Hi there,
I am currently doing a forensic analysis using EnCase on Windows XP images to verify whether the computers were recently reinstalled. I understand that there is a built-in EnScript to show the registry value of last OS installation date, however, the way the reinstallation was conducted in my case could probably be done by using Ghost image that was prepared a few years ago. Therefore, the registry value may show the computer was installed a few years ago while the reinstallation may have actually taken place a few weeks ago.
In order to have more confidence, I have also performed further analysis as below:
1. Checked the event logs of the computer images to see whether most of the event logs started recently or not.
2. Checked the file creation date of ntuser.dat under user profile.
I understand it is not easy to draw a conclusion or to be 100% sure about the computer reinstallation, therefore I am asking here to see whether you have any other idea to provide some assurance.
Many thanks for the help in advance.
Regards
Arnold
In order to have more confidence, I have also performed further analysis as below:
1. Checked the event logs of the computer images to see whether most of the event logs started recently or not.
Remember, this can be affected by Registry settings; for example, if the logs are set at their default size settings, but what is actually being audited (via the Security Registry hive - RegRipper will parse this…) is significant, then you may have Event Log records in the Security (and possibly the System) Event Logs for just a few days. This, of course, depends on activity levels, etc., but my point is, don't be too surprised if your available Event Log records don't go back as far as you would think.
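Added example, not code from this thread: a small Python script that carves EVENTLOGRECORD entries out of an XP-era .evt file by their "LfLe" signature (so it still reports whatever survives once a default-sized log has wrapped, as the reply above cautions) and then applies the poster's comparison of the registry InstallDate against the earliest surviving event and the ntuser.dat creation time. The .evt bytes, the sample timestamps and the 180-day gap threshold are constructed assumptions for illustration.

```python
import struct

EVT_SIG = b"LfLe"  # signature shared by the .evt file header and each record

def build_sample_evt(records):
    """Constructed sample: a minimal XP-era .evt holding (record_number, epoch) pairs."""
    body = b""
    for num, ts in records:
        names = "Service Control Manager\0XP-BOX\0".encode("utf-16-le")
        length = 56 + len(names) + 4            # fixed fields + strings + trailing Length
        length += (-length) % 8                 # records are padded to 8-byte boundaries
        rec = struct.pack("<I4sIIIIHHHHIIIIII", length, EVT_SIG, num, ts, ts, 7036,
                          4, 0, 0, 0, 0, 56 + len(names), 0, 0, 0, 0) + names
        body += rec + b"\0" * (length - len(rec) - 4) + struct.pack("<I", length)
    header = struct.pack("<I4sIIIIIIIIII", 48, EVT_SIG, 1, 1, 48, 48 + len(body),
                         len(records) + 1, 1, 0x80000, 0, 0, 48)
    return header + body

def carve_evt_records(data):
    """Return (record_number, time_generated) for every EVENTLOGRECORD whose leading
    and trailing Length fields agree. Carving by signature instead of trusting the
    header offsets also recovers records from wrapped or partly overwritten logs."""
    found = []
    i = data.find(EVT_SIG)
    while i != -1:
        start = i - 4                            # the Length field precedes the signature
        if start >= 0 and start + 56 <= len(data):
            length = struct.unpack_from("<I", data, start)[0]
            end = start + length
            if length >= 56 and end <= len(data) and \
               struct.unpack_from("<I", data, end - 4)[0] == length:
                found.append(struct.unpack_from("<II", data, start + 8))
        i = data.find(EVT_SIG, i + 4)
    return found  # the 48-byte file header fails the length >= 56 test and is skipped

def earliest_event_time(data):
    """Epoch of the oldest surviving record, or None if nothing was carved."""
    recs = carve_evt_records(data)
    return min(t for _, t in recs) if recs else None

def image_reinstall_indicator(install_date, earliest_event, ntuser_created, min_gap_days=180):
    """Thread heuristic: a registry InstallDate far older than both the earliest surviving
    event and the profile's ntuser.dat creation time is consistent with deployment from an
    old image. min_gap_days is an assumed threshold; the result is a lead, not proof."""
    gap_days = (min(earliest_event, ntuser_created) - install_date) / 86400
    return gap_days >= min_gap_days
```

Run it against an exported .evt and the InstallDate/ntuser.dat epochs pulled from the image; a True result only says the three timestamps disagree in the direction a Ghost-based reinstall would produce.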
I would scan for all MFT entries. If there are MFTs outside the current $MFT this could be an indication of a previous installation. This process may work as $MFT tends to grow and sometimes get fragmented. A recent installation will probably not be fragmented, and may be shorter than the previous one.
Thank you very much for your reply!