jekautz
asked on
Proof of Software Installation
For legal reasons, I am required to provide evidence of when a software application was installed or uninstalled from a Windows 7 PC. We know the software was uninstalled about 4 years ago from Programs and Features.
What are some ways / methods / tools that I can use to find the existence of this software. Are there some obscure logs in Windows that record information that could help me? Anything in the registry?
What are some ways / methods / tools that I can use to find the existence of this software. Are there some obscure logs in Windows that record information that could help me? Anything in the registry?
ASKER
The software is custom made and is not public. It is only provided to organizations in a vertical market that need it. It was uninstalled through Programs and Features which leads me to believe that it must have registered with Windows in such a way as to appear there.
"For legal reasons"
How legal is this going to get? Before starting you may need to clone the machine as proof of how it was before forensic analysis. If this ends up in court you may need a Court approved investigator for any evidence to be admissible.
Hopefully we're looking at something less formal than this but just something you might need to consider.
Yes, installers and software all work slightly differently so knowing what package we're dealing with will make this a lot easier.
How legal is this going to get? Before starting you may need to clone the machine as proof of how it was before forensic analysis. If this ends up in court you may need a Court approved investigator for any evidence to be admissible.
Hopefully we're looking at something less formal than this but just something you might need to consider.
Yes, installers and software all work slightly differently so knowing what package we're dealing with will make this a lot easier.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks MASQ. I do have similar concerns. However, knowing the context and weight of the issue, I think it is unlikely to get too heavy as to need approved investigators and certified forensic analysis. If I only need to look at files on the drive then I might just attach the drive through a USB interface. If I need to interact with the OS software then I will likely clone it first.
I will try to find what installer was used but it's unlikely.
I will try to find what installer was used but it's unlikely.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
@MASQ, your command might have led me on the path. From the wmic output I found the name of the software in the results. The installed date seems to be around the right time, but there is no uninstalled date.
Other data that I took from the results led me to the installation path which was a temporary folder under content.ie5 and doesn't seem to contain any relevant files anymore.
I found an msi under Windows\Installer (the file name is only random numbers) and a GUID which has a folder and an exe under Windows\Installer\{GUID}. The exe file starts with an underscore followed by a long string of numbers and letters.
Since I think I have the GUID and the msi, could I go further and try to determine the uninstall date?
Other data that I took from the results led me to the installation path which was a temporary folder under content.ie5 and doesn't seem to contain any relevant files anymore.
I found an msi under Windows\Installer (the file name is only random numbers) and a GUID which has a folder and an exe under Windows\Installer\{GUID}. The exe file starts with an underscore followed by a long string of numbers and letters.
Since I think I have the GUID and the msi, could I go further and try to determine the uninstall date?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for all your good suggestions on how to find any remnants of software that was previously installed. I thought that I found the software I was searching for, but I was mistaken. All results were inconclusive, but we think that helps in this matter.
Can you provide any input about the actual software you're trying to prove? (name, etc?)