Vista For Forensic Investigators

Ant writes "SecurityFocus has a two-part article offering a high-level look at changes in Windows Vista that a computer forensic investigator needs to know about. Part 1 covers the different versions of Vista available and Vista's built-in encryption, backup, and system protection features. Part 2 continues with a look at typical user activities such as Web browser and email usage."

Oh n0es

[mboverload]

The smart people already use drive encryption via TrueCrypt and other methods.

This may make it easier for the not so completely stupid criminals to protect themselves, but I doubt it will have any real effect.

People are stupid. Thats why they get caught.

Re:Oh n0es

[mboverload]

If you didn't RTFA, which I don't blame you, it's short on any radical ideas or editorials, there is one thing I didn't know before:

Bitlocker (which encrypts the whole windows volume ala Truecrypt but bootable) requires a TPM 1.2 chip in it, which you'd be hard pressed to find in ANY computer.

Re:Oh n0es

[PitaBred]

The notebook I bought last September has a TPM v1.2 chip in it... and I know many current other notebooks do. But TPM is primarily useful in the mobile space, anyway, not on the desktop space where most people keep their machines reasonably physically secure.

Re:Oh n0es

[morgan_greywolf]

Bitlocker (which encrypts the whole windows volume ala Truecrypt but bootable) requires a TPM 1.2 chip in it, which you'd be hard pressed to find in ANY computer.

At the risk of sounding like an overly-eager Apple fanboi (bleck!), recent Macs have an Infineon TPM 1.2 chip in them.

Re:Oh n0es

[THESuperShawn]

Actually, that's not correct. Bitlocker does not "require" TPM 1.2, it CAN be used without it. You can boot from a USB drive, make a few edits in the local policy, or manually set the 48 digit recovery password just to name a few.

And just about any computer manufactured after January 2006 will have TPM 1.2.

Re:Oh n0es

[Detritus]

See the Fifth Amendment.

The defendant has no obligation to provide the prosecution with incriminating information.

Re:Oh n0es

[Detritus]

There is a legal distinction between testimony and material objects like diaries and journals. From what I've read, a court can compel someone to hand over material objects, like a safe, but it can't compel someone to say the combination. This issue came up quite often during Prohibition. Many rum runners kept their business records in code. The government would often seize these records during a raid. The government used their own cryptanalysts to break the codes and testify in court as expert witnesses.

Re:Oh n0es

[ucblockhead]

In the past, courts have rules that an encryption key is analogous to a physical key, and like a physical key, can be demanded with a warrant.

Re:Oh n0es

I'm sure it's obvious by now, but just in case - IANAL

Indeed, it is obvious. IANAL either and while there is some truth to your argument it is mostly false. The fifth amendment applies at any time. If the police go to your house and ask if you killed your wife, your refusal to answer can not be used as evidence of your guilt. If they ask for the combination to your safe, you can claim the fifth amendment and decline to answer.

You can even invoke the fifth amendment as a witness. For example, if the police ask for your safe in order to prosecute your neighbor you can decline to answer on the grounds that you may incriminate yourself. There is a catch however. The court can grant you immunity from prosecution for any statements you make. If you still refuse to answer you can be held in contempt. Furthermore, if your statements lead to other evidence the other evidence can be used against you even if your own statements can not. So while telling the court that the combination is "I did it" can't be used against you, any evidence discovered inside the safe could be.

Also note there is a huge difference between a search warrant and a subpoena. A search warrant is where a judge has granted the police the power to personally search your home and seize any evidence they find. A subpoena is where you are handed a document compelling you to present evidence.

Also note the fifth amendment protection against self-incrimination only applies to criminal cases. If you are sued and refuse to supply evidence, such as a password, the court can assume that the evidence you are hiding favors the other party.

Re:Oh n0es

[Beefysworld]

I can't believe this didn't get a bite. US citizens aside, this article relates to any other country that uses Vista, so it's a worthwhile topic. Just because one country's constitution states something, doesn't mean that all has been said and done.

Re:Oh n0es

[grahamm]

In the past, courts have rules that an encryption key is analogous to a physical key, and like a physical key, can be demanded with a warrant. Does anyone know why they came to that decision rather than treating encrypted computer documents the same way as paper documents (journals, diaries etc) which are written in code? IANAL but AFAIK the precedent with the latter is that they cannot force you to decode them. In both cases they are in possession of the physical document - that they are unable to understand it is their problem.

Vista is for criminals, it assists encryption

If someone uses encryption, then obviously they are trying to hide somthing illegal or unlawful.

In Linux, encryption is done with unusual and special commands in conjuction with mounting a "loop" device to a filesystem; requiring administrator privileges to try to encrypt data like that, and adding to the subversion of a system with evidence of a corrupt administrator.

What kind of administrator would allow encryption on a filesystem? Obviously, a criminal.

Information is meant to be free, and open source. Encryption is somthing we would expect Mycrow$oft to use to help criminals be found by the good god-fearing men and women of the DEA/FBI/CIA/GATT/IMF/IRS just to atone for their sins.

Good people use OSX.

Call me,
  Eve.

Wow.

[eviloverlordx]

I would've figured that the investigators' computers would be too slow from running Vista to investigate much of anything.

No encryption by default

[5,+Troll]

One misconception is that encryption in Vista is turned on "by default." Actually, it is not. In fact, it is not even available in most versions of Vista. Vista is available in five SKUs, only two of which support encryption (a feature known as "BitLocker", or "BitLocker Drive Encryption" - BDE). Vista Home Basic, Media Edition, and Business *do not* support BDE. Vista Enterprise and Ultimate - the two more expensive editions - do support BDE. Also, encryption is not turned on by default. An important step during encryption involves defining the encryption and decryption keys. This cannot be done by default by someone other than the owner of the system. If it could, then that someone else would be able to gain access to the secure data - exactly what is trying to be controlled.

Re:No encryption by default

[RedElf]

With Vista, the OS from MS that phones home more than any previous release, can we really trust it not to "Phone Home" the encryption keys of bitlocker once it's enabled?

Re:No encryption by default

[sunwukong]

They could be sending credit card numbers, or SSNs, or your personal files, or your porn, or even every single piece of data on your computer!

I've never read a more self-redundant sentence.

If they want to bust you, they will

[heretic108]

I see from TFA that they're shitting themselves at the prospect of widespread drive-level encryption. They console themselves with the fact that only the high-end Vista versions support BitLocker.

But in the end, encryption offers only limited protection. If some well-resourced hostile authority wants to take you down, there's endless options for framing you up. For instance, they could mess with your ISP's logs to fabricate http hits to k1dd13 pr0n sites, or infect your box with a bot that hits such sites on your behalf, which will cause the hits without messing with the ISP's logs...

Re:If they want to bust you, they will

[mboverload]

Criminals usually aren't smart enough to enable drive encryption or buy a $400 copy of Windows Vista. They are probably not smart enough to even install TrueCrypt, which is by far the most incredibly easy to use encryption product on the market.

And by the way, what kind of bozo puts incriminating evidence on a computer period? Unless they deal in child pornography they wouldn't even have that data on the computer. (Unless you're that one idiot that used Microsoft word to print off a fake suicide note)

Like I've said, "civilians with encryption" mean nothing. We've had strong encryption for over a decade and I don't see the average pimp encrypting his Microsoft Money 2007 databases that keep track of his hoes. Most people don't use encryption and never will until it's a box click away. Until they forget their password and realize that Uncle Jimmy with his magical computer toolkit can't save them.

Re:If they want to bust you, they will

[nine-times]

I see from TFA that they're shitting themselves at the prospect of widespread drive-level encryption.

Whenever it comes to these things, I find myself in a bit of a quandary. Of course I want various criminals to get busted, but these investigators are essentially relying on poor security to get their information. I generally want computers to have good security. I don't like the idea of people being able to see my personal info or browsing history, but I'm also not really hiding anything.

oh well...

Re:If they want to bust you, they will

[mboverload]

IF YOU HAVE NOTHING TO HIDE THEN YOU WON'T MIND US LOOKING THROUGH YOUR BROWSER HISTORY, MR NINE

*mboverload is sad because he hears these arguments from people but doesn't know how to fight against it. Someone help.*

Re:If they want to bust you, they will

[Qzukk]

*mboverload is sad because he hears these arguments from people but doesn't know how to fight against it. Someone help.*

"If you have nothing to hide, then you won't mind taking out a newspaper ad with your SSN, your DOB, your credit card numbers, your mother's maiden name, and your driver's license number. Either you have something to hide, or you'll quickly learn that you had something you should have kept hidden."

Re:If they want to bust you, they will

[vux984]

If you look through my browser history then you don't respect and trust me.
If you don't respect and trust me, than there is something fundamentally wrong with our relationship.

If there is something fundamentally wrong with our relationship then I wish to end it. **OR**
If there is something fundamentally wrong with our relationship then we need to fix that.

As far as society, and police/government initiatives its the same baseic question of trust and respect. Do we want to live in a police state? What fundamentally separates a prisoner from a free citizen? Indeed what is freedom?

Anyone who seriously advocates living in a world where 'if you have nothing to hide then you won't mind us looking' is right about not needing to worry about being arrested - they're whole world is a prison. They will accept having their papers inspected at borders, building entrances, and street corners. They will accept random searches of their homes, car, computer, and person. They will not flinch when they are required to account for their whereabouts 24x7 and subject to being monitored the whole time, for they live a perfect life.

And when the state decides to finally reel them in the rest of the way and lock them in an even smaller cell, they'll have a perfectly rational explanation: people can't be trusted. We watch them all around the clock, but we only catch them after the damage is done.

Better to prevent the damage outright! Why take a chance?

And more importantly, the truly innocent will finally be safe.

Who could object to that!?

Re:If they want to bust you, they will

[quanticle]

I've found that the most effective counterargument is to point out that the whole "nothing to hide, nothing to fear" argument is based upon the presumption that the government is infallible and perfectly competent. Sure, I have nothing to hide. However, I do fear the government looking at bits and pieces of my personal data and then coming to an erroneous conclusion about my future behavior because they didn't get the whole picture.

Also, I don't like the thought of government being able to make arbitrary decisions restricting your freedoms without at least giving you the chance to address their concerns. Encrypting my data makes the government come to me for the decryption key (chance are, they'll do this at least see if I'm willing to cooperate). This is a chance for me to ask what's going on and why they need this data.

Re:If they want to bust you, they will

[Oktober+Sunset]

The correct reply to that arguement is: "cool, can I come over to your house and install these Web Cams in your house, specifically, your bedroom and your shower, they are gunna broadcast on the internet 24/7"

Also, demand all government officials (including senators and the president) must be bugged and have their movements and conversation monitored 24/7, and the full details made public, with archives and live feed to ensure that they aren't corrupt. Remember, they won't object if they have nothing to hide.

encypted backups?

[RedElf]

After reading the article (I know we're not supposed to do that) I'm a little confused on if you backup an encrypted volume if the backup is also encrypted. If not, doesn't that defeat the whole purpose of encrypting that data in the first place?

Re:encypted backups?

[nwetters]

You should worry more about the disk cache. Previously opened files are cached in RAM in an unencrypted state.

Firewire ports and PCMCIA slots have direct memory access, so can be used to copy an image of your computer's RAM even if no one is logged in. This can recover useful forensic material even after a reboot cycle, as modern BIOS's don't clear RAM.

It looks like Vista's disk encryption is useless if you switch on the PC and access files.

I find it funny.

[figleaf]

that the article mentions Slashdot and Register as a reference for a Microsoft OS.

Encryption use is low anyway...

[Blittzed]

Part of my job entails working with law enforcement officials in the field of digital forensics. They have told me that the use of any encryption system by criminals is very low, to the point of non-existent. This is fortunate for the Police, as it makes it easier for them to keep these scumbags off the streets (unfortunately a lot of the crime they deal with is child pornography). There are so many barriers to Bitlockers use (TPM, correct version of Vista, off by default etc etc), that its widespread use just doesn't seem likely. If the bad guys aren't using EFS and other encryption systems now, and these are easy to implement, why would they bother of going through the hassle to use Bitlocker? There are also laws being enacted in certain countries to force the bad guy to give up passwords/ keys etc (ie we are going to lock you up until you give it to use so you may as well do it now...).

Re:BitLocker is no impediment to police...

[pipatron]

This is why you should use TrueCrypt with the hidden volume feature. You can, after some extortion, give them your key to the main truecrypt volume, but there is no way to know if there is another volume inside the one you just gave them access to.

BDE, a fitting name...

[plasmacutter]

if i remember correctly from 4-5 years ago.. BDE also stood for "borland database engine".. or in colloquial english, the spyware that kazza installed.

now microsoft has made it a feature in their new os, giving us greater spyware value by cutting out the middle man!

Know what's interesting?

[Opportunist]

Reading those comments, more than the article itself.

Peruse them and you might notice something. Well? Right. A handful deals with the problem of having your notebook stolen, while the majority discusses the effects of it on a search. I.e. more people being concerned of the effects to a search than to having your computer stolen.

Makes me wonder... does it tell me something 'bout the people here or about the governments we live in?

The Law

[bussdriver]

The past rulings indicate and its rather clear that the 5th amendment only applies if you hurt yourself with the information disclosed. There is a "Fisher Test" of requirements to get around the 5th:
1) evidence exists
2) the person has a key for getting/finding the evidence
3) producing the key does not link the evidence to the person (aka authentication)
Fisher v US

Its like you have evidence in your safe but so do other people, so they can force you to open the safe despite the 5th- is my understanding of the ruling. Where it gets really tricky is when they offer immunity to get around the 5th as a setup to tie the person into some other crime they trump up from that evidence.

Biometrics are another issue that I'm not sure they have rulings supporting. USA vs Dioniso has "The Fourth Amendment provides no protection for what "a person knowingly exposes to the public, even in his own home or office . . . ." 351?
They rule that publically available information can not be hidden later on is my understanding and the example given was a persons' face. To me this indicates its possible that biometrics being public (fingerprint) could be taken from you with no 5th amendment protection. Naturally, the police can attack your security any way their please without your help and can lift your biometrics in many ways without going threw the court and I suspect when that situation is raised they possibly will extend the line of thought started on this case.

I am not a lawyer.

how secure is vista, really?

[v1]

The macintosh home folder security is called "filevault", and uses encryption to encrypt the entire user home folder, where most of the user information is. The actual key to the vault is large (128bit aes?) and is stored at the start of the vault, but the key is encrypted using the password the user provides when it is created. Another copy is stored there, encrypted using the master password's certificate, which is encrypted using the master password. So if you lose your password and lose the master password, the data is truly gone forever, and there is no "back door" at Apple. There's nothing stopping you from deleting the master key, it's one document easily located. There is no known back door to the filevault system, and the system is very careful to point out if you lose the password and master password, your data is irrecoverable. The master key requires you to enter a password because the key itself is also encrypted, so simply having access to the master key certificate is not useful in breaking into a locked vault, because the master password is required still.

From what I have heard, all rumor and third-party, windows' encrypted home folders is worthless from a true security standpoint. I have been told that there is a master key in use similar to the master password in OS X, but that it is not one that the user makes, it comes pre-made from microsoft. No one outside microsoft has the private key to unlock that certificate. So if you lose your password, YOU are screwed, but if microsoft really wanted into your data they could get into it. (or let someone else into it) I don't know if there is a documented way to erase this copy of the image's crypto key encrypted with microsoft's back door password. Also I wonder if an administrator could simply reset the password on the account and then login with the new password to just waltz by the entire security of the system?

How much of this is fact and how much is fiction? We have seen time and time again that security by secrecy and security by "but we would NEVER misuse our master key" is a complete laugh, because (A) the secret ALWAYS gets out, and (B) someone ALWAYS ends up misusing the master key. In this respect I feel sorry for the windows users because the wolves are guarding the sheep.

Sidenote: OS X also has a built-in feature that lets you create a regular encrypted disk image. When you make one of those, the machine's master password is not used to store another encrypted copy of the image key as with filevault, so those disk images have only one actual key. I use this to store a password list on my flash drive because of how easy they are to lose, and I am completely confident that anyone that finds the flash drive will be absolutely unable to access my information. I assume that a 3rd party solution is required for windows users?

Somewhat OT, but I have also been told that it's essentially impossible for even an administrator to just read another user's data on the same hard drive, that they have to "take ownership" of the files to read thm, thus altering the data. Yet viruses apparently can multiply at will, infecting all accounts on the computer. Why is it that the viruses have no problem circumventing windows security while at the same time it's nigh imposible for the administrator to do the same thing? Tha does not make sense.