Hello,
I am interested in finding the first boot time for a hard drive I am working on. I am using Access Data FTK.
I am aware that I can use the command "systeminfo" to find the first boot time of the PC I am on now, but not if I have only obtained a hard drive. Is there a log or event log I can look into to obtain the first boot time of the OS installed? I feel like some sort of power event can assist me with this, but I am unsure. I see that when I type "systeminfo" it says "Loading xxx", so I assume it's reading something to obtain this (tested on a random PC). So maybe I can find an alternative to this method?
Any help would be appreciated.
Presuming Windows, there are several date/time stamps which indicate install and first boot time.
You need to be more specific with the OS version.
At the command prompt: systeminfo | find /i "Original Install Date"
You can look at the creation date of OS folders; the best one is the C:\$Recycle.Bin date/time in the MFT.
Registry key:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
The currently installed OS has logs, registry entries, etc. If your case is about anti-forensics, all those values can be changed or altered.
In the case of Windows I would look deeper in the MFT and its backups, and I would check the creation date of the "System Volume Information" directory, since that can't be deleted on a running NTFS filesystem.
Bad news: even the "System Volume Information" directory can be deleted/altered by booting live media, thus changing the MFT info as well.
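Added example, not part of any post above: a Python sketch that cross-checks the artifacts named in this thread, so that one altered value stands out against the others. It assumes the InstallDate DWORD (Unix epoch seconds) has been read from the offline SOFTWARE hive and the folder creation times exported from the MFT as raw FILETIME values; the function names, the 24-hour tolerance and the sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_install_date(dword):
    """InstallDate is a REG_DWORD: seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(dword, tz=timezone.utc)

def from_filetime(ft):
    """MFT timestamps are FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def cross_check(install_dword, mft_created, tolerance=timedelta(hours=24)):
    """Compare InstallDate with folder creation times.

    Returns (install_time, rows); each row is
    (folder, created_utc, created - install, within_tolerance).
    A mismatch is a lead to investigate, not proof of tampering.
    """
    install = from_install_date(install_dword)
    rows = []
    for folder, ft in mft_created.items():
        created = from_filetime(ft)
        delta = created - install
        rows.append((folder, created, delta, abs(delta) <= tolerance))
    return install, rows

# Constructed sample values, not taken from any real image.
SAMPLE_INSTALL_DATE = 1500000000            # InstallDate DWORD
SAMPLE_MFT_CREATED = {                      # $STANDARD_INFORMATION created
    r"C:\$Recycle.Bin": 131444739000000000,
    r"C:\System Volume Information": 130444736000000000,
}

if __name__ == "__main__":
    install, rows = cross_check(SAMPLE_INSTALL_DATE, SAMPLE_MFT_CREATED)
    print("InstallDate:", install.isoformat())
    for folder, created, delta, ok in rows:
        flag = "consistent" if ok else "MISMATCH"
        print(f"{folder:32} {created.isoformat()} {delta} {flag}")
```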