Thanks Ian and Keith, the event logs are indeed a good place to look in NT/2000. I'm still struggling a bit with 95/98 though (as far as I can see bootlog.txt is created the first time after setup and is thus copied over along with the image without being written to again unless forced). Kind regards, Mac >From: Keith Tyler <ktylerat_private> >To: 'Mac Macavity' <mac_macavityat_private>, forensicsat_private >Subject: RE: Installation date of Windows image >Date: Thu, 28 Mar 2002 12:02:46 -0500 > >I don't think there would be a time stamp on anything that would show you >when it was first booted up. However depending on the OS you may be able to >tell when they booted up the machine and how many times. In winnt you can >check the event viewer, provided the logs haven't been overwritten yet. In >win95/98 it may have file called bootlog.txt in the root of c: > > >-Regards > >Keith _________________________________________________________________ Join the world’s largest e-mail service with MSN Hotmail. http://www.hotmail.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Mar 31 2002 - 10:10:26 PST