Way to find out how many times windows was reinstalled?

(@ebmetric)
Posts: 10
Active Member
Topic starter
 

Hi there,

Is there a way to find out how many times windows was reinstalled.

Bonus would be to find when exactly.

Thank you! )

 
Posted : 07/06/2018 10:24 am
(@ludlowboy)
Posts: 71
Trusted Member
 

I would start by checking for ‘windows.old’ folders. These are sometimes created when a new version of windows is installed.

 
Posted : 07/06/2018 11:43 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Hi there,
>
> Is there a way to find out how many times windows was reinstalled.
>
> Bonus would be to find when exactly.
>
> Thank you! )

Generally speaking, NO WAY.

All you normally have is the last time it was installed, in some cases (it depends on the context, on the actual method used for installation/re-install, and on the actual windows version) a folder windows.old containing the previous installation may be found, though.

jaclaz

 
Posted : 07/06/2018 11:50 am
(@ebmetric)
Posts: 10
Active Member
Topic starter
 

For example, I could try recover old windows/system32/config folder using r-studio and then use Windows registry recovery to check installation date and other information?

I have heard that with EnCase is possible to do something similar.

 
Posted : 07/06/2018 2:51 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> For example, I could try recover old windows/system32/config folder using r-studio and then use Windows registry recovery to check installation date and other information?
>
> I have heard that with EnCase is possible to do something similar.

It is unlikely that you will recover that folder, and even more unlikely that you will be able to recover a "sound" enough Registry file, and even if you recover a good enough Registry, that the information you seek is recoverable, and anyway it would not be IMHO "final" or even "reliable" evidence, particularly with Windows 10, see
https://www.raedts.biz/forensics/determining-windows-10-installation-date/
http://az4n6.blogspot.com/2017/02/when-windows-lies.html

but also previous versions may have "strange" dates/times because of BIOS time at install time, or use of sysprep, etc., see also
https://www.forensicfocus.com/Forums/viewtopic/t=15574/
http://www.forensicfocus.com/Forums/viewtopic/t=13178/
http://www.forensickb.com/2009/05/file-system-creation-date-vs-operating.html

jaclaz

 
Posted : 07/06/2018 4:29 pm
(@thefuf)
Posts: 262
Reputable Member
 

It could be possible to recover registry hives from a previous Windows installation. Try yarp-carver (https://github.com/msuhanov/yarp), it supports the reconstruction of fragmented hives.

 
Posted : 07/06/2018 7:14 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> It could be possible to recover registry hives from a previous Windows installation.

Sure it is possible, but highly unlikely.

Let's say you install windows "fresh" for the very first time on a brand new disk, for the sake of the reasoning let us assume you use a "default" partitioning (a single partition or a small "hidden" partition + the actual large partition for the OS)

The install will take - roughly - the first 16 GB of the large partition.

Then you fill the rest of the partition with your data.

At a given point you need/want to reinstall.

You have basically 3 (three) options (excluding the wiping of the disk or of the partition with the format without the /q)
1) backup the data, format the partition (quick) and reinstall windows
2) delete the \windows folder (and possibly some other specific OS folders) and reinstall windows
3) reinstall windows on the partition "as is" (and thus the OS will create the windows.old folder)

In case 1) the actual Windows files (that come from a "same" applied .wim, by a "same" setup command) will 99.99% occupy the same areas they did originally, overwriting the original install.

In case 2) it has to be seen, and it may depend on the actual level of fill of the filesystem, surely (again 99.99%) if the partition is filled up to the brim, and install sees only a 16 GB or so "free" chunk will install there, but I believe that even on a not-so-filled up the setup will choose to write on that same area.

In case 3) the files are not deleted and so you don't *need* to carve anything.

jaclaz

 
Posted : 07/06/2018 8:02 pm
(@armresl)
Posts: 1011
Noble Member
 

Your best reply may end up needing to be "yes Windows has been reinstalled, the exact number I can't state."

 
Posted : 07/06/2018 8:04 pm
(@thefuf)
Posts: 262
Reputable Member
 

> > It could be possible to recover registry hives from a previous Windows installation.
>
> Sure it is possible, but highly unlikely.
>
> Let's say you install windows "fresh" for the very first time on a brand new disk, for the sake of the reasoning let us assume you use a "default" partitioning (a single partition or a small "hidden" partition + the actual large partition for the OS)
>
> The install will take - roughly - the first 16 GB of the large partition.
>
> Then you fill the rest of the partition with your data.
>
> At a given point you need/want to reinstall.
>
> You have basically 3 (three) options (excluding the wiping of the disk or of the partition with the format without the /q)
> 1) backup the data, format the partition (quick) and reinstall windows
> 2) delete the \windows folder (and possibly some other specific OS folders) and reinstall windows
> 3) reinstall windows on the partition "as is" (and thus the OS will create the windows.old folder)
>
> In case 1) the actual Windows files (that come from a "same" applied .wim, by a "same" setup command) will 99.99% occupy the same areas they did originally, overwriting the original install.
>
> In case 2) it has to be seen, and it may depend on the actual level of fill of the filesystem, surely (again 99.99%) if the partition is filled up to the brim, and install sees only a 16 GB or so "free" chunk will install there, but I believe that even on a not-so-filled up the setup will choose to write on that same area.
>
> In case 3) the files are not deleted and so you don't *need* to carve anything.
>
> jaclaz

Backup hives from the RegBack folder are rotated frequently. Since files in this folder are created and deleted, they are likely to survive longer.

 
Posted : 07/06/2018 9:41 pm
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
 

> > It could be possible to recover registry hives from a previous Windows installation.
>
> Sure it is possible, but highly unlikely.
>
> jaclaz

I very rarely disagree with you, but this is one of those times. If we assume a HDD rather than a SSD is in play (never mind an unsophisticated user), we have been quite successful rebuilding Registries from previous Windows installations. This exact situation is one of the reasons we built Registry Recon, so we would have a solution for quickly (programmatically) associating and rebuilding hives from unallocated space and other locations in order to browse through Registries from previous Windows installations. Our typical use cases for this situation at Arsenal involve either IT departments that re-imaged computers before corporate HR and/or legal realized there was a problem with a former employee, and former employees that re-installed Windows just prior to returning their computer to the company.

We know of at least one police department that uses our tool for a similar purpose as well… believe it or not, to get stolen laptops back in the hands of their rightful owners.

Here's a relevant screenshot from a few years back

https://twitter.com/ArsenalArmed/status/637356151856852992

thefuf can probably share his experience with the volume of Registry hives recovered from unallocated space in his cases… once you have enough, you can do amazing things. Well, sometimes even if you just have a single hive from unallocated space (or VSCs, or hibernation, or crash dumps, or…) you can do amazing things. 😉

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

 
Posted : 08/06/2018 5:17 pm
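The posts above by thefuf (yarp-carver) and Arsenal (Registry Recon) both turn on the same first step: locating hive headers in unallocated space and dating them. The script below is an added example for this thread, not code from yarp, Registry Recon or any poster. It scans a byte blob for the 512-byte "regf" base block that begins every hive primary file, checks the block's XOR-32 checksum so stray "regf" strings are discarded, and reports each hit's embedded hive name, last-written FILETIME and sequence-number state. The field offsets follow the publicly documented REGF base-block layout; the "image" it scans is constructed in the script (the hive names and dates are made up), and the grouping function is only a lead, since, as thefuf notes, RegBack rotation also leaves multiple copies of the same hive.

```python
"""Find Windows registry hive base blocks ("regf") in a raw image.

Added example for this thread; not code from yarp, Registry Recon or any poster.
Every hive primary file (SYSTEM, SOFTWARE, NTUSER.DAT, ...) starts with a
512-byte base block carrying the hive's name, its last-written FILETIME and
two sequence numbers. Finding sound base blocks in unallocated space is what a
hive carver does first; this script stops there and dates the candidates.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

REGF_SIG = b"regf"
BASE_BLOCK_SIZE = 512
CHECKSUM_OFFSET = 0x1FC
NAME_OFFSET, NAME_SIZE = 0x30, 64          # UTF-16LE hive name/path (tail), 64 bytes
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; only used to build the sample image."""
    d = dt - _EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def base_block_checksum(block: bytes) -> int:
    """XOR-32 of the 127 DWORDs before the checksum field at 0x1FC.
    The format stores 0xFFFFFFFF as 0xFFFFFFFE and 0 as 1."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        x ^= dword
    return {0xFFFFFFFF: 0xFFFFFFFE, 0: 1}.get(x, x)


def parse_base_block(block: bytes) -> Optional[dict]:
    """Return the base-block fields, or None if this is not a sound hive header."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != REGF_SIG:
        return None
    if struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0] != base_block_checksum(block):
        return None  # "regf" bytes without a valid header (random data or damage)
    (primary_seq, secondary_seq, last_written, major, minor,
     file_type, _fmt, _root, _hbins, _cluster) = struct.unpack_from("<IIQIIIIIII", block, 4)
    raw_name = block[NAME_OFFSET:NAME_OFFSET + NAME_SIZE]
    name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "name": name,
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "file_type": file_type,                 # 0 = primary file, 1 = transaction log
        "dirty": primary_seq != secondary_seq,  # unequal sequence numbers: unfinished write
    }


def carve_base_blocks(image: bytes) -> list:
    """Scan the whole blob for valid base blocks, recording where each was found."""
    hits = []
    off = image.find(REGF_SIG)
    while off != -1:
        info = parse_base_block(image[off:off + BASE_BLOCK_SIZE])
        if info:
            info["offset"] = off
            hits.append(info)
        off = image.find(REGF_SIG, off + 1)
    return hits


def distinct_hives(hits: list) -> dict:
    """Group distinct last-written times by hive file name. Several SYSTEM
    headers with different dates may point at prior installs, but RegBack
    copies give the same picture, so treat the count as a lead, not an answer."""
    groups: dict = {}
    for h in hits:
        key = h["name"].rsplit("\\", 1)[-1].upper()
        groups.setdefault(key, []).append(h["last_written"])
    return {k: sorted(set(v)) for k, v in groups.items()}


def build_base_block(name: str, last_written: datetime, primary: int, secondary: int) -> bytes:
    """Construct a minimal, checksum-valid base block (sample data only)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = REGF_SIG
    struct.pack_into("<IIQIIIIIII", block, 4, primary, secondary,
                     datetime_to_filetime(last_written), 1, 5, 0, 1, 0x20, 0x1000, 1)
    block[NAME_OFFSET:NAME_OFFSET + NAME_SIZE] = name.encode("utf-16-le").ljust(NAME_SIZE, b"\x00")
    struct.pack_into("<I", block, CHECKSUM_OFFSET, base_block_checksum(bytes(block)))
    return bytes(block)


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: an older SYSTEM header, a decoy
    "regf" string, a SOFTWARE header, a dirty SYSTEM header and a RegBack-style
    copy of the current SYSTEM hive. Names and dates are made up."""
    pad = lambda b: b.ljust(4096, b"\x00")
    old = datetime(2016, 3, 2, 8, 15, tzinfo=timezone.utc)
    new = datetime(2018, 6, 7, 10, 24, tzinfo=timezone.utc)
    img = b"\x00" * 4096
    img += pad(build_base_block(r"config\SYSTEM", old, 7, 7))
    img += pad(b"random data mentioning regf here")          # fails the checksum
    img += pad(build_base_block(r"config\SOFTWARE", new, 12, 12))
    img += pad(build_base_block(r"config\SYSTEM", new, 12, 11))  # primary != secondary
    img += pad(build_base_block(r"config\SYSTEM", new, 12, 12))  # RegBack copy
    return img


if __name__ == "__main__":
    found = carve_base_blocks(build_sample_image())
    for h in found:
        print(f"{h['offset']:#010x} {h['name']:<18} {h['last_written']:%Y-%m-%d %H:%M} dirty={h['dirty']}")
    for hive, dates in distinct_hives(found).items():
        print(hive, [d.date().isoformat() for d in dates])
```

To run it against a real image, replace build_sample_image() with the bytes of a raw partition or unallocated-space export; a hit whose checksum verifies and whose sequence numbers match is the strongest candidate to hand to a full carver, while a dirty or log-type block (file_type 1) needs its transaction logs before the contents can be trusted.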