
Vista For Forensic Investigators 125

Posted by kdawson
from the recovering-it dept.
Ant writes "SecurityFocus has a two-part article offering a high-level look at changes in Windows Vista that a computer forensic investigator needs to know about. Part 1 covers the different versions of Vista available and Vista's built-in encryption, backup, and system protection features. Part 2 continues with a look at typical user activities such as Web browser and email usage."


  • Oh n0es (Score:5, Interesting)

    by mboverload (657893) on Tuesday April 17, 2007 @05:36PM (#18774881) Journal
    The smart people already use drive encryption via TrueCrypt and other methods.

    This may make it easier for the not so completely stupid criminals to protect themselves, but I doubt it will have any real effect.

    People are stupid. That's why they get caught.
    • Re: (Score:3, Informative)

      by mboverload (657893)
      If you didn't RTFA, which I don't blame you, it's short on any radical ideas or editorials, there is one thing I didn't know before:

      Bitlocker (which encrypts the whole windows volume ala Truecrypt but bootable) requires a TPM 1.2 chip in it, which you'd be hard pressed to find in ANY computer.
      • Re: (Score:3, Informative)

        by PitaBred (632671)
        The notebook I bought last September has a TPM v1.2 chip in it... and I know many current other notebooks do. But TPM is primarily useful in the mobile space, anyway, not on the desktop space where most people keep their machines reasonably physically secure.
      • Re: (Score:3, Interesting)

        Bitlocker (which encrypts the whole windows volume ala Truecrypt but bootable) requires a TPM 1.2 chip in it, which you'd be hard pressed to find in ANY computer.


        At the risk of sounding like an overly-eager Apple fanboi (bleck!), recent Macs have an Infineon TPM 1.2 chip in them.
        • At the risk of sounding like a .... person replying to a comment on slashdot, recent Macs (Core 2 Duo Macbook Pros etc) do not have the TPM chip installed, only the first Intel Mac generations do. It's totally missing from ioreg on C2D Macs while present in ioreg on CD Macs.
      • Re:Oh n0es (Score:5, Informative)

        by THESuperShawn (764971) on Tuesday April 17, 2007 @06:57PM (#18775845)
        Actually, that's not correct. Bitlocker does not "require" TPM 1.2, it CAN be used without it. You can boot from a USB drive, make a few edits in the local policy, or manually set the 48 digit recovery password just to name a few.

        And just about any computer manufactured after January 2006 will have TPM 1.2.

    • I have yet to investigate a machine used by somebody smart.

      Of course the smart ones may never come to my attention.

      Also I haven't been looking at criminal cases, so the motivation level might be lower -- but don't overestimate the level of computer knowledge in the general population.
    • People are stupid. That's why they get caught.

      Damn Straight. This is what you should remember whenever there is news coverage of a notorious cracker getting arrested, or some huge identity theft ring being broken up.

      It is not the crimes you KNOW about, it's the ones you DON'T KNOW ABOUT that are the real issue.

      Smart criminals not only do not get caught, they aren't even being looked for because their crimes go undetected.

  • by Anonymous Coward on Tuesday April 17, 2007 @05:40PM (#18774937)
    If someone uses encryption, then obviously they are trying to hide something illegal or unlawful.

    In Linux, encryption is done with unusual and special commands in conjunction with mounting a "loop" device to a filesystem; requiring administrator privileges to try to encrypt data like that, and adding to the subversion of a system with evidence of a corrupt administrator.

    What kind of administrator would allow encryption on a filesystem? Obviously, a criminal.

    Information is meant to be free, and open source. Encryption is something we would expect Mycrow$oft to use to help criminals be found by the good god-fearing men and women of the DEA/FBI/CIA/GATT/IMF/IRS just to atone for their sins.

    Good people use OSX.

    Call me,
      Eve.
    • by hkmarks (1080097)
      ...Or someone with sensitive financial or legal data. Customer profiles. Business plans. Credit card numbers.

      Are you kidding me?
    • That's not quite the case. Imagine your average information thief. He/she can steal information in one of two ways: online or physically. Now let's say some innocent government or corporate employee left a laptop with sensitive data on it (such as proprietary secrets). Our thief can pick up this laptop, and if it's not encrypted as you suggest because the employee and his/her company are innocent of any criminal activity, the criminal can read the entire contents of the disk.

      An encrypted drive makes this h

    • 10/10, would read again. ;)
    • Taken directly from TechNet [microsoft.com]

      Who should use BitLocker Drive Encryption?
      This guide is intended for the following audiences:
      -IT planners and analysts who are evaluating the product
      -Security architects
      So they do not even plan for criminals or anyone else for that matter to use it...nice...
    • Move along please!
    • You mean ... all those 3-letter-government-organisations are criminal organisations? Organized crime in the top echelons of the US government?

      Now that I think of it... a lot starts to make sense, you know...
    • If someone uses encryption, then obviously they are trying to hide something illegal or unlawful.

      As someone who works in telecomms security, I find your statement above laughable.

      Whilst I agree a lot of people are worried about security to point of paranoia, encryption is usually implemented to *stop* those with criminal intent from getting information you don't want them to see.

      About 18 months ago, I worked with a major financial organisation in tracking down someone who was using "man in the middle"

  • Wow. (Score:4, Funny)

    by eviloverlordx (99809) on Tuesday April 17, 2007 @05:40PM (#18774939)
    I would've figured that the investigators' computers would be too slow from running Vista to investigate much of anything.
    • Sorry, I can't resist a dig at that stupid concept.

      If your OS is *disgustingly*, *alarmingly* inefficient with resources, you can stick a thumbdrive in it and cross your fingers that the email you just spent half an hour typing on will go through.

      In other news if your car gets 1.4 miles per gallon, you can drive around with a few 50-gallon drums of gasoline to get you through out of those tight spots.
      • by drsmithy (35869)

        Sorry, I can't resist a dig at that stupid concept.

        What stupid concept? Disk caching? Because that's all ReadyBoost ultimately is - a disk cache.

  • by 5, Troll (919133) on Tuesday April 17, 2007 @05:41PM (#18774949) Journal
    One misconception is that encryption in Vista is turned on "by default." Actually, it is not. In fact, it is not even available in most versions of Vista. Vista is available in five SKUs, only two of which support encryption (a feature known as "BitLocker", or "BitLocker Drive Encryption" - BDE). Vista Home Basic, Media Edition, and Business *do not* support BDE. Vista Enterprise and Ultimate - the two more expensive editions - do support BDE. Also, encryption is not turned on by default. An important step during encryption involves defining the encryption and decryption keys. This cannot be done by default by someone other than the owner of the system. If it could, then that someone else would be able to gain access to the secure data - exactly what is trying to be controlled.
    • by RedElf (249078) on Tuesday April 17, 2007 @05:45PM (#18775011) Homepage
      With Vista, the OS from MS that phones home more than any previous release, can we really trust it not to "Phone Home" the encryption keys of bitlocker once it's enabled?
      • While a great example of "Microsoft Gone Wild!" they would never risk something like that being exposed. It would kill them.

        Yes, I am aware of the "NSA secret backdoor thing".
      • by mordejai (702496)
        No, we can't.

        Next question...
      • by Cheapy (809643)
        Why stop there?

        They could be sending credit card numbers, or SSNs, or your personal files, or your porn, or even every single piece of data on your computer!
      • by Cow Jones (615566)
        I used to be concerned about this, because in the end, you have to trust somebody. Trust Microsoft, trust the device driver programmers, trust your AV vendor, trust the TrueCrypt programmers. In the case of OSS, trust that enough eyes are watching, and that they're watching closely enough, and that they're even checking every single update and patch that you automatically install.

        It simply is not possible to personally check and verify every piece of code that gets executed on your computer.

        So yes, it's
      • by asninn (1071320)
        Short answer: no.

        Long answer: no, but which software *can* you trust? If you install, say, Mandriva, how do you know that it's not going to "phone home" any of your data? Oh, sure, there's no such functionality in the source code, but how do you know that the binaries you're running do correspond to the source code you're getting? And while you might think that simply recompiling everything will help, it's not actually going to - Ken Thompson demonstrated this nicely. If you're using the shipped compiler, y
        • by Magada (741361)
          If you're that concerned, do not use binaries provided by anyone else. There are also defences against a compiler-based attack, if you stop to think about it. There is no need to trust Microsoft or Mandriva.
    • by CCFreak2K (930973)

      One misconception is that encryption in Vista is turned on "by default." Actually, it is not. In fact, it is not even available in most versions of Vista.
      It also requires a TCPM chip. I tried it on my Pentium 4 box with Windows Vista RC1. No dice.
    • If I remember correctly from 4-5 years ago.. BDE also stood for "Borland Database Engine".. or in colloquial English, the spyware that Kazaa installed.

      now microsoft has made it a feature in their new os, giving us greater spyware value by cutting out the middle man!
  • by heretic108 (454817) on Tuesday April 17, 2007 @05:44PM (#18774991)
    I see from TFA that they're shitting themselves at the prospect of widespread drive-level encryption. They console themselves with the fact that only the high-end Vista versions support BitLocker.

    But in the end, encryption offers only limited protection. If some well-resourced hostile authority wants to take you down, there's endless options for framing you up. For instance, they could mess with your ISP's logs to fabricate http hits to k1dd13 pr0n sites, or infect your box with a bot that hits such sites on your behalf, which will cause the hits without messing with the ISP's logs...
    • Re: (Score:3, Informative)

      by mboverload (657893)
      Criminals usually aren't smart enough to enable drive encryption or buy a $400 copy of Windows Vista. They are probably not smart enough to even install TrueCrypt, which is by far the most incredibly easy to use encryption product on the market.

      And by the way, what kind of bozo puts incriminating evidence on a computer period? Unless they deal in child pornography they wouldn't even have that data on the computer. (Unless you're that one idiot that used Microsoft word to print off a fake suicide note)

      Like
    • by nine-times (778537) <nine.times@gmail.com> on Tuesday April 17, 2007 @05:57PM (#18775185) Homepage

      I see from TFA that they're shitting themselves at the prospect of widespread drive-level encryption.

      Whenever it comes to these things, I find myself in a bit of a quandary. Of course I want various criminals to get busted, but these investigators are essentially relying on poor security to get their information. I generally want computers to have good security. I don't like the idea of people being able to see my personal info or browsing history, but I'm also not really hiding anything.

      oh well...

      • Re: (Score:2, Funny)

        by mboverload (657893)
        IF YOU HAVE NOTHING TO HIDE THEN YOU WON'T MIND US LOOKING THROUGH YOUR BROWSER HISTORY, MR NINE

        *mboverload is sad because he hears these arguments from people but doesn't know how to fight against it. Someone help.*
        • by Qzukk (229616) on Tuesday April 17, 2007 @06:34PM (#18775631) Journal
          *mboverload is sad because he hears these arguments from people but doesn't know how to fight against it. Someone help.*

          "If you have nothing to hide, then you won't mind taking out a newspaper ad with your SSN, your DOB, your credit card numbers, your mother's maiden name, and your driver's license number. Either you have something to hide, or you'll quickly learn that you had something you should have kept hidden."
        • Re: (Score:3, Informative)

          by vux984 (928602)
          If you look through my browser history then you don't respect and trust me.
          If you don't respect and trust me, than there is something fundamentally wrong with our relationship.

          If there is something fundamentally wrong with our relationship then I wish to end it. **OR**
          If there is something fundamentally wrong with our relationship then we need to fix that.

          As far as society, and police/government initiatives, it's the same basic question of trust and respect. Do we want to live in a police state? What fundame
        • Re: (Score:3, Interesting)

          by quanticle (843097)
          I've found that the most effective counterargument is to point out that the whole "nothing to hide, nothing to fear" argument is based upon the presumption that the government is infallible and perfectly competent. Sure, I have nothing to hide. However, I do fear the government looking at bits and pieces of my personal data and then coming to an erroneous conclusion about my future behavior because they didn't get the whole picture.

          Also, I don't like the thought of government being able to make arbitrary
        • Re: (Score:3, Insightful)

          The correct reply to that argument is: "cool, can I come over to your house and install these Web Cams in your house, specifically, your bedroom and your shower, they are gunna broadcast on the internet 24/7"

          Also, demand all government officials (including senators and the president) must be bugged and have their movements and conversation monitored 24/7, and the full details made public, with archives and live feed to ensure that they aren't corrupt. Remember, they won't object if they have nothing

  • encypted backups? (Score:5, Interesting)

    by RedElf (249078) on Tuesday April 17, 2007 @05:51PM (#18775095) Homepage
    After reading the article (I know we're not supposed to do that) I'm a little confused on if you backup an encrypted volume if the backup is also encrypted. If not, doesn't that defeat the whole purpose of encrypting that data in the first place?
    • That's why you should always send your backups to /dev/null.

      That way, they can't be stolen.

      • by RedElf (249078)
        Since when did Microsoft add /dev/null to Windows Vista?
        • by x2A (858210)
          It's existed in the NUL form going right back to early DOS days (and before, in CP/M etc I think), which exists whatever directory you're in. Other device names include CON (console), AUX, PRN, COM1, LPT1 etc.

          e.g.:
          copy con lpt1 -- send anything you type to printer on lpt1
          md newdir > nul -- redirect output to nul

          • by dotgain (630123)

            It's existed in the NUL form going right back to early DOS days (and before, in CP/M etc I think), which exists whatever directory you're in. Other device names include CON (console), AUX, PRN, COM1, LPT1 etc.

            And to really rub your nose in it, Windows won't allow you to create a file or directory anywhere with any of those names. Just what I need from a filesystem: An historically bound list of arbitrary letter combinations that I can't use as a filename anywhere. Oh well, at least it's saved them the tro

            • by pe1chl (90186)
              Not only with those reserved names, but with any extension as well.
              You cannot name your Word document AUX.DOC or NUL.DOC

              The funny thing is that not all applications recognize (like Word) that it is unwise to save your file as NUL.whatever. They just save the file and leave you looking for it later.
              • by sakasune (772886)
                Just tried in Word 2003 to save NUL.doc and AUX.doc and it warned me that it's a reserved device name. Notepad too.
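    The reserved-name behaviour discussed in this sub-thread (NUL, CON, AUX, PRN, COM1, LPT1 and friends being devices in every directory, with or without an extension), as an added example that is not from the article or any poster: a check that a file-upload or archive-extraction routine can run before creating a file on Windows. The `safe_filename` underscore-prefix policy and the sample names are my own assumptions.

    ```python
    """Detect and neutralise Win32 reserved device names in untrusted filenames.

    Added example for this thread, not code from the article or Slashdot.
    Writing to one of these names on Windows hits the device, not a file,
    so a handler that stores user-supplied names must check for them.
    """
    import re

    # Classic Win32 reserved device names (assumption: the set the thread talks
    # about; newer Windows releases reserve a few more, e.g. COM0/LPT0).
    RESERVED_DEVICE_NAMES = frozenset(
        {"CON", "PRN", "AUX", "NUL"}
        | {f"COM{i}" for i in range(1, 10)}
        | {f"LPT{i}" for i in range(1, 10)}
    )


    def is_reserved_device_name(name: str) -> bool:
        """True if Windows would resolve `name` to a device instead of a file.

        Win32 ignores trailing spaces and dots, and only the part before the
        first dot matters, so 'nul', 'NUL.doc', 'Aux.tar.gz' and 'con. '
        are all reserved, while 'nulled.txt' and 'com10.log' are not.
        """
        stem = name.rstrip(" .").split(".", 1)[0]
        return stem.upper() in RESERVED_DEVICE_NAMES


    def safe_filename(name: str) -> str:
        """Return a name that is safe to create on a Windows filesystem.

        Hypothetical upload-handler policy: path separators and drive colons
        become underscores, trailing dots/spaces are dropped, and a reserved
        device name gets an underscore prefix so the content lands in a real
        file rather than in a device.
        """
        cleaned = re.sub(r"[\\/:]", "_", name).rstrip(" .") or "_"
        if is_reserved_device_name(cleaned):
            return "_" + cleaned
        return cleaned


    def classify(names):
        """Map each filename to (reserved?, safe name) for review or logging."""
        return {n: (is_reserved_device_name(n), safe_filename(n)) for n in names}


    if __name__ == "__main__":
        # Constructed sample of names an upload handler might receive.
        sample = ["report.docx", "NUL.doc", "aux.tar.gz", "con",
                  "Lpt1.txt", "com10.log", "nulled.txt"]
        for name, (reserved, safe) in classify(sample).items():
            print(f"{name:12} reserved={str(reserved):5} -> {safe}")
    ```
    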
    • It depends on why you're encrypting and how you're backing up. In this case, copying the files to an unencrypted disk will give you unencrypted files.

      In short, the purpose of encrypting your hard drive in this way is to prevent hacking from someone who has physical access to the machine. For example, if you give me a standard XP system, I can use a boot CD to reset your passwords. I can boot to another OS and access your files directly. If your system is up and running, Windows will protect your files w

      • by x2A (858210)
        Unless you backup the volume (take an image) rather than the files, then you get the raw encrypted data.

        • Are you telling me that if you use bitlocker and you copy files from your computer (running the installed version of Windows) to another drive or a network share, you'll get gibberish on the other end? I'll admit that I've never used bitlocker, but if that's true then it's going to be damn near useless for most uses.
          • by x2A (858210)
            "and you copy files from your computer"

            No, I said if you take an image of the volume instead of copying the files, i.e., if you access the raw hdd data, before the filesystem driver tries to translate it.

            • Just a point of fact, you said that unless you take an image, rather than copying files, you get raw encrypted data. That's the opposite of what you're saying now.
              • by x2A (858210)
                Let me introduce you to a thing called "CONTEXT"... if you read my post in context, you'll see it means totally the opposite thing.

                Original post: "In this case, copying the files to an unencrypted disk will give you unencrypted files"
                My post: "Unless you backup the volume (take an image) rather than the files"

                IOW: Copying the files gives you unencrypted files, unless you backup the volume (take an image), rather than copy the files.

                Make sense now?

    • Re: (Score:3, Interesting)

      by nwetters (93281)
      You should worry more about the disk cache. Previously opened files are cached in RAM in an unencrypted state.

      Firewire ports and PCMCIA slots have direct memory access, so can be used to copy an image of your computer's RAM even if no one is logged in. This can recover useful forensic material even after a reboot cycle, as modern BIOSes don't clear RAM.

      It looks like Vista's disk encryption is useless if you switch on the PC and access files.
  • by figleaf (672550) on Tuesday April 17, 2007 @05:54PM (#18775135) Homepage
    that the article mentions Slashdot and Register as a reference for a Microsoft OS.

  • by Blittzed (657028) on Tuesday April 17, 2007 @06:33PM (#18775623)
    Part of my job entails working with law enforcement officials in the field of digital forensics. They have told me that the use of any encryption system by criminals is very low, to the point of non-existent. This is fortunate for the Police, as it makes it easier for them to keep these scumbags off the streets (unfortunately a lot of the crime they deal with is child pornography). There are so many barriers to BitLocker's use (TPM, correct version of Vista, off by default etc etc), that its widespread use just doesn't seem likely. If the bad guys aren't using EFS and other encryption systems now, and these are easy to implement, why would they bother going through the hassle to use BitLocker? There are also laws being enacted in certain countries to force the bad guy to give up passwords/ keys etc (i.e. we are going to lock you up until you give it to us so you may as well do it now...).
    • "oops, that was the destroy all data password".. sorry about that, I was so shaken up by being jailed when I am innocent that I was confused and gave you the wrong one.
      • "oops, that was the destroy all data password".. sorry about that, I was so shaken up by being jailed when I am innocent that I was confused and gave you the wrong one.
        "Oh, we understand, that's fine. We only tried it on a copy of your drive; care to try again with another copy? We'll give you lots of time to calm down, relax, and think about it."
        • by nurb432 (527695)
          With full TPM enabled in hardware ( which is coming soon to a nightmare near you ) you won't be able to use a copy of the HD.
          • Re: (Score:1, Interesting)

            by Anonymous Coward
            This is true, but with fully TPM enabled hardware, they will, because they will be able to get the hardware key from the manufacturer.
      • by x2A (858210)
        "That's okay, we were working on an image we took directly off the drive... try again"

    • Re: (Score:1, Insightful)

      by Anonymous Coward
      There are also laws being enacted in certain countries to force the bad guy to give up passwords/ keys etc (i.e. we are going to lock you up until you give it to us so you may as well do it now...).

      That's awesome - as long as you have some way to tell who the "bad guys" are before you get their password. Otherwise what you are talking about is making the use of encryption a jailable offence.
      • by Blittzed (657028)
        Fair enough point, and I need to be a bit careful about what I say, but the guys I work with don't normally just grab people at random. If they show up at your door, then they usually already know what they are going to find. The seizure is so that a case can be made and put before a judge / court. They have more than enough work than they can handle now without doing random PC seizures.
    • by Jugalator (259273)
      There are also laws being enacted in certain countries to force the bad guy to give up passwords/ keys etc (i.e. we are going to lock you up until you give it to us so you may as well do it now...).

      Wow...

      Well, good some encryption tools implement plausible deniability then.
    • by jonbryce (703250)
      I guess there is a very big difference between the technical ability of child pornographers and the people who do things like sell crack cocaine by the tonne or arrange to fly planes into skyscrapers.

      Your experience of the use of encryption probably stems from the fact that you work with local police on small scale criminals rather than for the CIA on big international operations.
  • How are they going to find anything looking through Windows?
  • by Opportunist (166417) on Tuesday April 17, 2007 @09:19PM (#18777189)
    Reading those comments, more than the article itself.

    Peruse them and you might notice something. Well? Right. A handful deals with the problem of having your notebook stolen, while the majority discusses the effects of it on a search. I.e. more people being concerned of the effects to a search than to having your computer stolen.

    Makes me wonder... does it tell me something 'bout the people here or about the governments we live in?
    • by QCompson (675963)

      Reading those comments, more than the article itself.

      That's pretty obvious. The article is about Vista and computer forensic investigation. That would be why most of the comments are focusing on a search and seizure situation.
  • by v1 (525388) on Wednesday April 18, 2007 @06:57AM (#18780111) Homepage Journal
    The Macintosh home folder security is called "FileVault", and uses encryption to encrypt the entire user home folder, where most of the user information is. The actual key to the vault is large (128-bit AES?) and is stored at the start of the vault, but the key is encrypted using the password the user provides when it is created. Another copy is stored there, encrypted using the master password's certificate, which is encrypted using the master password. So if you lose your password and lose the master password, the data is truly gone forever, and there is no "back door" at Apple. There's nothing stopping you from deleting the master key, it's one document easily located. There is no known back door to the FileVault system, and the system is very careful to point out if you lose the password and master password, your data is irrecoverable. The master key requires you to enter a password because the key itself is also encrypted, so simply having access to the master key certificate is not useful in breaking into a locked vault, because the master password is required still.

    From what I have heard, all rumor and third-party, Windows' encrypted home folders are worthless from a true security standpoint. I have been told that there is a master key in use similar to the master password in OS X, but that it is not one that the user makes, it comes pre-made from Microsoft. No one outside Microsoft has the private key to unlock that certificate. So if you lose your password, YOU are screwed, but if Microsoft really wanted into your data they could get into it. (or let someone else into it) I don't know if there is a documented way to erase this copy of the image's crypto key encrypted with Microsoft's back door password. Also I wonder if an administrator could simply reset the password on the account and then login with the new password to just waltz by the entire security of the system?

    How much of this is fact and how much is fiction? We have seen time and time again that security by secrecy and security by "but we would NEVER misuse our master key" is a complete laugh, because (A) the secret ALWAYS gets out, and (B) someone ALWAYS ends up misusing the master key. In this respect I feel sorry for the windows users because the wolves are guarding the sheep.

    Sidenote: OS X also has a built-in feature that lets you create a regular encrypted disk image. When you make one of those, the machine's master password is not used to store another encrypted copy of the image key as with FileVault, so those disk images have only one actual key. I use this to store a password list on my flash drive because of how easy they are to lose, and I am completely confident that anyone that finds the flash drive will be absolutely unable to access my information. I assume that a 3rd party solution is required for Windows users?

    Somewhat OT, but I have also been told that it's essentially impossible for even an administrator to just read another user's data on the same hard drive, that they have to "take ownership" of the files to read them, thus altering the data. Yet viruses apparently can multiply at will, infecting all accounts on the computer. Why is it that the viruses have no problem circumventing Windows security while at the same time it's nigh impossible for the administrator to do the same thing? That does not make sense.
  • Considering the NSA were "consulted" by MS, they must have a key. DVD Jon is just the person to "jimmy" the lock on this door.

    I wonder how the Chinese and Russians view this "consultation"?
