Author Name
Joe Garcia
Artifact Name
Windows Operating System Version
Artifact Location
SOFTWARE Registry Hive
Registry Keys
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Description
Knowing which version of the Windows operating system is installed on a suspect computer is important. When Microsoft moved from XP to Vista/Win7, certain artifacts were relocated, so knowing the version lets a forensic examiner/analyst streamline the examination. The same key also records who the registered owner of the computer is and when the OS was installed.
Let’s look at this artifact using AccessData’s Registry Viewer:
Here we can see the following important information (Owner & ProductID redacted in the image):
Install Date
Registered Organization
Registered Owner
Product Name
ProductID
CSDVersion (Version of the OS)
Registry Viewer was nice enough to parse out the Install Date, but if you are like me, you like to verify your findings. To do this I used the DCode utility by Digital Detective:
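The verification step above can also be done without a GUI tool: InstallDate is stored under this key as a REG_DWORD counting seconds since 1970-01-01 UTC, so the same conversion DCode performs is a four-byte little-endian unpack. The following is an added example (not code from the original post, Registry Viewer, or DCode); the value dictionary is a constructed sample standing in for what an offline hive parser would return, the owner and ProductId are placeholders, and the XP/Vista profile-root mapping is supplied here to illustrate the "artifacts moved" point.

```python
"""Decode the Windows version artifact stored under
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion from raw registry values.
Added example; SAMPLE_CURRENT_VERSION is constructed, not read from a real hive."""
import struct
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of the values an offline hive parser would hand back.
# REG_SZ values are plain strings; InstallDate is kept as the raw 4-byte
# little-endian REG_DWORD so the timestamp conversion happens here.
SAMPLE_CURRENT_VERSION = {
    "ProductName": "Windows 7 Ultimate",
    "CurrentVersion": "6.1",
    "CurrentBuild": "7600",
    "CSDVersion": "Service Pack 1",
    "RegisteredOwner": "REDACTED-OWNER",              # placeholder
    "RegisteredOrganization": "",
    "ProductId": "00000-000-0000000-00000",          # placeholder, not a real id
    "InstallDate": bytes.fromhex("40316e4d"),        # DWORD 0x4D6E3140 = 1299067200
}


def decode_install_date(raw: bytes) -> Optional[datetime]:
    """InstallDate is a REG_DWORD holding seconds since 1970-01-01 UTC.
    Returns a timezone-aware UTC datetime, or None when the value is zero
    (some images never populate it), so a caller cannot mistake 0 for 1970."""
    if len(raw) != 4:
        raise ValueError("InstallDate must be a 4-byte REG_DWORD")
    seconds = struct.unpack("<I", raw)[0]
    if seconds == 0:
        return None
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def windows_family(current_version: str) -> str:
    """Map the NT version string to the OS family."""
    families = {
        "5.1": "Windows XP",
        "5.2": "Windows XP x64 / Server 2003",
        "6.0": "Windows Vista / Server 2008",
        "6.1": "Windows 7 / Server 2008 R2",
    }
    return families.get(current_version, "unknown (%s)" % current_version)


def profile_root(current_version: str) -> str:
    """User profiles (and the artifacts under them) live in a different
    root on XP than on Vista and later; NT major version 6 is the split."""
    major = int(current_version.split(".")[0])
    return r"C:\Users" if major >= 6 else r"C:\Documents and Settings"


def summarize(values: dict) -> dict:
    """Build the same summary the post lists from Registry Viewer, with the
    install date decoded independently rather than trusted from a tool."""
    installed = decode_install_date(values["InstallDate"])
    product = " ".join(
        p for p in (values["ProductName"], values.get("CSDVersion", "")) if p
    )
    return {
        "product": product,
        "build": "%s.%s" % (values["CurrentVersion"], values["CurrentBuild"]),
        "family": windows_family(values["CurrentVersion"]),
        "profile_root": profile_root(values["CurrentVersion"]),
        "owner": values.get("RegisteredOwner", ""),
        "organization": values.get("RegisteredOrganization", ""),
        "product_id": values.get("ProductId", ""),
        "install_date_utc": installed.isoformat() if installed else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CURRENT_VERSION).items():
        print("%-18s %s" % (key, value))
```

Two caveats when reporting the result: the decoded timestamp is UTC, so convert to the machine's configured time zone only after noting the raw value, and on Windows 10 the CurrentVersion string no longer tracks the release (it stays at 6.3) and InstallDate is rewritten by feature updates, so for those systems it reflects the last in-place upgrade rather than the original installation.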
Forensic Programs of Use
FTK Registry Viewer
RegRipper
DCode
Reposted from http://forensicartifacts.com/2011/03/windows-operating-system-version/