I have a hdd/ hdd image from computer A. I dont know the system configuration of this computer. How can i gather this information from hdd/ what tools should i use? F.e. i need to get motherboard, CPU, Ram models etc.
P.S. The image was made from working PC so every registry files thould be there.
I would mount the image in FTK Imager 3.0 and pull out the registry files and run RegRipper. Just choose which plugins you want to run. Both programs are free.
The ones you list I don't believe is listed in the registry. No promises though.
What I'm curious about, what value does knowing these lend to your investigation?
I have a hdd/ hdd image from computer A. I dont know the system configuration of this computer. How can i gather this information from hdd/ what tools should i use? F.e. i need to get motherboard, CPU, Ram models etc.
(Assuming Windows.) That kind of information is (as far as I know) only stored in the HKCC area of registry – and that is populated on boot, and not saved. Some of the HKCC contents is linked into the HKLM structure, but as it is linked in, it isn't saved either. (This is one of the few places where you find a CurrentControlSet key without a corresponding Select key in the parent key.)
There may be indirect indications, of course – driver X is installed, which happens to be used only for motherboards with a device DX on them, and so on and so forth. Or perhaps some system configuration options in HKLM\System.
But unless the computer is kept, or HKEY_CURRENT_CONFIG is imaged along with the drive, you've lost the hardware description.
Useful book Jerry Honeycutt Microsoft Windows XP Registry Guide.
thanks
(Assuming Windows.) That kind of information is (as far as I know) only stored in the HKCC area of registry – and that is populated on boot, and not saved.
And I thought I knew this … The hardware info is stored in HKLM\HARDWARE … but the rest is right it's recreated on boot, and not stored.
HKCC contains the current hardware configuration options, which is close, but not quite the actual hardware. But it's not a standalone key, it's a link to HKLM\SYSTEM\CurrentControlSet\HardwareProfiles\nnnn
I think the conclusion is still valid, though – the actual info is gone, but there might be indirect info around – and HKLM\SYSTEM\CurrentControlSet\HardwareProfiles and special drivers is probably as close as you can get.
Useful book Jerry Honeycutt Microsoft Windows XP Registry Guide.
Still stands … the only thing is that it's no good referring to it unless you (i.e. I) actually check what it says … I will now submit myself to 1000 lashes with a wet spaghetti.