setupapi.offline.log


trewmte
Senior Member
 

Re: setupapi.offline.log

Posted: Jun 07, 19 05:55

- keydet89
I haven't seen this before, but have you considered creating a timeline of system activity? I'd think that file system metadata, correlated with Windows Event Log and Registry metadata, might be very revealing, particularly with respect to what was going on on the system when the file was created or modified.


An uncommon event, but from experience of previous work on images/builds for new systems or updating older ones, it was found that the image that had been "baked" in the first instance was flawed (causing glitches and other device issues), after which the 3rd party went to site to make changes and modify certain .logs and files. This is where I thought this matter might be going.

Some of the .logs in my list above were compiled using tips and hints from one of your books, Harlan.

I did think later that including the following in the search for artifacts might also find leads at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall

and, as this is Windows 7, to look at 'AMCACHE':

C:\Windows\AppCompat\Programs
RecentFileCache.bcf
AEINV_PREVIOUS.xml
AEINV_WER_{MachineId}_YYYYMMDD_HHmmss.xml

The drawback here, of course, is that the OP couldn't answer whether the system had been controlled by system admin settings or any system maintenance tasks operating on the system, so these would need checking?
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

Cults14
Senior Member
 

Re: setupapi.offline.log

Posted: Jun 07, 19 09:00

- trewmte
The drawback here, of course, is that the OP couldn't answer whether the system had been controlled by system admin settings or any system maintenance tasks operating on the system, so these would need checking?


Yes, sorry about that, I've been somewhat snowed under. In reply to your questions, I really don't know. Our relationship with the 3rd party is not good; I'll ask the question but won't hold my breath for them even understanding the question.

Peter  
 
  

thefuf
Senior Member
 

Re: setupapi.offline.log

Posted: Jun 07, 19 16:04

- trewmte
and, as this is Windows 7, to look at 'AMCACHE':

C:\Windows\AppCompat\Programs
RecentFileCache.bcf
AEINV_PREVIOUS.xml
AEINV_WER_{MachineId}_YYYYMMDD_HHmmss.xml


Also, the Syscache hive and the "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System" key.  
 
  

Cults14
Senior Member
 

Re: setupapi.offline.log

Posted: Jun 07, 19 17:01

I have been advised as follows by one of our own people (not the 3rd party):

Sometimes the image is done via PXE/SCCM, sometimes it's had to be done via stand-alone media or a media boot USB, all of which are created by the 3rd party.

It does require a password to be entered to start the build; there is a built-in username and password to put the machine into the correct OU.

There are some BIOS changes that have to be made nowadays to put the machine into UEFI mode, and Secure Boot is enabled too as part of that.


Not sure where that takes me.  
 
  

trewmte
Senior Member
 

Re: setupapi.offline.log

Posted: Jun 09, 19 13:32

Unless you can confirm there is an alternative, the information below takes you to the point of Win7 system-operated privilege access rights. Changes to the system should be outside the scope of the ordinary laptop user's access to installing new SW, devices or drivers etc. onto the laptop, other than those permitted by the 3rd party baked image/build.

You mentioned in your first post:

- Cults14
There is a setupapi.offline.log which I have just started reading about, but there's a 2-year gap between its last entry and the first one in setupapi.dev.log.

And, the first entry in setupapi.offline.log is in 2011, which makes no sense as the Dell warranty didn't start until 2015. We're in a corporate environment where a 3rd party vendor tests and provides the standard images/builds.



Does your setupapi.offline.log look like this?

setupapi.offline.pdf - www.dropbox.com/s/gi5x...ffline.pdf

To avoid falling into investigation rabbit holes do you have in your possession or can you get a second DD of another similar laptop administered by the 3rd-party so you and your team can make a comparison of the .logs in question from the first laptop and see any parity with the second laptop?
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

Cults14
Senior Member
 

Re: setupapi.offline.log

Posted: Jun 09, 19 19:14

- trewmte
Changes to the system should be outside the scope of the ordinary laptop user's access to installing new SW, devices or drivers etc. onto the laptop, other than those permitted by the 3rd party baked image/build.


Indeed, but all our laptop users have Local Admin rights. Don't shoot the messenger.

- trewmte
Does your setupapi.offline.log look like this?

setupapi.offline.pdf - www.dropbox.com/s/gi5x...ffline.pdf

Nope 'fraid not.

- trewmte
To avoid falling into investigation rabbit holes do you have in your possession or can you get a second DD of another similar laptop administered by the 3rd-party so you and your team can make a comparison of the .logs in question from the first laptop and see any parity with the second laptop?


Re rabbit holes, absolutely agree. Re second DD image, one of my colleagues is building a new machine for me and I will make the DD image and make a comparison. However, if that doesn't clear things up (and I'm not sure exactly how it would, but let's not get further into that rabbit hole), I'm quite happy to point out the discrepancy, admit that I can't account for it, and suggest that if further investigation is required then a second opinion is sought. I don't like giving up but my cup floweth over with many competing priorities.
 
  

trewmte
Senior Member
 

Re: setupapi.offline.log

Posted: Jun 09, 19 20:17

- Cults14
- trewmte
Changes to the system should be outside the scope of the ordinary laptop user's access to installing new SW, devices or drivers etc. onto the laptop, other than those permitted by the 3rd party baked image/build.


Indeed, but all our laptop users have Local Admin rights. Don't shoot the messenger.


Ok this is a step forward that you can corroborate this now.


- Cults14
- trewmte
Does your setupapi.offline.log look like this?

setupapi.offline.pdf - www.dropbox.com/s/gi5x...ffline.pdf


Nope 'fraid not.


Fair enough, then perhaps provide a copy of your setupapi.offline.log with the 2011 entry. Then we can see if this is a red herring or might be a cause for genuine concern.


- Cults14
- trewmte
To avoid falling into investigation rabbit holes do you have in your possession or can you get a second DD of another similar laptop administered by the 3rd-party so you and your team can make a comparison of the .logs in question from the first laptop and see any parity with the second laptop?


Re rabbit holes, absolutely agree. Re second DD image, one of my colleagues is building a new machine for me and I will make the DD image and make a comparison. However, if that doesn't clear things up (and I'm not sure exactly how it would, but let's not get further into that rabbit hole), I'm quite happy to point out the discrepancy, admit that I can't account for it, and suggest that if further investigation is required then a second opinion is sought. I don't like giving up but my cup floweth over with many competing priorities.


Do you have in your possession a copy of the standard image/build from the 3rd party to do this (that is, from before the laptop had any use post image/build)?

I get what you are saying. Of course, not knowing the underlying issue of your case, whether it's about user laptop misuse, or a dispute, or something else, any info I am referring to is to deal with setup issues or errors etc.
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
