Windows Operating System Version

Author Name
Joe Garcia

Artifact Name
Windows Operating System Version

Artifact Location
SOFTWARE Registry Hive

Registry Keys
SOFTWARE\Microsoft\Windows NT\CurrentVersion

Description
Knowing which version of the Windows operating system is installed on a suspect computer is important. When Microsoft moved from XP to Vista/Win7, certain artifacts were relocated to new places, so this knowledge helps a forensic examiner/analyst streamline an examination. The same key also records who the registered owner of the computer is and when the OS was installed.

Let’s look at this artifact using AccessData’s Registry Viewer:

[Figure: Windows OS Version in Registry Viewer]

Here we can see the following important information (the Owner and ProductID are redacted in the image):
Install Date
Registered Organization
Registered Owner
Product Name
ProductID
CSDVersion (Version of the OS)

Registry Viewer was nice enough to parse out the Install Date, but if you are like me, you like to verify your findings. To do this I used the DCode utility by Digital Detective:
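The InstallDate value under this key is a REG_DWORD holding a 32-bit Unix epoch (seconds since 1970-01-01 UTC), which is the conversion DCode performs when checking the tool's parsed date. The following is an added Python example, not code from the original post or from any of the tools named, that performs that decode independently; the CurrentVersion values it works on are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Constructed sample of the CurrentVersion key, shaped the way a hive parser might
# return it: REG_SZ values as str and the REG_DWORD InstallDate as its four raw
# little-endian bytes. Every value here is made up for illustration.
# (The value name on the real key is spelled "ProductId".)
SAMPLE_CURRENTVERSION = {
    "ProductName": "Windows 7 Professional",
    "CSDVersion": "Service Pack 1",
    "RegisteredOwner": "Example Owner",
    "RegisteredOrganization": "Example Org",
    "ProductId": "00000-000-0000000-00000",
    "InstallDate": bytes.fromhex("001e734e"),  # DWORD 0x4E731E00 stored little-endian
}


def decode_install_date(value):
    """Decode InstallDate, a 32-bit Unix epoch (seconds, UTC), to an aware datetime.

    Accepts the raw 4 little-endian bytes as stored in the hive, or the integer a
    registry API has already unpacked. Returns None when the value is 0 (unset).
    """
    if isinstance(value, (bytes, bytearray)):
        if len(value) != 4:
            raise ValueError("InstallDate must be a 4-byte REG_DWORD")
        (seconds,) = struct.unpack("<I", value)  # little-endian unsigned 32-bit
    else:
        seconds = int(value)
    if seconds == 0:
        return None
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def summarize_os_version(key):
    """Pull the examiner-relevant values from a CurrentVersion key dict."""
    installed = decode_install_date(key.get("InstallDate", 0))
    os_name = key.get("ProductName", "")
    service_pack = key.get("CSDVersion", "")  # service pack level, empty if none
    return {
        "os": f"{os_name} {service_pack}".strip(),
        "registered_owner": key.get("RegisteredOwner", ""),
        "registered_organization": key.get("RegisteredOrganization", ""),
        "product_id": key.get("ProductId", ""),
        "install_date_utc": installed.strftime("%Y-%m-%d %H:%M:%S UTC") if installed else None,
        "install_date_epoch": int(installed.timestamp()) if installed else None,
    }


if __name__ == "__main__":
    for name, val in summarize_os_version(SAMPLE_CURRENTVERSION).items():
        print(f"{name:24} {val}")
```

Compare the decoded UTC timestamp with what Registry Viewer displays; a mismatch usually means the tool is rendering in local time rather than UTC.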

Forensic Programs of Use
FTK Registry Viewer
RegRipper
DCode
