Feeds

Notes on Vista forensics

Part two: Digesting the differences

Secure remote control for conventional and virtual desktops

One last point which involves RAM, application usage and a new feature in Vista. As most computer users will know, there often comes a time when our machines slow to a crawl due to too many applications making demands on available memory. The most straightforward solution to this problem (other than running fewer programs at the same time, of course) is to add extra RAM but this can still be a daunting task for those with little technical knowledge.

Vista offers a solution to this problem in the shape of ReadyBoost, a new feature which allows attached flash memory devices to be used as extra memory. However, examiners should be aware of two important points.

irst, although strictly speaking ReadyBoost does provide extra memory the data held on the flash device is actually also present in the host machine's RAM - the intended benefit of the feature is that it provides faster access to this data for certain types of operations.

Second, the data on the device is AES-128 encrypted. It's too early to say how often examiners are likely to encounter ReadyBoost in practice (reports on its effectiveness appear mixed so its popularity may be limited) but with our attention being more and more focused on evidence sources beyond the hard drive it is at least something to be aware of.

System files and metadata

Log files are often a useful source of information and changes to the Event Viewer in Vista mean that log files are now created in an XML compliant .elf format (rather than as .evt files seen previously). Any scripts which are used to locate and parse log files may need to be updated.

The hidden file "thumbs.db" introduced in previous Windows versions which has been of such interest to investigators over the past few years has also undergone a significant change. In fact this file has been replaced by a number of "thumbcache_xxx.db" files which are now located within a user's profile at

\Users\<USER NAME>\AppData\Local\Microsoft\Windows\Explorer

Another change to be aware of is that the Disk Cleanup Wizard included with Vista may be used to delete these thumbnails. (Note: in some cases Microsoft now refers to thumbnails as "icons" or "live icons".)

Metadata can be described as data about data. In the world of computer forensics, metadata is usually discussed in terms of information held about a file, a well known example of which is the information associated with a Word document which can include various details such as the author's name, comments and revision history (in fact, this particular example is so well known that Microsoft was forced to create a tool to help users remove the data in question!) Metadata on Windows systems becomes even more interesting when you examine multiple file streams, a concept first introduced in NT 3.51, which allow you to associate extra information with a file on an NTFS filesystem.

Although the information held in these streams may appear invisible to the typical user, it can be a rich source of information to the examiner. This potential repository for data could also be used to hide information and so it has become an essential area to cover during an investigation.

Although NTFS is the recommended file system for Vista Microsoft no longer believes that alternate data streams (ADS) are the best method for associating metadata with a file, primarily due to the fact that this extra information is not included when the file is transferred under certain circumstances (e.g. to a non-NTFS volume or when sent as an attachment).

Instead, Vista developers are being encouraged to include metadata within files themselves and this is another area where useful information may be uncovered by the examiner. It should be noted, however, that ADS functionality is still present within Vista so it should not be ignored during an investigation.

Returning to the user experience once again, another important develoment as far as metadata is concerned is that Microsoft is now encouraging users to add such data to their own files though the use of "tags" or "metatags". Primarily seen as a way to help users rate, organize and search through their content, user-generated tags may prove to be a useful source of information during certain types of investigation. However, the flip side of this potential benefit is that Vista also makes it relatively easy (through a file's Properties tab) for users to remove metadata.

Intelligent flash storage arrays

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Free virtual appliance for wire data analytics
The ExtraHop Discovery Edition is a free virtual appliance will help you to discover the performance of your applications across the network, web, VDI, database, and storage tiers.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.