Windows Registry is an essential component of Windows operating systems. It maintains a wealth of information related to the user activity on the system, default settings, configurations and more. The Microsoft\Windows NT\CurrentVersion key within the Software hive is one of the valuable registry keys that can provide information related to the operating system installed on a device.
System Information artifact can provide examiners with substantial information that will support digital forensic investigations. The artifact retain information like the date and time when the operating system was installed, the version number of the operating system, the build number of the operating system, the path to the system root, and other details related to the OS.
System Information artifact is stored in the Software hive at: SOFTWARE\Microsoft\Windows NT\CurrentVersion
The CurrentVersion key contains multiple valuable subkeys. However, the values within the key itself contains the information related to the operating system such as InstallDate, ProductName, CurrentVersion, CurrentBuild, RegisteredOwner and so on.
This section discusses how to use ArtiFast Windows to analyze System Information artifact from Windows
what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select System Information artifact:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of System Information artifact in ArtiFast Windows.
System Information Artifact
For more information or suggestions please contact: firstname.lastname@example.org