Hi,
Currently working on a Windows XP box, on which the user has installed remote control software. I've produced a timeline using log2timeline, however upon examination it appears to show the files associated with software as well as registry entries being created over a minute before the installation file for the software is executed.
I've parsed out the NTUSER file using RegRipper, which confirms installation of the software at the time the registry entries appear, but, prior to the installation file being executed a minute later, I don't see any activity by the user to install the software.
Also, following the execution of the installation file there does not appear to be any activity relating to this software (further file creations, etc.). Possibly the execution of this file and the current installation of the software are unrelated (maybe the user double-clicked the installation file then changed his mind).
Any ideas on what might be going on here?
Thanks.
Never mind. Looks like the user has run the install twice, once to install, and then once again after installation, which was canceled.
Never mind. Looks like the user has run the install twice, once to install, and then once again after installation, which was canceled.
This is good, this is good.
I think this forums' audience would appreciate how you determined that. Prefetch?
UserAssist indicates the installation file has been run twice. The installation of the software took place in June 2011 - the installation file has since been deleted, and there isn't a prefetch file available. I'm searching for any prefetch files relating to the installation file within unallocated clusters. I'll update after the search to say if I found any.
If this sounds like I'm heading in the wrong direction, please feel free to let me know.