Feeds

Notes on Vista forensics

Part two: Digesting the differences

SANS - Survey on application security programs

Vista as an examination platform

Vista's much touted Aero interface may give the impression that "Minority Report" style crime-busting is just around the corner but, sadly, we're not quite there yet.

Perhaps unsurprisingly given the changes to some aspects of Vista of interest to forensic examiners (e.g. file structure, the Registry, the Recycle Bin, etc.) a number of issues with existing forensic software packages have already been identified and vendors continue to work on new releases in response.

Although many of the issues identified are directly related to the analysis of Vista on a suspect drive a number of other problems have been reported by those running Vista as the platform upon which the forensic package itself is running (it should be noted that in some cases Vista is not yet officially supported by the developer in these cases).

The problems are not only related to forensic software, however, and while some may be addressed with a simple driver update others may be considered even more fundamental as Scott A Moulton of Forensic Strategy Services, LLC. explains: "I still have major problems mounting large drives under Vista. I use many 1 terabyte or 2 terabyte drives and Vista is absolutely worthless on these drives - I'm lucky if Vista does not actually mess the drive up. Deleting files is a nightmare and sometimes takes days. Just simply copying files is so slow it is unbearable.

"I received quite a few responses from people who have had similar issues and it seems that DRM [Digital Rights Management] may be the most probable cause. They've found that Vista tries to check each file to see if there is a protection flag on it or not before even deleting the file."

Despite these issues, Vista retains much of previous versions of Windows and some third party tools are expected to function largely as before. Where changes do need to be made in some tools they may be minor. For example, most of the Sysinternals tools commonly used in many Windows live response scenarios are expected to work under Vista without modification. One exception is Process Explorer, a minor modification to which in order to enable full functionality is expected within the next few months.

Conclusions

Computer forensic examination does not only involve searching an individual's computer for evidence of their own wrongdoing but also includes situations where the system itself has been attacked, commonly resulting in data loss, alteration or a denial of service. In addition to the deliberate targeting of individual systems over a network the threats posed by malware downloaded through web browsing or email use are well documented.

One of Microsoft's goals with Vista is to significantly improve the security of the operating system and although the act of investigation is necessarily one which takes place after an incident has occurred, the effect of hardening the system against common attacks in the first place is one which may impact the number of incidents of this type which require investigation.

So, where does this leave us? I think the first thing to keep in mind is that the playing field hasn't changed overnight just because Vista has been released to the public.

In fact, there are a number of reasons to believe that the uptake of Vista amongst existing users might be relatively slow so whatever impact it does have may be fairly gradual (even Steve Ballmer, Microsoft's chief executive, has admitted that earlier sales forecasts may have been "overly aggressive").

Secondly, the changes in Vista most likely to affect forensic examiners are probably most accurately described as evolutionary rather than revolutionary. There really isn't much which we haven't seen before in some shape or other and already developed strategies to deal with. Undoubtedly there will be cases where new features do present difficulties but investigators will adapt their approach accordingly, perhaps moving towards a greater emphasis on live analysis or network-based evidence collection where appropriate.

And finally, taking a broader view, if Microsoft delivers on its promise to improve the security of our increasingly connected world then we all benefit. For the time being though, the fight between those with something to hide and those tasked with uncovering electronic evidence continues.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.