Determing the OS version from an image
I was perusing the ForensicWiki list of recently added pages this evening and ran across an interesting page/placeholder titled, Determining OS version from an evidence image. The section on Windows systems was...well...empty. I had blogged on this a bit ago, but thought that I'd add a couple of things that might be of help...
From the image, locate the Windows (or WinNT)\system32\config directory, and extract the Software file...you can easily parse this using RegRipper. What you're most interested in is the contents of the Microsoft\Windows NT\CurrentVersion key, in particular values such as ProductName and BuildLab (if available).
To see the version of Windows you're working with, locate the %WinDir%\system32\ntoskrnl.exe file and check the file version information...this is how osid.pl works with memory dumps.
In order to determine the type of XP (Home or Pro) you're working with, check the %WinDir%\system32\prodspec.ini file.
Hope that helps...
From the image, locate the Windows (or WinNT)\system32\config directory, and extract the Software file...you can easily parse this using RegRipper. What you're most interested in is the contents of the Microsoft\Windows NT\CurrentVersion key, in particular values such as ProductName and BuildLab (if available).
To see the version of Windows you're working with, locate the %WinDir%\system32\ntoskrnl.exe file and check the file version information...this is how osid.pl works with memory dumps.
In order to determine the type of XP (Home or Pro) you're working with, check the %WinDir%\system32\prodspec.ini file.
Hope that helps...