Way to find out how many times windows was reinstalled?  

ebmetric
(@ebmetric)
New Member

Hi there,

Is there a way to find out how many times windows was reinstalled?

Bonus would be to find when exactly.

Thank you! )

Posted : 07/06/2018 11:24 am
ludlowboy
(@ludlowboy)
Member

I would start by checking for ‘windows.old’ folders. These are sometimes created when a new version of windows is installed.

Posted : 07/06/2018 12:43 pm
jaclaz
(@jaclaz)
Community Legend

Hi there,

Is there a way to find out how many times windows was reinstalled?

Bonus would be to find when exactly.

Thank you! )

Generally speaking, NO WAY.

All you normally have is the last time it was installed, in some cases (it depends on the context, on the actual method used for installation/re-install, and on the actual windows version) a folder windows.old containing the previous installation may be found, though.

jaclaz

Posted : 07/06/2018 12:50 pm
ebmetric
(@ebmetric)
New Member

For example, I could try to recover the old windows/system32/config folder using R-Studio and then use Windows Registry Recovery to check the installation date and other information?

I have heard that with EnCase it is possible to do something similar.

Posted : 07/06/2018 3:51 pm
jaclaz
(@jaclaz)
Community Legend

For example, I could try to recover the old windows/system32/config folder using R-Studio and then use Windows Registry Recovery to check the installation date and other information?

I have heard that with EnCase it is possible to do something similar.

It is unlikely that you will recover that folder, and even more unlikely that you will be able to recover a "sound" enough Registry file, and even if you recover a good enough Registry, that the information you seek is recoverable, and anyway it would not be IMHO "final" or even "reliable" evidence, particularly with Windows 10, see
https://www.raedts.biz/forensics/determining-windows-10-installation-date/
http://az4n6.blogspot.com/2017/02/when-windows-lies.html

but also previous versions may have "strange" dates/times because of BIOS time at install time, or use of sysprep, etc., see also
https://www.forensicfocus.com/Forums/viewtopic/t=15574/
http://www.forensicfocus.com/Forums/viewtopic/t=13178/
http://www.forensickb.com/2009/05/file-system-creation-date-vs-operating.html

jaclaz

Posted : 07/06/2018 5:29 pm
thefuf
(@thefuf)
Active Member

It could be possible to recover registry hives from a previous Windows installation. Try yarp-carver (https://github.com/msuhanov/yarp), it supports the reconstruction of fragmented hives.

Posted : 07/06/2018 8:14 pm
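Added example (not thefuf's, yarp's or any poster's code) of the first step a hive carver takes: scan a raw image for REGF base blocks, validate the header checksum, and read each candidate hive's name, sequence numbers and last-written timestamp. The disk image and hive names are constructed for the demo; note that the header timestamp is the hive's last write, not an installation date, so the hive bins still have to be reassembled and parsed before any InstallDate value can be read.

```python
import functools, struct
from datetime import datetime, timedelta, timezone

REGF_SIG, EPOCH_1601 = b"regf", datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    # FILETIME counts 100-ns intervals since 1601-01-01 UTC.
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def regf_checksum(block):
    # XOR of the header's first 127 dwords; results 0 / 0xFFFFFFFF are stored as 1 / 0xFFFFFFFE.
    x = functools.reduce(int.__xor__, struct.unpack("<127I", block[:508]))
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)

def parse_base_block(block):
    # Decode one 512-byte REGF base block (hive header); None if it is not one.
    if len(block) < 512 or block[:4] != REGF_SIG:
        return None
    seq1, seq2, ft, major, minor = struct.unpack_from("<IIQII", block, 4)
    name = block[48:112].decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {"name": name, "version": (major, minor), "last_written": filetime_to_utc(ft),
            "dirty": seq1 != seq2,  # sequence numbers differ: hive was not flushed cleanly
            "checksum_ok": struct.unpack_from("<I", block, 508)[0] == regf_checksum(block)}

def carve_hive_headers(image):
    # Every checksum-valid, version-1 REGF header in a raw image, with its byte offset.
    hits, pos = [], image.find(REGF_SIG)
    while pos != -1:
        hdr = parse_base_block(image[pos:pos + 512])
        if hdr and hdr["checksum_ok"] and hdr["version"][0] == 1:
            hits.append(dict(hdr, offset=pos))
        pos = image.find(REGF_SIG, pos + 1)
    return hits

def build_base_block(name, last_written, seq=(1, 1)):
    # Constructed sample header for the demo only (root cell offset etc. left zero).
    b = bytearray(512)
    ft = (last_written - EPOCH_1601) // timedelta(microseconds=1) * 10  # exact FILETIME
    struct.pack_into("<4sIIQIIII", b, 0, REGF_SIG, seq[0], seq[1], ft, 1, 5, 0, 1)  # v1.5, primary file
    enc = name.encode("utf-16-le")[:64]  # the name field is 64 bytes of UTF-16LE
    b[48:48 + len(enc)] = enc
    struct.pack_into("<I", b, 508, regf_checksum(bytes(b)))
    return bytes(b)

def demo_image():
    # Constructed "unallocated space": an old dirty SOFTWARE hive, a newer SYSTEM hive, a stray 'regf'.
    old = datetime(2017, 3, 12, 8, 30, tzinfo=timezone.utc)
    new = datetime(2018, 6, 1, 17, 5, tzinfo=timezone.utc)
    return (b"\x00" * 1000 + build_base_block(r"\Config\SOFTWARE", old, (7, 6)) + b"\xff" * 2048
            + build_base_block(r"\Config\SYSTEM", new) + REGF_SIG + b"\x00" * 600)
```

Running `carve_hive_headers(demo_image())` yields the two real headers and drops the stray signature, which fails the checksum.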
jaclaz
(@jaclaz)
Community Legend

It could be possible to recover registry hives from a previous Windows installation.

Sure it is possible, but highly unlikely.

Let's say you install windows "fresh" for the very first time on a brand new disk, for the sake of the reasoning let us assume you use a "default" partitioning (a single partition or a small "hidden" partition + the actual large partition for the OS)

The install will take - roughly - the first 16 GB of the large partition.

Then you fill the rest of the partition with your data.

At a given point you need/want to reinstall.

You have basically 3 (three) options (excluding the wiping of the disk or of the partition with the format without the /q)
1) backup the data, format the partition (quick) and reinstall windows
2) delete the \windows folder (and possibly some other specific OS folders) and reinstall windows
3) reinstall windows on the partition "as is" (and thus the OS will create the windows.old folder)

In case 1) the actual Windows files (that come from a "same" applied .wim, by a "same" setup command) will 99.99% occupy the same areas they did originally, overwriting the original install.

In case 2) it has to be seen, and it may depend on the actual level of fill of the filesystem, surely (again 99.99%) if the partition is filled up to the brim, and install sees only a 16 GB or so "free" chunk, it will install there, but I believe that even on a not-so-filled-up partition the setup will choose to write on that same area.

In case 3) the files are not deleted and so you don't *need* to carve anything.

jaclaz

Posted : 07/06/2018 9:02 pm
armresl
(@armresl)
Community Legend

Your best reply may end up needing to be "yes Windows has been reinstalled, the exact number I can't state."

Posted : 07/06/2018 9:04 pm
thefuf
(@thefuf)
Active Member

It could be possible to recover registry hives from a previous Windows installation.

Sure it is possible, but highly unlikely.

Let's say you install windows "fresh" for the very first time on a brand new disk, for the sake of the reasoning let us assume you use a "default" partitioning (a single partition or a small "hidden" partition + the actual large partition for the OS)

The install will take - roughly - the first 16 GB of the large partition.

Then you fill the rest of the partition with your data.

At a given point you need/want to reinstall.

You have basically 3 (three) options (excluding the wiping of the disk or of the partition with the format without the /q)
1) backup the data, format the partition (quick) and reinstall windows
2) delete the \windows folder (and possibly some other specific OS folders) and reinstall windows
3) reinstall windows on the partition "as is" (and thus the OS will create the windows.old folder)

In case 1) the actual Windows files (that come from a "same" applied .wim, by a "same" setup command) will 99.99% occupy the same areas they did originally, overwriting the original install.

In case 2) it has to be seen, and it may depend on the actual level of fill of the filesystem, surely (again 99.99%) if the partition is filled up to the brim, and install sees only a 16 GB or so "free" chunk, it will install there, but I believe that even on a not-so-filled-up partition the setup will choose to write on that same area.

In case 3) the files are not deleted and so you don't *need* to carve anything.

jaclaz

Backup hives from the RegBack folder are rotated frequently. Since files in this folder are created and deleted, they are likely to survive longer.

Posted : 07/06/2018 10:41 pm
ArsenalConsulting
(@arsenalconsulting)
Junior Member

It could be possible to recover registry hives from a previous Windows installation.

Sure it is possible, but highly unlikely.

jaclaz

I very rarely disagree with you, but this is one of those times. If we assume a HDD rather than a SSD is in play (never mind an unsophisticated user), we have been quite successful rebuilding Registries from previous Windows installations. This exact situation is one of the reasons we built Registry Recon, so we would have a solution for quickly (programmatically) associating and rebuilding hives from unallocated space and other locations in order to browse through Registries from previous Windows installations. Our typical use cases for this situation at Arsenal involve either IT departments that re-imaged computers before corporate HR and/or legal realized there was a problem with a former employee, and former employees that re-installed Windows just prior to returning their computer to the company.

We know of at least one police department that uses our tool for a similar purpose as well… believe it or not, to get stolen laptops back in the hands of their rightful owners.

Here's a relevant screenshot from a few years back

https://twitter.com/ArsenalArmed/status/637356151856852992

thefuf can probably share his experience with the volume of Registry hives recovered from unallocated space in his cases… once you have enough, you can do amazing things. Well, sometimes even if you just have a single hive from unallocated space (or VSCs, or hibernation, or crash dumps, or…) you can do amazing things. 😉

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

Posted : 08/06/2018 6:17 pm
jaclaz
(@jaclaz)
Community Legend

It could be possible to recover registry hives from a previous Windows installation.

Sure it is possible, but highly unlikely.

jaclaz

I very rarely disagree with you, but this is one of those times.

It is perfectly fine disagreeing with me, no need for the preamble/disclaimer ) .

But you are seemingly (and of course IMHO) losing the focus from the actual original scope.

Sure you can recover whole (or more likely fragments of ) registry hives from previous installations in some cases.

Logically, if it was easy to recover whole hives, there would be no need whatsoever to have the Registry Recon software nor the yarp-carver thefuf mentioned, so it is more likely that you get on average "fragments" of hives.

And surely you can do amazing things with the parts that you recover. )

But the original questions are rather narrow

Is there a way to find out how many times windows was reinstalled?

Bonus would be to find when exactly.

So, as soon as you will post a report saying that out of a "random"[1] sample of (say) 100 PC's where windows was reinstalled once or more times you can determine[2] through recovered registry hives how many times windows was reinstalled and (bonus) when exactly in at least 25 of the samples (i.e. 1/4 of the examined PC's) I will gladly change the highly unlikely to "in some cases possible" and if you can get it for at least 51 (i.e. 1/2 of the examined PC's +1 ) to "likely".

About specific reliability of these recovered data, see also
https://www.forensicfocus.com/Forums/viewtopic/p=6594697/#6594697

jaclaz

[1] random in the sense that they need to be "real world" PC's, actually used by actual people for some time after the reinstall, including automated defrag having some chances to run, etc., not "artificial" samples where you attempt the recover just after the reinstall of the sheer OS.

[2] with a confidence suitable to be put in an official report, i.e. capable of making a court consider it sufficient proof to condemn a suspect

Posted : 08/06/2018 8:12 pm
ArsenalConsulting
(@arsenalconsulting)
Junior Member

Sure you can recover whole (or more likely fragments of ) registry hives from previous installations in some cases.

Often enough that recovering hives (whether complete or partial) from unallocated space on HDDs, related to previous Windows installations, should not be considered an edge case as it often is now. Of course recovered hives related to the current installation are useful as well, and in most of our cases we tend to be more interested in those as our persons of interest were using the current Windows installation.

But the original questions are rather narrow

Is there a way to find out how many times windows was reinstalled?

Bonus would be to find when exactly.

Yes, I drifted from the original question if you consider it narrowly. I suspect the OP would be interested in knowing as much as possible about previous installations, even if we all concede that he will probably not get an authoritative answer to "how many times" and "exactly when." It may be for the OP, as it often is with us in this kind of situation, that the most important previous installation was the one just prior to the current.

Anyway, the point of my response is that you may be able to learn quite a bit about previous Windows installations (while conceding you will not learn everything), particularly when dealing with HDDs and populated unallocated space.

Mark

Posted : 08/06/2018 9:49 pm