In a recent forensic analysis of a 250 GB hard disk with Windows Vista as the OS, I came across a strange scenario.
The $MFT date showed April 2009 (date of format) and the OS installation date is September 2008, which was found from the registry hive - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
Well, I know one of the known facts could be that the system date and time was changed, but if that's the case, then at what stage was the system date & time changed?
I don't think it could be changed after the OS was installed. Can it be changed during the installation of the OS? If yes, where do I get the evidence for the same to prove my point?
The "install" date does not always correspond to the actual date of the install. Vista is really a copy where many of the dates come from when the installer on the disk was created.
A couple of things to check:
- Is this a legit copy of Vista? If not, someone may have run the "Rearm 2099" crack or similar to bypass activation.
- What is the patch level? Some Service Packs and patches "adjust" the install date (I suspect partly to foil illegal copies of Vista with the aforementioned crack).
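To reproduce the comparison discussed in this thread from raw artifacts, the following added example (not code from either poster) decodes the `InstallDate` REG_DWORD as Unix epoch seconds and reads the creation FILETIME from the `$STANDARD_INFORMATION` attribute of the `$MFT` file record, both in UTC. The function names and the sample bytes are assumptions built for illustration; only the months match the post.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def install_date_to_dt(raw):
    """InstallDate is a REG_DWORD: little-endian Unix epoch seconds."""
    (secs,) = struct.unpack("<I", raw)
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def mft_created(record):
    """Creation time from the resident $STANDARD_INFORMATION of a FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    (off,) = struct.unpack_from("<H", record, 0x14)      # offset of first attribute
    while off + 0x18 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:             # end marker or corrupt length
            break
        if atype == 0x10 and record[off + 8] == 0:       # 0x10 = $STANDARD_INFORMATION
            (coff,) = struct.unpack_from("<H", record, off + 0x14)
            (ft,) = struct.unpack_from("<Q", record, off + coff)
            # FILETIME: 100-ns ticks since 1601-01-01 UTC
            return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
        off += alen
    raise ValueError("no resident $STANDARD_INFORMATION attribute")

def compare(install_raw, record):
    inst, created = install_date_to_dt(install_raw), mft_created(record)
    return {"install": inst, "mft_created": created,
            "install_predates_format": inst < created}

def build_sample_record(created):
    """Constructed minimal FILE record (sample data, not from a real disk)."""
    ft = int((created - FILETIME_EPOCH).total_seconds()) * 10_000_000
    content = struct.pack("<4Q", ft, ft, ft, ft).ljust(0x30, b"\0")
    attr = struct.pack("<IIBBHHHIHH", 0x10, 0x18 + len(content),
                       0, 0, 0, 0, 0, len(content), 0x18, 0) + content
    header = bytearray(0x38)
    header[0:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, 0x38)
    return (bytes(header) + attr + b"\xff" * 4).ljust(1024, b"\0")

# Constructed values matching the months in the post (days are made up).
SAMPLE_INSTALL = struct.pack("<I", int(datetime(2008, 9, 10, tzinfo=timezone.utc).timestamp()))
SAMPLE_RECORD = build_sample_record(datetime(2009, 4, 15, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, value in compare(SAMPLE_INSTALL, SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

An `install_predates_format` result of `True` only flags the discrepancy; as the reply notes, the stored install date may not reflect the actual install, so it needs corroboration from other timestamps on the volume.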