I'm looking for a way to determine the physical hardware specs a computer most recently had based on analyzing a forensic image of the system. Specifically, I'm looking for the CPU type & freq, amount of memory & graphics card from Windows XP machines. Is anyone aware if this information is stored in the registry anywhere or if there are any other files on an XP system which may contain this data? Thanks.
Jeff
You may be able to get some/most of this from the registry keys under system\<current control set>\Enum\ACPI.
For example, on the processor front, a subkey of that can look like "GenuineIntel_-_x86_Family_6_Model12" with a further subkey "_0" listing the "FriendlyName" as "Intel(R) Pentium blah blah @ xx ghz".
Rich
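An added example (not part of the original thread) of scripting the lookup described above against a SYSTEM hive file extracted from an image. It assumes the third-party python-registry package for reading real hives; `control_set_path`, `acpi_devices`, `read_hive` and the fake key classes are hypothetical names, and the sample data is constructed. An offline hive has no CurrentControlSet link, so the control set number is read from the `Select\Current` value.

```python
# Added example: list FriendlyName values under Enum\ACPI in an offline SYSTEM hive.
# Key objects only need name(), subkeys(), values(); value objects name(), value().
# That matches python-registry (assumed installed for real hives).

def control_set_path(current):
    """Offline hives have no CurrentControlSet; Select\\Current holds the number."""
    return "ControlSet%03d" % current

def _value(key, wanted):
    # Case-insensitive lookup, since registry value names are not case sensitive.
    for v in key.values():
        if v.name().lower() == wanted.lower():
            return v.value()
    return None

def acpi_devices(acpi_key):
    """Return [(device_id, instance, FriendlyName or None)] for Enum\\ACPI."""
    found = []
    for device in acpi_key.subkeys():        # e.g. GenuineIntel_-_x86_Family_...
        for instance in device.subkeys():    # e.g. _0
            found.append((device.name(), instance.name(),
                          _value(instance, "FriendlyName")))
    return found

def read_hive(system_hive_path):
    """Open an extracted SYSTEM hive and walk Enum\\ACPI of the current set."""
    from Registry import Registry            # python-registry, imported lazily
    reg = Registry.Registry(system_hive_path)
    current = reg.open("Select").value("Current").value()
    return acpi_devices(reg.open(control_set_path(current) + "\\Enum\\ACPI"))

# --- constructed stand-ins so the walker can be exercised without a hive file ---
class FakeValue:
    def __init__(self, name, data): self._n, self._d = name, data
    def name(self): return self._n
    def value(self): return self._d

class FakeKey:
    def __init__(self, name, subkeys=(), values=()):
        self._n, self._s, self._v = name, list(subkeys), list(values)
    def name(self): return self._n
    def subkeys(self): return self._s
    def values(self): return self._v

SAMPLE = FakeKey("ACPI", [   # constructed sample, not taken from a real machine
    FakeKey("GenuineIntel_-_x86_Family_6_Model12", [FakeKey("_0", values=[
        FakeValue("FriendlyName", "Constructed CPU name @ 2.00GHz")])]),
    FakeKey("PNP0C0C", [FakeKey("0", values=[FakeValue("DeviceDesc", "constructed")])]),
])
```

Devices without a FriendlyName value come back as None rather than being dropped, so the script still shows which device IDs were enumerated.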
Thanks, Rich. That'll work for CPU type and freq…how about memory and GPU now?
Get a hold of WRR from http//
If this does not yield the information you were after, I would suggest loading the image into VMWARE and when mounted add a program to the mounted image like SIW at http//
Allan S Hay
Not so sure about memory, Jeff; I'd have to do some digging for that. As for the video card, I'd have thought that'd be listed in the registry though, even if it is in the form of a vendor/product ID. (Don't know for these off the top of my head.)
I'd be careful of the VMWare option; that's likely to report information about your virtual machine, rather than the originating machine.
I discovered that the video card information is present in the registry, however the location depends on the model of video card which was installed. There doesn't seem to be a consistent location in the registry I can look to for any given computer in order to determine the card which was installed. That's one of my other requirements - I'm not just working on one machine, but rather putting together a script that can look at any image and pull out this data.
In regards to the VM solution, that wouldn't work. The hardware information presented would be indicative of the virtual HAL the VM tells the guest OS it's running on.
Is this a live system, or a forensic image?
Not all system parameters which are configured at boot time will be present in the registry.
I'm looking for a way to determine the physical hardware specs a computer most recently had based on analyzing a forensic image of the system.