Slashdot Mirror


Vista For Forensic Investigators

Ant writes "SecurityFocus has a two-part article offering a high-level look at changes in Windows Vista that a computer forensic investigator needs to know about. Part 1 covers the different versions of Vista available and Vista's built-in encryption, backup, and system protection features. Part 2 continues with a look at typical user activities such as Web browser and email usage."

11 of 125 comments

  1. Re:Oh n0es by mboverload · · Score: 3, Informative

    If you didn't RTFA (which I don't blame you for; it's short on any radical ideas or editorials), there is one thing I didn't know before:

    Bitlocker (which encrypts the whole Windows volume à la TrueCrypt, but bootable) requires a TPM 1.2 chip, which you'd be hard-pressed to find in ANY computer.

  2. No encryption by default by 5,+Troll · · Score: 4, Informative

    One misconception is that encryption in Vista is turned on "by default." Actually, it is not. In fact, it is not even available in most versions of Vista. Vista is available in five SKUs, only two of which support encryption (a feature known as "BitLocker", or "BitLocker Drive Encryption" - BDE). Vista Home Basic, Media Edition, and Business *do not* support BDE. Vista Enterprise and Ultimate - the two more expensive editions - do support BDE. Also, encryption is not turned on by default. An important step during encryption involves defining the encryption and decryption keys. This cannot be done by default by someone other than the owner of the system. If it could, then that someone else would be able to gain access to the secure data - exactly what is trying to be controlled.

    --
    Please mod me only (+) Underrated or (-) Troll
  3. Re:If they want to bust you, they will by mboverload · · Score: 3, Informative

    Criminals usually aren't smart enough to enable drive encryption or buy a $400 copy of Windows Vista. They are probably not smart enough to even install TrueCrypt, which is by far the most incredibly easy-to-use encryption product on the market.

    And by the way, what kind of bozo puts incriminating evidence on a computer period? Unless they deal in child pornography they wouldn't even have that data on the computer. (Unless you're that one idiot that used Microsoft word to print off a fake suicide note)

    Like I've said, "civilians with encryption" mean nothing. We've had strong encryption for over a decade and I don't see the average pimp encrypting his Microsoft Money 2007 databases that keep track of his hoes. Most people don't use encryption and never will until it's a box click away. Until they forget their password and realize that Uncle Jimmy with his magical computer toolkit can't save them.

  4. Re:Oh n0es by PitaBred · · Score: 2, Informative

    The notebook I bought last September has a TPM v1.2 chip in it... and I know many other current notebooks do. But TPM is primarily useful in the mobile space anyway, not in the desktop space, where most people keep their machines reasonably physically secure.

  5. Re:Oh n0es by THESuperShawn · · Score: 4, Informative

    Actually, that's not correct. Bitlocker does not "require" TPM 1.2; it CAN be used without it. You can boot from a USB drive, make a few edits in the local policy, or manually set the 48-digit recovery password, just to name a few.

    And just about any computer manufactured after January 2006 will have TPM 1.2.

    --
    Repant. Thy end is sheer.
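A forensic triage check that follows from the BitLocker discussion in comments 1, 2 and 5, as an added example in Python (not code from the SecurityFocus article or from anyone in this thread): it reads the first sector of a raw volume image and classifies it by the OEM ID in the volume boot record. Vista and Windows 7 BitLocker OS volumes replace the NTFS OEM ID "NTFS    " with "-FVE-FS-", so an encrypted volume can be recognised before any unlock attempt, whether TPM, USB startup key or recovery password is in play. The sample sectors are constructed inline; the image path handling and the `triage_image` helper are my own assumptions.

```python
"""Classify the first sector of a raw volume image (NTFS, FAT, BitLocker).

Added example for the Slashdot thread above; not code from the SecurityFocus
article. The OEM-ID signatures are the documented ones for Vista/Windows 7
BitLocker ('-FVE-FS-') and NTFS ('NTFS    '); the FAT offsets are the standard
BPB ones. Everything else (sample data, helper names) is an assumption.
"""
import sys

SECTOR_SIZE = 512
BITLOCKER_OEM = b"-FVE-FS-"   # OEM ID BitLocker writes into the VBR (Vista/Win7 NTFS volumes)
NTFS_OEM = b"NTFS    "
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid boot sector


def classify_vbr(sector: bytes) -> str:
    """Return 'bitlocker', 'ntfs', 'fat' or 'unknown' for one 512-byte VBR."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one full 512-byte sector")
    oem_id = sector[3:11]
    if oem_id == BITLOCKER_OEM:
        return "bitlocker"
    if oem_id == NTFS_OEM:
        return "ntfs"
    # FAT12/16 carry their type string at 0x36, FAT32 at 0x52.
    if sector[54:59] in (b"FAT12", b"FAT16") or sector[82:87] == b"FAT32":
        return "fat"
    return "unknown"


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector ends with the 0x55AA boot signature."""
    return sector[510:512] == BOOT_SIGNATURE


def triage_image(path: str) -> dict:
    """Read sector 0 of a raw image or block device and summarise it (assumed helper)."""
    with open(path, "rb") as fh:
        sector = fh.read(SECTOR_SIZE)
    return {"type": classify_vbr(sector), "boot_signature": has_boot_signature(sector)}


def make_sample_sector(oem_id: bytes, fs_type: bytes = b"", fs_type_offset: int = 0) -> bytes:
    """Constructed test data: a minimal VBR carrying the given OEM ID."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xeb\x52\x90"          # jump instruction seen at the start of NTFS VBRs
    s[3:11] = oem_id
    if fs_type:
        s[fs_type_offset:fs_type_offset + len(fs_type)] = fs_type
    s[510:512] = BOOT_SIGNATURE
    return bytes(s)


# Constructed samples, not captured from real disks.
SAMPLES = {
    "plain NTFS": make_sample_sector(NTFS_OEM),
    "BitLocker (Vista/Win7)": make_sample_sector(BITLOCKER_OEM),
    "FAT32": make_sample_sector(b"MSWIN4.1", b"FAT32   ", 82),
    "zeroed": bytes(SECTOR_SIZE),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage_image(sys.argv[1]))
    for name, sector in SAMPLES.items():
        print(f"{name:24s} -> {classify_vbr(sector)} (boot signature: {has_boot_signature(sector)})")
```

Two caveats for anyone running this against a real image: the "-FVE-FS-" marker identifies only the Vista/Windows 7 OS-volume layout (BitLocker To Go and later releases use different markers), and its absence proves nothing about encryption in general, since TrueCrypt and similar products leave no plaintext signature at all.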
  6. Re:BitLocker is no impediment to police... by pipatron · · Score: 3, Informative

    This is why you should use TrueCrypt with the hidden volume feature. You can, after some extortion, give them your key to the main TrueCrypt volume, but there is no way to know if there is another volume inside the one you just gave them access to.

    --
    c++; /* this makes c bigger but returns the old value */
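An added example (Python, not TrueCrypt code and not from the article) showing why the hidden-volume claim in the comment above holds up against the kind of byte-level test an examiner would actually run. TrueCrypt fills unused space in the outer volume with random data, and a hidden volume's sectors are ciphertext living in that space; both look the same to a Shannon-entropy check, and decrypting the region with a surrendered outer-volume key still yields noise. The "cipher" here is a SHA-256 counter-mode keystream used only as a stand-in so the script runs on the standard library (TrueCrypt uses AES and friends); the sample ledger text, the key derivation and the 7.0 bits/byte threshold are all assumptions.

```python
"""Why a hidden TrueCrypt-style volume cannot be spotted by entropy analysis.

Added example for the hidden-volume comment above; not TrueCrypt's code and not
from the SecurityFocus article. The keystream cipher is a stand-in for the
real block cipher, chosen so the script needs only the standard library.
"""
import hashlib
import math
import os

SECTOR_SIZE = 512


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, about 7.6 for 512 random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def keystream(key: bytes, nbytes: int) -> bytes:
    """Stand-in for a block cipher in CTR mode (assumption: not what TrueCrypt uses)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def encrypt_sector(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


def looks_random(sector: bytes, threshold: float = 7.0) -> bool:
    """Crude forensic test: high byte entropy means encrypted or random fill."""
    return shannon_entropy(sector) >= threshold


def decrypt_as_examiner(surrendered_key: bytes, sector: bytes) -> bytes:
    """What the examiner sees after decrypting a region with the key they were given."""
    return encrypt_sector(surrendered_key, sector)


# Constructed sample data (not real evidence).
PLAINTEXT = (b"Microsoft Money 2007 ledger entry, client #0042, paid in cash. " * 9)[:SECTOR_SIZE]
OUTER_KEY = hashlib.sha256(b"outer volume passphrase (example)").digest()
HIDDEN_KEY = hashlib.sha256(b"hidden volume passphrase (example)").digest()

FREE_SPACE_FILL = os.urandom(SECTOR_SIZE)              # what the outer volume's unused space holds
HIDDEN_SECTOR = encrypt_sector(HIDDEN_KEY, PLAINTEXT)   # what a hidden-volume sector holds


def hidden_volume_is_distinguishable() -> bool:
    """True only if the entropy test gives different verdicts for fill vs. hidden data."""
    return looks_random(FREE_SPACE_FILL) != looks_random(HIDDEN_SECTOR)


if __name__ == "__main__":
    cases = [
        ("plaintext", PLAINTEXT),
        ("random fill", FREE_SPACE_FILL),
        ("hidden sector", HIDDEN_SECTOR),
        ("hidden, outer key", decrypt_as_examiner(OUTER_KEY, HIDDEN_SECTOR)),
    ]
    for name, data in cases:
        print(f"{name:18s} entropy={shannon_entropy(data):.2f} bits/byte  looks_random={looks_random(data)}")
    print("hidden volume distinguishable by entropy:", hidden_volume_is_distinguishable())
```

The same limitation cuts the other way for an investigator: a high-entropy region tells you only that something is random or encrypted, never which, so the operational answer is usually the one the thread gets to later in the legal comments rather than a better statistical test.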
  7. Re:If they want to bust you, they will by vux984 · · Score: 2, Informative

    If you look through my browser history, then you don't respect and trust me.
    If you don't respect and trust me, then there is something fundamentally wrong with our relationship.

    If there is something fundamentally wrong with our relationship then I wish to end it. **OR**
    If there is something fundamentally wrong with our relationship then we need to fix that.

    As far as society and police/government initiatives go, it's the same basic question of trust and respect. Do we want to live in a police state? What fundamentally separates a prisoner from a free citizen? Indeed, what is freedom?

    Anyone who seriously advocates living in a world where 'if you have nothing to hide then you won't mind us looking' is right about not needing to worry about being arrested: their whole world is a prison. They will accept having their papers inspected at borders, building entrances, and street corners. They will accept random searches of their homes, car, computer, and person. They will not flinch when they are required to account for their whereabouts 24x7 and subject to being monitored the whole time, for they live a perfect life.

    And when the state decides to finally reel them in the rest of the way and lock them in an even smaller cell, they'll have a perfectly rational explanation: people can't be trusted. We watch them all around the clock, but we only catch them after the damage is done.

    Better to prevent the damage outright! Why take a chance?

    And more importantly, the truly innocent will finally be safe.

    Who could object to that!?

  8. Re:Oh n0es by ucblockhead · · Score: 3, Informative

    In the past, courts have ruled that an encryption key is analogous to a physical key, and like a physical key, can be demanded with a warrant.

    --
    The cake is a pie
  9. Re:Oh n0es by Anonymous Coward · · Score: 2, Informative
    I'm sure it's obvious by now, but just in case - IANAL

    Indeed, it is obvious. IANAL either, and while there is some truth to your argument it is mostly false. The fifth amendment applies at any time. If the police go to your house and ask if you killed your wife, your refusal to answer cannot be used as evidence of your guilt. If they ask for the combination to your safe, you can claim the fifth amendment and decline to answer.

    You can even invoke the fifth amendment as a witness. For example, if the police ask for your safe in order to prosecute your neighbor, you can decline to answer on the grounds that you may incriminate yourself. There is a catch, however. The court can grant you immunity from prosecution for any statements you make. If you still refuse to answer, you can be held in contempt. Furthermore, if your statements lead to other evidence, the other evidence can be used against you even if your own statements cannot. So while telling the court that the combination is "I did it" can't be used against you, any evidence discovered inside the safe could be.

    Also note there is a huge difference between a search warrant and a subpoena. A search warrant is where a judge has granted the police the power to personally search your home and seize any evidence they find. A subpoena is where you are handed a document compelling you to present evidence.

    Also note the fifth amendment protection against self-incrimination only applies to criminal cases. If you are sued and refuse to supply evidence, such as a password, the court can assume that the evidence you are hiding favors the other party.

  10. Re:Oh n0es by Beefysworld · · Score: 3, Informative

    I can't believe this didn't get a bite. US citizens aside, this article relates to any other country that uses Vista, so it's a worthwhile topic. Just because one country's constitution states something, doesn't mean that all has been said and done.

  11. The Law by bussdriver · · Score: 2, Informative

    The past rulings indicate, and it's rather clear, that the 5th amendment only applies if you hurt yourself with the information disclosed. There is a "Fisher Test" of requirements to get around the 5th:
    1) evidence exists
    2) the person has a key for getting/finding the evidence
    3) producing the key does not link the evidence to the person (aka authentication)
    (Fisher v. US)

    It's like you have evidence in your safe, but so do other people, so they can force you to open the safe despite the 5th; that is my understanding of the ruling. Where it gets really tricky is when they offer immunity to get around the 5th as a setup to tie the person into some other crime they trump up from that evidence.

    Biometrics are another issue that I'm not sure they have rulings supporting. USA vs. Dionisio has "The Fourth Amendment provides no protection for what 'a person knowingly exposes to the public, even in his own home or office . . . .'" 351?
    They ruled that publicly available information cannot be hidden later on, is my understanding, and the example given was a person's face. To me this indicates it's possible that biometrics, being public (fingerprint), could be taken from you with no 5th amendment protection. Naturally, the police can attack your security any way they please without your help and can lift your biometrics in many ways without going through the court, and I suspect when that situation is raised they will possibly extend the line of thought started in this case.

    I am not a lawyer.