Computer Imaged?


39 replies to this topic

#1 AH18 (Members, 23 posts)

Posted 08 October 2016 - 10:51 AM

I have an old Dell computer (2007) that I recently put back into service. I found some things that made me think that the hard drive had been imaged. I believe it was factory preinstalled with Windows XP but not sure. It has a password protected main user account that was mostly used while in service. It has another named user account that was rarely used and it has the hidden admin account and a blank user account (guest?). All these accounts have a "recent" folder. In the admin, named user, and (guest?) user recent folder, I see a shortcut to sysprep folder and a shortcut to wimbom, and a shortcut to wimbom(2) in that order. Would this be leftover from the Dell factory preinstall? When I attempt to see the details of the shortcuts, it says the files are no longer in that location so it won't show me dates. Is there any way to tell when a shortcut was added to recent files?

Thanks for all the help!



#2 AH18 (Topic Starter, Members, 23 posts)

Posted 08 October 2016 - 03:15 PM

Additionally, the shortcuts don't lead to anything. The files are in a different location or have been renamed. I get an error when I click on the shortcut or try to look at properties.

#3 Didier Stevens (BC Advisor, 2,685 posts)

Posted 08 October 2016 - 04:31 PM

Shortcut files (.lnk) have a (mostly) known data structure. I wrote a template for .lnk for the 010 Editor (a commercial hex editor).

 

.lnk files are like other files: they also have MAC times (https://en.wikipedia.org/wiki/MAC_times). So you can check these to see when the shortcut was created.

Keep in mind though that the MAC times are only correct if the system clock is also correct, and since you mention an old computer, this could not be the case.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 AH18 (Topic Starter, Members, 23 posts)

Posted 08 October 2016 - 08:57 PM

Thanks for the help. When I pull up properties info from the shortcut, I get an error message. Is there another way to figure it out? Something that my research did possibly figure out was that the former folder location was c\sysprep and the two winbom files were winbom.ink and winbom.log. I also read that the last thing sysprep does is delete the folder from C. Does this seem correct? If that was the case, it still leaves me confused. Is sysprep run on the new computer that the image goes to, or is it only run on the original?

#5 Didier Stevens (BC Advisor, 2,685 posts)

Posted 09 October 2016 - 04:54 AM

There are other ways, but please tell us first what the error message is.

 

The normal scenario is to run sysprep first, then image, then boot the new computer. But there's nothing that prevents you from running sysprep after imaging. It's not practical, but can be done.




#6 AH18 (Topic Starter, Members, 23 posts)

Posted 09 October 2016 - 10:44 AM

Error is- The folder c:\sysprep specified in the start box is not valid. Make sure that the folder exists and that the path is correct.

#7 AH18 (Topic Starter, Members, 23 posts)

Posted 09 October 2016 - 02:52 PM

I am learning as I go... I found a clonetag in the registry dated Jan 15, 2007. And I found out the admin account was created on August 16 of 2005 from using command prompt. How likely is this scenario: A computer was sysprepped by Dell in August 2005 without clearing the recents folder. They loaded the image on the new computer in Jan 2007, it contained the shortcuts from the 2005 original sysprep in the recents folder and gave the computer a clonetag of Jan 2007 since that was when the image was loaded? How could I verify this scenario if it was possible?

#8 AH18 (Topic Starter, Members, 23 posts)

Posted 09 October 2016 - 08:06 PM

I also did a date modified search for August 16, 2005, and under the search the shortcuts of winbom.ink, winbom.log and c:\sysprep from the recents folder all show up with the date modified as that date. Is that the date modified of the file or the date the shortcut was created? I also found the clonetag is the date the image was created. What scenario would put that date on those now missing folders if the clonetag was not until January 2007?

#9 MDD1963 (Members, 699 posts)

Posted 09 October 2016 - 09:41 PM

Is the goal to actually use/restore this old computer with a functioning Windows XP, complete with its now hopelessly outdated OS and browser? (Can't even install Chrome on XP anymore)

 

All this effort on whose login is where/functional, etc., for an OS that deserves at best an insta-nuke? Delete partition, throw on Linux Mint 17.3, be happy! :)


Asus Z270A Prime/7700K/32 GB DDR4-3200/GTX1060


#10 AH18 (Topic Starter, Members, 23 posts)

Posted 09 October 2016 - 10:44 PM

I am just using it for basics. My questions arise from weird shortcuts in the recents folder. Trying to figure out if they mean that the hard drive was copied or they are remnants from the original image.

#11 AH18 (Topic Starter, Members, 23 posts)

Posted 10 October 2016 - 01:02 AM

I can see how the admin was created in 2005, but if the clonetag was 2007, how could it show the shortcut to the files last modified in 2005? Wouldn't they show a mod date of 2007, when they were used for the image? If you use sysprep, wouldn't it change the date of the files? I feel like winbom.ink would be modified somehow.

#12 Didier Stevens (BC Advisor, 2,685 posts)

Posted 10 October 2016 - 06:45 AM

Error is- The folder c:\sysprep specified in the start box is not valid. Make sure that the folder exists and that the path is correct.

 

OK, that's because the file to where the shortcut is pointing is no longer there.

But there are other methods.

Are you familiar with the command line?




#13 AH18 (Topic Starter, Members, 23 posts)

Posted 10 October 2016 - 07:23 AM

Is that using cmd from run? If so, I have used it a little bit but don't know a ton about how to use it.

#14 Didier Stevens (BC Advisor, 2,685 posts)

Posted 10 October 2016 - 10:21 AM

You can print the MAC times of a .lnk file with my FileScanner tool.

Download the ZIP file from https://blog.didierstevens.com/2014/09/18/filescanner-exe-part-4/

Extract executable FileScanner-crt-x86.exe (I'm assuming your old machine is still 32-bit).

Copy file FileScanner-crt-x86.exe to the same folder as the .lnk file.

Open a command-line (cmd.exe) in the folder of the .lnk file.

Run this command: FileScanner-crt-x86.exe x.lnk

where you replace x.lnk with the name of the .lnk file.




#15 AH18 (Topic Starter, Members, 23 posts)

Posted 10 October 2016 - 12:36 PM

Great, thanks for the help. I don't think the actual file is still on the computer, only the shortcut to where the file used to be. The shortcut is in the recents folder. This tool will show the creation date of just the shortcut?



