EH-Net

Harlan Carvey of the Windows-IR blog has finished developement on a utility for determining the OS from a ram dump either dd-style or a VMWare .vmem file.

http://windowsir.blogspot.com/2006/09/os-detection-explained.html

Harlan does a lot of great work - but why should somebody need to determine the OS from a RAM dump ? When you're in front of computer doing a RAM dump in general you know what operating system is running on that box.

What do you think about, perhaps I'm missing something?

I've read Harlan's book cover to cover and I'm a big fan of his. I would have to guess from some of his other projects, like the Windows Forensic Server is that the focus may have been remote. But also, having a tool provides an automated, accurate, and documented way of collecting this data versus, saying that you knew it was <insert OS here> from the logon splash screen or whatever. I guess there are just too many scenarios to say exactly why they would use it, however it may only be just to see if they could actually do it reliably with the least amount of system interaction possible. For me it makes sense because most of the stuff I do is remote, however if you work in an environment where every machine you get has been unplugged and shipped to you for imaging, then its probably not that useful.

Well, to me its not so much the tool as it is the methodology.

We now have a perl module that could be integrated into a lot of other tasks. It might be important to know the OS to come to certain conclusions about forensic data, this can now be automated rather than asking the user what os was used. There are probably many other good reasons.