Got it, that works a treat! Many thanks to all who replied, greatly appreciated. Cheers, Mac >From: Ronald Prins <prins@fox-it.com> >To: 'Mac Macavity' <mac_macavityat_private> >CC: "'forensicsat_private'" <forensicsat_private> >Subject: RE: Installation date of Windows image >Date: Mon, 1 Apr 2002 18:16:27 +0200 > >In win98 you can find the schedlog.txt. If the taskscheduler is loaded >(default win98) it will write a new line in this file. > > > > > -----Oorspronkelijk bericht----- > > Van: Mac Macavity [mailto:mac_macavityat_private] > > Verzonden: vrijdag 29 maart 2002 9:44 > > Aan: forensicsat_private > > Onderwerp: RE: Installation date of Windows image > > > > > > Thanks Ian and Keith, the event logs are indeed a good place > > to look in > > NT/2000. I'm still struggling a bit with 95/98 though (as far > > as I can see > > bootlog.txt is created the first time after setup and is thus > > copied over > > along with the image without being written to again unless forced). > > > > Kind regards, > > > > Mac > > > > > > >From: Keith Tyler <ktylerat_private> > > >To: 'Mac Macavity' <mac_macavityat_private>, > > forensicsat_private > > >Subject: RE: Installation date of Windows image > > >Date: Thu, 28 Mar 2002 12:02:46 -0500 > > > > > >I don't think there would be a time stamp on anything that > > would show you > > >when it was first booted up. However depending on the OS you > > may be able to > > >tell when they booted up the machine and how many times. In > > winnt you can > > >check the event viewer, provided the logs haven't been > > overwritten yet. In > > >win95/98 it may have file called bootlog.txt in the root of c: > > > > > > > > >-Regards > > > > > >Keith > > > > > > _________________________________________________________________ > > Join the world's largest e-mail service with MSN Hotmail. > > http://www.hotmail.com > > > > > > ----------------------------------------------------------------- > > This list is provided by the SecurityFocus ARIS analyzer service. > > For more information on this free incident handling, management > > and tracking system please see: http://aris.securityfocus.com > > > >----------------------------------------------------------------- >This list is provided by the SecurityFocus ARIS analyzer service. >For more information on this free incident handling, management >and tracking system please see: http://aris.securityfocus.com > _________________________________________________________________ Chat with friends online, try MSN Messenger: http://messenger.msn.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 05:00:41 PST