Feeds

Notes on Vista forensics

Part two: Digesting the differences

High performance access to file storage

One last point which involves RAM, application usage and a new feature in Vista. As most computer users will know, there often comes a time when our machines slow to a crawl due to too many applications making demands on available memory. The most straightforward solution to this problem (other than running fewer programs at the same time, of course) is to add extra RAM but this can still be a daunting task for those with little technical knowledge.

Vista offers a solution to this problem in the shape of ReadyBoost, a new feature which allows attached flash memory devices to be used as extra memory. However, examiners should be aware of two important points.

irst, although strictly speaking ReadyBoost does provide extra memory the data held on the flash device is actually also present in the host machine's RAM - the intended benefit of the feature is that it provides faster access to this data for certain types of operations.

Second, the data on the device is AES-128 encrypted. It's too early to say how often examiners are likely to encounter ReadyBoost in practice (reports on its effectiveness appear mixed so its popularity may be limited) but with our attention being more and more focused on evidence sources beyond the hard drive it is at least something to be aware of.

System files and metadata

Log files are often a useful source of information and changes to the Event Viewer in Vista mean that log files are now created in an XML compliant .elf format (rather than as .evt files seen previously). Any scripts which are used to locate and parse log files may need to be updated.

The hidden file "thumbs.db" introduced in previous Windows versions which has been of such interest to investigators over the past few years has also undergone a significant change. In fact this file has been replaced by a number of "thumbcache_xxx.db" files which are now located within a user's profile at

\Users\<USER NAME>\AppData\Local\Microsoft\Windows\Explorer

Another change to be aware of is that the Disk Cleanup Wizard included with Vista may be used to delete these thumbnails. (Note: in some cases Microsoft now refers to thumbnails as "icons" or "live icons".)

Metadata can be described as data about data. In the world of computer forensics, metadata is usually discussed in terms of information held about a file, a well known example of which is the information associated with a Word document which can include various details such as the author's name, comments and revision history (in fact, this particular example is so well known that Microsoft was forced to create a tool to help users remove the data in question!) Metadata on Windows systems becomes even more interesting when you examine multiple file streams, a concept first introduced in NT 3.51, which allow you to associate extra information with a file on an NTFS filesystem.

Although the information held in these streams may appear invisible to the typical user, it can be a rich source of information to the examiner. This potential repository for data could also be used to hide information and so it has become an essential area to cover during an investigation.

Although NTFS is the recommended file system for Vista Microsoft no longer believes that alternate data streams (ADS) are the best method for associating metadata with a file, primarily due to the fact that this extra information is not included when the file is transferred under certain circumstances (e.g. to a non-NTFS volume or when sent as an attachment).

Instead, Vista developers are being encouraged to include metadata within files themselves and this is another area where useful information may be uncovered by the examiner. It should be noted, however, that ADS functionality is still present within Vista so it should not be ignored during an investigation.

Returning to the user experience once again, another important develoment as far as metadata is concerned is that Microsoft is now encouraging users to add such data to their own files though the use of "tags" or "metatags". Primarily seen as a way to help users rate, organize and search through their content, user-generated tags may prove to be a useful source of information during certain types of investigation. However, the flip side of this potential benefit is that Vista also makes it relatively easy (through a file's Properties tab) for users to remove metadata.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.