A method for identifying software executing on a computer system from a
memory image defining at a particular time a state of the executing
software. The method includes populating a comparison file for the
computer system with executable signatures. The executable signatures
correspond to preselected executables that can be run on the computer
system, such as kernel software, and include version identifying
information. Executables are located in the received memory image and are
then processed to generate comparison information. The comparison
information is compared to the version identifying information to identify
software. Executable text segments in the preselected executables are
isolated, and offset, size, and checksum are determined for inclusion in
the executable signature. The executable text segments in the memory image
are isolated and a checksum determined. The checksum information is then
compared to achieve matches and to accurately identify software versions
running on the computer system.