Security Basics mailing list archives

Re: Checking when the OS was first installed


From: "Greg Stiavetti" <stiavetti () rentoneonline com>
Date: Tue, 24 May 2005 09:38:18 -0700

You can check the date of the OS installation by examining the properties of "C:\documents and settings" (amongst many other places) for the "created" date and time.

If the OS was cloned it can be impossible to tell unless you have the original for comparison. If you do, the SIDs will be non-unique.

Besides Ghost, check out Altiris; they make excellent deployment tools.

My favorite method of cloning is to use hardware RAID 1 and let the controller mirror the installation. Even works with RAID 5 volumes.

For information on RestorePoint, you should RTFM the help screens. Beyond that, know that it CANNOT be relied upon to work correctly; in a pinch it will fail.

----- Original Message -----
From: "ricci" <ricci () cs ust hk>
To: <security-basics () securityfocus com>
Sent: Monday, May 23, 2005 5:07 PM
Subject: Checking when the OS was first installed


Hello All,

I was given a Windows XP Pro bootup hard disk for verification of its first
installation date. What information can I verify when the hard disk was
first installed?

Secondly, if the OS was cloned and reproduced from another source, how can I
verify that? Other than Norton Ghost, what other tools could be used for
duplicating the hard disk? Besides, if I got a hard disk how can I verify
what software (for cloning) has been used?

In a Windows XP platform, what is the use of Windows XP RestorePoint? What
information can I collect from the RestorePoint? Is that related to backup
information?

Thanks.

Ricci
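
The check described in the reply (the "created" date of "C:\documents and settings", amongst other places), as an added example that is not part of the original post. It assumes the disk under examination is mounted read-only on an analysis workstation as E:; the drive letter and every folder in the list other than "Documents and Settings" are assumptions.

```powershell
# Added example: compare "created" timestamps of folders that Windows XP setup
# normally creates, read from an evidence volume mounted read-only.
param(
    [string]$Root = 'E:\'   # assumed mount point of the disk under examination
)

# Only the first entry is named in the post; the others are assumed
# install-time folders used for cross-checking.
$candidates = @(
    'Documents and Settings',
    'WINDOWS',
    'WINDOWS\system32',
    'Program Files'
)

$results = foreach ($rel in $candidates) {
    $path = Join-Path -Path $Root -ChildPath $rel
    # -Force returns hidden/system items; paths that do not exist are skipped
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    [pscustomobject]@{
        Path       = $item.FullName
        CreatedUtc = $item.CreationTimeUtc
    }
}

if (-not $results) {
    Write-Error "No candidate paths found under $Root"
    return
}

# Oldest first, so the earliest timestamp is the first row
$sorted = @($results | Sort-Object CreatedUtc)
$sorted | Format-Table -AutoSize

$spread = $sorted[-1].CreatedUtc - $sorted[0].CreatedUtc
"Earliest creation time (UTC): {0:u}" -f $sorted[0].CreatedUtc
"Spread across candidates:     {0}" -f $spread
if ($spread.TotalHours -gt 24) {
    "Timestamps differ by more than a day; do not rely on a single folder."
}
```

A sector-level clone carries the source volume's timestamps with it, so on a cloned disk these values date the original installation rather than the copy.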


