Slashdot Mirror


Vista For Forensic Investigators

Ant writes "SecurityFocus has a two-part article offering a high-level look at changes in Windows Vista that a computer forensic investigator needs to know about. Part 1 covers the different versions of Vista available and Vista's built-in encryption, backup, and system protection features. Part 2 continues with a look at typical user activities such as Web browser and email usage."

10 of 125 comments

  1. Oh n0es by mboverload · · Score: 4, Interesting

    The smart people already use drive encryption via TrueCrypt and other methods.

    This may make it easier for the not so completely stupid criminals to protect themselves, but I doubt it will have any real effect.

    People are stupid. That's why they get caught.

    1. Re:Oh n0es by morgan_greywolf · · Score: 2, Interesting

      BitLocker (which encrypts the whole Windows volume à la TrueCrypt, but bootable) requires a TPM 1.2 chip, which you'd be hard pressed to find in ANY computer.


      At the risk of sounding like an overly-eager Apple fanboi (bleck!), recent Macs have an Infineon TPM 1.2 chip in them.
    2. Re:Oh n0es by Detritus · · Score: 4, Interesting

      There is a legal distinction between testimony and material objects like diaries and journals. From what I've read, a court can compel someone to hand over material objects, like a safe, but it can't compel someone to say the combination. This issue came up quite often during Prohibition. Many rum runners kept their business records in code. The government would often seize these records during a raid. The government used their own cryptanalysts to break the codes and testify in court as expert witnesses.

      --
      Mea navis aericumbens anguillis abundat
    3. Re:Oh n0es by grahamm · · Score: 2, Interesting

      In the past, courts have ruled that an encryption key is analogous to a physical key, and like a physical key, can be demanded with a warrant. Does anyone know why they came to that decision rather than treating encrypted computer documents the same way as paper documents (journals, diaries etc.) which are written in code? IANAL, but AFAIK the precedent with the latter is that they cannot force you to decode them. In both cases they are in possession of the physical document; that they are unable to understand it is their problem.
  2. encrypted backups? by RedElf · · Score: 5, Interesting

    After reading the article (I know we're not supposed to do that) I'm a little confused about whether, if you back up an encrypted volume, the backup is also encrypted. If not, doesn't that defeat the whole purpose of encrypting that data in the first place?

    --
    You know, I have one simple request. And that is to have sharks with frickin' laser beams attached to their heads!
    1. Re:encrypted backups? by nwetters · · Score: 2, Interesting

      You should worry more about the disk cache. Previously opened files are cached in RAM in an unencrypted state.

      FireWire ports and PCMCIA slots have direct memory access, so they can be used to copy an image of your computer's RAM even if no one is logged in. This can recover useful forensic material even after a reboot cycle, as modern BIOSes don't clear RAM.

      It looks like Vista's disk encryption is useless if you switch on the PC and access files.

  3. Encryption use is low anyway... by Blittzed · · Score: 3, Interesting

    Part of my job entails working with law enforcement officials in the field of digital forensics. They have told me that the use of any encryption system by criminals is very low, to the point of non-existent. This is fortunate for the police, as it makes it easier for them to keep these scumbags off the streets (unfortunately a lot of the crime they deal with is child pornography). There are so many barriers to BitLocker's use (TPM, correct version of Vista, off by default etc. etc.) that its widespread use just doesn't seem likely. If the bad guys aren't using EFS and other encryption systems now, and these are easy to implement, why would they bother going through the hassle to use BitLocker? There are also laws being enacted in certain countries to force the bad guy to give up passwords/keys etc. (i.e. we are going to lock you up until you give it to us, so you may as well do it now...).

    --
    "They looked deep into my soul and assigned me a number based on the order in which I joined"
  4. Re:If they want to bust you, they will by quanticle · · Score: 2, Interesting

    I've found that the most effective counterargument is to point out that the whole "nothing to hide, nothing to fear" argument is based upon the presumption that the government is infallible and perfectly competent. Sure, I have nothing to hide. However, I do fear the government looking at bits and pieces of my personal data and then coming to an erroneous conclusion about my future behavior because they didn't get the whole picture.

    Also, I don't like the thought of government being able to make arbitrary decisions restricting your freedoms without at least giving you the chance to address their concerns. Encrypting my data makes the government come to me for the decryption key (chances are, they'll do this at least to see if I'm willing to cooperate). This is a chance for me to ask what's going on and why they need this data.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  5. Re:No problem by Anonymous Coward · · Score: 1, Interesting

    This is true, but with fully TPM enabled hardware, they will, because they will be able to get the hardware key from the manufacturer.

  6. how secure is vista, really? by v1 · · Score: 2, Interesting

    The Macintosh home folder security is called "FileVault", and uses encryption to encrypt the entire user home folder, where most of the user information is. The actual key to the vault is large (128-bit AES?) and is stored at the start of the vault, but the key is encrypted using the password the user provides when it is created. Another copy is stored there, encrypted using the master password's certificate, which is encrypted using the master password. So if you lose your password and lose the master password, the data is truly gone forever, and there is no "back door" at Apple. There's nothing stopping you from deleting the master key; it's one document, easily located. There is no known back door to the FileVault system, and the system is very careful to point out that if you lose the password and master password, your data is irrecoverable. The master key requires you to enter a password because the key itself is also encrypted, so simply having access to the master key certificate is not useful in breaking into a locked vault, because the master password is still required.

    From what I have heard, all rumor and third-party, Windows' encrypted home folders are worthless from a true security standpoint. I have been told that there is a master key in use similar to the master password in OS X, but that it is not one that the user makes; it comes pre-made from Microsoft. No one outside Microsoft has the private key to unlock that certificate. So if you lose your password, YOU are screwed, but if Microsoft really wanted into your data they could get into it (or let someone else into it). I don't know if there is a documented way to erase this copy of the image's crypto key encrypted with Microsoft's back door password. Also I wonder if an administrator could simply reset the password on the account and then log in with the new password to just waltz by the entire security of the system?

    How much of this is fact and how much is fiction? We have seen time and time again that security by secrecy and security by "but we would NEVER misuse our master key" is a complete laugh, because (A) the secret ALWAYS gets out, and (B) someone ALWAYS ends up misusing the master key. In this respect I feel sorry for the windows users because the wolves are guarding the sheep.

    Sidenote: OS X also has a built-in feature that lets you create a regular encrypted disk image. When you make one of those, the machine's master password is not used to store another encrypted copy of the image key as with FileVault, so those disk images have only one actual key. I use this to store a password list on my flash drive because of how easy they are to lose, and I am completely confident that anyone that finds the flash drive will be absolutely unable to access my information. I assume that a 3rd party solution is required for Windows users?

    Somewhat OT, but I have also been told that it's essentially impossible for even an administrator to just read another user's data on the same hard drive, that they have to "take ownership" of the files to read them, thus altering the data. Yet viruses apparently can multiply at will, infecting all accounts on the computer. Why is it that the viruses have no problem circumventing Windows security while at the same time it's nigh impossible for the administrator to do the same thing? That does not make sense.

    --
    I work for the Department of Redundancy Department.
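The two-slot key design v1 describes for FileVault (one copy of the volume key wrapped by the user's password, a second copy wrapped by a master password that can be deleted) can be modelled in a few lines. This is an added illustration, not Apple's or Microsoft's code: the Python standard library has no AES, so a SHA-256 counter-mode keystream with an HMAC tag stands in for the real cipher, and the slot names are assumed. It also answers the commenter's question about password resets: a reset that does not know the old password cannot rewrap the key, so only a surviving master slot can recover the data.

```python
"""Two-slot key wrapping modelled on the FileVault layout described above.

Added example, not vendor code.  SHA-256 in counter mode plus an HMAC tag
is a stand-in for AES (the stdlib has no AES); the slot structure is the point.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # slow password hash: each slot is only as strong as this


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _xor_stream(key, nonce, data):
    # Counter-mode keystream (stand-in for AES-CTR) XORed over data.
    blocks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, blocks))


def wrap(volume_key, password):
    """Encrypt the volume key under a password-derived key; returns one slot."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = _kdf(password, salt)
    ct = _xor_stream(kek, nonce, volume_key)
    tag = hmac.new(kek, nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap(slot, password):
    """Return the volume key, or None if the password does not fit this slot."""
    kek = _kdf(password, slot["salt"])
    expected = hmac.new(kek, slot["nonce"] + slot["ct"], "sha256").digest()
    if not hmac.compare_digest(slot["tag"], expected):
        return None  # wrong password: the tag check fails before any key is released
    return _xor_stream(kek, slot["nonce"], slot["ct"])


def new_vault(user_pw, master_pw):
    """Fresh random volume key, stored twice: user slot and master (recovery) slot."""
    volume_key = os.urandom(16)
    return {"user": wrap(volume_key, user_pw), "master": wrap(volume_key, master_pw)}


def open_vault(vault, password):
    """Try every slot; a deleted master slot simply leaves fewer ways in."""
    for slot in vault.values():
        key = unwrap(slot, password)
        if key is not None:
            return key
    return None


def reset_user_password(vault, unlocking_pw, new_pw):
    """An admin 'reset' only works if some password (old or master) still unlocks the key."""
    key = open_vault(vault, unlocking_pw)
    if key is None:
        return False
    vault["user"] = wrap(key, new_pw)
    return True
```

Deleting `vault["master"]` reproduces the "one real key" situation the commenter describes for plain encrypted disk images.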