
SAM file Account Created Timestamp Error

4 Posts
2 Users
0 Reactions
2,014 Views
(@saltyone64)
Active Member
Joined: 12 years ago
Posts: 9
Topic starter  

Hello,

I have been working on a Windows image. I extracted the SAM file and ran RegRipper v2.8 to get the account information. Below is the output for the USER.

Username USER [1000]
Full Name
User Comment
Account Type Default Admin User
Account Created Mon Mar 31 05:17:25 1980 Z
Last Login Date Sun Jan 24 12:58:03 2016 Z
Pwd Reset Date Mon Mar 31 05:17:27 1980 Z
Pwd Fail Date Never
Login Count 16

My question is, why is the account created date 1980? I am certain this wasn't the time the account was created. Could it be the system time was wrong?

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

My question is, why is the account created date 1980?

What's the version of Windows you were analyzing, and when was it installed on the system?

I am certain this wasn't the time the account was created.

How so? Did you verify this by checking the MFT entries for files within the profile?

Could it be the system time was wrong?

Sure, that's a possibility, but it can also be verified. How to go about doing that relies a bit on the version of Windows you're examining.

Something to consider is that before stating in a public forum that there's an "error", perhaps try to verify it first. Open the SAM hive in a Registry viewer, export the value that contains the time stamps for the user account, locate the time stamp(s) in question, and verify the time stamp(s).

The samparse.pl plugin is an excellent resource that you can use to locate those values, as is the reference material in the header of the plugin.

Another means for verifying the time stamps would be to create a timeline, and see what may have occurred "near" the time that the profile was created.

There's likely a pretty straightforward explanation as to why you're seeing those time stamps…

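As an added example (not part of keydet89's reply, and not RegRipper's own code), the decoder below reads the binary F value keydet89 suggests exporting from SAM\Domains\Account\Users\<RID>, at the offsets the samparse.pl header documents, and renders the times the way RegRipper prints them. The sample F value is constructed here to mirror the thread's timestamps, and the 2009 cut-off used to flag "implausible" dates is an assumption based on Windows 7's release.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Subset of the ACB flag bits listed in samparse.pl's header.
ACB_FLAGS = {0x0001: "Account Disabled", 0x0004: "Password not required",
             0x0010: "Normal user account", 0x0200: "Password does not expire"}

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'Never'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of the above; only needed here to build the constructed sample."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def fmt(dt):
    """Render like RegRipper's samparse output, e.g. 'Sun Jan 24 12:58:03 2016 Z'."""
    return "Never" if dt is None else dt.strftime("%a %b %d %H:%M:%S %Y Z")

def parse_f_value(f):
    """Decode the binary F value of SAM\\Domains\\Account\\Users\\<RID> (samparse.pl offsets)."""
    last_login, _, pwd_reset, acct_expires, pwd_fail = struct.unpack_from("<5Q", f, 8)
    rid, acb = struct.unpack_from("<I", f, 48)[0], struct.unpack_from("<H", f, 56)[0]
    failed_count, login_count = struct.unpack_from("<HH", f, 64)
    return {"rid": rid, "login_count": login_count, "failed_count": failed_count,
            "last_login": filetime_to_datetime(last_login),
            "pwd_reset": filetime_to_datetime(pwd_reset),
            "acct_expires": filetime_to_datetime(acct_expires),
            "pwd_fail": filetime_to_datetime(pwd_fail),
            "acb_flags": [name for bit, name in ACB_FLAGS.items() if acb & bit]}

def implausible_timestamps(parsed, earliest=datetime(2009, 1, 1, tzinfo=timezone.utc)):
    """Fields dated before `earliest` (assumed here: roughly Windows 7's release). A 1980
    value on a Win7 image points at a wrong system clock at that moment, not a 1980 account."""
    return [k for k in ("last_login", "pwd_reset", "acct_expires", "pwd_fail")
            if parsed[k] is not None and parsed[k] < earliest]

def build_sample_f(last_login, pwd_reset, rid, login_count):
    """Constructed 80-byte F value for offline testing; not taken from the OP's image."""
    f = bytearray(80)
    struct.pack_into("<Q", f, 8, datetime_to_filetime(last_login))
    struct.pack_into("<Q", f, 24, datetime_to_filetime(pwd_reset))
    struct.pack_into("<IxxxxH", f, 48, rid, 0x0010 | 0x0200)  # RID; normal acct, pwd never expires
    struct.pack_into("<H", f, 66, login_count)
    return bytes(f)

# Constructed sample mirroring the thread's values (UTC): last login 2016, pwd reset 1980.
SAMPLE_F = build_sample_f(datetime(2016, 1, 24, 12, 58, 3, tzinfo=timezone.utc),
                          datetime(1980, 3, 31, 5, 17, 27, tzinfo=timezone.utc), 1000, 16)
```

The "Account Created" line in the RegRipper output is not stored in the F value; samparse.pl takes it from the LastWrite time of the SAM\Domains\Account\Users\Names\<username> key, so checking that key's LastWrite in a hive viewer is how the created time is verified.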
(@saltyone64)
Active Member
Joined: 12 years ago
Posts: 9
Topic starter  

The OS is Windows 7 Ultimate and the installed date was identified to be Mon Mar 31 05:33:19 1980 in the registry.

I have checked the registry key in the SAM file SAM\Domains\Account\Users\Names\USER and the last written date is 3/31/1980 5:17:25 AM +0000.

Now I checked the Software hive and the key Microsoft\Windows NT\CurrentVersion\ProfileList and the last time written was Mon Mar 31 05:36:54 1980 (UTC), some minutes after the account was created.

Under the ProfileList key I checked the SID (S-1-5-21-331876463-2052389224-3239719413-1000) key which is linked to the USER account and the last written time was Fri Jan 15 18:29:30 2016 (UTC).

This tells me that the ProfileList key was not updated when the SID was modified or someone has modified it (yet to find out).

Can I use the last written time on that as the time the USER account was created?

I exported all the files and directory listing using FTK Imager and most of the Windows default generated files were all 1980.

I just checked the timestamp the Desktop folder was created in the USER account and it was 1980-Mar-31 05:36:55 UTC, a second after the key was created under the ProfileList. The modified timestamp on the Desktop folder was 2016-Jan-24 13:13:43 UTC, which is about an hour after the last logon.

Now how do I prove when the OS was installed?

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Can I use the last written time on that as the time the USER account was created?

Sorry, but I honestly have no idea what you're asking here…

I exported all the files and directory listing using FTK Imager and most of the Windows default generated files were all 1980.

Okay, but that "timeline" does not appear to include things like Windows Event Log records, etc.

Now how do I prove when the OS was installed?

I'm not sure that you ever will. I say that, as you may likely find a point in a timeline where there was a significant time change; even so, you likely won't know when the OS had actually been installed, as it sounds as if there was some issue with the system time at the time that Win7 was installed.
