RE: Installation date of Windows image

From: Keith Tyler (ktylerat_private)
Date: Thu Mar 28 2002 - 09:02:46 PST


    I don't think there would be a time stamp on anything that would show you
    when it was first booted up. However, depending on the OS, you may be able to
    tell when they booted up the machine and how many times. In WinNT you can
    check the Event Viewer, provided the logs haven't been overwritten yet. In
    Win95/98 it may have a file called bootlog.txt in the root of c:
    
    
    -Regards
    
    Keith
    
    -----Original Message-----
    From: Mac Macavity [mailto:mac_macavityat_private]
    Sent: Tuesday, March 26, 2002 9:40 AM
    To: forensicsat_private
    Subject: Installation date of Windows image
    
    
    Hi all,
    
    Given the situation of a Windows (any flavour from 95 to 2000) partition 
    which has been Norton Ghosted to a laptop, can anyone think of a way to 
    determine when (date) that ghosting took place, or failing that when the 
    system was booted for the first time thereafter (assuming that it has been 
    booted a number of times after that)?
    
    So far the file timestamps and registry entries I've looked at give me 
    either dates relating to when the system from which the image was made was 
    first created or from when the laptop was last booted, nothing related to 
    when the image was first copied to the laptop or first used.
    
    Perhaps there just isn't a way but I'd be grateful if someone could point 
    out anything obvious which I may have missed!
    
    Many thanks,
    
    Mac
    
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Thu Mar 28 2002 - 13:42:05 PST