4.2.1 (U//FOUO) Operating System Instance (OS) Fingerprint
(C//NF) An OS fingerprint should uniquely identify a specific installation of an OS. Please note that
collisions can still occur, especially in corporate deployment scenarios. A collision is a clue to the user
that some level of volatility might be expected from the OS and that the Hardware identifier should be
considered more reliable. In this way a non-unique OS fingerprint is a feature, not a bug.
(U//FOUO) For Windows the OS Fingerprint is the MD5 hash of the following template string.
(U//FOUO) Valid values are similar to the output of the following command:
wmic.exe os get version, installdate, csname, registereduser
(U//FOUO) For example a Windows 7 SP1 machine named USER-PC registered to “Joe User” would
have an OS fingerprint of “bc89504e2794514ba593cc2934bd6b96” which is the MD5 hash of the
UTF-8 string “6.1.7601-20131112211240.000000-300-
(U//FOUO) For Linux the OS Fingerprint will be the contents of /etc/machine-id, if this file does not
exist or is empty then the contents of /var/lib/dbus/machine-id will be used. If neither of these
files exists or they exist but are empty then the OS Fingerprint will be the MD5 hash of the lowercase file
system UUID for the root file system (i.e. ‘/’). For example a Linux machine with none of the above files
but with a root UUID of “27a0727c-d9cb-c412-a618-9c573f9a015f” would have an OS fingerprint
(U//FOUO) For Apple OSX the OS Fingerprint will be the MD5 hash of the filesystem UUID for the root
file system (i.e. ‘/’). For example a Mac with a root UUID of “de305d54-75b4-431b-adb2-
eb6b9e546013” would have an OS fingerprint of “c001163fbbaaadabeb733e1e9ceb95e6”.
(U//FOUO) If no OS fingerprint can be determined despite the tool’s best effort then a fingerprint UID
value SHOULD NOT be generated.