Guessing Windows version from artifacts

When investigators are handed an index file, its file name alone gives a quick grasp of the coarse Windows generation. By “coarse” I mean very, very imprecise: with a file name like $I87kHp4.jpg one can only conclude it is from Vista or above, nothing more and nothing less. In real investigations the Windows version is usually easy to determine from other items (registry etc.); but in the rare case where only the recycle bin artifact is available, one must search for clues by peeking directly into the data.

Determination for $Recycle.Bin

With the $Recycle.Bin folder the rule is very simple, yet still quite limited in the sense that the Windows version it yields is not very precise:

Figure: How rifiuti2 determines Windows version for Vista or above

The check is very simple: just scan for the version number, and voilà. However, unlike the INFO2 format, which has undergone frequent changes, the $Recycle.Bin index format is very stable, so unfortunately there is no way to pinpoint the exact Windows version.

Determination for INFO and INFO2

On the other hand, pre-Vista artifacts need relatively more complex logic, and in some places heuristic techniques are needed. Yeees, some people may say it is possible to guess from the file name itself (INFO2 only occurs since Win98), but I’d rather play safe, as files can be renamed easily.

Figure: How rifiuti2 determines Windows version for 95 – 2003

Essentially it means:

Step 1: Version number. The result can be determined unless version = 5.
Step 2: Record size. Must be Windows ME if each record is 280 bytes; otherwise continue to the next step.
Step 3: Unicode path. Heuristically scan for junk data in the trailing padding area after the unicode path. Windows 2000 if found, otherwise XP/2003 [1].

[1] If the recycle bin has been emptied (no record is present), it is entirely impossible to determine the OS. In that case rifiuti2 only displays "Windows 2000-2003". Another hypothetical possibility of misidentification occurs when the padding area contains no junk data, wrongly treating an INFO2 generated by Win2K as from 2003/XP; however, no real-world evidence of this has been encountered yet.
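The three-step INFO2 decision above, written out as an added Python example (this is not rifiuti2's own code). The header and record offsets, the mapping of non-ambiguous version numbers to an OS, and the sample INFO2 buffers are assumptions taken from the commonly documented INFO2 layout, not from this page; the empty-bin case from note [1] is handled explicitly.

```python
import struct

# Assumed INFO2 layout (not stated on this page): 20-byte header with the
# version at offset 0 and the record size at offset 12; each record holds a
# 260-byte ANSI path, index, drive, FILETIME, size (280 bytes), and NT-family
# records append a 520-byte UTF-16LE path on top of that.
HEADER_SIZE = 20
LEGACY_RECORD_SIZE = 280
UNICODE_PATH_OFFSET = 280
UNICODE_PATH_BYTES = 520
VERSION_ME_03 = 5                      # the ambiguous value: ME / 2000 / XP / 2003
KNOWN_VERSIONS = {0: "Windows 95", 2: "Windows NT 4", 4: "Windows 98"}  # assumed

def has_trailing_junk(record: bytes) -> bool:
    """Step 3: any non-zero byte after the UTF-16 terminator counts as junk."""
    upath = record[UNICODE_PATH_OFFSET:UNICODE_PATH_OFFSET + UNICODE_PATH_BYTES]
    for i in range(0, len(upath) - 1, 2):      # terminator sits on an even offset
        if upath[i:i + 2] == b"\x00\x00":
            return any(upath[i + 2:])
    return False

def guess_windows_version(info2: bytes) -> str:
    version, record_size = struct.unpack_from("<I8xI", info2, 0)
    if version != VERSION_ME_03:                # step 1: version alone decides
        return KNOWN_VERSIONS.get(version, f"unknown version {version}")
    if record_size == LEGACY_RECORD_SIZE:       # step 2: no unicode path => ME
        return "Windows ME"
    records = [info2[o:o + record_size]
               for o in range(HEADER_SIZE, len(info2) - record_size + 1, record_size)]
    if not records:                             # note [1]: emptied bin, undecidable
        return "Windows 2000-2003"
    if any(has_trailing_junk(r) for r in records):   # step 3
        return "Windows 2000"
    return "Windows XP/2003"

# Constructed sample data, only for exercising the logic above.
def make_record(path: str, record_size: int, junk: bytes = b"") -> bytes:
    rec = path.encode("ascii").ljust(260, b"\x00")
    rec += struct.pack("<IIQI", 1, 2, 0, 0)    # index, drive, FILETIME, size
    if record_size > LEGACY_RECORD_SIZE:
        rec += (path.encode("utf-16-le") + b"\x00\x00" + junk).ljust(UNICODE_PATH_BYTES, b"\x00")
    return rec

def make_info2(version: int, record_size: int, records: list) -> bytes:
    return struct.pack("<IIIII", version, 0, 0, record_size, 0) + b"".join(records)

if __name__ == "__main__":
    print(guess_windows_version(make_info2(5, 800, [make_record("C:\\a.txt", 800, b"AB")])))
```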