Hi
I'm sure this is a simple one but I'm struggling. XP Pro SP3, corporate (AD) environment, internal investigation.
I have a user's HD, RegRipper shows timedate control panel being run just before last shut down time for the last time (15th November), and indicates that it has been run twice.
Where can I find the first time it was run? Somewhat unusually, the user has Restore Points available, but I can't work out which Registry Key contains the relevant info.
TimeZoneInformation doesn't appear to have been updated on the user's HD anywhere near 15th November. I ran a test on my computer (same OS), exported the System hive and checked in FTK Registry Viewer but am still stumped. Unless I need to restart for the relevant key to have been updated?
Any help out there?
Thanks
When you ran the test on your computer, did you run regshot to see what changes were made to your registry?
Also, did you try to confirm regripper's output with another alternative?
A few questions for you -
When RR was run, which output specifically are you using for your data?
I assume that you meant the user ran the timedate, not the system. Is that a correct assumption?
RegRipper can be used against restore points as well; depending on the number of restore points available you could simply get the same output and look for the diffs manually.
As a side note, XP SP3 does some interesting stuff to the registry timestamps during the install. (Like USBStor…) Does the install/upgrade time of SP3 correlate with the timeframe you are struggling with?
I might have some ideas if you explain just what it is you are trying to find out?
H
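A worked example of the diff-across-restore-points approach suggested above, added here and not part of any poster's reply: it parses constructed RegRipper-style userassist listings (the layout is modelled loosely on the userassist plugin's output; the snapshot names, entries and timestamps are made up) and reports the earliest snapshot in which the timedate.cpl run count was 1, which is the first-run time the original question is after.

```python
import re
from datetime import datetime, timezone

# Constructed sample: one userassist-style listing per snapshot, keyed by the
# restore-point folder it was ripped from (plus the live SYSTEM hive). Layout
# assumed: a UTC timestamp line, then indented "name (run count)" entries.
SNAPSHOTS = {
    "RP41": """Tue Nov  2 08:14:05 2010 Z
  UEME_RUNPATH:C:\\Program Files\\Notepad++\\notepad++.exe (7)
""",
    "RP44": """Tue Nov  9 17:03:51 2010 Z
  UEME_RUNCPL:timedate.cpl (1)
Tue Nov  9 16:58:12 2010 Z
  UEME_RUNPATH:C:\\WINDOWS\\system32\\cmd.exe (3)
""",
    "SYSTEM (live)": """Mon Nov 15 18:22:40 2010 Z
  UEME_RUNCPL:timedate.cpl (2)
""",
}

TS_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) Z$")
ENTRY_RE = re.compile(r"^\s+(\S.*?) \((\d+)\)$")


def parse_listing(text):
    """Yield (name, count, timestamp) for every entry in one listing."""
    current_ts = None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:  # timestamp applies to the indented entries that follow it
            current_ts = datetime.strptime(
                m.group(1), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            continue
        m = ENTRY_RE.match(line)
        if m and current_ts is not None:
            yield m.group(1), int(m.group(2)), current_ts


def run_history(snapshots, needle):
    """All (snapshot, count, ts) hits whose entry name contains needle, oldest first."""
    hits = [(snap, count, ts)
            for snap, text in snapshots.items()
            for name, count, ts in parse_listing(text)
            if needle.lower() in name.lower()]
    return sorted(hits, key=lambda h: h[2])


def first_run(snapshots, needle):
    """Earliest snapshot that caught the count at 1, i.e. the first execution."""
    for snap, count, ts in run_history(snapshots, needle):
        if count == 1:
            return snap, ts
    return None  # no restore point was taken between the first and second run
```

If no snapshot shows a count of 1, the first run fell between two restore points and the listings can only bound it, not date it.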