Hi all,
I ran Windows Initialize Case in EnCase under Case Processor, but I can't get the OS install date. Is there an explanation for that?
If EnCase can't tell the install date, is there any other way to find out?
Just look at the 'Software' registry file and go to \Microsoft\WindowsNT\CurrentVersion and view it manually.
Export the Registry hives from the image, or mount the image and run RegRipper against the hives…
Greetings,
I believe you can also look at the date on the $MFT to determine when the disk was initialized. Not the same as when the OS was installed, but related, and potentially of interest.
-David
I went to Microsoft\WindowsNT\CurrentVersion, viewed it manually and converted it to a Unix 32-bit timestamp. Will this time be in the same time zone as on the user's machine?
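An added example, not part of the original thread: decoding the `InstallDate` REG_DWORD under `Microsoft\Windows NT\CurrentVersion` in the SOFTWARE hive. A Unix timestamp counts seconds from the epoch in UTC, so the machine's local time has to be derived separately, here from `ActiveTimeBias` (SYSTEM hive, `ControlSet00x\Control\TimeZoneInformation`). The function names and the sample bytes are constructed for illustration, and the example assumes the raw 4-byte values were exported from the hives.

```python
import struct
from datetime import datetime, timedelta, timezone


def decode_install_date(raw: bytes) -> datetime:
    """Decode the raw REG_DWORD InstallDate into a timezone-aware UTC datetime."""
    if len(raw) != 4:
        raise ValueError("InstallDate is a REG_DWORD: expected exactly 4 bytes")
    (seconds,) = struct.unpack("<I", raw)  # little-endian, unsigned seconds since 1970 UTC
    if seconds == 0:
        raise ValueError("InstallDate is zero (value not populated)")
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def decode_bias_minutes(raw: bytes) -> int:
    """ActiveTimeBias is stored as a DWORD but must be read as signed.

    Windows defines it as UTC = local + bias, so zones east of UTC are negative
    and appear in the hive as large values such as 0xFFFFFFC4 (-60).
    """
    if len(raw) != 4:
        raise ValueError("ActiveTimeBias is a REG_DWORD: expected exactly 4 bytes")
    (bias,) = struct.unpack("<i", raw)  # little-endian, signed minutes
    return bias


def to_machine_local(utc_dt: datetime, bias_minutes: int) -> datetime:
    """Render a UTC datetime in the zone implied by the machine's bias."""
    machine_tz = timezone(timedelta(minutes=-bias_minutes))
    return utc_dt.astimezone(machine_tz)


# Constructed sample values (not taken from any real image).
SAMPLE_INSTALL_DATE = bytes.fromhex("80436d38")  # 0x386D4380 = 946684800
SAMPLE_BIAS_EAST = bytes.fromhex("c4ffffff")     # -60 minutes, i.e. UTC+1
SAMPLE_BIAS_WEST = bytes.fromhex("2c010000")     # +300 minutes, i.e. UTC-5

if __name__ == "__main__":
    installed = decode_install_date(SAMPLE_INSTALL_DATE)
    print("UTC:          ", installed.isoformat())
    for raw_bias in (SAMPLE_BIAS_EAST, SAMPLE_BIAS_WEST):
        bias = decode_bias_minutes(raw_bias)
        print(f"bias {bias:+5d} min:", to_machine_local(installed, bias).isoformat())
```

`ActiveTimeBias` reflects the zone and daylight-saving state at the time the hive was last written, which is not necessarily what applied on the install date, so report the UTC value alongside any local rendering.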
Try this…
http//
If there are no "strange" circumstances, you could find a quick tip on the OS install date by taking a look at the created times for the most typical folder structures and users always created in a Windows installation (such as Default, for instance).
you could find a quick tip on the OS install date by taking a look at the created times for the most typical folder structures and users always created in a Windows installation
Just a quick word of caution - be very careful when doing this for a Vista machine. MS changed the method of 'installation' with Vista and a large portion of the initial folder structure is 'Deployed' and not 'Installed'. The created date/time will not always accurately reflect when the Op Sys was put on the machine.
And one more - be very careful in XP, Service Packs CAN update the install date - sometimes they will, sometimes they won't, who knows??????
Sorry if this is instructing aged female grandparent to suck eggs, but I am a newbie on this forum and I'm not sure of appropriate levels :)
All the best,
Nigel
Any remark is always appreciated, so… thank you! 😉 I was just giving a very quick tip, but you are completely right: don't rely 100% on this method.