setupapi.offline.log (Forensic Focus forum thread, page 3 of 3)


Cults14 (Senior Member)
Re: setupapi.offline.log
Posted: Jun 10, 19 10:39

- trewmte
Fair enough, then perhaps provide a copy of your setupapi.offline.log with the 2011 entry. Then we can see if this is a red-herring or might be a cause for genuine concern.

My mistake, I was looking at the wrong file when I replied; apologies for my sloppiness.

Yes they look similar. The first page looks the same, and there is an entry in both which is the same:
<<< Section end 2011/04/12 00:44:54.940
<<< [Exit status: SUCCESS]

At that point the two files diverge.

Hope that helps

Peter

trewmte (Senior Member)
Re: setupapi.offline.log
Posted: Jun 11, 19 09:28

Ok, then using the .log I posted there is nothing suspicious in that .log at all. It demonstrates first installation and then additional events that occurred thereafter.

Michael Sonntag (Windows Forensics) refers to C:\Windows\inf\setupapi.offline.log as "Initial installation" and "Remains during an OS upgrade".

I looked at a number of setupapi.offline.logs and all had entries prior to the date of purchase etc., and all showed post events in line with purchase/warranties/etc.


- Cults14
Yes they look similar. The first page looks the same, and there is an entry in both which is the same:
<<< Section end 2011/04/12 00:44:54.940
<<< [Exit status: SUCCESS]


The identical timestamp might tell you something if that is in your setupapi.offline.log: that the event is common and not unusual.

You may also want to consider the whole entry and not just the section end. If this helps, a record of an event is formatted:

>>> [section_title - instance_identifier]
>>> time_stamp Section start
section body log entry
section body log entry
section body log entry
<<< [time_stamp: Section end]
<<< [Exit Status(status_value)]


- Cults14
At that point the two files diverge.


Yup, and why I asked to see your .log as I already know what is in mine.


I think Harlan's comments to you about "timeline" would be worth pursuing to sort 'wheat from the chaff' (see en.wikipedia.org/wiki/Matthew_3:12, Analysis section).

In your timeline you might think it helpful to have parameters:

1) timestamps of .logs and files
2) timestamps of entries in .logs and files.

As further observations arising from your original post:

- Cults14
I'm now looking at a DD image of a Win7 Enterprise system where setupapi.dev.log is only 476 bytes, the first entry is dated 17th April 2019 but the computer has been in use for a lot longer than that. And the "cousin" isn't present


.logs can be set for levels of events that are logged (so to speak).

Maybe check to see if the example entries (or similar) below are in the registry and determine the logging level values.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\LogLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
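As an added example (not code from the thread or either poster), here is a small Python parser for the section layout quoted in the post above, plus a helper that reports the first section at which two such logs diverge, which is the kind of comparison Cults14 described. The sample log text is constructed for illustration; the patterns assume the ">>> [title - instance]" / "Section start" / "Section end" / "[Exit status: ...]" layout quoted in the post and tolerate variable whitespace after the ">>>" and "<<<" markers.

```python
import re
from datetime import datetime
# Constructed sample in the layout quoted in the thread; not a real setupapi log.
SAMPLE_LOG = """\
>>>  [Setup Import Driver Package - c:\\windows\\inf\\usb.inf]
>>>  Section start 2011/04/12 00:44:50.120
     cmd: setup.exe
<<<  Section end 2011/04/12 00:44:54.940
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - pci\\ven_8086&dev_1234]
>>>  Section start 2011/04/12 00:45:01.000
     dvi: Searching for hardware ID(s):
<<<  Section end 2011/04/12 00:45:03.500
<<<  [Exit status: FAILURE(0xe0000203)]
"""
# Second constructed file: identical first section, then the timestamps diverge.
OTHER_LOG = SAMPLE_LOG.replace("00:45:01.000", "00:45:02.000")

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
HEADER = re.compile(r"^>>>\s+\[(?P<title>.*?)(?: - (?P<instance>.*))?\]\s*$")
START = re.compile(r"^>>>\s+Section start " + TS)
END = re.compile(r"^<<<\s+Section end " + TS)
STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>.*)\]")
TS_FMT = "%Y/%m/%d %H:%M:%S.%f"
def parse_sections(text):
    """One record per >>> ... <<< section: title, instance, start/end, status, body."""
    sections, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"title": m["title"], "instance": m["instance"],
                   "start": None, "end": None, "status": None, "body": []}
            sections.append(cur)
        elif cur is None:
            continue  # banner lines before the first section header
        elif m := START.match(line):
            cur["start"] = datetime.strptime(m["ts"], TS_FMT)
        elif m := END.match(line):
            cur["end"] = datetime.strptime(m["ts"], TS_FMT)
        elif m := STATUS.match(line):
            cur["status"] = m["status"]
            cur = None  # the exit status line closes the record
        else:
            cur["body"].append(line.strip())
    return sections

def first_divergence(a, b):
    # Index of the first section whose title, instance, timestamps or status differ.
    key = lambda s: (s["title"], s["instance"], s["start"], s["end"], s["status"])
    return next((i for i, (x, y) in enumerate(zip(a, b)) if key(x) != key(y)), None)
```

Feeding each parsed record's start and end timestamps into a timeline gives the second of the two parameters trewmte lists (timestamps of entries), alongside the file timestamps themselves.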
 
