
OS Install date

9 Posts
7 Users
0 Reactions
4,921 Views
(@bluedragon)
Trusted Member
Joined: 18 years ago
Posts: 60
Topic starter  

Hi all,

I run Windows Initialize Case in EnCase under Case Processor but I can't get the OS install date. Is there an explanation for that?

If EnCase can't tell the install date, is there any other way to find out?


   
(@benclelland)
Eminent Member
Joined: 19 years ago
Posts: 21
 

Just look at the 'Software' registry file and go to \Microsoft\WindowsNT\CurrentVersion and view it manually.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Export the Registry hives from the image, or mount the image and run RegRipper against the hives…


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

I believe you can also look at the date on the $MFT to determine when the disk was initialized. Not the same as when the OS was installed, but related, and potentially of interest.

-David


   
(@bluedragon)
Trusted Member
Joined: 18 years ago
Posts: 60
Topic starter  

I went to Microsoft\WindowsNT\CurrentVersion, viewed it manually and converted it to a Unix 32 time stamp. Will this time be in the same time zone as on the user's machine?


   
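Added example, not part of any post in this thread: a decoder for the install timestamp stored under the CurrentVersion key discussed above, rendered in UTC and in the examined machine's own offset. A Unix timestamp counts seconds from 1970-01-01 00:00:00 UTC, so the stored number is not tied to the machine's time zone. The value names InstallDate (SOFTWARE hive) and ActiveTimeBias (SYSTEM hive, TimeZoneInformation key) are not named on this page and are assumptions of the example, and the sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample bytes, as they would appear in a hex view of each value.
SAMPLE_INSTALLDATE = bytes.fromhex("003b3d4b")  # little-endian 0x4B3D3B00
SAMPLE_ACTIVE_BIAS = bytes.fromhex("2c010000")  # 300 minutes, i.e. UTC-05:00


def decode_install_date(raw: bytes) -> datetime:
    """Decode a 4-byte InstallDate REG_DWORD into an aware UTC datetime."""
    if len(raw) != 4:
        raise ValueError("expected a 4-byte REG_DWORD")
    (seconds,) = struct.unpack("<I", raw)
    if seconds == 0:
        raise ValueError("value is zero, not a usable timestamp")
    # Unix time counts seconds from 1970-01-01 00:00:00 UTC, so the stored
    # number is independent of the machine's time zone setting.
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def decode_bias(raw: bytes) -> timezone:
    """Convert a signed bias in minutes (UTC = local + bias) to a tzinfo."""
    if len(raw) != 4:
        raise ValueError("expected a 4-byte REG_DWORD")
    (minutes,) = struct.unpack("<i", raw)
    return timezone(timedelta(minutes=-minutes))


def install_date_report(install_raw: bytes, bias_raw: bytes) -> dict:
    """Render the install timestamp in UTC and in the examined machine's offset."""
    utc = decode_install_date(install_raw)
    # Caveat: ActiveTimeBias is the offset in effect when the hive was last
    # written; daylight saving may have differed on the install date itself.
    local = utc.astimezone(decode_bias(bias_raw))
    return {
        "epoch": int(utc.timestamp()),
        "utc": utc.isoformat(),
        "examined_machine_local": local.isoformat(),
    }


if __name__ == "__main__":
    for key, value in install_date_report(SAMPLE_INSTALLDATE, SAMPLE_ACTIVE_BIAS).items():
        print(f"{key}: {value}")
```

With the constructed sample, the same instant falls on 2010-01-01 in UTC and on 2009-12-31 at UTC-05:00, which is why a report should state the zone alongside the date.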
(@bperk)
Eminent Member
Joined: 16 years ago
Posts: 24
 

> Hi all,
>
> I run Windows Initialize Case in EnCase under Case Processor but I can't get the OS install date. Is there an explanation for that?
>
> If EnCase can't tell the install date, is there any other way to find out?

Try this…

http://www.forensickb.com/2009/05/file-system-creation-date-vs-operating.html


   
iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
 

If there are no "strange" circumstances, you could find a quick tip on the OS install date by taking a look at the created times for the most typical folder structures and users always created in a Windows installation (such as Default, for instance).


   
(@nigel_cro)
Eminent Member
Joined: 16 years ago
Posts: 29
 

> you could find a quick tip on the OS install date taking a look at the created times for the most typical folder structures and users always created in a Windows installation

Just a quick word of caution - be very careful when doing this for a Vista machine. MS changed the method of 'installation' with Vista and a large portion of the initial folder structure is 'Deployed' and not 'Installed'. The created date/time will not always accurately reflect when the Op Sys was put on the machine.

And one more - be very careful in XP, Service Packs CAN update the install date - sometimes they will, sometimes they won't, who knows??????

Sorry if this is instructing aged female grandparent to suck eggs, but I am a newbie on this forum and I'm not sure of appropriate levels :)

All the best,

Nigel


   
iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
 

Any remark is always appreciated, so… thank you! 😉 I was just giving a very quick tip, but you are completely right: don't rely 100% on this method.


   