Re: [sleuthkit-users] Windows 7 Recognised as XP
From: Jason W. <jwr...@gm...> - 2014-06-22 14:48:53
Mike,

The version information in the file system details is not the version of the operating system. The file system isn't going to tell you anything about the operating system that's built on the volume. The OEM Name and version are based on the OS or application that formatted the file system. Check out "File System Forensic Analysis" by Brian Carrier if you really want to get into the nitty-gritty details of the bytes in the Volume Boot Record. The OS details of the Windows system are going to be found in the Registry.

R/
Jason

On Sun, Jun 22, 2014 at 7:55 AM, Sonnekus, Michael <MSo...@fn...> wrote:
> Hi
>
> I am using Autopsy 2.24 on a SIFT 3.0 Workstation. I imported a dd image
> which I created using Paladin. The operating system of the drive imaged is
> Windows 7. When loading the image into Autopsy, the file system is
> correctly recognized as ntfs but the Version is detected as Windows XP.
>
> I created an E01 image of the same drive using Paladin again and ran
> fsstat against the image. I received the same result: that the operating
> system on the image is XP.
> The fsstat output is below:
>
> sansforensics@siftworkstation:~/Windows_OS_Deleted$ fsstat -i ewf Windows_Paladin_Deleted_Image.E01
>
> FILE SYSTEM INFORMATION
> --------------------------------------------
> File System Type: NTFS
> Volume Serial Number: EAFE6DC5FE6D8B21
> OEM Name: NTFS
> Version: Windows XP
>
> METADATA INFORMATION
> --------------------------------------------
> First Cluster of MFT: 786432
> First Cluster of MFT Mirror: 2
> Size of MFT Entries: 1024 bytes
> Size of Index Records: 4096 bytes
> Range: 0 - 55040
> Root Directory: 5
>
> CONTENT INFORMATION
> --------------------------------------------
> Sector Size: 512
> Cluster Size: 4096
> Total Cluster Range: 0 - 3669502
> Total Sector Range: 0 - 29356030
>
> $AttrDef Attribute Values:
> $STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
> $ATTRIBUTE_LIST (32)   Size: No Limit   Flags: Non-resident
> $FILE_NAME (48)   Size: 68-578   Flags: Resident,Index
> $OBJECT_ID (64)   Size: 0-256   Flags: Resident
> $SECURITY_DESCRIPTOR (80)   Size: No Limit   Flags: Non-resident
> $VOLUME_NAME (96)   Size: 2-256   Flags: Resident
> $VOLUME_INFORMATION (112)   Size: 12-12   Flags: Resident
> $DATA (128)   Size: No Limit   Flags:
> $INDEX_ROOT (144)   Size: No Limit   Flags: Resident
> $INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
> $BITMAP (176)   Size: No Limit   Flags: Non-resident
> $REPARSE_POINT (192)   Size: 0-16384   Flags: Non-resident
> $EA_INFORMATION (208)   Size: 8-8   Flags: Resident
> $EA (224)   Size: 0-65536   Flags:
> $LOGGED_UTILITY_STREAM (256)   Size: 0-65536   Flags: Non-resident
> sansforensics@siftworkstation:~/Windows_OS_Deleted$
>
> Could someone please shed some light on the reason for this?
>
> Thanks
>
> Mike
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
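An added example, not from this thread and not The Sleuth Kit's own code, that shows where the "Version: Windows XP" line comes from: it decodes the 12-byte $VOLUME_INFORMATION attribute body (the $AttrDef line above reports its fixed 12-byte size) and applies the labels fsstat attaches to the NTFS major/minor version pair. The sample bodies are constructed, and the flag names are the commonly documented bit meanings.

```python
import struct

# Layout of the resident NTFS $VOLUME_INFORMATION attribute (type 0x70, 112
# decimal): 8 reserved bytes, major version, minor version, 16-bit flags.
VOLUME_INFO = struct.Struct("<8xBBH")

# fsstat names the NTFS version by its major/minor pair. Every volume formatted
# by Windows XP or later, Windows 7 included, carries 3.1, so "Windows XP"
# means "NTFS 3.1", not "the installed OS is XP".
VERSION_LABELS = {
    (1, 2): "Windows NT",
    (3, 0): "Windows 2000",
    (3, 1): "Windows XP",
}

# Bit meanings of the flags word (the dirty bit is the one an examiner
# usually cares about: it records an unclean unmount).
VOLUME_FLAGS = {
    0x0001: "dirty",
    0x0002: "resize-logfile",
    0x0004: "upgrade-on-mount",
    0x0008: "mounted-on-nt4",
    0x0010: "delete-usn-underway",
    0x0020: "repair-object-ids",
    0x8000: "modified-by-chkdsk",
}


def parse_volume_information(body: bytes) -> dict:
    """Decode a $VOLUME_INFORMATION body into version label and flag names."""
    if len(body) < VOLUME_INFO.size:
        raise ValueError(f"need {VOLUME_INFO.size} bytes, got {len(body)}")
    major, minor, flags = VOLUME_INFO.unpack_from(body)
    return {
        "ntfs_version": f"{major}.{minor}",
        "fsstat_label": VERSION_LABELS.get((major, minor), f"unknown ({major}.{minor})"),
        "flags": [name for bit, name in VOLUME_FLAGS.items() if flags & bit],
        "clean_shutdown": not (flags & 0x0001),
    }


def build_volume_information(major: int, minor: int, flags: int = 0) -> bytes:
    """Build a constructed attribute body (not taken from any real image)."""
    return VOLUME_INFO.pack(major, minor, flags)


# Constructed: what a Windows 7 NTFS volume carries; fsstat prints "Windows XP".
SAMPLE_WIN7 = build_volume_information(3, 1)
# Constructed: same version with the dirty bit set after an unclean unmount.
SAMPLE_DIRTY = build_volume_information(3, 1, 0x0001)
```

The OS that actually runs on the volume has to be read from the Registry, as the reply says; this attribute only tells you which NTFS version formatted it and whether it was cleanly unmounted.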