Vista For Forensic Investigators
Ant writes "SecurityFocus has a two-part article offering a high-level look at changes in Windows Vista that a computer forensic investigator needs to know about. Part 1 covers the different versions of Vista available and Vista's built-in encryption, backup, and system protection features. Part 2 continues with a look at typical user activities such as Web browser and email usage."
If you didn't RTFA, which I don't blame you for, it's short on any radical ideas or editorials, but there is one thing I didn't know before:
BitLocker (which encrypts the whole Windows volume a la TrueCrypt, but bootable) requires a TPM 1.2 chip, which you'd be hard pressed to find in ANY computer.
One misconception is that encryption in Vista is turned on "by default." Actually, it is not. In fact, it is not even available in most versions of Vista. Vista is available in five SKUs, only two of which support encryption (a feature known as "BitLocker", or "BitLocker Drive Encryption" - BDE). Vista Home Basic, Media Edition, and Business *do not* support BDE. Vista Enterprise and Ultimate - the two more expensive editions - do support BDE. Also, encryption is not turned on by default. An important step during encryption involves defining the encryption and decryption keys. This cannot be done by default by someone other than the owner of the system. If it could, then that someone else would be able to gain access to the secure data - exactly what is trying to be controlled.
Please mod me only (+) Underrated or (-) Troll
Criminals usually aren't smart enough to enable drive encryption or buy a $400 copy of Windows Vista. They are probably not smart enough to even install TrueCrypt, which is by far the most incredibly easy to use encryption product on the market.
And by the way, what kind of bozo puts incriminating evidence on a computer, period? Unless they deal in child pornography they wouldn't even have that data on the computer. (Unless you're that one idiot that used Microsoft Word to print off a fake suicide note.)
Like I've said, "civilians with encryption" mean nothing. We've had strong encryption for over a decade and I don't see the average pimp encrypting his Microsoft Money 2007 databases that keep track of his hoes. Most people don't use encryption and never will until it's a box click away. Until they forget their password and realize that Uncle Jimmy with his magical computer toolkit can't save them.
Actually, that's not correct. BitLocker does not "require" TPM 1.2; it CAN be used without it. You can boot from a USB drive, make a few edits in the local policy, or manually set the 48-digit recovery password, just to name a few.
And just about any computer manufactured after January 2006 will have TPM 1.2.
Repant. Thy end is sheer.
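The 48-digit recovery password mentioned above has a fixed structure that a defender can check before trusting an escrowed copy. The following is an added example, not code from the article or any poster; it assumes the documented format (eight blocks of six decimal digits, each block a multiple of 11, and block divided by 11 fitting in 16 bits), and the sample passwords in it are constructed, not real keys.

```python
"""Format check for a BitLocker 48-digit numerical recovery password.

Added example, not from the article or the thread. Assumed format:
8 blocks of 6 decimal digits; every block is a multiple of 11 (the check
digit); block // 11 fits in 16 bits, so the 8 blocks encode 128 bits.
"""
from typing import List, Optional, Tuple

BLOCKS = 8
BLOCK_DIGITS = 6
MAX_WORD = 1 << 16          # each block // 11 must fit in 16 bits


def _digits_only(text: str) -> str:
    return text.replace("-", "").replace(" ", "")


def check_recovery_password(text: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a recovery password as typed or escrowed."""
    digits = _digits_only(text)
    if not digits.isdigit() or len(digits) != BLOCKS * BLOCK_DIGITS:
        return False, "expected 48 decimal digits in 8 blocks of 6"
    for i in range(BLOCKS):
        block = int(digits[i * BLOCK_DIGITS:(i + 1) * BLOCK_DIGITS])
        if block % 11 != 0:
            return False, f"block {i + 1} fails the check digit (not a multiple of 11)"
        if block // 11 >= MAX_WORD:
            return False, f"block {i + 1} is out of range (value // 11 must be below 65536)"
    return True, "ok"


def recovery_password_words(text: str) -> Optional[List[int]]:
    """Decode the eight 16-bit words the password encodes, or None if invalid."""
    ok, _ = check_recovery_password(text)
    if not ok:
        return None
    digits = _digits_only(text)
    return [int(digits[i * BLOCK_DIGITS:(i + 1) * BLOCK_DIGITS]) // 11
            for i in range(BLOCKS)]


# Constructed sample (not a real key): every block is 11 * a 16-bit value.
SAMPLE = "135795-000011-720885-220000-597531-010989-344707-046662"
# Same string with one digit mistyped in block 3; the check digit catches it.
MISTYPED = "135795-000011-720886-220000-597531-010989-344707-046662"

if __name__ == "__main__":
    for pw in (SAMPLE, MISTYPED):
        print(pw, "->", check_recovery_password(pw))
```

A password that passes this check is well-formed, not necessarily the right one for a given volume; that can only be confirmed by unlocking the volume.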
This is why you should use TrueCrypt with the hidden volume feature. You can, after some extortion, give them your key to the main TrueCrypt volume, but there is no way to know if there is another volume inside the one you just gave them access to.
c++;
In the past, courts have ruled that an encryption key is analogous to a physical key, and like a physical key, can be demanded with a warrant.
The cake is a pie
I can't believe this didn't get a bite. US citizens aside, this article relates to any other country that uses Vista, so it's a worthwhile topic. Just because one country's constitution states something, doesn't mean that all has been said and done.