Hello,
I have Encase ver3 and just acquired an HDD of a forensic case I am working on it currently. I was wondering if there's a way through Encase to obtain the serial numbers of the programs installed (such as Microsoft Word, Nero, etc.) on the HDD as well as the Windows Ver installed on the same acquired HDD. Sorry if this been already discussed.
Thank You.
Ahlan,
I'm not sure if Encase ver 3. will support some of the advanced ENScripts such as Scan Registry EnScript - which can also help.
Without a restore, I'm not sure that this can be done. On a system that is restored - I have used WinAudit - a free tool found on this forum for that purpose.
You can find WinAudit at http//www.forensicfocus.com/index.php?name=Downloads&d_op=viewdownloaddetails&lid=35
Hope this helps.
Thanks & Regards,
I.R.
Dubai.
Most software vendors hide or encrypt their product serial numbers for security reasons (they don't want them cracked). If you want to search the registry from an EnCase (v3) environment (I'm relying on memory from some years back now), you need to extract the reg files from your case file and use some other 3rd party tool or method.
You can always inport the files into your workstation and use regedit or regedt32 to search, or use something like an old copy of WRA (now owned by Paraben) to do the same thing.
Andy
Good tool for extract serial number of Microsoft software
_http//
also try belarc advisor -advisor will be able to show for many software or use other profiler software.
You can view the registry in version 3. Right click and "view file structure".
One way to test is to install software with a known serial number on your own system. Then search (making sure you've mounted the registry hives) for the number. Be sure and do a complete shut down and restart before running the search as many registry changes wont be made until you do so.