Feeds

Notes on Vista forensics

Part two: Digesting the differences

Website security in corporate America

Vista as an examination platform

Vista's much touted Aero interface may give the impression that "Minority Report" style crime-busting is just around the corner but, sadly, we're not quite there yet.

Perhaps unsurprisingly given the changes to some aspects of Vista of interest to forensic examiners (e.g. file structure, the Registry, the Recycle Bin, etc.) a number of issues with existing forensic software packages have already been identified and vendors continue to work on new releases in response.

Although many of the issues identified are directly related to the analysis of Vista on a suspect drive a number of other problems have been reported by those running Vista as the platform upon which the forensic package itself is running (it should be noted that in some cases Vista is not yet officially supported by the developer in these cases).

The problems are not only related to forensic software, however, and while some may be addressed with a simple driver update others may be considered even more fundamental as Scott A Moulton of Forensic Strategy Services, LLC. explains: "I still have major problems mounting large drives under Vista. I use many 1 terabyte or 2 terabyte drives and Vista is absolutely worthless on these drives - I'm lucky if Vista does not actually mess the drive up. Deleting files is a nightmare and sometimes takes days. Just simply copying files is so slow it is unbearable.

"I received quite a few responses from people who have had similar issues and it seems that DRM [Digital Rights Management] may be the most probable cause. They've found that Vista tries to check each file to see if there is a protection flag on it or not before even deleting the file."

Despite these issues, Vista retains much of previous versions of Windows and some third party tools are expected to function largely as before. Where changes do need to be made in some tools they may be minor. For example, most of the Sysinternals tools commonly used in many Windows live response scenarios are expected to work under Vista without modification. One exception is Process Explorer, a minor modification to which in order to enable full functionality is expected within the next few months.

Conclusions

Computer forensic examination does not only involve searching an individual's computer for evidence of their own wrongdoing but also includes situations where the system itself has been attacked, commonly resulting in data loss, alteration or a denial of service. In addition to the deliberate targeting of individual systems over a network the threats posed by malware downloaded through web browsing or email use are well documented.

One of Microsoft's goals with Vista is to significantly improve the security of the operating system and although the act of investigation is necessarily one which takes place after an incident has occurred, the effect of hardening the system against common attacks in the first place is one which may impact the number of incidents of this type which require investigation.

So, where does this leave us? I think the first thing to keep in mind is that the playing field hasn't changed overnight just because Vista has been released to the public.

In fact, there are a number of reasons to believe that the uptake of Vista amongst existing users might be relatively slow so whatever impact it does have may be fairly gradual (even Steve Ballmer, Microsoft's chief executive, has admitted that earlier sales forecasts may have been "overly aggressive").

Secondly, the changes in Vista most likely to affect forensic examiners are probably most accurately described as evolutionary rather than revolutionary. There really isn't much which we haven't seen before in some shape or other and already developed strategies to deal with. Undoubtedly there will be cases where new features do present difficulties but investigators will adapt their approach accordingly, perhaps moving towards a greater emphasis on live analysis or network-based evidence collection where appropriate.

And finally, taking a broader view, if Microsoft delivers on its promise to improve the security of our increasingly connected world then we all benefit. For the time being though, the fight between those with something to hide and those tasked with uncovering electronic evidence continues.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.