Comments on Another Forensics Blog: When Windows Lies
Blog author: Mari DeGrazia (http://www.blogger.com/profile/07035429062451749639)

TonyBee (2018-05-17):
We had the same situation, and it also coincides with the Windows 10 security/feature update dates. Thanks for sharing.

Ben Meredith (2017-07-03):
Great catch, appreciate the post.

Anonymous (2017-04-26, 08:16):
So the Windows 10 OS has yet another registry subkey, this one in the SYSTEM hive file: "\Setup\Source OS". The InstallDate information here is the original computer OS install date/time. It also tells you when the update started, i.e. "\Setup\Source OS (Updated on xxxxxx)". This may of course not be when the update ends; the user may choose to turn off instead of rebooting when prompted, etc. The update can actually complete on a different day, and "\Setup\Source OS (Updated on xxxxxx)" will reflect the date/time it started the update.

You can also find instances of multiple "\Setup\Source OS (Updated on xxxxxx)" subkeys, each one reflecting an update.

Anonymous, signed J. Jones (2017-04-26, 05:55):
I am assuming from the "Windows.old" reference that these are updates to Windows 10 and not a clean install of the full OS? I checked my installs, which were Windows 10 Pro 64-bit and Windows Home 64-bit, and the install dates were correct: Dec. 2016 and April 2017. But since the install disks were newer, I speculate that the update that tripped your dates and times was already on the OS I installed, although the Pro was prior to Feb 2017. At least the new Redstone 3 "Creators Update" that installed just earlier this week did not muck up the install dates and times. J. Jones

Susan Bradley (2017-02-28, http://www.patchmanagement.org):
Just to state for the record, when any "feature" release is installed, it will indeed wipe out and start over the log files. All event logs from before the feature release are wiped and placed in the windows.old folder on the system. Not exactly the most forensically nice way to do it. Also be aware that the Windowsupdate.log file is historically and horrifically now unreliable, as they don't publish the symbol files. The Get-WindowsUpdate PowerShell command may post out unusable output.

Anonymous (2017-02-27):
Hi Mari! I believe we may have been in class together at some point at Champlain. Regardless, thanks for the heads up with this!

H. Carvey (2017-02-26):
So, some more thoughts on your post, specific to the value of historical data on systems...

1. For Windows 10 systems, the LastWrite time for the "Windows NT\CurrentVersion" key is now something that is of interest.

2. VSCs and RegBack copies of the Software hive will perhaps now have more relevance.

3. Using EVTXtract will likely help recover *.evtx data, if the VSCs don't hold what you're looking for...

Again, thanks for sharing and continuing to lead within the community, by your example.

Anonymous (2017-02-21):
I have found this update/install artifact as well. In one system it started out as an XP box -> Win7 and finally Win10 Home Edition. I also used (always do) RegRipper and then timeline analysis, and saw major Windows Updates changing the installation date. Timeline analysis helped to point me in the right direction.

Mari DeGrazia (2017-02-20, 19:14):
I did create a timeline for the case in question, and one thing that tipped me off was the amount of entries located just prior with references to "C:/Windows/SoftwareDistribution/Download". However, it would not be uncommon for Windows to download something while it was installing, I suppose.

Another tipoff was the amount of entries in the timeline prior to the supposed install date. VSC for event logs is a great idea. Interestingly enough, Windows was nice enough to drop a copy of the old event logs in a Windows.old directory. However, I'm not sure how long the Windows.old directory sticks around, as it wasn't on all the systems I looked at. Throwing the registry entries for installed programs (uninstall_tln.pl) into the timeline may also help point out the inconsistencies that would show installed programs before an OS install date. I think a macro timeline of the software registry would be very helpful in detecting this.

H. Carvey (2017-02-20, 18:26):
Fascinating stuff, Mari! Great find, and thanks for sharing!

Do you think you would have found this if you had created a timeline and added the 'new' InstallDate to it? Do you think you would have seen the updates in the file system and Registry metadata?

Any thoughts on getting Windows Event Logs from, say, a VSC?

Thanks!
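Tying together Mari's point about installed programs that predate the OS InstallDate and the later comment on the "\Setup\Source OS" subkeys in the SYSTEM hive, here is an added Python example (not code from the blog or from any commenter) that cross-checks the three artifacts and flags a suspected InstallDate reset. All registry values below are constructed sample data; the assumption that the oldest Source OS subkey carries the original install date comes from that comment, and the value formats (epoch seconds under Windows NT\CurrentVersion, 'YYYYMMDD' strings under the Uninstall key) are standard Windows behaviour.

```python
from datetime import datetime, timezone

def epoch(y, m, d):
    """UTC Unix-epoch seconds, the form InstallDate takes under Windows NT\\CurrentVersion."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

def epoch_to_date(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).date()

def uninstall_date(s):
    """Uninstall-key InstallDate values are 'YYYYMMDD' strings; None if absent or malformed."""
    try:
        return datetime.strptime(s, "%Y%m%d").date()
    except (TypeError, ValueError):
        return None

def check_install_date(current_install, source_os, uninstall):
    """Cross-check the current InstallDate against Source OS subkeys and installed programs.

    current_install: epoch from SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate
    source_os: {subkey name: InstallDate epoch} from the SYSTEM\\Setup\\Source OS* subkeys
    uninstall: {DisplayName: InstallDate 'YYYYMMDD'} from the Uninstall key
    """
    current = epoch_to_date(current_install)
    # Any Source OS subkey older than the current InstallDate means the value was rewritten.
    earlier_os = sorted(ts for ts in source_os.values() if ts < current_install)
    # Programs installed before the OS supposedly existed are the timeline inconsistency.
    before = []
    for name, s in uninstall.items():
        d = uninstall_date(s)
        if d is not None and d < current:
            before.append(name)
    return {
        "current_install": current.isoformat(),
        # per the thread, the oldest Source OS subkey holds the original install date
        "original_install": epoch_to_date(earlier_os[0]).isoformat() if earlier_os else None,
        "feature_updates": len(source_os),
        "programs_before_install": sorted(before),
        "reset_suspected": bool(earlier_os or before),
    }

# Constructed sample values (not from any real system): a box installed Nov 2015,
# upgraded Aug 2016 and again Feb 2017; the last upgrade rewrote InstallDate.
SAMPLE_CURRENT = epoch(2017, 2, 15)
SAMPLE_SOURCE_OS = {
    "Source OS (Updated on xxxxxx) [Feb 2017 update]": epoch(2016, 8, 1),
    "Source OS (Updated on xxxxxx) [Aug 2016 update]": epoch(2015, 11, 20),
}
SAMPLE_UNINSTALL = {"7-Zip 16.04": "20161203", "Google Chrome": "20170301",
                    "Python 3.6": "20170210", "Notepad++": "bogus"}

if __name__ == "__main__":
    for k, v in check_install_date(SAMPLE_CURRENT, SAMPLE_SOURCE_OS, SAMPLE_UNINSTALL).items():
        print(f"{k}: {v}")
```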