The Windows Registry is an essential component of the Windows operating system. It holds a wealth of information about user activity on the system, default settings, configuration and more. The Microsoft\Windows NT\CurrentVersion key in the SOFTWARE hive is one of the registry keys that describes the operating system installed on a device.
The System Information artifact gives examiners substantial information in support of a digital forensic investigation. The artifact retains details such as the date and time the operating system was installed, the version number of the operating system, its build number, the path to the system root, and other details about the OS.
System Information artifact is stored in the Software hive at: SOFTWARE\Microsoft\Windows NT\CurrentVersion
The CurrentVersion key contains multiple valuable subkeys. However, the values within the key itself contain the information about the operating system, such as InstallDate, ProductName, CurrentVersion, CurrentBuild, RegisteredOwner and so on. A few caveats apply when interpreting these values: InstallDate is a REG_DWORD holding Unix epoch seconds (UTC), and in-place feature upgrades rewrite it, so on an upgraded system it reflects the most recent upgrade rather than the original installation; the CurrentVersion value has stayed at "6.3" since Windows 8.1, so CurrentBuild and DisplayVersion are what actually identify a Windows 10 or 11 release; and ProductName still reports "Windows 10 ..." on Windows 11, so it should not be used on its own to tell the two apart.
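As an added illustration (this is example code, not part of the original page and not ArtiFast's own parser), the following Python decodes the values above from a `reg export` of the CurrentVersion key. The sample export is constructed for this example and every value in it is illustrative; a real export is written as UTF-16LE with a BOM and must be decoded to text before parsing. Besides the REG_SZ values, it decodes InstallDate (REG_DWORD, Unix epoch seconds) and, where present on Windows 10 and later, InstallTime (REG_QWORD, a little-endian FILETIME), and checks that the two timestamps describe the same moment.

```python
"""Decode System Information values from a `reg export` of the CurrentVersion key."""
import re
from datetime import datetime, timezone

# Constructed sample of what
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" cv.reg
# writes, after decoding from UTF-16LE. All values are illustrative, not from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"SystemRoot"="C:\\Windows"
"CurrentVersion"="6.3"
"CurrentBuild"="19045"
"CurrentBuildNumber"="19045"
"DisplayVersion"="22H2"
"ProductName"="Windows 10 Pro"
"EditionID"="Professional"
"RegisteredOwner"="examiner"
"RegisteredOrganization"=""
"InstallDate"=dword:6553f100
"InstallTime"=hex(b):00,00,6d,c6,47,17,da,01
'''

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC; this many seconds
# separate that epoch from the Unix epoch of 1970-01-01.
EPOCH_DIFF_SECONDS = 11_644_473_600

_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def parse_reg_values(text: str) -> dict:
    """Parse the '"name"=value' lines of a .reg export into Python types."""
    # hex(...) values may continue across lines; each continued line ends with a backslash.
    joined = re.sub(r',\\\r?\n\s*', ',', text)
    values = {}
    for raw in joined.splitlines():
        m = _VALUE_LINE.match(raw.strip())
        if not m:
            continue  # header, key path, blank line
        name, val = m.group("name"), m.group("value")
        if val.startswith('"'):
            # REG_SZ: strip the quotes and undo the \" and \\ escapes the .reg format uses
            values[name] = val[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        elif val.startswith("dword:"):
            values[name] = int(val[len("dword:"):], 16)  # REG_DWORD, written as 8 hex digits
        elif val.startswith("hex"):
            # hex: (REG_BINARY) and hex(b): (REG_QWORD) are comma-separated little-endian bytes
            body = val.split(":", 1)[1]
            values[name] = bytes(int(b, 16) for b in body.split(",") if b)
    return values


def install_date_utc(values: dict) -> datetime:
    """InstallDate is Unix epoch seconds stored in a REG_DWORD."""
    return datetime.fromtimestamp(values["InstallDate"], tz=timezone.utc)


def install_time_utc(values: dict) -> datetime:
    """InstallTime is a FILETIME stored in a REG_QWORD (little-endian)."""
    ticks = int.from_bytes(values["InstallTime"], "little")
    return datetime.fromtimestamp(ticks // 10_000_000 - EPOCH_DIFF_SECONDS, tz=timezone.utc)


def system_information(text: str) -> dict:
    """Summarise the System Information artifact from a .reg export of CurrentVersion."""
    v = parse_reg_values(text)
    info = {
        "product_name": v.get("ProductName"),
        "display_version": v.get("DisplayVersion"),
        "current_build": v.get("CurrentBuild"),
        "system_root": v.get("SystemRoot"),
        "registered_owner": v.get("RegisteredOwner"),
        "install_date": install_date_utc(v).isoformat(),
    }
    if "InstallTime" in v:
        t = install_time_utc(v)
        info["install_time"] = t.isoformat()
        # Both values are written by setup and should describe the same moment;
        # a disagreement is something the examiner needs to explain.
        info["timestamps_agree"] = abs((t - install_date_utc(v)).total_seconds()) < 2
    return info


if __name__ == "__main__":
    for k, val in system_information(SAMPLE_REG).items():
        print(f"{k}: {val}")
```

The same decoding applies to values read directly with PowerShell (`Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'`) or from an offline SOFTWARE hive: InstallDate is always epoch seconds, InstallTime always a FILETIME.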
This section discusses how to use ArtiFast Windows to analyze the System Information artifact from Windows machines, and what kind of digital forensic insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase you can select the System Information artifact:
Once the ArtiFast parser plugins have finished processing the artifacts, the results can be reviewed in "Artifact View" or "Timeline View", with indexing, filtering and searching capabilities. Below is a detailed description of the System Information artifact in ArtiFast Windows.
System Information Artifact
For more information or suggestions please contact: asmaa.elkhatib@forensafe.com