Operating System Version and Banners

Without know which Operating System your image was running you cannot possibly hope to carry out a comprehensive investigation. So my next couple of posts will be very short ‘quick wins’ of where to get some critical data. Starting with the Operating System version:

I recommend simply using Registry Viewer for this one, the data is stored in plain text and is easy to read/understand. You will need to open the Software Hive and browse to the following Key

SOFTWARE\Microsoft\Windows NT\CurrentVersion and look for ‘ProductName’

Registry_Viewer_OS_Version

With Windows 8 there is no ‘CSDVersion’ as we have seen with previous versions to dictate service pack. It is theorised that Microsoft have moved away from Service Packs in favour of this new decimal system in order to allow a ‘mandatory update’ policy with a much shorter time-span than Service Packs in order to avoid the two-year support window service packs brought.

Previous version of Windows use the same Key path to determine the Windows versions, but the will also include ‘CSDVersion’ to allow for service pack identification.

 

 

This entry was posted in Windows Forensics, Windows Registry Forensics and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s