Difference between revisions of "Determining OS version from an evidence image"

From ForensicsWiki
Jump to: navigation, search
(=Windows 95/98/ME)
(Linux)
Line 15: Line 15:
  
 
===Linux===
 
===Linux===
tbc
+
A number of Linux distributions create a file in /etc to identify the release or version installed.
 +
 
 +
{| class="wikitable" border="1"
 +
|-
 +
!Distro!!Tag
 +
|-
 +
|Red Hat || /etc/redhat-release
 +
|-
 +
|Debian  || /etc/debian-version
 +
|}
  
 
===Solaris===
 
===Solaris===

Revision as of 04:33, 31 July 2007

One of the first steps an examiner will need to carry out once they have an evidence image is log system metadata, including OS version and patch level. This may be of particular importance if the image in question is from a machine that is suspected of having been compromised.

Windows

Windows 95/98/ME

The family of DOS based Windows operating systems.

Windows NT

tbc

Windows 2000/2003/XP

tbc

Unix/Linux

Information about a running system, including the kernel version, can be displayed using the command `uname -a`. However this is not much good if you performing dead analysis on a disk image.

Linux

A number of Linux distributions create a file in /etc to identify the release or version installed.

Distro Tag
Red Hat /etc/redhat-release
Debian /etc/debian-version

Solaris

tbc

Free/Net/OpenBSD

AIX

tbc

HP/UX

tbc