Operating System and Network Adapter Info


rui12

New Member
Feb 6, 2009
#1
Currently a newbie in computer forensics using EnCase.

Where can I find the system information such as the installed operating system (OEM, etc.) / Computer Name / Work Group / Network Adapter used (DHCPIPaddress, IPaddress, etc.)?

Are there any logs where I can see this information?

Please help, and thanks! :?
 

athulin

Member
Experienced Member
Oct 18, 2007
#2
rui12 said:
Currently a newbie in computer forensics using EnCase.

Where can I find the system information such as the installed operating system (OEM, etc.) / Computer Name / Work Group / Network Adapter used (DHCPIPaddress, IPaddress, etc.)?
Best idea is probably to run that Windows Initialize Case EnScript (I think it's under 'Case Processor') -- enable all reporting options by double-clicking on the Module Name before you run that module. It extracts much of the information you ask about into bookmarks. See your EnCase User Guide for more details.

(Added: I *am* assuming a reasonably recent release of EnCase. Don't remember what v5 or earlier had anymore.)
 

rui12

New Member
Feb 6, 2009
#3
I have done that already, but it didn't give those things. I've thought of using the manual method; maybe a log file or a txt file contains that information.
 

athulin

Member
Experienced Member
Oct 18, 2007
#4
rui12 said:
I have done that already, but it didn't give those things. I've thought of using the manual method; maybe a log file or a txt file contains that information.
Are you sure you enabled the appropriate reporting options? Many beginners with EnCase tend to forget to double-click the module to bring up the reporting options before it is run. Well, ... at least I did ...

The registry is where most of the information would be found. If you did enable reporting, you may possibly have a system where the registry is damaged to an extent where it can't be used to find this information. (Check that you have recovered deleted files.)

Some info could perhaps be found in the system event logs ... again, I think it's an EnScript that dissects those. Or ... Copy/Unerase the files, and then examine them in the standard Windows Event Log viewer, though this may not work if they're damaged.
 

Complete

Administrator
Aug 19, 2006
#5
An alternative method would be to export all the registry files and use RegRipper to process them. You'll get all that information and more.
 

farmerdude

New Member
Jan 11, 2006
#6
That information is stored in the Windows Registry.

Use logparser to pull it, or RegRipper, or chntpw, etc.

Cheers!

farmerdude


www . onlineforensictraining . com

www . forensicbootcd . com
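
Added example, not part of the thread and not code from EnCase or RegRipper: a sketch of the manual registry lookup the replies point to, run over a constructed .reg-style text export of keys from the SYSTEM and SOFTWARE hives. The export format, the function names and every sample value are assumptions made for illustration; the key paths are the standard Windows locations for these values.

```python
import re

# Constructed sample: .reg-style text export of keys from offline SYSTEM and
# SOFTWARE hives. Every value here is made up for illustration.
SAMPLE = r'''
[SYSTEM\Select]
"Current"=dword:00000002

[SYSTEM\ControlSet001\Control\ComputerName\ComputerName]
"ComputerName"="OLD-NAME"

[SYSTEM\ControlSet002\Control\ComputerName\ComputerName]
"ComputerName"="EXAMPLE-PC"

[SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="192.0.2.15"

[SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductName"="Microsoft Windows XP"
'''

def parse_export(text):
    """Return {key_path: {value_name: value}} from a .reg-style text export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            current[name] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return keys

def system_summary(keys):
    """Collect OS, computer name and per-adapter IP data from the active control set."""
    # An offline SYSTEM hive has no CurrentControlSet; Select\Current names the active one.
    cs = "SYSTEM\\ControlSet%03d" % keys["SYSTEM\\Select"]["Current"]
    prefix = cs + "\\Services\\Tcpip\\Parameters\\Interfaces\\"
    adapters = {k[len(prefix):]: v for k, v in keys.items() if k.startswith(prefix)}
    return {
        "control_set": cs,
        "computer_name": keys[cs + "\\Control\\ComputerName\\ComputerName"]["ComputerName"],
        "product_name": keys["SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"]["ProductName"],
        "adapters": adapters,
    }

if __name__ == "__main__":
    print(system_summary(parse_export(SAMPLE)))
```

The sample deliberately carries a stale name under ControlSet001 to show why the Select key has to be read first when working from an image rather than a live system.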
 
