setupapi.offline.log


Cults14
Senior Member

setupapi.offline.log

Posted: Jun 05, 19 20:16

Hello

I have sometimes seen contextually small and recently created setupapi.dev.log files, but they always had a larger "cousin" or predecessor.

I recall that setupapi.dev.log would be renamed when it reached a certain size (although I don't recall what that size was) and a new setupapi.dev.log was created, carrying on from where the old file left off. I also don't recall the exact formatting of the modified filename, but it started with setupapi and was located alphabetically adjacent to setupapi.dev.log in the \Windows\Inf folder.

I'm now looking at a DD image of a Win7 Enterprise system where setupapi.dev.log is only 476 bytes; the first entry is dated 17th April 2019, but the computer has been in use for a lot longer than that. And the "cousin" isn't present.

There is a setupapi.offline.log which I have just started reading about, but there's a 2-year gap between its last entry and the first one in setupapi.dev.log. And the first entry in setupapi.offline.log is in 2011, which makes no sense as the Dell warranty didn't start until 2015. We're in a corporate environment where a 3rd party vendor tests and provides the standard images/builds.

Has anyone come across this before and have any idea what possible causes there could be (other than manually deleting the renamed setupapi.dev.log, which is always a possibility)?

One of the results of this is that I am currently unable to see when devices were first installed using my normal process (as per SANS and others).

Look forward to replies :)

Peter

trewmte
Senior Member

Re: setupapi.offline.log

Posted: Jun 06, 19 08:04

Cults14 wrote:
    I'm now looking at a DD image of a Win7 Enterprise system
    We're in a corporate environment where a 3rd party vendor tests and provides the standard images/builds


Just to clarify. Server or Desktop PC?
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

Cults14
Senior Member

Re: setupapi.offline.log

Posted: Jun 06, 19 08:08

It's a laptop.

I've never come across Win7 Enterprise servers...
 
  

trewmte
Senior Member

Re: setupapi.offline.log

Posted: Jun 06, 19 08:14

Cults14 wrote:
    It's a laptop


Do you know if there are any system maintenance tasks operating on the system?
 
  

Cults14
Senior Member

Re: setupapi.offline.log

Posted: Jun 06, 19 08:17

No, I don't know. Sorry to confess my ignorance, but what kind of tasks would I be looking for and how would I find out? Am happy to be pointed in the direction of the well rather than being led to drink.
 
  

trewmte
Senior Member

Re: setupapi.offline.log

Posted: Jun 06, 19 08:40

Cults14 wrote:
    Am happy to be pointed in the direction of the well rather than being led to drink

:D

Please correct if wrong/inaccurate (remember I know nothing of your circumstances other than those in your post)

The impression from your post is that this is a stand-alone device not administered by the organisation's system administrator or by RSAT.

Please confirm how image/build occurred:

1) 'Grub' on micro-card needed at power up: password and other credentials to assist the machine to download the image/build from a local or distant server?

2) Set-up network connection to local/distant server?

3) image/build transferred from physical-connect device?

4) Some other method?

If you cannot answer any of the above questions, then in the alternative can you provide content (e.g. from the files below) which might give a clue during any rollback:

- setupmem.dmp
- .evtx file/s
- setupapi.app.log
- setupapi.dev.log
- setupapi.offline.log
- setupact.log
- setuperr.log
- DISM.log
- CBS.log
- cbs.unattended.log
- Sessions.log

Is this post connected to the exchanges of views in an earlier post at FF of yours? https://www.forensicfocus.com/Forums/viewtopic/t=12079/postdays=0/postorder=asc/start=0/
 
  

keydet89
Senior Member

Re: setupapi.offline.log

Posted: Jun 06, 19 20:44

Cults14 wrote:
    Has anyone come across this before and have any idea what possible causes there could be (other than manually deleting the renamed setupapi.dev.log, which is always a possibility)?


I haven't seen this before, but have you considered creating a timeline of system activity? I'd think that file system metadata, correlated with Windows Event Log and Registry metadata, might be very revealing, particularly with respect to what was going on on the system when the file was created or modified.  
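Putting the original question (when was each device first installed, and how much of the machine's life this log cannot show) and the timeline suggestion above into code, as an added example that is not from any poster in this thread: it parses the Windows 7 setupapi.dev.log section layout, takes the earliest "Device Install" entry per device instance ID, and reports how many days of believed use precede the log's first entry. The sample log and the 2015 in-use date are constructed, and `parse_sections`, `first_install_per_device` and `coverage_gap_days` are names chosen here.

```python
import re
from datetime import datetime

# Constructed sample in the Windows 7 setupapi.dev.log section layout (not from the thread).
SAMPLE_LOG = r"""
[BeginLog]
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567890123]
>>>  Section start 2019/04/17 09:12:03.457
<<<  Section end 2019/04/17 09:12:05.120

>>>  [Device Install (Hardware initiated) - USB\VID_0951&PID_1666\0014780A2B3C4D5E6F]
>>>  Section start 2019/05/02 14:40:11.002
<<<  Section end 2019/05/02 14:40:12.551

>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567890123]
>>>  Section start 2019/05/20 08:01:44.310
<<<  Section end 2019/05/20 08:01:45.001
"""
# A section is a ">>>  [<name>]" header line followed by ">>>  Section start <timestamp>".
HEADER_RE = re.compile(r"^>>>\s+\[(?P<section>[^\]]+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
TS_FMT = "%Y/%m/%d %H:%M:%S.%f"

def parse_sections(text):
    """Return (section_name, start_time) for every section in the log text."""
    sections, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("section")
            continue
        m = START_RE.match(line)
        if m and current is not None:
            sections.append((current, datetime.strptime(m.group("ts"), TS_FMT)))
            current = None
    return sections

def first_install_per_device(sections):
    """Earliest 'Device Install' section start per device instance ID (the part after ' - ')."""
    first = {}
    for name, ts in sections:
        if name.startswith("Device Install") and " - " in name:
            dev = name.split(" - ", 1)[1]
            first[dev] = min(ts, first.get(dev, ts))  # keep the earliest sighting
    return first

def coverage_gap_days(sections, in_use_since):
    """Days from the believed in-use date (YYYY/MM/DD) to the log's earliest entry; large = history missing."""
    return (min(ts for _, ts in sections) - datetime.strptime(in_use_since, "%Y/%m/%d")).days
```

A non-zero gap is the cue to go looking for the rotated predecessor, the offline log, and the Registry and Event Log timestamps that bracket the file's creation.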
 
