Notes on Vista forensics
Part two: Digesting the differences
Vista as an examination platform
Vista's much touted Aero interface may give the impression that "Minority Report" style crime-busting is just around the corner but, sadly, we're not quite there yet.
Perhaps unsurprisingly given the changes to some aspects of Vista of interest to forensic examiners (e.g. file structure, the Registry, the Recycle Bin, etc.) a number of issues with existing forensic software packages have already been identified and vendors continue to work on new releases in response.
Although many of the issues identified are directly related to the analysis of Vista on a suspect drive a number of other problems have been reported by those running Vista as the platform upon which the forensic package itself is running (it should be noted that in some cases Vista is not yet officially supported by the developer in these cases).
The problems are not only related to forensic software, however, and while some may be addressed with a simple driver update others may be considered even more fundamental as Scott A Moulton of Forensic Strategy Services, LLC. explains: "I still have major problems mounting large drives under Vista. I use many 1 terabyte or 2 terabyte drives and Vista is absolutely worthless on these drives - I'm lucky if Vista does not actually mess the drive up. Deleting files is a nightmare and sometimes takes days. Just simply copying files is so slow it is unbearable.
"I received quite a few responses from people who have had similar issues and it seems that DRM [Digital Rights Management] may be the most probable cause. They've found that Vista tries to check each file to see if there is a protection flag on it or not before even deleting the file."
Despite these issues, Vista retains much of previous versions of Windows and some third party tools are expected to function largely as before. Where changes do need to be made in some tools they may be minor. For example, most of the Sysinternals tools commonly used in many Windows live response scenarios are expected to work under Vista without modification. One exception is Process Explorer, a minor modification to which in order to enable full functionality is expected within the next few months.
Computer forensic examination does not only involve searching an individual's computer for evidence of their own wrongdoing but also includes situations where the system itself has been attacked, commonly resulting in data loss, alteration or a denial of service. In addition to the deliberate targeting of individual systems over a network the threats posed by malware downloaded through web browsing or email use are well documented.
One of Microsoft's goals with Vista is to significantly improve the security of the operating system and although the act of investigation is necessarily one which takes place after an incident has occurred, the effect of hardening the system against common attacks in the first place is one which may impact the number of incidents of this type which require investigation.
So, where does this leave us? I think the first thing to keep in mind is that the playing field hasn't changed overnight just because Vista has been released to the public.
In fact, there are a number of reasons to believe that the uptake of Vista amongst existing users might be relatively slow so whatever impact it does have may be fairly gradual (even Steve Ballmer, Microsoft's chief executive, has admitted that earlier sales forecasts may have been "overly aggressive").
Secondly, the changes in Vista most likely to affect forensic examiners are probably most accurately described as evolutionary rather than revolutionary. There really isn't much which we haven't seen before in some shape or other and already developed strategies to deal with. Undoubtedly there will be cases where new features do present difficulties but investigators will adapt their approach accordingly, perhaps moving towards a greater emphasis on live analysis or network-based evidence collection where appropriate.
And finally, taking a broader view, if Microsoft delivers on its promise to improve the security of our increasingly connected world then we all benefit. For the time being though, the fight between those with something to hide and those tasked with uncovering electronic evidence continues.
This article originally appeared in Security Focus.
Copyright © 2007, SecurityFocus
Sponsored: Data Loss Prevention & Data Theft Prevention