When working on fraud cases it is not uncommon to see people trying to hide their tracks. In some cases this means hiding files in a hidden folder; in other cases they replace the hard drive with a new one or reinstall the system. It is therefore important to be able to reliably determine the installation date of the operating system.
When examining a Windows system, the registry is the place to start. A number of registry keys tell you a lot about a system, and one that has always been relied on is the “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion” key.
This key holds a wealth of information about the system, including the install date and time. The InstallDate value is a REG_DWORD holding a Unix timestamp (seconds since 1970-01-01 00:00:00 UTC). In my case the value was 1493975877, which translates to 05-05-2017 09:17:57 UTC, or 11:17:57 in my time zone (GMT+2).
However, this date is wrong. The original installation of my system was on 29-07-2016 at 22:20 (just before the free upgrade to Windows 10 officially ended), and I did a “reinstall” of Windows on 18-03-2017 using the “Reset this PC” functionality of Windows 10. Why does the CurrentVersion key show a different date? Let’s try some other commonly used ways to determine the installation date of a system.
The systeminfo tool is regularly suggested. It only works on a running system, and it reads its information from the registry. Run the following command in a Command Prompt to show the original install date:
systeminfo | find /i "Install Date"
On my system this command outputs the following:
Again the wrong date is shown. This is not surprising: systeminfo simply reads the CurrentVersion key from the registry and therefore shows the same information as before.
Modifying the InstallDate value in the CurrentVersion key named above results in systeminfo displaying the modified date, confirming that the tool only reports what is in the registry.
Using WMI from PowerShell (the InstallDate property of the Win32_OperatingSystem class) shows the same information as the systeminfo tool. The following command can be used in PowerShell to display the installation date using WMI:
It is clear that WMI also gets its information from the registry.
Since the most common ways to determine the installation date all get their information from the same (incorrect) registry value, we need to resort to file system forensics.
When you install Windows a lot happens, but most importantly the file system is populated with a large number of files and folders. These files and folders carry a creation timestamp, which should correspond to the system time at the moment the system was installed.
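The following PowerShell is an added example, not code from the original article. It reads the InstallDate value the article describes from the CurrentVersion key, converts it from a Unix timestamp to UTC and local time, and places the CIM/WMI value (the one systeminfo prints as “Original Install Date”) next to it so the two sources can be compared directly. It assumes a live Windows 10 system; the function and property names are my own, and the optional InstallTime value (a FILETIME that Windows 10 keeps beside InstallDate) is only read when present.

```powershell
# Added example, not part of the original article.
# Assumes a live Windows 10 system; function and output property names are my own.

function Get-RegistryInstallDate {
    param(
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    )
    $cv = Get-ItemProperty -Path $Key

    # InstallDate is a REG_DWORD holding seconds since 1970-01-01 00:00:00 UTC.
    $epoch      = [DateTime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $installUtc = $epoch.AddSeconds([uint32]$cv.InstallDate)

    # Windows 10 also stores InstallTime as a REG_QWORD FILETIME; read it when present.
    $installTimeUtc = $null
    if ($null -ne $cv.InstallTime) {
        $installTimeUtc = [DateTime]::FromFileTimeUtc([int64]$cv.InstallTime)
    }

    [pscustomobject]@{
        UnixTimestamp    = $cv.InstallDate
        InstallDateUtc   = $installUtc
        InstallDateLocal = $installUtc.ToLocalTime()
        InstallTimeUtc   = $installTimeUtc
        ProductName      = $cv.ProductName
        ReleaseId        = $cv.ReleaseId
        CurrentBuild     = $cv.CurrentBuild
    }
}

function Compare-InstallDateSources {
    $reg = Get-RegistryInstallDate

    # Win32_OperatingSystem.InstallDate is what systeminfo prints as "Original Install Date".
    # Get-CimInstance already converts the CIM datetime string into a [DateTime].
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $cimUtc = $os.InstallDate.ToUniversalTime()

    [pscustomobject]@{
        RegistryInstallDateUtc = $reg.InstallDateUtc
        CimInstallDateUtc      = $cimUtc
        # More than a few seconds of difference means the two are not reading the same value.
        Agree                  = [math]::Abs(($reg.InstallDateUtc - $cimUtc).TotalSeconds) -lt 5
        ReleaseId              = $reg.ReleaseId
        CurrentBuild           = $reg.CurrentBuild
    }
}

Get-RegistryInstallDate    | Format-List
Compare-InstallDateSources | Format-List
```

On the system described in the article, Agree comes back true and both columns show the 05-05-2017 date: the comparison proves that WMI and the registry are one source, not two independent ones, which is exactly why a second, file-system-based source is needed.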
A good way to inspect the creation date of folders is FTK Imager. Once the suspect’s drive is added as an evidence item (in this case the physical drive of my own system), you can browse the file system and view the creation date of each folder. Selecting a folder makes FTK Imager show its properties in the bottom-left corner.
The creation date of the Windows folder ([ROOT]\Windows\) should indicate when the current installation of Windows was installed. Selecting this folder on my system reveals the following:
According to this information the Windows folder was created on 18-03-2017 at 11:40. This date corresponds with the date on which I reinstalled Windows using the built-in “Reset this PC” functionality of Windows 10.
The Users folder ([ROOT]\Users\) is also created at the time the system is installed. Selecting this folder reveals the following dates:
Again this date corresponds with the date of my reinstall.
When we check the profile folder of the main user ([ROOT]\Users\Username\), we get another date:
This time we get the 05-05-2017 date again, the same date the Windows registry reports.
The last folder we want to check is the ProgramData folder.
This folder has the same date as the Windows and Users folders, but a different time.
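As an added example (not part of the original article), the PowerShell below collects the creation timestamps of the folders inspected above, either from the live system drive or from an evidence volume mounted read-only under a drive letter that is passed as -Root. It also lists every profile folder under Users, because, as the Username folder above shows, profile folders do not necessarily share the creation date of their parent. The function name and the -Root parameter are my own.

```powershell
# Added example, not part of the original article.
# -Root is the volume to inspect: 'C:\' on a live system, or the drive letter of a
# read-only mounted evidence image. Function and parameter names are my own.

function Get-InstallFolderTimestamps {
    param(
        [string]$Root = 'C:\'
    )
    # Folders created by Windows setup itself.
    $paths = @('Windows', 'Users', 'ProgramData') |
        ForEach-Object { Join-Path -Path $Root -ChildPath $_ }

    # Profile folders are created at first logon rather than at install time, so list
    # them separately; -Force includes hidden ones such as Default and Public.
    $paths += @(Get-ChildItem -LiteralPath (Join-Path -Path $Root -ChildPath 'Users') `
                    -Directory -Force -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName)

    foreach ($path in $paths) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        [pscustomobject]@{
            Path          = $path
            # These are the $STANDARD_INFORMATION timestamps, the same ones FTK Imager
            # shows in its properties pane; reported here in UTC.
            CreatedUtc    = $item.CreationTimeUtc
            LastWriteUtc  = $item.LastWriteTimeUtc
            LastAccessUtc = $item.LastAccessTimeUtc
        }
    }
}

# Use the mounted evidence volume (for example 'E:\') instead of 'C:\' when working on an image.
Get-InstallFolderTimestamps -Root 'C:\' | Sort-Object CreatedUtc | Format-Table -AutoSize
```

Two caveats when reading the output. The timestamps are in UTC, so convert FTK Imager’s display to the same zone before comparing. And creation times read this way come from the $STANDARD_INFORMATION attribute, which any process with write access to the folder can rewrite; if timestomping is a possibility, compare them with the $FILE_NAME timestamps parsed from the MFT, which ordinary file APIs do not set.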
Determining the Windows 10 installation date
At this point we have two dates:
- According to the registry and the user’s profile folder, the installation date is 05-05-2017.
- According to the Windows, Users and ProgramData folders, the installation date is 18-03-2017.
At this point you might be asking yourself which date is correct, or rather what happened on 05-05-2017 to cause the discrepancy between the dates.
The answer is an update, in this case the Creators Update. Microsoft has released four major versions of Windows 10 to date (July 2017):
- 1507 – First release (29-07-2015)
- 1511 – November Update (10-11-2015)
- 1607 – Anniversary Update (02-08-2016)
- 1703 – Creators Update (05-04-2017)
These updates are actually upgrades that replace your complete Windows installation. After an upgrade you will find a folder called Windows.old in the root of the system drive, containing the old Windows installation. This folder is deleted when you run Disk Cleanup, or automatically once the rollback window expires (about a month on the first Windows 10 releases, ten days on recent ones).
This explains the strange 05-05-2017 date: it is probably the date on which the system was upgraded to the Creators Update. But in forensics you never “assume” anything. Let’s go back to the registry and see if we can find supporting evidence for this upgrade.
Back to the registry
In the registry there is another, lesser-known key that also contains information about installation dates.
The “HKLM\SYSTEM\Setup” key has subkeys named “Source OS (Updated on M/D/YYYY HH:MM:SS)”. Each of these is a backup of the CurrentVersion key taken before an upgrade or reinstall.
On my system there are four backup keys:
- Source OS (Updated on 5/5/2017 10:49:57)
- Source OS (Updated on 3/21/2017 21:59:36)
- Source OS (Updated on 8/7/2016 21:39:07)
- Source OS (Updated on 7/29/2016 22:33:01)
From this list we can see that Windows was replaced by another version at least four times. The contents of these keys are identical to the contents of a CurrentVersion key, so by looking at them we can determine which version was installed before each upgrade. All these keys contain a REG_DWORD value called “InstallDate” holding the Unix timestamp of when that installation was installed. Note that this timestamp will not match the date in the name of the Source OS key: the name records when the backup was taken, while the InstallDate inside it belongs to the installation that was about to be replaced, and the new installation only writes its own InstallDate afterwards. In this case the oldest key, from 29-07-2016 22:33:01, contained the InstallDate value 1469830847, which translates to 29-07-2016 22:20:47. Reading the keys from newest to oldest gives the following sequence of installations:
- 05-05-2017 upgrade from 1607 to 1703
- 21-03-2017 upgrade from 1607 to 1607
- 07-08-2016 upgrade from 1511 to 1607
- 29-07-2016 upgrade from W8.1 to W10 1511
- 29-07-2016 Initial installation of Windows 8.1
This tells us a lot about the system and its Windows installation. The system was originally installed on 29-07-2016 with Windows 8.1 and upgraded to Windows 10 the same day. This corresponds with my story about the system being installed and upgraded just before the free upgrade to Windows 10 officially ended. Also visible is my reinstall of Windows 10 using the “Reset this PC” functionality on 21-03-2017: the system was upgraded from 1607 to 1607, and because I chose to keep my personal files this information was preserved in the registry. The last upgrade, from 1607 to 1703, is the cause of the discrepancy between the actual installation date and the date stored in the registry.
In conclusion, this all shows that Windows 10 does things differently than you might be used to. It is wrong to assume that information is still stored in the same way. It is important to verify your findings and base your conclusions on multiple sources. In this case, determining the installation date of Windows 10 should be done on the basis of A. file system analysis, B. registry analysis and, if possible, C. log file analysis.
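The PowerShell below is an added example, not code from the original article. It automates the walk through the “Source OS (Updated on ...)” backup keys described above: for each key it parses the backup time out of the key name, reads the InstallDate, ProductName, ReleaseId and CurrentBuild of the installation that was replaced, and then appends the live CurrentVersion key so the whole upgrade history ends with the installation currently on disk. It assumes an elevated PowerShell session; for an offline image, the SYSTEM and SOFTWARE hives are loaded with reg load first (the HKLM\EvSYSTEM and HKLM\EvSOFTWARE names and the E:\ mount point are assumptions), and the function and parameter names are my own.

```powershell
# Added example, not part of the original article. Run as Administrator.
# For an offline image (assumed mounted at E:\), load the hives first:
#   reg load HKLM\EvSYSTEM   E:\Windows\System32\config\SYSTEM
#   reg load HKLM\EvSOFTWARE E:\Windows\System32\config\SOFTWARE
# then call with -SetupKey 'HKLM:\EvSYSTEM\Setup'
#           -CurrentVersionKey 'HKLM:\EvSOFTWARE\Microsoft\Windows NT\CurrentVersion'
# and 'reg unload' both names when done. Function and parameter names are my own.

function Get-WindowsUpgradeTimeline {
    param(
        [string]$SetupKey          = 'HKLM:\SYSTEM\Setup',
        [string]$CurrentVersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    )
    $epoch = [DateTime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)

    # Turn one CurrentVersion-shaped property bag into a timeline row.
    function New-Row([string]$Label, $BackupTaken, $Props) {
        $installUtc = $null
        if ($null -ne $Props.InstallDate) {
            $installUtc = $epoch.AddSeconds([uint32]$Props.InstallDate)   # REG_DWORD Unix time
        }
        [pscustomobject]@{
            Key              = $Label
            BackupTakenLocal = $BackupTaken        # from the key name; machine-local time, not UTC
            InstallDateUtc   = $installUtc         # install date of the OS that was replaced
            ProductName      = $Props.ProductName
            ReleaseId        = $Props.ReleaseId    # not present before Windows 10 1511
            CurrentBuild     = $Props.CurrentBuild
            EditionID        = $Props.EditionID
        }
    }

    $rows = @(Get-ChildItem -Path $SetupKey |
        Where-Object { $_.PSChildName -like 'Source OS (Updated on *' } |
        ForEach-Object {
            $taken = $null
            if ($_.PSChildName -match 'Updated on (.+)\)$') {
                # Key names follow the M/d/yyyy HH:mm:ss pattern; keep the raw text if parsing fails.
                $parsed = [DateTime]::MinValue
                if ([DateTime]::TryParseExact($Matches[1], 'M/d/yyyy HH:mm:ss',
                        [cultureinfo]::InvariantCulture,
                        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)) {
                    $taken = $parsed
                } else {
                    $taken = $Matches[1]
                }
            }
            New-Row -Label $_.PSChildName -BackupTaken $taken -Props (Get-ItemProperty -Path $_.PSPath)
        })

    # The live key describes the installation currently on disk.
    $rows += New-Row -Label 'CurrentVersion (current)' -BackupTaken $null `
                     -Props (Get-ItemProperty -Path $CurrentVersionKey)

    $rows | Sort-Object InstallDateUtc
}

Get-WindowsUpgradeTimeline |
    Format-Table Key, BackupTakenLocal, InstallDateUtc, ProductName, ReleaseId, CurrentBuild -AutoSize
```

Read the two time columns in different zones: BackupTakenLocal comes from the key name and is in the machine’s local time, while InstallDateUtc is UTC. On the article’s own figures the last backup was taken at 10:49:57 local (08:49:57 UTC at GMT+2) and the new 1703 installation wrote InstallDate 09:17:57 UTC, 28 minutes later, which is the expected order: a backup key always predates the InstallDate of the installation that replaced it.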
Note: All dates in this article are according to this format: DD-MM-YYYY.