Find out Windows installation date

There are many ways to determine when a Windows operating system was installed on a machine. In this post you will find some examples.

The installation date is very important during a forensic investigation, because it lets you quickly establish when the Windows operating system was installed on the analyzed machine.

Please bear in mind that on Windows 10 this date can refer to the last major update (e.g. the Creators Update) rather than the original installation.

      1. Extraction from the Windows registry with PowerShell:

        The date and time can be read directly from the registry value:

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

        The value “InstallDate” is expressed as UNIX time, i.e. the number of seconds elapsed since 1 January 1970 (UTC).
        You can obtain a readable value with PowerShell by writing:

        $date = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' | select -ExpandProperty InstallDate

        The variable $date now contains the installation datetime in UNIX time. To convert it into a human readable format in the same PowerShell session, write:

        (Get-Date "1970-01-01 00:00:00.000Z") + ([TimeSpan]::FromSeconds($date))

        Now you have a human readable installation date and time (note that Get-Date returns it in the local time zone of the machine).

        Requirement: PowerShell
        OS: Windows 7+

        Extracting from Windows registry with Powershell
      2. Using systeminfo via CMD:

        Systeminfo displays configuration information about a computer and its operating system, including the Original Install Date. To extract the installation date, open a cmd and type:

        systeminfo | find /i "original"

        Please note that this filter relies on the English string “Original Install Date”: if your OS language is not English, the label is different and you may not find anything.
        Requirement: cmd
        OS: Windows XP+

      3. Using WMI via PowerShell:

        It is also possible to extract the installation date and time with WMI, which stands for “Windows Management Instrumentation”. Open a PowerShell window and write this command:

        ([WMI]'').ConvertToDateTime((Get-WmiObject Win32_OperatingSystem).InstallDate)

        With this command you get the installation date in a human readable format.
        Requirement: PowerShell
        OS: Windows 7+

      4. Client Side Cache folder on Windows 10:

        On Windows 10, all the methods listed above may return the date of the last major update (e.g. the Creators Update) rather than the original installation date.
        A nice way to find the closest thing to the original installation date on a Windows 10 system is to look at the “last write time” of the Client Side Cache folder, which you can do with PowerShell:

        Get-Item C:\Windows\CSC\

        The “Last Write Time” is one of the closest things to the original installation date of the system.
        Please refer also to this interesting discussion.

        Requirement: PowerShell
        OS: Windows 10
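The four sources above, as one added PowerShell example that is not code from the original post: it collects the registry, WMI and CSC timestamps in a single object and, going beyond the post, lists the previous installations that Windows 10 feature updates record under HKLM:\SYSTEM\Setup, so all candidates can be compared side by side. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows 7+ and the default CSC location; Get-CimInstance is used in place of Get-WmiObject.

```powershell
# Added example (not from the original post): collect all the install-date
# candidates discussed above in one object so they can be compared side by side.
# Assumptions: elevated Windows PowerShell 5.1 / PowerShell 7 session, Windows 7+,
# CSC folder at its default location. Get-CimInstance replaces Get-WmiObject.
function Get-WindowsInstallDates {
    [CmdletBinding()]
    param(
        [string]$CscPath = (Join-Path $env:SystemRoot 'CSC')
    )

    $epoch = [DateTime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Method 1: registry InstallDate is UNIX seconds (UTC); shown here in local time.
    $regDate = $epoch.AddSeconds([int64]$cv.InstallDate).ToLocalTime()

    # Method 3: CIM already returns InstallDate as [DateTime], no ConvertToDateTime needed.
    $wmiDate = (Get-CimInstance -ClassName Win32_OperatingSystem).InstallDate

    # Method 4: CSC folder timestamps survive Windows 10 feature updates.
    $csc = Get-Item -LiteralPath $CscPath -ErrorAction SilentlyContinue
    $cscCreated = if ($csc) { $csc.CreationTime } else { $null }
    $cscWritten = if ($csc) { $csc.LastWriteTime } else { $null }

    # Beyond the post: each Windows 10 feature update copies the previous
    # CurrentVersion values into HKLM:\SYSTEM\Setup\Source OS (Updated on ...),
    # so the oldest InstallDate found there is the best original-install candidate.
    $previous = Get-ChildItem -Path 'HKLM:\SYSTEM\Setup' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Source OS*' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            $d = if ($p.InstallDate) { $epoch.AddSeconds([int64]$p.InstallDate).ToLocalTime() } else { $null }
            [PSCustomObject]@{ Key = $_.PSChildName; ProductName = $p.ProductName; InstallDate = $d }
        } | Sort-Object InstallDate

    [PSCustomObject]@{
        ProductName          = $cv.ProductName
        CurrentBuild         = $cv.CurrentBuild
        RegistryInstallDate  = $regDate
        WmiInstallDate       = $wmiDate
        CscCreationTime      = $cscCreated
        CscLastWriteTime     = $cscWritten
        PreviousInstallDates = $previous
    }
}

# Usage: print every candidate; on Windows 10 expect the CSC and "Source OS"
# dates to be earlier than RegistryInstallDate after a feature update.
Get-WindowsInstallDates | Format-List
```

When the registry, WMI and CSC values disagree, the earliest of them is the one to report as the original installation date, with the later ones documented as feature-update dates.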

If you use other methods to get the installation date, please share them in the comment box.


Extract GPS data from JPEG using imago

Nowadays many images contain GPS data. These data are useful to recall the exact position where a photo was taken, and social networks use them to suggest a location for your image.

GPS data can also be very useful during a digital investigation, because they give a lot of information about the place where the picture was shot.

With imago (https://github.com/redaelli/imago-forensics), a Python tool that I made, extracting GPS data from JPEG files is easy and fast.


[Note] Drive acquisition using dc3dd

In this quick tutorial we will use dc3dd to obtain a raw image of a hard drive. dc3dd was developed at the Department of Defense Cyber Crime Center and is a patched version of the GNU dd command with added features for computer forensics. One of its main characteristics is that its code comes from a fork of dd, so dc3dd is updated every time dd is updated. dc3dd also offers on-the-fly hashing with multiple algorithms (MD5, SHA-1, SHA-256 and SHA-512).

First of all you need to find the hard drive from which you want to create the forensic image, which you can do with fdisk using this parameter:

sudo fdisk -l

The output will be similar to the one in the screenshot below:

Output of fdisk -l

The device that will be acquired, indicated with a yellow arrow in the screenshot, is /dev/sdc1.

Finally we can run dc3dd, using these parameters:

sudo dc3dd if=/dev/sdc1 of=usb1_evidence_image.img hash=sha256 log=usb1_evidence.log

Explanation of the parameters:

if             => input file
/dev/sdc1      => source drive
of             => output file
hash           => on-the-fly hashing algorithm
log            => path of the log file

Then you will see the progress of dc3dd, like in the screenshot below:

dc3dd running output

After that, when dc3dd terminates, you will find the acquired image in the path indicated right after the parameter of=, and the log file (which contains the running output) in the path indicated right after the parameter log=. Furthermore, in the log file you will find the hash calculated for the image. An example of the content of the log file is shown in the screenshot below.

Log file of dc3dd