Determine Windows version from offline image

I am not a forensics expert, nor do I play one on TV. I do, however, play one at work from time to time and I own some of the key tools: a magnifying glass and a 10baseT hub. Oh, and a Sherlock Holmes hat -- that's the key. Unfortunately, these weren't much help when I was handed a pile of drives and was asked to find out which version of Windows they had been running. I wasn't allowed to boot them, and I couldn't really find the full answer of how to get the version after a lot of googling, so I figured it out the hard way. Hopefully I can save you guys some time by explaining it in detail.

And if there's a better way, which I'm sure there is, please let me know. I don't doubt that I did this the hard way -- that's kinda my thing.

The order of events is, basically:

  • Step 1: Copy the system's registry hive to your analysis system
  • Step 2: Mount the registry hive in regedit.exe
  • Step 3: Navigate to the OS version in regedit.exe
  • Step 4: Unmount the registry hive

If you know how to do all that, then thanks for reading! Check back Tuesday for a brand new blog posting! I have an interesting blog that combines DNS and cross-site scripting lined up.

Otherwise, keep reading. Or just look at the pictures.

Step 1: Get the registry hive

This step is pretty simple. The file is called software (no extension) and is located in %SYSTEMROOT%\system32\config. You're going to have problems if you try grabbing this file from a running system, because Windows keeps it open and locked, but fortunately we have an offline version of the hard drive. Copy that file to a USB stick, or some other device, following your standard evidence collection policies. I also recommend working from an image, not the live drive, if you're doing actual forensic work.

Step 2: Import the hive

First, run regedit on the analysis machine (the one you copied the software file to):

Next, click on the HKEY_LOCAL_MACHINE hive (or any other, really):

Next, under the File menu, click "Load Hive...":

Navigate to the 'software' file that you copied from the target machine:

When prompted, type in a name - it doesn't matter what:

And that's it! Now you'll have the registry mounted as the name you gave it under HKEY_LOCAL_MACHINE:

Step 3: Find the key

The key is located in HKEY_LOCAL_MACHINE\<thenameyoupicked>\Microsoft\Windows NT\CurrentVersion:

Any value you want related to the version of Windows is right there. In my screenshot, we're running Windows XP Service Pack 2. The owner and company given during installation are shown there too, if you're into that.

Step 4: Unmount

If you don't unload the hive, the software file stays in use and you'll get file-in-use errors until you do. So, click on the hive and under the File menu, select "Unload Hive...":

Done!

That's it! Once you learn how to mount the registry from the offline machine, it's actually pretty easy.
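The same four steps as a script instead of regedit clicks, added here as an example (not part of the original post): it loads the copied software hive with reg.exe, reads the values under Microsoft\Windows NT\CurrentVersion with Get-ItemProperty, and unloads the hive in a finally block so the file is not left locked. The hive path and the temporary mount name are assumptions. Run it from an elevated PowerShell prompt, since reg.exe load needs administrative rights, and point it at a copy of the file rather than your only evidence copy, because loading a hive writes to it.

```powershell
# Added example: read the Windows version out of an offline software hive.
# Assumptions: the hive was copied to C:\evidence\case01\software (any path
# works) and the temporary mount name "OfflineSoftware" is not already in use.
param(
    [string]$HivePath  = 'C:\evidence\case01\software',
    [string]$MountName = 'OfflineSoftware'
)

if (-not (Test-Path -LiteralPath $HivePath)) {
    throw "Hive file not found: $HivePath"
}

$mountKey = "HKLM\$MountName"

# Step 2: load the hive. reg.exe returns a non-zero exit code on failure
# (not elevated, file in use, or the mount name is already taken).
& reg.exe load $mountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg.exe load failed with exit code $LASTEXITCODE (are you running elevated?)"
}

try {
    # Step 3: the same key the post reaches in regedit.
    $cv = Get-ItemProperty -LiteralPath "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion"

    [pscustomobject]@{
        ProductName            = $cv.ProductName
        ServicePack            = $cv.CSDVersion
        # CurrentVersion stays at "6.3" on Windows 10 and later; the
        # CurrentMajor/MinorVersionNumber values (absent on older builds)
        # and the build number are what tell you the real release there.
        CurrentVersion         = $cv.CurrentVersion
        MajorVersion           = $cv.CurrentMajorVersionNumber
        MinorVersion           = $cv.CurrentMinorVersionNumber
        CurrentBuildNumber     = $cv.CurrentBuildNumber
        # InstallDate is a DWORD of seconds since 1970-01-01 UTC.
        InstallDate            = $(if ($cv.InstallDate) {
                                     [DateTimeOffset]::FromUnixTimeSeconds($cv.InstallDate).UtcDateTime
                                 } else { $null })
        RegisteredOwner        = $cv.RegisteredOwner
        RegisteredOrganization = $cv.RegisteredOrganization
    }
}
finally {
    # Step 4: always unload, or the hive file stays locked until reboot.
    # The unload fails with "access denied" if anything still holds the key
    # open, e.g. a PowerShell session whose current location is inside it.
    & reg.exe unload $mountKey | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg.exe unload failed; run 'reg.exe unload $mountKey' manually"
    }
}
```

Save it as Get-OfflineWindowsVersion.ps1 and run it with -HivePath pointing at the copied hive; the output object is what the post reads off the CurrentVersion key, plus the install date decoded from its epoch-seconds value.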

If you know of a better way to do it, let me know! Comments and registration should once again work, assuming you can do simple math, or you can find my email address at the right somewhere.

Thanks for reading!

9 thoughts on “Determine Windows version from offline image”

  1. Reply

    Flavien

    What about simply reading c:\boot.ini?

    1. Reply

      Ron Bowes Post author

      Haha, apparently I'm not that smart! Wow...

      On the plus side, I get a lot more information from the registry than from boot.ini.

  2. Reply

    Flavien

    No, you're smart, but I'm lazy ;-)

    Your method is in fact more "accurate" as the text in boot.ini can be easily modified without side effects.

    An other way would be to look at the file version information of %windir%\system32\ntdll.dll. This cannot be faked.
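The ntdll.dll cross-check from the comment above, as an added example (not the commenter's or the post's own code): it reads the file version resource from ntdll.dll on the offline volume and maps the major.minor number to the Windows family, so the result can be compared with what the hive says. It assumes the image is attached read-only as drive E:.

```powershell
# Added example: cross-check the OS version from ntdll.dll's version resource.
# Assumption: the offline volume is attached read-only as E:, so its Windows
# directory is E:\Windows.
param([string]$OfflineRoot = 'E:\Windows')

$ntdll = Join-Path $OfflineRoot 'System32\ntdll.dll'
if (-not (Test-Path -LiteralPath $ntdll)) {
    throw "ntdll.dll not found under $OfflineRoot"
}

$vi = (Get-Item -LiteralPath $ntdll).VersionInfo

# FileVersion is a free-text string; the four numeric parts are reliable.
$version = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                          $vi.FileBuildPart, $vi.FilePrivatePart)

# Kernel major.minor identifies the family; for 10.0 the build number is the
# only thing that separates Windows 11 (22000 and up) from Windows 10.
$family = switch ("$($version.Major).$($version.Minor)") {
    '5.0'  { 'Windows 2000' }
    '5.1'  { 'Windows XP' }
    '5.2'  { 'Windows XP x64 / Server 2003' }
    '6.0'  { 'Windows Vista / Server 2008' }
    '6.1'  { 'Windows 7 / Server 2008 R2' }
    '6.2'  { 'Windows 8 / Server 2012' }
    '6.3'  { 'Windows 8.1 / Server 2012 R2' }
    '10.0' { if ($version.Build -ge 22000) { 'Windows 11' } else { 'Windows 10 / Server 2016 to 2022' } }
    default { 'unknown' }
}

[pscustomobject]@{
    File           = $ntdll
    FileVersion    = $version
    ProductVersion = $vi.ProductVersion
    Family         = $family
}
```

If the family here disagrees with ProductName in the hive, one of the two has been altered or the hive is from a different installation. Note that ntdll.dll is normally signed through a catalog rather than an embedded signature, so Get-AuthenticodeSignature run against the offline copy will usually report NotSigned; compare the file hash against a known-good copy of the same build if you need to confirm it is genuine.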

  3. Reply

    Ikem

    If I am right, you can import/export registry keys from the commandline. And then you run a script on top of it. ^^

  4. Reply

    Cameron

    Could you have just cloned the drive using "Easeus Disk Copy" and booted the clone drive? Telling the OS from there is pretty easy.

  5. Reply

    Alejandro

    Cameron, that takes a lot more time.
    Ron, thanks for the info, I always wanted to mount a foreign registry but never had the motivation to search for how to do it. Now I do :)

  6. Reply

    Steve Munden

    Old post, but thanks, that was just what I needed! Re. boot.ini: that can be manipulated, and as of Vista and later it may not be present at all.

  7. Reply

    uday

    At which location is the operating system info stored?
    I am reading the file in binary mode, so I wanted to get it by reading through the locations.

  8. Reply

    Ditty Warner

    Great answer on the boot.ini, gave me the Windows version. ALSO, don't forget that an easy way to get the valid Windows activation key is to find the file unattend.txt in the i386 folder, or simply search through command with let's say an external non-boot drive "G", so that if you do use it later as a boot drive and want the updates, you will have the validation key. So, all you would type through DOS is, without the quotes, "G:" then "dir unattend.txt /s".
    Let's say it finds the i386 folder in the root directory, then enter "cd i386" then key in "type unattend.txt :more", again without the quotes, and you will find the valid key.
