Determining OS version from an evidence image
One of the first steps an examiners will need to carry out once they have an evidence image is to log system metadata, including OS version and patch level. This may be of particular importance if the image in question is from a machine that is suspected of having been compromised.
Information about a running system can be displayed using the command `ver` (and `systeminfo` on some systems).
During a forensic examination, information regarding the version of Windows can be found in a number of places. For example, by default, the Windows directory on Windows XP is "C:\Windows", where on Windows NT and 2000, it was "C:\Winnt". This is not definitive, however, because this directory name is easily modified during installation.
Determining the version of Windows from the Software Registry Hive file - navigate to the Microsoft\Windows NT\CurrentVersion key, and examine the values beneath the key; specifically, values such as ProductName, CSDVersion, ProductId (if available), BuildLab, and on Vista, BuildLabEx.
Determining the version of Windows from file version information - locate the file %WinDir%\system32\ntoskrnl.exe and review the file version information/strings from the resource section of the PE file. You can view this information with a hex editor, or extract it using a variety of means. There is a Perl module (Win32::File::VersionInfo) that will allow you to extract this information, and the Perl script kern.pl illustrates a platform independent means of examining the PE header and ultimately locating the file version information.
In order to determine the difference between Windows XP Professional and Home versions, look for the %WinDir%\system32\prodspec.ini file; it contains information regarding the Product type (either XP Pro or Home). Another way to do this is to look at Microsoft Product Code (first 5 digits of Product ID). Some of these values:
|55034||Windows XP Professional English|
|55683||Windows XP Professional Russian|
|55681||Windows XP Home Edition Russian|
Information about a running system, including the kernel version, can be displayed using the command `uname -a`. However, this is not much good if you performing dead analysis on a disk image.
A number of Linux distributions create a file in /etc to identify the release or version installed.