Re: Installation date of Windows image

From: Ian Macdonald (secforensicsat_private)
Date: Thu Mar 28 2002 - 06:50:49 PST


    I would look at the event log. Every time the computer boots, an entry is made
    to the event log. If there was a long time between the Ghost image being
    created and then being burned onto the computer you should see a long gap
    between reboots on the machine. You might also want to find out if sysprep
    or ghostwalker were run after the ghost image was created. Those are
    utilities for resetting machine names and the SID of the computer. I haven't
    used them but they might write to log files on the computer.
    
    Hope this gives you some ideas
    
    Ian
    ----- Original Message -----
    From: "Mac Macavity" <mac_macavityat_private>
    To: <forensicsat_private>
    Sent: Tuesday, March 26, 2002 11:40 AM
    Subject: Installation date of Windows image
    
    
    > Hi all,
    >
    > Given the situation of a Windows (any flavour from 95 to 2000) partition
    > which has been Norton Ghosted to a laptop, can anyone think of a way to
    > determine when (date) that ghosting took place, or failing that when the
    > system was booted for the first time thereafter (assuming that it has been
    > booted a number of times after that)?
    >
    > So far the file timestamps and registry entries I've looked at give me
    > either dates relating to when the system from which the image was made was
    > first created or from when the laptop was last booted, nothing related to
    > when the image was first copied to the laptop or first used.
    >
    > Perhaps there just isn't a way but I'd be grateful if someone could point
    > out anything obvious which I may have missed!
    >
    > Many thanks,
    >
    > Mac
    >
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
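
The boot-gap check suggested in the reply above, written out as an added example that is not part of the original thread. It assumes the System event log was exported as CSV lines of timestamp, source, event ID (a constructed format with constructed sample data) and treats event ID 6005 from source EventLog, logged on NT/2000 when the Event Log service starts, as the boot marker; the 10x-median threshold is an arbitrary assumption.

```python
import csv
import io
from datetime import datetime
from statistics import median

BOOT_EVENT_ID = "6005"  # "The Event log service was started" (source EventLog)

# Constructed sample export: timestamp, source, event ID
SAMPLE_EXPORT = """\
2001-09-03 08:12:40,EventLog,6005
2001-09-03 17:45:02,EventLog,6006
2001-09-04 08:20:11,EventLog,6005
2001-09-04 09:01:00,Service Control Manager,7000
2001-09-05 08:05:37,EventLog,6005
2002-01-14 10:31:09,EventLog,6005
2002-01-15 08:44:50,EventLog,6005
2002-01-16 08:39:12,EventLog,6005
"""

def boot_times(export_text):
    """Return sorted timestamps of boot-marker records, skipping malformed rows."""
    times = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 3:
            continue
        stamp, source, event_id = (field.strip() for field in row)
        if source == "EventLog" and event_id == BOOT_EVENT_ID:
            times.append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    return sorted(times)  # records may be out of order after a clock change

def suspicious_gaps(times, factor=10):
    """Return (previous_boot, next_boot, gap) where gap > factor * median gap."""
    gaps = [(a, b, b - a) for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return []  # too few boots to know what a typical gap looks like
    typical = median(g[2].total_seconds() for g in gaps)
    return [g for g in gaps if g[2].total_seconds() > factor * typical]

if __name__ == "__main__":
    for prev_boot, next_boot, gap in suspicious_gaps(boot_times(SAMPLE_EXPORT)):
        # next_boot is a candidate for the first boot after the image was restored
        print(f"{gap.days} days between {prev_boot} and {next_boot}")
```

A cleared or wrapped log removes the earlier boots, so the absence of a gap does not show that no imaging took place.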
    



    This archive was generated by hypermail 2b30 : Thu Mar 28 2002 - 13:44:11 PST