Does anyone have any thoughts on the following please?
A machine with a history of some years.
A setupapi.log going back but now renamed setupapi.old.
A 'new' setupapi.log created on date 'a'.
The client recalls that "some housekeeping" may have been run on date 'a', in the shape of "reinstalling Windows over the top of itself".
Software hive with an earliest entry that corresponds with date 'a', albeit with timestamps a couple of hours earlier than the setupapi.log.
System hive with earliest entries of date 'b' - which is one week later than date 'a'.
Some of those earliest entries are 7 x USB devices all created/mounted at exactly the same time on date 'b'.
Could the 7 x USB entries have been brought forward from somewhere else? May they have 'original' timestamps related to them stored elsewhere? Or is there another logical explanation?
Any thoughts would be very welcome indeed.
Have a good weekend all.
Fab4.
I know of at least two cases, and there may be more, where these entries will have their timestamps updated. Those are
the installation of an XP service pack (3, for sure, maybe earlier)
the use of Norton Ghost in non-forensic mode
There may be others, as well.
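One way to check for the pattern discussed in this thread, as an added example that is not code from either poster: convert the LastWrite FILETIME values of USBSTOR subkeys and flag groups of keys written at the same moment, since a bulk rewrite of the hive (the service pack or Ghost cases above) leaves many device keys sharing one timestamp, whereas genuine first connections are spread over time. The subkey names and times below are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Registry key LastWrite times are Windows FILETIME values:
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def _ft(y, mo, d, h, mi, s):
    return datetime_to_filetime(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc))


# Constructed sample of (USBSTOR subkey name, LastWrite FILETIME). In a real case
# these come from SYSTEM\ControlSet00X\Enum\USBSTOR. Seven keys share one
# LastWrite time (the situation in the post); two others have distinct times.
SAMPLE_KEYS = [
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\SAMPLE_SERIAL_%d&0" % i,
     _ft(2009, 3, 14, 9, 15, 0))
    for i in range(1, 8)
] + [
    ("Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\\SAMPLE_SERIAL_8&0", _ft(2007, 6, 2, 18, 40, 12)),
    ("Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\SAMPLE_SERIAL_9&0", _ft(2008, 11, 20, 7, 3, 55)),
]


def find_lastwrite_clusters(keys, min_size=3, window=timedelta(seconds=2)):
    """Return groups of at least `min_size` keys whose LastWrite times each fall
    within `window` of the previous one. A large cluster is more consistent with
    the keys having been rewritten together than with the devices having been
    first seen together, so it should not be read as the original install time."""
    ordered = sorted((filetime_to_datetime(ft), name) for name, ft in keys)
    clusters, current = [], []
    for ts, name in ordered:
        if current and ts - current[-1][0] > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append((ts, name))
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


if __name__ == "__main__":
    for cluster in find_lastwrite_clusters(SAMPLE_KEYS):
        print(len(cluster), "keys written at", cluster[0][0].isoformat())
        for ts, name in cluster:
            print("   ", name)
```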