Determining OS version from an evidence image

From Forensics Wiki
Revision as of 12:50, 13 June 2008 by .FUF (Talk | contribs)

Jump to: navigation, search

One of the first steps an examiners will need to carry out once they have an evidence image is to log system metadata, including OS version and patch level. This may be of particular importance if the image in question is from a machine that is suspected of having been compromised.

Contents

Windows

Windows 95/98/ME

Windows NT

Windows 2000/2003/XP/Vista

Information about a running system can be displayed using the command `ver` (and `systeminfo` on some systems).

Unix/Linux

Information about a running system, including the kernel version, can be displayed using the command `uname -a`. However, this is not much good if you performing dead analysis on a disk image.

Linux

A number of Linux distributions create a file in /etc to identify the release or version installed.

Distro Tag
Red Hat /etc/redhat-release
Debian /etc/debian-version

Solaris

Free/Net/OpenBSD

AIX

HP/UX