Feeds

Notes on Vista forensics

Part two: Digesting the differences

Providing a secure and efficient Helpdesk

One last point which involves RAM, application usage and a new feature in Vista. As most computer users will know, there often comes a time when our machines slow to a crawl due to too many applications making demands on available memory. The most straightforward solution to this problem (other than running fewer programs at the same time, of course) is to add extra RAM but this can still be a daunting task for those with little technical knowledge.

Vista offers a solution to this problem in the shape of ReadyBoost, a new feature which allows attached flash memory devices to be used as extra memory. However, examiners should be aware of two important points.

irst, although strictly speaking ReadyBoost does provide extra memory the data held on the flash device is actually also present in the host machine's RAM - the intended benefit of the feature is that it provides faster access to this data for certain types of operations.

Second, the data on the device is AES-128 encrypted. It's too early to say how often examiners are likely to encounter ReadyBoost in practice (reports on its effectiveness appear mixed so its popularity may be limited) but with our attention being more and more focused on evidence sources beyond the hard drive it is at least something to be aware of.

System files and metadata

Log files are often a useful source of information and changes to the Event Viewer in Vista mean that log files are now created in an XML compliant .elf format (rather than as .evt files seen previously). Any scripts which are used to locate and parse log files may need to be updated.

The hidden file "thumbs.db" introduced in previous Windows versions which has been of such interest to investigators over the past few years has also undergone a significant change. In fact this file has been replaced by a number of "thumbcache_xxx.db" files which are now located within a user's profile at

\Users\<USER NAME>\AppData\Local\Microsoft\Windows\Explorer

Another change to be aware of is that the Disk Cleanup Wizard included with Vista may be used to delete these thumbnails. (Note: in some cases Microsoft now refers to thumbnails as "icons" or "live icons".)

Metadata can be described as data about data. In the world of computer forensics, metadata is usually discussed in terms of information held about a file, a well known example of which is the information associated with a Word document which can include various details such as the author's name, comments and revision history (in fact, this particular example is so well known that Microsoft was forced to create a tool to help users remove the data in question!) Metadata on Windows systems becomes even more interesting when you examine multiple file streams, a concept first introduced in NT 3.51, which allow you to associate extra information with a file on an NTFS filesystem.

Although the information held in these streams may appear invisible to the typical user, it can be a rich source of information to the examiner. This potential repository for data could also be used to hide information and so it has become an essential area to cover during an investigation.

Although NTFS is the recommended file system for Vista Microsoft no longer believes that alternate data streams (ADS) are the best method for associating metadata with a file, primarily due to the fact that this extra information is not included when the file is transferred under certain circumstances (e.g. to a non-NTFS volume or when sent as an attachment).

Instead, Vista developers are being encouraged to include metadata within files themselves and this is another area where useful information may be uncovered by the examiner. It should be noted, however, that ADS functionality is still present within Vista so it should not be ignored during an investigation.

Returning to the user experience once again, another important develoment as far as metadata is concerned is that Microsoft is now encouraging users to add such data to their own files though the use of "tags" or "metatags". Primarily seen as a way to help users rate, organize and search through their content, user-generated tags may prove to be a useful source of information during certain types of investigation. However, the flip side of this potential benefit is that Vista also makes it relatively easy (through a file's Properties tab) for users to remove metadata.

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.