Notes on Vista forensics

Part two: Digesting the differences

Vista as an examination platform

Vista's much touted Aero interface may give the impression that "Minority Report" style crime-busting is just around the corner but, sadly, we're not quite there yet.

Perhaps unsurprisingly, given the changes to aspects of Vista of interest to forensic examiners (e.g. the file structure, the Registry, the Recycle Bin, etc.), a number of issues with existing forensic software packages have already been identified, and vendors continue to work on new releases in response.

Although many of the issues identified relate directly to the analysis of Vista on a suspect drive, a number of other problems have been reported by those running Vista as the platform on which the forensic package itself runs (it should be noted that in some of these cases Vista is not yet officially supported by the developer).

The problems are not only related to forensic software, however, and while some may be addressed with a simple driver update, others may be considered even more fundamental, as Scott A. Moulton of Forensic Strategy Services, LLC, explains: "I still have major problems mounting large drives under Vista. I use many 1 terabyte or 2 terabyte drives and Vista is absolutely worthless on these drives - I'm lucky if Vista does not actually mess the drive up. Deleting files is a nightmare and sometimes takes days. Just simply copying files is so slow it is unbearable.

"I received quite a few responses from people who have had similar issues and it seems that DRM [Digital Rights Management] may be the most probable cause. They've found that Vista tries to check each file to see if there is a protection flag on it or not before even deleting the file."

Despite these issues, Vista retains much of previous versions of Windows, and some third party tools are expected to function largely as before. Where changes do need to be made to some tools, they may be minor. For example, most of the Sysinternals tools commonly used in Windows live response scenarios are expected to work under Vista without modification. One exception is Process Explorer, for which a minor modification to restore full functionality is expected within the next few months.

Conclusions

Computer forensic examination does not only involve searching an individual's computer for evidence of their own wrongdoing but also includes situations where the system itself has been attacked, commonly resulting in data loss, alteration or a denial of service. In addition to the deliberate targeting of individual systems over a network the threats posed by malware downloaded through web browsing or email use are well documented.

One of Microsoft's goals with Vista is to significantly improve the security of the operating system and although the act of investigation is necessarily one which takes place after an incident has occurred, the effect of hardening the system against common attacks in the first place is one which may impact the number of incidents of this type which require investigation.

So, where does this leave us? I think the first thing to keep in mind is that the playing field hasn't changed overnight just because Vista has been released to the public.

In fact, there are a number of reasons to believe that the uptake of Vista amongst existing users might be relatively slow so whatever impact it does have may be fairly gradual (even Steve Ballmer, Microsoft's chief executive, has admitted that earlier sales forecasts may have been "overly aggressive").

Secondly, the changes in Vista most likely to affect forensic examiners are probably most accurately described as evolutionary rather than revolutionary. There really isn't much which we haven't seen before in some shape or other and already developed strategies to deal with. Undoubtedly there will be cases where new features do present difficulties but investigators will adapt their approach accordingly, perhaps moving towards a greater emphasis on live analysis or network-based evidence collection where appropriate.

And finally, taking a broader view, if Microsoft delivers on its promise to improve the security of our increasingly connected world then we all benefit. For the time being though, the fight between those with something to hide and those tasked with uncovering electronic evidence continues.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus
