[sleuthkit-users] Windows 7 Recognised as XP
From: Sonnekus, M. <MSo...@fn...> - 2014-06-22 11:55:32
Hi, I am using Autopsy 2.24 on a SIFT 3.0 Workstation. I imported a dd image which I created using Paladin. The operating system of the drive imaged is Windows 7. When loading the image into Autopsy, the file system is correctly recognized as ntfs but the Version is detected as Windows XP. I created an E01 image of the same drive using Paladin again and ran fsstat against the image. I received the same result - that the operating system on the image is XP. The fsstat output is below:

sansforensics@siftworkstation:~/Windows_OS_Deleted$ fsstat -i ewf Windows_Paladin_Deleted_Image.E01
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: EAFE6DC5FE6D8B21
OEM Name: NTFS
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 786432
First Cluster of MFT Mirror: 2
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 55040
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 3669502
Total Sector Range: 0 - 29356030

$AttrDef Attribute Values:
$STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
$ATTRIBUTE_LIST (32)   Size: No Limit   Flags: Non-resident
$FILE_NAME (48)   Size: 68-578   Flags: Resident,Index
$OBJECT_ID (64)   Size: 0-256   Flags: Resident
$SECURITY_DESCRIPTOR (80)   Size: No Limit   Flags: Non-resident
$VOLUME_NAME (96)   Size: 2-256   Flags: Resident
$VOLUME_INFORMATION (112)   Size: 12-12   Flags: Resident
$DATA (128)   Size: No Limit   Flags:
$INDEX_ROOT (144)   Size: No Limit   Flags: Resident
$INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
$BITMAP (176)   Size: No Limit   Flags: Non-resident
$REPARSE_POINT (192)   Size: 0-16384   Flags: Non-resident
$EA_INFORMATION (208)   Size: 8-8   Flags: Resident
$EA (224)   Size: 0-65536   Flags:
$LOGGED_UTILITY_STREAM (256)   Size: 0-65536   Flags: Non-resident
sansforensics@siftworkstation:~/Windows_OS_Deleted$

Could someone please
shed some light on the reason for this?

Thanks
Mike
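The "Version: Windows XP" line that fsstat prints is not read from the installed operating system at all. It comes from the NTFS on-disk format version stored in the $VOLUME_INFORMATION attribute (type 0x70, 12 bytes, as the $AttrDef listing above shows) of the $Volume metadata file, and The Sleuth Kit simply prints the name of the first Windows release that used that format version: NTFS 1.2 as "Windows NT", 3.0 as "Windows 2000", 3.1 as "Windows XP", anything else as "Unknown". Every release from XP through Windows 10 formats volumes as NTFS 3.1, so a Windows 7 volume is labelled "Windows XP" by design. The Python below is an added example for this thread, not code from The Sleuth Kit or Autopsy; it parses a constructed $VOLUME_INFORMATION body, applies that same label mapping, and lists the Windows releases known to write each format version. The sample byte strings are constructed, and the flag bit names follow the documented $VOLUME_INFORMATION layout.

```python
import struct
from typing import Dict, List, Tuple

# On-disk layout of the resident $VOLUME_INFORMATION attribute body:
# 8 reserved bytes (zero), 1-byte major version, 1-byte minor version,
# 2-byte little-endian flags word. 12 bytes in total, which matches the
# "Size: 12-12" shown for attribute type 112 (0x70) in the fsstat output.
_VOLINFO_FMT = "<8sBBH"
_VOLINFO_SIZE = struct.calcsize(_VOLINFO_FMT)  # 12

# Flag bits of the 16-bit flags word, per the documented NTFS layout.
VOLUME_FLAGS = {
    0x0001: "DIRTY",
    0x0002: "RESIZE_LOG_FILE",
    0x0004: "UPGRADE_ON_MOUNT",
    0x0008: "MOUNTED_ON_NT4",
    0x0010: "DELETE_USN_UNDERWAY",
    0x0020: "REPAIR_OBJECT_IDS",
    0x8000: "MODIFIED_BY_CHKDSK",
}

# Label that TSK's fsstat prints for each (major, minor) format version.
_TSK_LABELS = {(1, 2): "Windows NT", (3, 0): "Windows 2000", (3, 1): "Windows XP"}

# Windows releases known to format volumes with each NTFS version; this is
# why a Windows 7 volume shares the "Windows XP" label in fsstat.
_RELEASES = {
    (1, 2): ["Windows NT 4.0"],
    (3, 0): ["Windows 2000"],
    (3, 1): ["Windows XP", "Windows Server 2003", "Windows Vista",
             "Windows 7", "Windows 8", "Windows 8.1", "Windows 10"],
}


def tsk_version_label(major: int, minor: int) -> str:
    """Return the string fsstat prints on its 'Version:' line."""
    return _TSK_LABELS.get((major, minor), "Unknown")


def windows_releases_for(major: int, minor: int) -> List[str]:
    """Return every Windows release that writes this NTFS format version."""
    return list(_RELEASES.get((major, minor), []))


def parse_volume_information(data: bytes) -> Dict[str, object]:
    """Decode a $VOLUME_INFORMATION attribute body into its fields."""
    if len(data) < _VOLINFO_SIZE:
        raise ValueError(f"need {_VOLINFO_SIZE} bytes, got {len(data)}")
    reserved, major, minor, flags = struct.unpack_from(_VOLINFO_FMT, data)
    return {
        "major": major,
        "minor": minor,
        "ntfs_version": f"{major}.{minor}",
        "flags": flags,
        "flag_names": [name for bit, name in sorted(VOLUME_FLAGS.items()) if flags & bit],
        "fsstat_label": tsk_version_label(major, minor),
        "possible_releases": windows_releases_for(major, minor),
        # Non-zero reserved bytes suggest the attribute was misread or is corrupt.
        "reserved_is_zero": reserved == bytes(8),
    }


def _volinfo(major: int, minor: int, flags: int) -> bytes:
    """Build a constructed attribute body for the examples below."""
    return struct.pack(_VOLINFO_FMT, bytes(8), major, minor, flags)


# Constructed samples (not taken from the poster's image): a clean NTFS 3.1
# volume as Windows 7 writes it, and one left dirty and touched by chkdsk.
SAMPLE_WIN7_VOLINFO = _volinfo(3, 1, 0x0000)
SAMPLE_DIRTY_VOLINFO = _volinfo(3, 1, 0x8001)

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_WIN7_VOLINFO), ("dirty", SAMPLE_DIRTY_VOLINFO)):
        info = parse_volume_information(blob)
        print(f"{label}: NTFS {info['ntfs_version']} -> fsstat prints "
              f"'Version: {info['fsstat_label']}'; flags={info['flag_names']}")
        print("  could have been written by:", ", ".join(info["possible_releases"]))
```

The practical takeaway for an examiner is that the fsstat version line identifies the file system format, not the installed OS; to establish the Windows release on an image, read ProductName and CurrentVersion from the SOFTWARE registry hive instead.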