Tuesday, June 17, 2008

Determining the OS version from an image

I was perusing the ForensicWiki list of recently added pages this evening and ran across an interesting page/placeholder titled, Determining OS version from an evidence image. The section on Windows systems was...well...empty. I had blogged on this a bit ago, but thought that I'd add a couple of things that might be of help...

From the image, locate the Windows (or WinNT)\system32\config directory and extract the Software hive file...you can easily parse this using RegRipper. What you're most interested in is the contents of the Microsoft\Windows NT\CurrentVersion key, in particular values such as ProductName and BuildLab (if available).

To see the version of Windows you're working with, locate the %WinDir%\system32\ntoskrnl.exe file and check the file version information...this is how osid.pl works with memory dumps.

In order to determine the type of XP (Home or Pro) you're working with, check the %WinDir%\system32\prodspec.ini file.
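As an added illustration (not from the post, RegRipper or osid.pl): a small Python script that combines the CurrentVersion values, assumed to have already been pulled from the Software hive with RegRipper and passed in as a dict, with the contents of prodspec.ini, and flags any field where the two sources disagree. The prodspec.ini section layout and every sample value below are constructed for the example.

```python
import configparser
import re

# Constructed sample prodspec.ini (section layout assumed; not taken from the post).
SAMPLE_PRODSPEC = """[Product Specification]
Product=Windows XP Professional
Version=5.1
Localization=English
ServicePackNumber=0
"""

# Constructed sample of values under SOFTWARE\Microsoft\Windows NT\CurrentVersion,
# as RegRipper would report them from the extracted Software hive.
SAMPLE_CURRENTVERSION = {
    "ProductName": "Microsoft Windows XP",
    "CurrentVersion": "5.1",
    "CurrentBuildNumber": "2600",
    "CSDVersion": "Service Pack 2",
    "BuildLab": "2600.xpsp_sp2_gdr.CONSTRUCTED",
}

def parse_prodspec(text):
    """Parse prodspec.ini text into a dict of the [Product Specification] keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["Product Specification"])  # configparser lower-cases the key names

def edition_from_prodspec(spec):
    """Return 'Home' or 'Professional' from the Product= line, else 'Unknown'."""
    product = spec.get("product", "")
    for edition in ("Home", "Professional"):
        if edition in product:
            return edition
    return "Unknown"

def service_pack_from_csd(csd):
    """Map CSDVersion ('Service Pack 2') to an integer; empty or absent means SP0."""
    m = re.search(r"Service Pack (\d+)", csd or "")
    return int(m.group(1)) if m else 0

def identify_os(currentversion, prodspec_text):
    """Merge both sources; the registry decides the SP level, prodspec.ini the edition."""
    spec = parse_prodspec(prodspec_text)
    sp_registry = service_pack_from_csd(currentversion.get("CSDVersion"))
    sp_ini = int(spec.get("servicepacknumber", "0"))
    result = {"product": currentversion.get("ProductName"),
              "edition": edition_from_prodspec(spec),
              "version": currentversion.get("CurrentVersion"),
              "build": currentversion.get("CurrentBuildNumber"),
              "build_lab": currentversion.get("BuildLab"),
              "service_pack": sp_registry, "discrepancies": []}
    if sp_ini != sp_registry:  # the mismatch David describes in the comments
        result["discrepancies"].append(f"prodspec.ini ServicePackNumber={sp_ini} but CSDVersion says SP{sp_registry}")
    if spec.get("version") != currentversion.get("CurrentVersion"):
        result["discrepancies"].append("prodspec.ini Version differs from CurrentVersion")
    return result

if __name__ == "__main__":
    for k, v in identify_os(SAMPLE_CURRENTVERSION, SAMPLE_PRODSPEC).items():
        print(f"{k}: {v}")
```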

Hope that helps...

5 comments:

Anonymous said...

You've come up with some great information, Harlan. Would you mind adding it to the wiki? Would you mind if I added it?

H. Carvey said...

Hold on...wait...Jesse reads my blog??!!?

Yeah, sure, I'll update the ForensicWiki.... ;-)

Unknown said...

Hi Harlan,

Good info, as always - thanks, but just wanted to point out, for anyone manually checking prodspec.ini, that the info it contains can be a little misleading. On two of my Windows XP Pro SP2 systems prodspec.ini contains the string "ServicePackNumber=0". The correct info is in the Microsoft\Windows NT\CurrentVersion key, which you reference too. A good example of why examiners should look to corroborate info using multiple sources. Any idea why the discrepancy?

David.

H. Carvey said...

Dave,

This is why I *only* mention that file with respect to determining whether the XP install is home or pro...

Anonymous said...

I also like to check the boot.ini, although it can be edited.