Notes on Vista forensics

One last point which involves RAM, application usage and a new feature in Vista. As most computer users will know, there often comes a time when our machines slow to a crawl due to too many applications making demands on available memory. The most straightforward solution to this problem (other than running fewer programs at the same time, of course) is to add extra RAM but this can still be a daunting task for those with little technical knowledge.

Vista offers a solution to this problem in the shape of ReadyBoost, a new feature which allows attached flash memory devices to be used as extra memory. However, examiners should be aware of two important points.

irst, although strictly speaking ReadyBoost does provide extra memory the data held on the flash device is actually also present in the host machine's RAM - the intended benefit of the feature is that it provides faster access to this data for certain types of operations.

Second, the data on the device is AES-128 encrypted. It's too early to say how often examiners are likely to encounter ReadyBoost in practice (reports on its effectiveness appear mixed so its popularity may be limited) but with our attention being more and more focused on evidence sources beyond the hard drive it is at least something to be aware of.

System files and metadata

Log files are often a useful source of information and changes to the Event Viewer in Vista mean that log files are now created in an XML compliant .elf format (rather than as .evt files seen previously). Any scripts which are used to locate and parse log files may need to be updated.

The hidden file "thumbs.db" introduced in previous Windows versions which has been of such interest to investigators over the past few years has also undergone a significant change. In fact this file has been replaced by a number of "thumbcache_xxx.db" files which are now located within a user's profile at

\Users\<USER NAME>\AppData\Local\Microsoft\Windows\Explorer

Another change to be aware of is that the Disk Cleanup Wizard included with Vista may be used to delete these thumbnails. (Note: in some cases Microsoft now refers to thumbnails as "icons" or "live icons".)

Metadata can be described as data about data. In the world of computer forensics, metadata is usually discussed in terms of information held about a file, a well known example of which is the information associated with a Word document which can include various details such as the author's name, comments and revision history (in fact, this particular example is so well known that Microsoft was forced to create a tool to help users remove the data in question!) Metadata on Windows systems becomes even more interesting when you examine multiple file streams, a concept first introduced in NT 3.51, which allow you to associate extra information with a file on an NTFS filesystem.

Although the information held in these streams may appear invisible to the typical user, it can be a rich source of information to the examiner. This potential repository for data could also be used to hide information and so it has become an essential area to cover during an investigation.

Although NTFS is the recommended file system for Vista Microsoft no longer believes that alternate data streams (ADS) are the best method for associating metadata with a file, primarily due to the fact that this extra information is not included when the file is transferred under certain circumstances (e.g. to a non-NTFS volume or when sent as an attachment).

Instead, Vista developers are being encouraged to include metadata within files themselves and this is another area where useful information may be uncovered by the examiner. It should be noted, however, that ADS functionality is still present within Vista so it should not be ignored during an investigation.

Returning to the user experience once again, another important develoment as far as metadata is concerned is that Microsoft is now encouraging users to add such data to their own files though the use of "tags" or "metatags". Primarily seen as a way to help users rate, organize and search through their content, user-generated tags may prove to be a useful source of information during certain types of investigation. However, the flip side of this potential benefit is that Vista also makes it relatively easy (through a file's Properties tab) for users to remove metadata.