Windows Vista Serious Challenges for Digital Investigators

1
Windows VistaSerious Challenges for Digital
Investigators

• Authors Darren Hayes
• Shareq Qureshi
• Presented By Prerna Gupta

2
Vista Overview

• Not all users are the same
• GenerationX
• Internet
• Multimedia
• Social Networking
• Gaming
• Middle-Aged (Baby Boomers)
• Tech-Savvy
• Senior Citizens

3
Security Changes

• User Account Control
• Firewall
• Authentication
• Network Access Protection
• Windows Service Hardening
• Anti-Malware
• Data Protection
• Windows Parental Controls

4
Firewall

• Application Aware Outbound Filtering
• Group Policy Settings (Enterprise Administrators)
• Application Can Run Locally But Not Communicate
  Across a Network
• IPv6 Connection Filtering

5
Authentication

• Custom Authentication
• Biometrics
• Tokens
• Authentication for Passwords Smart Cards

6
Anti-Malware

• Windows Defender
• Pop-Ups
• Slow Performance
• Spyware
• Software Explorer
• Windows Live OneCare (Spyware Anti-Virus)
• Real-Time Protection

7
Data Protection

• Offline Attacks
• BitLocker Drive Encryption
• Trusted Platform Module (Secure Generation of
  Cryptographic Keys
• Encrypted File System

8
Benefits to Investigations

• Control, Ownership Intent
• Varying levels of Users
• New methods of Authentication
• Scheduled Backup Restore
• Automatic Shadow Copy by Default
• 15 of Volume Reserved

9
Challenges to Investigators

• Encryption
• BitLocker Drive Encryption
• Hard Drive (AES TPM)
• Encrypted File System
• Encrypted E-Mail
• Windows Mail
• Reduction in Metadata
• Automatic Defragmentation

10
Event Logging

• Time, SID, Source, Message
• More than 50 Logs by Default
• C/Windows/system32/winevt/Logs/
• Application.evtx
• HardwareEvents.evtx
• Internet Explorer.evtx
• Security.evtx
• Setup.evtx.
• System.evtx, More..

11
Changes in Evidence

• System Time Event
• Events are XML but Encoded rather in BXML
• Practical Test on Windows XP and Vista
• Person wants to Change the System Time after the
  Crime
• Possible in Both, but shown only in Vista

12
Changes in Evidence(Cont.)
13
Event Viewer in XP
14
Event Viewer in Vista
15
Disk Defragmentation

• Works Same way in XP as in Vista
• Simplified GUI but More Concern to Investigators
• Disk Fragmentation is Scheduled to Work
  Automatically
• Implication with Regard to Recovery of Deleted
  Files

16
XP Disk Defragmenter
17
Vista Disk Defragmenter
18
Last Access Dates

• In Windows XP are no Longer Updated
• In Windows Vista, this Feature is Enabled by
  Default
• This Default Setting Obviously has a Severe
  Impact
• Date Stamps as Part of their Analysis.

19
Windows Firewall

• Filter Incoming and Outgoing Network Connections
• From a Forensic Perspective - Logging Mechanism
• The Log is Disabled by Default
• C\windows\system32\LogFiles\Firewall\pfirewall.lo
  g

20
Windows Search Engine

• Windows Vista - New Search Engine and Indexing
  Feature
• Users can Now Save their Searches and Review the
  Results
• C\Users\XXXX\Searches
• The Indexing Service - Quickly Locate Files
• C\ProgramData\Microsoft\Search\Data\Appliations\
  Windows\Projects\systemIndex\Indexer\CiFiles
• Vista maintains Several Index Files

21
Shadow Volume Copy

• Act as a Block Device
• A layer Between the Device File System
• Application Writes Data to Disk
• Upon Write, Overwritten Block Moves to Shadow
  Copy
• Shadow Copy Holds only Blocks that Changed

22
n
23
Conclusion

• Problem of Control, Ownership Intent
• Challenges with BitLocker Encryption TPM
• Restoration Shadow Copy are Helpful