Determining the make and model of a machine from an Image


Post Posted: Tue Nov 20, 2012 8:19 am

Hi,

An image was dropped into me recently with little in the way of documentation. We are attempting to link the drive back to the original machine and were wondering if this data is held anywhere on disk. A copy of the HARDWARE hive was not taken, so this is not a source of evidence in this matter. Any help would be appreciated.

Regards  

jm25
Member
 
 
  

Re: Determining the make and model of a machine from an Image

Post Posted: Tue Nov 20, 2012 8:40 am

- jm25

An image was dropped into me recently with little in the way of documentation. We are attempting to link the drive back to the original machine and were wondering if this data is held anywhere on disk. A copy of the HARDWARE hive was not taken, so this is not a source of evidence in this matter. Any help would be appreciated.


The fact that you're looking for the Hardware hive indicates that you suspect that this image was acquired from a Windows system. A simple query or two (via RegRipper or the Forensic Scanner) will provide you with information regarding the type/version of Windows running.

You won't find the Hardware hive, as it is volatile:
technet.microsoft.com/...50583.aspx

You can get some information about the system by parsing the MountedDevices key values within the System hive, as well as examining the setupapi.log or setupapi.dev.log file. The Registry and the Event Logs (again, depending upon the version of the Windows OS) can provide other clues as to the specific hardware on the system.

HTH  

keydet89
Senior Member
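As a worked illustration of the MountedDevices parsing keydet89 mentions (an added example, not code from the post or from RegRipper): a small Python decoder for the three value layouts found under HKLM\SYSTEM\MountedDevices, an MBR disk signature plus partition offset, a GPT partition GUID, and a USB device instance path. The sample values, vendor, product and serial are constructed.

```python
import struct
import uuid
from typing import Dict

# Constructed sample values in the layouts found under HKLM\SYSTEM\MountedDevices
# (value name = mount point, value data = disk/volume identifier).
SAMPLE_MOUNTED_DEVICES: Dict[str, bytes] = {
    # MBR disk: 4-byte NT disk signature (little-endian) + 8-byte partition byte offset
    "\\DosDevices\\C:": struct.pack("<IQ", 0xA1B2C3D4, 1048576),
    # GPT disk: ASCII "DMIO:ID:" followed by the 16-byte partition GUID
    "\\DosDevices\\D:": b"DMIO:ID:" + uuid.UUID("12345678-1234-5678-1234-56789abcdef0").bytes_le,
    # USB mass storage: UTF-16LE device instance path with vendor, product and serial
    "\\DosDevices\\E:": ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26#4C530001234567890123&0"
                         "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
}


def decode_mounted_device(data: bytes) -> dict:
    """Classify one MountedDevices value and extract the identifiers that tie it to a disk."""
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {"type": "mbr", "disk_signature": f"{signature:08x}", "partition_offset": offset}
    if len(data) == 24 and data.startswith(b"DMIO:ID:"):
        return {"type": "gpt", "partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"type": "unknown", "raw": data.hex()}
    result = {"type": "device_path", "path": text}
    if "USBSTOR#" in text:
        # Layout: <prefix>USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#<serial>&<instance>#{interface GUID}
        parts = text.split("#")
        if len(parts) >= 3:
            ids = dict(f.split("_", 1) for f in parts[1].split("&")[1:] if "_" in f)
            result.update(vendor=ids.get("Ven"), product=ids.get("Prod"),
                          serial=parts[2].split("&")[0])
    return result


def decode_all(values: Dict[str, bytes]) -> Dict[str, dict]:
    """Decode every value in a MountedDevices key."""
    return {name: decode_mounted_device(data) for name, data in values.items()}


if __name__ == "__main__":
    for name, info in decode_all(SAMPLE_MOUNTED_DEVICES).items():
        print(name, info)
```

The recovered MBR disk signature can be compared with bytes 0x1B8 to 0x1BB of sector 0 in the image, and the USB serial with the setupapi.log entries keydet89 refers to.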
 
 
  

Re: Determining the make and model of a machine from an Image

Post Posted: Tue Nov 20, 2012 9:23 am

In addition to, or instead of, using Regripper to determine Windows version, host name, etc.

Registry Browser (https://sites.google.com/site/registrybrowser/Home) by Darren Freestone will crawl through the registry hives and recreate the computer's hardware in a Device Manager type interface. This includes all the USB drives (for which it then looks up the PID to find the friendly names), if that is important to you.  

twjolson
Senior Member
 
 
  

Re: Determining the make and model of a machine from an Image

Post Posted: Tue Nov 20, 2012 9:33 am

The Registry Browser looks like a cool tool...I'll have to give it a closer look.

However, I'm not sure how getting the USB devices that had been attached to the system would help the OP tie the image to particular hardware.

What I *can* see is using a tool like RegRipper to parse the volume GUIDs in the user's MountPoints2 keys, specifically those related to USB devices, in order to get MAC addresses. This could also be achieved by parsing LNK files, or on Windows 7, Jump Lists.

Other bits of information that may be useful, not to tie the image to specific hardware but rather to an owner, would be (via any tool) Registered Org and user values, warnings that pop up when a user tries to log in, etc.

All great stuff...thanks for sharing the link to the tool.  

keydet89
Senior Member
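To make the MountPoints2 technique concrete (an added example, not keydet89's or RegRipper's code): a version-1 volume GUID carries a 48-bit node field, which for such GUIDs is the generating host's MAC address, and a 60-bit creation timestamp. The decoder below recovers both and skips GUIDs of other versions, which hold nothing of the kind. The subkey names are constructed samples.

```python
import uuid
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample subkey names in the style of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2.
SAMPLE_MOUNTPOINTS2_KEYS = [
    "{7e8cd7e0-5d4c-11e2-9d3f-001c42a1b2c3}",  # version-1 GUID: carries a node (MAC) and a timestamp
    "{c2f4a0d1-8e7b-4f3a-9b1c-2d3e4f5a6b7c}",  # version-4 GUID: random, nothing to recover
    "##server#share",                          # network share entry, not a volume GUID
]

# 100-ns ticks from the UUID epoch (1582-10-15) to the Unix epoch (1970-01-01)
UUID_EPOCH_TO_UNIX_100NS = 0x01B21DD213814000


def analyse_volume_guid(key_name: str) -> Optional[dict]:
    """Decode a version-1 volume GUID into its node (MAC) and creation time; None otherwise."""
    try:
        guid = uuid.UUID(key_name.strip("{}"))
    except ValueError:
        return None  # not a GUID at all (e.g. a ##server#share entry)
    if guid.version != 1:
        return None  # random or name-based GUIDs carry no hardware information
    node = guid.node
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    # RFC 4122: a set multicast bit marks a randomly generated node, not a real NIC address
    node_is_random = bool((node >> 40) & 0x01)
    unix_100ns = guid.time - UUID_EPOCH_TO_UNIX_100NS
    created = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=unix_100ns // 10)
    return {"mac": mac, "node_is_random": node_is_random, "created_utc": created}


def scan_mountpoints2(key_names: List[str]) -> Dict[str, dict]:
    """Map each decodable volume GUID key name to its recovered fields."""
    results = {}
    for name in key_names:
        decoded = analyse_volume_guid(name)
        if decoded is not None:
            results[name] = decoded
    return results


if __name__ == "__main__":
    for name, info in scan_mountpoints2(SAMPLE_MOUNTPOINTS2_KEYS).items():
        kind = "random node" if info["node_is_random"] else "hardware node"
        print(name, info["mac"], kind, info["created_utc"].isoformat())
```

The timestamp is when the volume GUID was generated on the host that created the mount point, so it also dates the first mount of that volume on that machine.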
 
 
  

Re: Determining the make and model of a machine from an Image

Post Posted: Tue Nov 20, 2012 9:55 am

- keydet89
The Registry Browser looks like a cool tool...I'll have to give it a closer look.

However, I'm not sure how getting the USB devices that had been attached to the system would help the OP tie the image to particular hardware.


I know, but I mentioned it because the OP made mention of the HARDWARE hive. Registry Browser does about as much reconstructing of the hardware environment as can be done without the HARDWARE hive.  

twjolson
Senior Member
 
 
  

Re: Determining the make and model of a machine from an Image

Post Posted: Tue Nov 20, 2012 10:39 am

Thanks for all the replies. Yeah, the information I was looking for, as far as I know, only exists in the HARDWARE hive, such as machine make and model. Not to worry, thanks for all the suggestions.  

jm25
Member
 
 
  

Re: Determining the make and model of a machine from an Image

Post Posted: Tue Nov 20, 2012 11:27 am

I guess what I'm wondering is why the make and model are so important. There is a bevy of serial numbers (device, volume, etc.) that can tie an image to a disk, and by extension a machine.

Even if the registry said it was a Dell Precision T7500, that may not narrow it down, whereas a serial number (even a volume serial number) could pinpoint an exact machine.

Why is that route not acceptable?  

twjolson
Senior Member
 
 