Recycle Bin Dates
 

5 Posts
4 Users
0 Likes
636 Views
koppitekop11
(@koppitekop11)
Posts: 4
New Member
Topic starter
 

Hi guys,

I'm doing an investigation and have found a file of interest in the recycle bin. The OS is Windows 10 and I have the $I and $R files.

If an OS was reinstalled - let's say in September - how can the $R and $I files have creation dates which precede this date? There is a Windows.old folder, however these files were found in the Recycle Bin of the new OS.

Any clarification on this would be greatly appreciated!

Many thanks!

 
Posted : 17/11/2017 3:09 pm
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

I'm doing an investigation and have found a file of interest in the recycle bin. The OS is Windows 10 and I have the $I and $R files.

If an OS was reinstalled - let's say in September - how can the $R and $I files have creation dates which precede this date? There is a Windows.old folder, however these files were found in the Recycle Bin of the new OS.

With the Windows.old folder, it sounds as if the "new OS" is a result of an upgrade, i.e., Win7 upgraded to Win10. As such, all of the original files would still exist after the process completed.

What sort of file was deleted? Does it have metadata that would let you validate the creation date?

Something else to consider is that the "deletion" is a move to a new folder, and the file being renamed…what effect do such operations have on the original file creation dates?

 
Posted : 17/11/2017 7:19 pm
randomaccess
(@randomaccess)
Posts: 385
Reputable Member
 

If an OS was reinstalled - let's say in September

I'd also be curious about you knowing the OS was reinstalled?
Are you taking the OS install date from the registry?

Because that's also changed by a Win10 update

 
Posted : 18/11/2017 6:42 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

As a side note besides "updates" the "windows.old" is created also in some cases of "repair" (or "reset") of the OS, in windows 8.1 there is/was also seemingly a "time bomb" of sorts
https://support.microsoft.com/en-us/help/17125/windows-8-restore-files-old-folder-upgrade

of 28 days for "system files", whilst user and documents directories should remain untouched.

jaclaz

 
Posted : 18/11/2017 10:33 am
koppitekop11
(@koppitekop11)
Posts: 4
New Member
Topic starter
 

Ok guys - it would appear that both the Windows.old and current system are running Windows 10, however they are different versions. If you apply an update when using Windows 10, will this create a Windows.old folder? Also, will it update the OS install time in the Software registry hive? I don't have time to test this at the moment so any insight would be greatly appreciated.

Many thanks!

EDIT From what I have read I think when you update Windows 10 to a new version it will create a Windows.old folder and as jaclaz rightly pointed out, this will then be deleted after 28 (or 30) days by default.

This is only from what I've read and hasn't been tested. Is anyone able to confirm this?

Thanks guys!

UPDATE I've got to the bottom of this thanks to this old post from Ridders

https://www.forensicfocus.com/Forums/viewtopic/t=15574/

It appears that a security update/upgrade was applied to Windows 10 which explains the new OS installation time and the creation of the Windows.old folder. It also explains how the timestamp on the file predates the OS installation.

Hopefully it can help others in future.

Thanks guys!

 
Posted : 20/11/2017 9:36 am
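
Added example, not part of any post in this thread: a small Python parser for the contents of a $I file, which stores its own deletion time (a FILETIME) and the original path independently of the file system timestamps discussed above, so the two can be compared against the reported install time. The sample record, path and install date are constructed for illustration and are not data from the case described here.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used only to build the sample record."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def parse_i_file(data):
    """Return version, original size, deletion time and original path from a $I file."""
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                      # Vista to 8.1: fixed 520-byte path field
        raw = data[24:24 + 520]
    elif version == 2:                    # Windows 10: character count, then path
        if len(data) < 28:
            raise ValueError("truncated $I path length")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("truncated $I path")
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_dt(deleted), "original_path": path}

def build_sample():
    """Constructed Windows 10 style $I record (not data from the case in this thread)."""
    path = "C:\\Users\\example\\Documents\\report.docx\x00"
    deleted = datetime(2017, 8, 14, 10, 30, tzinfo=timezone.utc)
    return (struct.pack("<QQQI", 2, 12345, dt_to_filetime(deleted), len(path))
            + path.encode("utf-16-le"))

if __name__ == "__main__":
    rec = parse_i_file(build_sample())
    reported_install = datetime(2017, 9, 20, tzinfo=timezone.utc)  # constructed value
    print(rec)
    print("deleted before reported install:", rec["deleted_utc"] < reported_install)
```

The deletion time inside the $I file is written when the item is sent to the Recycle Bin, so it is worth recording alongside the MFT timestamps of the $I and $R files when building the timeline.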