Determining OS version from an evidence image
One of the first steps an examiner will need to carry out once they have an evidence image is log system metadata, including OS version and patch level. This may be of particular importance if the image in question is from a machine that is suspected of having been compromised.
The family of DOS based Windows operating systems.
Information about a running system, including the kernel version, can be displayed using the command `uname -a`. However this is not much good if you performing dead analysis on a disk image.