Windows Vista Serious Challenges for Digital Investigators - PowerPoint PPT Presentation


Slides: 24
Provided by: darren
Learn more at: http://csis.pace.edu

Transcript and Presenter's Notes


1
Windows Vista: Serious Challenges for Digital Investigators
  • Authors: Darren Hayes, Shareq Qureshi
  • Presented By: Prerna Gupta

2
Vista Overview
  • Not all users are the same
  • Generation X
  • Internet
  • Multimedia
  • Social Networking
  • Gaming
  • Middle-Aged (Baby Boomers)
  • Tech-Savvy
  • Senior Citizens

3
Security Changes
  • User Account Control
  • Firewall
  • Authentication
  • Network Access Protection
  • Windows Service Hardening
  • Anti-Malware
  • Data Protection
  • Windows Parental Controls

4
Firewall
  • Application Aware Outbound Filtering
  • Group Policy Settings (Enterprise Administrators)
  • Application Can Run Locally But Not Communicate Across a Network
  • IPv6 Connection Filtering

5
Authentication
  • Custom Authentication
  • Biometrics
  • Tokens
  • Authentication for Passwords & Smart Cards

6
Anti-Malware
  • Windows Defender
  • Pop-Ups
  • Slow Performance
  • Spyware
  • Software Explorer
  • Windows Live OneCare (Spyware & Anti-Virus)
  • Real-Time Protection

7
Data Protection
  • Offline Attacks
  • BitLocker Drive Encryption
  • Trusted Platform Module (Secure Generation of Cryptographic Keys)
  • Encrypted File System

8
Benefits to Investigations
  • Control, Ownership & Intent
  • Varying levels of Users
  • New methods of Authentication
  • Scheduled Backup & Restore
  • Automatic Shadow Copy by Default
  • 15% of Volume Reserved

9
Challenges to Investigators
  • Encryption
    • BitLocker Drive Encryption
      • Hard Drive (AES & TPM)
    • Encrypted File System
    • Encrypted E-Mail
      • Windows Mail
  • Reduction in Metadata
  • Automatic Defragmentation

10
Event Logging
  • Time, SID, Source, Message
  • More than 50 Logs by Default
  • C:\Windows\System32\winevt\Logs\
    • Application.evtx
    • HardwareEvents.evtx
    • Internet Explorer.evtx
    • Security.evtx
    • Setup.evtx
    • System.evtx, and more

11
Changes in Evidence
  • System Time Event
  • Events are XML, but Stored Encoded as BXML (Binary XML)
  • Practical Test on Windows XP and Vista
  • Person Wants to Change the System Time after the Crime
  • Possible in Both, but Shown only in Vista

12
Changes in Evidence (Cont.)
13
Event Viewer in XP
14
Event Viewer in Vista
15
Disk Defragmentation
  • Works the Same Way in XP as in Vista
  • Simplified GUI, but More Concern to Investigators
  • Disk Defragmentation is Scheduled to Run Automatically
  • Implication with Regard to Recovery of Deleted Files

16
XP Disk Defragmenter
17
Vista Disk Defragmenter
18
Last Access Dates
  • In Windows XP are no Longer Updated
  • In Windows Vista, this Feature is Enabled by Default
  • This Default Setting Obviously has a Severe Impact on Investigators who use Date Stamps as Part of their Analysis

19
Windows Firewall
  • Filter Incoming and Outgoing Network Connections
  • From a Forensic Perspective - Logging Mechanism
  • The Log is Disabled by Default
  • C:\Windows\System32\LogFiles\Firewall\pfirewall.log

20
Windows Search Engine
  • Windows Vista - New Search Engine and Indexing Feature
  • Users can Now Save their Searches and Review the Results
    • C:\Users\XXXX\Searches
  • The Indexing Service - Quickly Locate Files
    • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles
  • Vista Maintains Several Index Files

21
Shadow Volume Copy
  • Act as a Block Device
  • A Layer Between the Device & File System
  • Application Writes Data to Disk
  • Upon Write, the Overwritten Block Moves to the Shadow Copy
  • Shadow Copy Holds only Blocks that Changed

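The copy-on-write behaviour described on this slide, as an added example that is not part of the original presentation: a minimal Python model in which the shadow copy receives a block's old contents only on its first overwrite after the snapshot, so a "previous version" can be reassembled from the few saved blocks plus the unchanged live ones. The class, block layout and sample data are constructed for illustration and do not reproduce the real VSS on-disk format.

```python
# Added example, not from the original slides: a toy copy-on-write volume
# showing why a shadow copy holds only the blocks that changed and how an
# investigator can reassemble the pre-write state of a file from it.
# Block size, API and sample contents are constructed for this illustration.


class ShadowedVolume:
    """A block device with one copy-on-write shadow copy layered on top."""

    def __init__(self, blocks):
        self.live = list(blocks)   # current contents of each block
        self.shadow = {}           # block number -> contents before overwrite
        self.snapshot_taken = False

    def take_snapshot(self):
        # Taking a snapshot copies nothing; it only starts tracking writes.
        self.shadow = {}
        self.snapshot_taken = True

    def write(self, block_no, data):
        """Application write: the OLD block is saved to the shadow copy first."""
        if self.snapshot_taken and block_no not in self.shadow:
            self.shadow[block_no] = self.live[block_no]   # copy-on-write, once
        self.live[block_no] = data

    def read_snapshot(self, block_no):
        """Contents of a block as they were when the snapshot was taken."""
        # Unchanged blocks are served from the live volume; only blocks
        # overwritten since the snapshot are held in the shadow copy.
        return self.shadow.get(block_no, self.live[block_no])

    def restore_snapshot(self):
        """Whole volume as of the snapshot (the 'previous version')."""
        return [self.read_snapshot(i) for i in range(len(self.live))]


def demo():
    # Constructed sample: a 4-block volume holding a short text file,
    # whose first two blocks are overwritten after the snapshot.
    vol = ShadowedVolume([b"evid", b"ence", b"....", b"...."])
    vol.take_snapshot()
    vol.write(0, b"wipe")
    vol.write(1, b"d!!!")
    return {
        "live": b"".join(vol.live),
        "shadow_blocks": sorted(vol.shadow),   # only the changed blocks
        "previous_version": b"".join(vol.restore_snapshot()),
    }
```

Because only the first overwrite of a block is saved, a second write to the same block still leaves the original contents recoverable from the shadow copy, which is exactly what makes "Restoration & Shadow Copy" useful to an investigator.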
22
23
Conclusion
  • Problem of Control, Ownership & Intent
  • Challenges with BitLocker Encryption & TPM
  • Restoration & Shadow Copy are Helpful