Tuesday, June 17, 2008

Determining the OS version from an image

I was perusing the ForensicWiki list of recently added pages this evening and ran across an interesting page/placeholder titled, Determining OS version from an evidence image. The section on Windows systems was...well...empty. I had blogged on this a bit ago, but thought that I'd add a couple of things that might be of help...

From the image, locate the Windows (or WinNT)\system32\config directory, and extract the Software file...you can easily parse this using RegRipper. What you're most interested in is the contents of the Microsoft\Windows NT\CurrentVersion key, in particular values such as ProductName and BuildLab (if available).

To see the version of Windows you're working with, locate the %WinDir%\system32\ntoskrnl.exe file and check the file version information...this is how osid.pl works with memory dumps.

In order to determine the type of XP (Home or Pro) you're working with, check the %WinDir%\system32\prodspec.ini file.
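The three checks above each give a partial answer, and (as the comments below point out) they do not always agree. The following Python is an added example, not code from the post or from RegRipper, that cross-checks them: it takes the values an examiner has already pulled from the Microsoft\Windows NT\CurrentVersion key, the FileVersion string read from ntoskrnl.exe, and the text of prodspec.ini, then reports where the sources agree and flags where they differ. All sample inputs are constructed; the `Product` key name in prodspec.ini is an assumption, while `ServicePackNumber` is the key quoted in the comments.

```python
"""Cross-check Windows version indicators recovered from an image.

Added example, not from the original post. Sources compared:
  * Microsoft\\Windows NT\\CurrentVersion values (from the Software hive)
  * the FileVersion string of %WinDir%\\system32\\ntoskrnl.exe
  * %WinDir%\\system32\\prodspec.ini (trusted here for the edition only)
"""
import configparser
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: values an examiner would extract from the CurrentVersion
# key (e.g. with RegRipper). Not taken from a real image.
SAMPLE_CURRENTVERSION: Dict[str, str] = {
    "ProductName": "Microsoft Windows XP",
    "CurrentVersion": "5.1",
    "CurrentBuildNumber": "2600",
    "CSDVersion": "Service Pack 2",
    "BuildLab": "2600.xpsp_sp2_gdr.050301-1519",
}

# Constructed sample: FileVersion string from ntoskrnl.exe's version resource.
SAMPLE_NTOSKRNL_FILEVERSION = "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"

# Constructed sample prodspec.ini. The "Product" key name is an assumption;
# ServicePackNumber=0 reproduces the quirk reported in the comments.
SAMPLE_PRODSPEC_INI = """[Product Specification]
Product=Windows XP Professional
ServicePackNumber=0
"""


def parse_file_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, build, revision) from a FileVersion string.

    Handles '5.1.2600.2180 (xpsp...)' as well as the comma form '5, 1, 2600, 2180'.
    """
    m = re.match(r"\s*(\d+)[.,]\s*(\d+)[.,]\s*(\d+)[.,]\s*(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised FileVersion string: {text!r}")
    major, minor, build, rev = (int(g) for g in m.groups())
    return major, minor, build, rev


def parse_prodspec(ini_text: str) -> Dict[str, Optional[str]]:
    """Pull the edition string and ServicePackNumber out of prodspec.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["Product Specification"]
    return {"product": sec.get("Product"), "service_pack": sec.get("ServicePackNumber")}


def edition_from_prodspec(product: Optional[str]) -> Optional[str]:
    """Reduce 'Windows XP Professional' / 'Windows XP Home Edition' to Professional/Home."""
    if not product:
        return None
    if "Home" in product:
        return "Home"
    if "Professional" in product:
        return "Professional"
    return product


def registry_summary(values: Dict[str, str]) -> Dict[str, object]:
    """Normalise CurrentVersion values into fields comparable with the other sources."""
    major, minor = (int(p) for p in values["CurrentVersion"].split(".")[:2])
    sp = re.search(r"Service Pack (\d+)", values.get("CSDVersion", ""))
    return {
        "product": values.get("ProductName"),
        "version": f"{major}.{minor}.{int(values['CurrentBuildNumber'])}",
        "service_pack": int(sp.group(1)) if sp else 0,
        "buildlab": values.get("BuildLab"),
    }


def corroborate(reg_values: Dict[str, str], ntoskrnl_fileversion: str,
                prodspec_ini: str) -> Dict[str, object]:
    """Compare the three sources; record agreements and flag discrepancies."""
    reg = registry_summary(reg_values)
    kmaj, kmin, kbuild, _ = parse_file_version(ntoskrnl_fileversion)
    ps = parse_prodspec(prodspec_ini)
    findings: List[str] = []

    kernel = f"{kmaj}.{kmin}.{kbuild}"
    if kernel == reg["version"]:
        findings.append(f"ntoskrnl.exe {kernel} agrees with registry CurrentVersion/CurrentBuildNumber")
    else:
        findings.append(f"DISCREPANCY: ntoskrnl.exe reports {kernel}, registry reports {reg['version']}")

    ps_sp = int(ps["service_pack"]) if ps["service_pack"] is not None else None
    if ps_sp is not None and ps_sp != reg["service_pack"]:
        findings.append(
            f"DISCREPANCY: prodspec.ini ServicePackNumber={ps_sp} vs registry CSDVersion "
            f"'{reg_values.get('CSDVersion', '')}'; use the registry for service pack level")

    return {
        "product": reg["product"],
        "edition": edition_from_prodspec(ps["product"]),
        "version": reg["version"],
        "service_pack": reg["service_pack"],
        "buildlab": reg["buildlab"],
        "findings": findings,
        "consistent": not any(f.startswith("DISCREPANCY") for f in findings),
    }


if __name__ == "__main__":
    result = corroborate(SAMPLE_CURRENTVERSION, SAMPLE_NTOSKRNL_FILEVERSION, SAMPLE_PRODSPEC_INI)
    print(f"{result['product']} {result['edition']} {result['version']} SP{result['service_pack']}")
    for line in result["findings"]:
        print(" -", line)
```

Run against the constructed samples it reports "Microsoft Windows XP Professional 5.1.2600 SP2" with one discrepancy: prodspec.ini claims service pack 0 while CSDVersion says Service Pack 2. The design choice is that prodspec.ini only ever contributes the Home/Professional edition to the final answer; version, build and service pack come from the registry and are corroborated by the kernel's file version.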

Hope that helps...

5 comments:

  1. Anonymous, 5:37 AM

    You've come up with up some great information, Harlan. Would you mind adding it to the wiki? Would you mind if I added it?

  2. Hold on...wait...Jesse reads my blog??!!?

    Yeah, sure, I'll update the ForensicWiki.... ;-)

  3. Hi Harlan,

    Good info, as always - thanks, but just wanted to point out, for anyone manually checking prodspec.ini, that the info it contains can be a little misleading. On two of my Windows XP Pro SP2 systems prodspec.ini contains the string "ServicePackNumber=0". The correct info is in the Microsoft\Windows NT\CurrentVersion key, which you reference too. A good example of why examiners should look to corroborate info using multiple sources. Any idea why the discrepancy?

    David.

  4. Dave,

    This is why I *only* mention that file with respect to determining whether the XP install is home or pro...

  5. Anonymous, 1:29 PM

    I also like to check the boot.ini, although it can be edited.
