Windows Operating System Version

Author Name
Joe Garcia


Artifact Name
Windows Operating System Version


Artifact Location
SOFTWARE Registry Hive


Registry Keys
SOFTWARE\Microsoft\Windows NT\CurrentVersion


Description
Knowing which version of the Windows operating system is installed on a suspect computer is important. When Microsoft went from XP to Vista/Win7, certain artifacts were moved to new locations, so this knowledge can help a Forensic Examiner/Analyst streamline their examinations. This key can also help determine who the registered owner of the computer is and when the OS was installed.


Let’s look at this artifact using AccessData’s Registry Viewer:

[Screenshot: Windows OS Version in Registry Viewer]


Here we can see the following important information (Owner & ProductID redacted in image):
Install Date
Registered Organization
Registered Owner
Product Name
ProductID
CSDVersion (Version of the OS)


Registry Viewer was nice enough to parse out the Install Date, but if you are like me, you like to verify your findings. To do this I used the DCode utility by Digital Detective:




Forensic Programs of Use
FTK Registry Viewer
RegRipper
DCode
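
The Install Date check described above can also be reproduced without a GUI tool. The following is an added example, not code from the original post or from any of the tools listed: it reads a `.reg` text export of the key and decodes InstallDate, which Windows stores as a REG_DWORD of Unix epoch seconds (UTC). The sample export and all of its values are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Key path as given on this page; the value names are the ones listed above.
KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
FIELDS = ("ProductName", "CSDVersion", "ProductId", "RegisteredOwner",
          "RegisteredOrganization", "InstallDate")

# Constructed sample .reg export; the subkey entry is a decoy that must be ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductName"="Windows 7 Professional"
"CSDVersion"="Service Pack 1"
"ProductId"="00000-000-0000000-00000"
"RegisteredOwner"="Example User"
"RegisteredOrganization"=""
"InstallDate"=dword:4d6e7a80

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"InstallDate"=dword:00000000
'''

def decode_install_date(dword_hex):
    """Convert the InstallDate DWORD (hex, epoch seconds) to an aware UTC datetime."""
    return datetime.fromtimestamp(int(dword_hex, 16), tz=timezone.utc)

def parse_os_version(reg_text):
    """Return the listed values from the CurrentVersion key itself, not its subkeys."""
    result, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").upper().endswith(KEY.upper())
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not (in_key and m and m.group(1) in FIELDS):
            continue
        name, raw = m.groups()
        if name == "InstallDate" and raw.lower().startswith("dword:"):
            result[name] = decode_install_date(raw[6:])
        else:
            result[name] = raw.strip('"').replace("\\\\", "\\")
    return result

if __name__ == "__main__":
    for name, value in parse_os_version(SAMPLE_REG).items():
        print(f"{name:24} {value}")
```

The decoded value is UTC; convert it to the suspect machine's time zone before comparing it with a tool that displays local time.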


Reposted from http://forensicartifacts.com/2011/03/windows-operating-system-version/
