it into various date formats, which will save the manual effort of converting to decimal and putting through a Unix date converter.

You'll kick yourself when I tell you this, but that hex value is little-endian. So rather than converting B2 2A 5F 52 to epoch time, which as you said gives a date of 20/9/2064, you should have converted 52 5F 2A B2!

That gives a date of 17/10/2013, 000922 UTC!!

Hope that helps!

awesome info tdaniels. thank you!

ReplyQuote

user808

(@user808)

Active Member

Joined: 9 years ago

Posts: 9

Topic starter 22/08/2016 9:04 pm

Just in case (and additional to what tdaniels posted ) ) there is a nice, free tool to decode dates, called dcode
http//www.digital-detective.net/digital-forensic-software/free-tools/
that accepts directly the string
B2 2A 5F 52
(of course you need to select the appropriate date format)

jaclaz

adding that to my growing list of tools. thanks jaclaz!

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
208 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed