Re: Installation date of Windows image

From: Stephen Samuel (samuelat_private)
Date: Tue Apr 02 2002 - 12:43:22 PST


    If the boot log also logs the MAC address of the ethernet card,
    you may be able to figure it out that way... Check for when the
    current ethernet address was first used. That would probably be
    (close to) the time the machine was ghosted.
    
    
    Mac Macavity wrote:
    > Hi all,
    > 
    > Given the situation of a Windows (any flavour from 95 to 2000) partition 
    > which has been Norton Ghosted to a laptop, can anyone think of a way to 
    > determine when (date) that ghosting took place, or failing that when the 
    > system was booted for the first time thereafter (assuming that it has 
    > been booted a number of times after that)?
    > 
    > So far the file timestamps and registry entries I've looked at give me 
    > either dates relating to when the system from which the image was made 
    > was first created or from when the laptop was last booted, nothing 
    > related to when the image was first copied to the laptop or first used.
    > 
    > Perhaps there just isn't a way but I'd be grateful if someone could 
    > point out anything obvious which I may have missed!
    > 
    > Many thanks,
    > 
    > Mac
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management and 
    > tracking system please see: http://aris.securityfocus.com
    > 
    
    
    -- 
    Stephen Samuel +1(604)876-0426                samuelat_private
    		   http://www.bcgreen.com/~samuel/
    Powerful committed communication, reaching through fear, uncertainty and
    doubt to touch the jewel within each person and bring it to life.
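
The first-use check suggested in the reply above, as an added example that is not part of the original thread. It goes one step further than the message by also reporting the last sighting of any other MAC address, which bounds the imaging time from below. The log line layout, the sample entries and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime

# Assumed line layout (hypothetical): "YYYY-MM-DD HH:MM:SS free text".
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s")
# Six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")


def normalize(mac):
    """Canonical form so 00-A0-... and 00:a0:... compare equal."""
    return mac.replace("-", ":").lower()


def mac_sightings(lines):
    """Return a time-sorted list of (timestamp, mac) found in the log lines."""
    seen = []
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue  # no usable timestamp, so the line cannot be placed in time
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        seen.extend((ts, normalize(mac)) for mac in MAC_RE.findall(line))
    return sorted(seen)


def imaging_window(lines, current_mac):
    """Bound the imaging time: (last sighting of another MAC, first sighting
    of current_mac). Either side is None when the log cannot supply it."""
    current = normalize(current_mac)
    sightings = mac_sightings(lines)
    first = next((ts for ts, mac in sightings if mac == current), None)
    if first is None:
        return None, None
    earlier = [ts for ts, mac in sightings if mac != current and ts < first]
    return (max(earlier) if earlier else None), first


# Constructed sample log, not taken from any real system.
SAMPLE = [
    "2001-11-03 09:12:40 NIC init, address 00-A0-C9-11-22-33",
    "2002-01-15 08:01:02 NIC init, address 00-A0-C9-11-22-33",
    "2002-03-09 10:20:31 NIC init, address 00:10:A4:7B:EA:01",
    "2002-02-20 14:47:05 NIC init, address 00:10:a4:7b:ea:01",
    "service started without timestamp 00:10:a4:7b:ea:01",
]

if __name__ == "__main__":
    print(imaging_window(SAMPLE, "00:10:A4:7B:EA:01"))
```

The timestamps are only as reliable as the system clock that wrote them, so the window should be corroborated against other evidence.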
    
    
    



    This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 05:01:49 PST