Afternoon all,
Just a quick one to see if someone knows, off the top of their head, the Windows installation process, in terms of creation date recorded versus file-system format date(s).
It's not critical to the case, but whilst I was just getting an overview of the timeline of various exhibits, I noticed the format date of a drive (judging by the date of the $MFT creation and similar items) was quite a few hours after the install date/time.
Barring some more complicated/unlikely explanations, I assume this is because starting a Windows installation, from a CD/DVD, for example, will generate an installation date in memory, prior to the point where it goes ahead and formats a disk, and writes any files/filesystem(s). So, if a user started an installation, but didn't get as far as the point where it formats a disk/copies files, that could explain the disparity.
I just wanted to see if anyone else has tested this previously or knows if it's correct (edit - I suppose if the clock is modified during this process that might explain it too perhaps - depending if/when that's possible - but if anyone knows if either of those things are plausible it'd be help reassure me prior to any testing if ever required).
Thanks,
Rich
Notifications
Clear all
Topic starter
02/05/2020 12:08 pm