Re: [sleuthkit-users] Windows 7 Recognised as XP
From: Sonnekus, M. <MSo...@fn...> - 2014-06-22 16:33:08
Hi Jason

Thank you for the advice and guidance.

Kind Regards
Michael

Sent from my LG Mobile

------ Original message------
From: Jason Wright
Date: Sun, 22 Jun 2014 16:48
To: Sonnekus, Michael;
Cc: sle...@li...;
Subject: Re: [sleuthkit-users] Windows 7 Recognised as XP

Mike,

The version information in the file system details is not the version of the operating system. The file system isn't going to tell you anything about the operating system that's built on the volume. The OEM Name and version are based on the OS or application that formatted the file system.

Check out "File System Forensic Analysis" by Brian Carrier if you really want to get into the nitty gritty details of the bytes in the Volume Boot Record.

The OS details of the Windows system are going to be found in the Registry.

R/
Jason

On Sun, Jun 22, 2014 at 7:55 AM, Sonnekus, Michael <MSo...@fn...> wrote:

Hi

I am using Autopsy 2.24 on a SIFT 3.0 Workstation. I imported a dd image which I created using Paladin. The operating system of the drive imaged is Windows 7. When loading the image into Autopsy, the file system is correctly recognized as ntfs but the Version is detected as Windows XP.

I created an E01 image of the same drive using Paladin again and ran fsstat against the image. I received the same result – that the operating system on the image is XP.

The fsstat output is below:

sansforensics@siftworkstation:~/Windows_OS_Deleted$ fsstat -i ewf Windows_Paladin_Deleted_Image.E01
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: EAFE6DC5FE6D8B21
OEM Name: NTFS
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 786432
First Cluster of MFT Mirror: 2
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 55040
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 3669502
Total Sector Range: 0 - 29356030

$AttrDef Attribute Values:
$STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
$ATTRIBUTE_LIST (32)   Size: No Limit   Flags: Non-resident
$FILE_NAME (48)   Size: 68-578   Flags: Resident,Index
$OBJECT_ID (64)   Size: 0-256   Flags: Resident
$SECURITY_DESCRIPTOR (80)   Size: No Limit   Flags: Non-resident
$VOLUME_NAME (96)   Size: 2-256   Flags: Resident
$VOLUME_INFORMATION (112)   Size: 12-12   Flags: Resident
$DATA (128)   Size: No Limit   Flags:
$INDEX_ROOT (144)   Size: No Limit   Flags: Resident
$INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
$BITMAP (176)   Size: No Limit   Flags: Non-resident
$REPARSE_POINT (192)   Size: 0-16384   Flags: Non-resident
$EA_INFORMATION (208)   Size: 8-8   Flags: Resident
$EA (224)   Size: 0-65536   Flags:
$LOGGED_UTILITY_STREAM (256)   Size: 0-65536   Flags: Non-resident
sansforensics@siftworkstation:~/Windows_OS_Deleted$

Could someone please shed some light on the reason for this?

Thanks
Mike

To read FirstRand Bank's Disclaimer for this email click on the following address or copy into your Internet browser: https://www.fnb.co.za/disclaimer.html
If you are unable to access the Disclaimer, send a blank e-mail to fir...@fn... and we will send you a copy of the Disclaimer.
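As an added illustration (not from the thread and not The Sleuth Kit's own code), the Python below decodes the two on-disk fields behind fsstat's "OEM Name" and "Version" lines: the 8-byte OEM ID at offset 3 of the volume boot record, and the 12-byte $VOLUME_INFORMATION attribute (type 112) of the $Volume metadata file, whose major/minor pair is what fsstat turns into a Windows name. The sample bytes are constructed to match a Windows 7-formatted volume; the label table reproduces fsstat's mapping, and the flag names follow the documented $VOLUME_INFORMATION flag bits.

```python
import struct

# Labels fsstat prints for the NTFS version read from $VOLUME_INFORMATION.
# Every Windows release from XP onward (Vista, 7, 8, 10, ...) still formats
# NTFS 3.1, so a Windows 7 volume is reported as "Windows XP": the label
# describes the file system version, not the operating system installed on it.
NTFS_VERSION_LABELS = {(1, 2): "Windows NT", (3, 0): "Windows 2000", (3, 1): "Windows XP"}

# $VOLUME_INFORMATION (attribute type 0x70 = 112, always 12 bytes):
#   bytes 0-7 reserved, 8 major version, 9 minor version, 10-11 flags (little-endian)
VOLUME_INFORMATION_FMT = "<8xBBH"
VOLUME_FLAGS = {
    0x0001: "dirty",
    0x0002: "resize-logfile",
    0x0004: "upgrade-on-mount",
    0x0008: "mounted-on-nt4",
    0x0010: "delete-usn-underway",
    0x0020: "repair-object-ids",
    0x8000: "modified-by-chkdsk",
}


def parse_volume_information(attr_value: bytes) -> dict:
    """Decode a $VOLUME_INFORMATION attribute value into version, flags and fsstat label."""
    if len(attr_value) < struct.calcsize(VOLUME_INFORMATION_FMT):
        raise ValueError("$VOLUME_INFORMATION must be 12 bytes")
    major, minor, flags = struct.unpack_from(VOLUME_INFORMATION_FMT, attr_value)
    return {
        "major": major,
        "minor": minor,
        "flags": [name for bit, name in VOLUME_FLAGS.items() if flags & bit],
        "fsstat_label": NTFS_VERSION_LABELS.get((major, minor), f"NTFS {major}.{minor}"),
    }


def oem_name_from_boot_sector(sector: bytes) -> str:
    """Return the 8-byte OEM ID stored at offset 3 of the NTFS volume boot record."""
    if len(sector) < 11:
        raise ValueError("boot sector too short")
    return sector[3:11].decode("ascii", errors="replace").rstrip()


# Constructed sample input for a Windows 7-formatted volume: $VOLUME_INFORMATION
# says NTFS 3.1 with no flags set, and the boot sector opens with the usual
# jump instruction followed by the OEM ID "NTFS    ".
WIN7_VOLUME_INFORMATION = bytes(8) + bytes([3, 1]) + (0).to_bytes(2, "little")
WIN7_BOOT_SECTOR_HEAD = b"\xeb\x52\x90" + b"NTFS    "

if __name__ == "__main__":
    info = parse_volume_information(WIN7_VOLUME_INFORMATION)
    print(f"OEM Name: {oem_name_from_boot_sector(WIN7_BOOT_SECTOR_HEAD)}")
    print(f"NTFS {info['major']}.{info['minor']} -> fsstat prints: {info['fsstat_label']}")
```

Run against the bytes from an NTFS 3.1 volume it yields "Windows XP" regardless of whether XP, 7 or 10 was installed, which is why the registry, not the file system, is where the OS version has to be read.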
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org