Vista For Forensic Investigators
Ant writes "SecurityFocus has a two-part article offering a high-level look at changes in Windows Vista that a computer forensic investigator needs to know about. Part 1 covers the different versions of Vista available and Vista's built-in encryption, backup, and system protection features. Part 2 continues with a look at typical user activities such as Web browser and email usage."
Oh n0es (Score:5, Interesting)
This may make it easier for the not so completely stupid criminals to protect themselves, but I doubt it will have any real effect.
People are stupid. That's why they get caught.
encrypted backups? (Score:5, Interesting)
Re:Oh n0es (Score:3, Interesting)
At the risk of sounding like an overly-eager Apple fanboi (bleck!), recent Macs have an Infineon TPM 1.2 chip in them.
Encryption use is low anyway... (Score:3, Interesting)
Re:Oh n0es (Score:5, Interesting)
Re:If they want to bust you, they will (Score:3, Interesting)
Also, I don't like the thought of government being able to make arbitrary decisions restricting your freedoms without at least giving you the chance to address their concerns. Encrypting my data makes the government come to me for the decryption key (chances are, they'll do this at least to see if I'm willing to cooperate). This is a chance for me to ask what's going on and why they need this data.
Re:No problem (Score:1, Interesting)
Re:encrypted backups? (Score:3, Interesting)
FireWire ports and PCMCIA slots have direct memory access, so they can be used to copy an image of your computer's RAM even if no one is logged in. This can recover useful forensic material even after a reboot cycle, as modern BIOSes don't clear RAM.
It looks like Vista's disk encryption is useless if you switch on the PC and access files.
Re:Oh n0es (Score:3, Interesting)
how secure is vista, really? (Score:3, Interesting)
From what I have heard, all rumor and third-party, Windows' encrypted home folders are worthless from a true security standpoint. I have been told that there is a master key in use similar to the master password in OS X, but that it is not one that the user makes; it comes pre-made from Microsoft. No one outside Microsoft has the private key to unlock that certificate. So if you lose your password, YOU are screwed, but if Microsoft really wanted into your data they could get into it (or let someone else into it). I don't know if there is a documented way to erase this copy of the image's crypto key encrypted with Microsoft's back door password. Also I wonder if an administrator could simply reset the password on the account and then log in with the new password to just waltz by the entire security of the system?
How much of this is fact and how much is fiction? We have seen time and time again that security by secrecy and security by "but we would NEVER misuse our master key" is a complete laugh, because (A) the secret ALWAYS gets out, and (B) someone ALWAYS ends up misusing the master key. In this respect I feel sorry for the Windows users because the wolves are guarding the sheep.
Sidenote: OS X also has a built-in feature that lets you create a regular encrypted disk image. When you make one of those, the machine's master password is not used to store another encrypted copy of the image key as with FileVault, so those disk images have only one actual key. I use this to store a password list on my flash drive because of how easy they are to lose, and I am completely confident that anyone that finds the flash drive will be absolutely unable to access my information. I assume that a 3rd party solution is required for Windows users?
Somewhat OT, but I have also been told that it's essentially impossible for even an administrator to just read another user's data on the same hard drive, that they have to "take ownership" of the files to read them, thus altering the data. Yet viruses apparently can multiply at will, infecting all accounts on the computer. Why is it that the viruses have no problem circumventing Windows security while at the same time it's nigh impossible for the administrator to do the same thing? That does not make sense.
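The two questions in the post above (is there a second copy of the file key, and does an admin password reset get past it) come down to how EFS layers its keys: each file's key is wrapped once for the user (the Data Decryption Field) and, when a recovery agent is configured, once more for that agent (the Data Recovery Field), while the user's own key is protected through DPAPI material derived from the logon password. The toy model below is an added illustration, not code from the thread or from Windows; it stands in for RSA and DPAPI with a standard-library HMAC-based stream (labelled toy crypto), and the salt, password and agent key are constructed values.

```python
# Added illustration, not code from the thread or from Windows: a toy model of
# the EFS key layering the comment asks about. Real EFS wraps the file key with
# RSA and protects the user's private key through DPAPI; here every wrap uses
# a standard-library HMAC-based stream with an integrity tag. Toy crypto only.
import hashlib, hmac, os

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode (toy, not a real cipher)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def wrap(key: bytes, data: bytes) -> bytes:
    """nonce || data XOR keystream || tag, so a wrong key is detected."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unwrap(key: bytes, blob: bytes):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None  # wrong key: the wrapped key is simply unavailable
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def user_key(password: str, salt: bytes) -> bytes:
    """DPAPI analogue: the user's key is derived from the logon password,
    which is why an administrator resetting that password loses it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def encrypt_file(plaintext: bytes, user_pw: str, salt: bytes, dra_key=None) -> dict:
    fek = os.urandom(32)  # per-file key
    f = {"ddf": wrap(user_key(user_pw, salt), fek),  # Data Decryption Field
         "data": wrap(fek, plaintext)}
    if dra_key is not None:  # Data Recovery Field: the "master key" of the comment
        f["drf"] = wrap(dra_key, fek)
    return f

def decrypt_file(f: dict, user_pw=None, salt=b"", dra_key=None):
    fek = unwrap(user_key(user_pw, salt), f["ddf"]) if user_pw is not None else None
    if fek is None and dra_key is not None and "drf" in f:
        fek = unwrap(dra_key, f["drf"])  # recovery agent path
    return None if fek is None else unwrap(fek, f["data"])

def remove_recovery_agent(f: dict) -> dict:
    """Dropping the DRF leaves the file with exactly one decryptor."""
    return {k: v for k, v in f.items() if k != "drf"}
```

Run through, the model shows the recovery agent (if one is configured) can open the file without the user's password, that a plain password reset cannot, and that stripping the DRF removes the second path entirely.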