Thanks Ian and Keith, the event logs are indeed a good place to look in
NT/2000. I'm still struggling a bit with 95/98 though (as far as I can see
bootlog.txt is created the first time after setup and is thus copied over
along with the image without being written to again unless forced).

Kind regards,

Mac

>From: Keith Tyler <ktylerunicornfinancial.com>
>To: 'Mac Macavity' <mac_macavityhotmail.com>, forensicssecurityfocus.com
>Subject: RE: Installation date of Windows image
>Date: Thu, 28 Mar 2002 12:02:46 -0500
>
>I don't think there would be a time stamp on anything that would show you
>when it was first booted up. However depending on the OS you may be able to
>tell when they booted up the machine and how many times. In winnt you can
>check the event viewer, provided the logs haven't been overwritten yet. In
>win95/98 it may have file called bootlog.txt in the root of c:
>
>
>-Regards
>
>Keith

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail.
http://www.hotmail.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]