Slashdot Mirror


Vista For Forensic Investigators

Ant writes "SecurityFocus has a two-part article offering a high-level look at changes in Windows Vista that a computer forensic investigator needs to know about. Part 1 covers the different versions of Vista available and Vista's built-in encryption, backup, and system protection features. Part 2 continues with a look at typical user activities such as Web browser and email usage."

20 of 125 comments

  1. Oh n0es by mboverload · Score: 4, Interesting

    The smart people already use drive encryption via TrueCrypt and other methods.

    This may make it easier for the not so completely stupid criminals to protect themselves, but I doubt it will have any real effect.

    People are stupid. That's why they get caught.

    1. Re:Oh n0es by mboverload · Score: 3, Informative

      If you didn't RTFA (which I don't blame you for; it's short on any radical ideas or editorials), there is one thing I didn't know before:

      Bitlocker (which encrypts the whole windows volume ala Truecrypt but bootable) requires a TPM 1.2 chip in it, which you'd be hard pressed to find in ANY computer.

    2. Re:Oh n0es by THESuperShawn · Score: 4, Informative

      Actually, that's not correct. Bitlocker does not "require" TPM 1.2; it CAN be used without it. You can boot from a USB drive, make a few edits in the local policy, or manually set the 48-digit recovery password, just to name a few.

      And just about any computer manufactured after January 2006 will have TPM 1.2.

      --
      Repant. Thy end is sheer.

    3. Re:Oh n0es by Detritus · Score: 4, Insightful

      See the Fifth Amendment.

      The defendant has no obligation to provide the prosecution with incriminating information.

      --
      Mea navis aericumbens anguillis abundat

    4. Re:Oh n0es by Detritus · Score: 4, Interesting

      There is a legal distinction between testimony and material objects like diaries and journals. From what I've read, a court can compel someone to hand over material objects, like a safe, but it can't compel someone to say the combination. This issue came up quite often during Prohibition. Many rum runners kept their business records in code. The government would often seize these records during a raid. The government used their own cryptanalysts to break the codes and testify in court as expert witnesses.

      --
      Mea navis aericumbens anguillis abundat

    5. Re:Oh n0es by ucblockhead · Score: 3, Informative

      In the past, courts have ruled that an encryption key is analogous to a physical key, and like a physical key, can be demanded with a warrant.

      --
      The cake is a pie

    6. Re:Oh n0es by Beefysworld · Score: 3, Informative

      I can't believe this didn't get a bite. US citizens aside, this article relates to any other country that uses Vista, so it's a worthwhile topic. Just because one country's constitution states something, doesn't mean that all has been said and done.

  2. Vista is for criminals, it assists encryption by Anonymous Coward · Score: 4, Funny

    If someone uses encryption, then obviously they are trying to hide something illegal or unlawful.

    In Linux, encryption is done with unusual and special commands in conjunction with mounting a "loop" device to a filesystem; requiring administrator privileges to try to encrypt data like that, and adding to the subversion of a system with evidence of a corrupt administrator.

    What kind of administrator would allow encryption on a filesystem? Obviously, a criminal.

    Information is meant to be free, and open source. Encryption is something we would expect Mycrow$oft to use to help criminals be found by the good god-fearing men and women of the DEA/FBI/CIA/GATT/IMF/IRS just to atone for their sins.

    Good people use OSX.

    Call me,
      Eve.

  3. Wow. by eviloverlordx · Score: 4, Funny

    I would've figured that the investigators' computers would be too slow from running Vista to investigate much of anything.

    --
    'Loose' is when your pants are three sizes too big. 'Lose' is when you misuse 'loose'.

  4. No encryption by default by 5,+Troll · Score: 4, Informative

    One misconception is that encryption in Vista is turned on "by default." Actually, it is not. In fact, it is not even available in most versions of Vista. Vista is available in five SKUs, only two of which support encryption (a feature known as "BitLocker", or "BitLocker Drive Encryption" - BDE). Vista Home Basic, Media Edition, and Business *do not* support BDE. Vista Enterprise and Ultimate - the two more expensive editions - do support BDE. Also, encryption is not turned on by default. An important step during encryption involves defining the encryption and decryption keys. This cannot be done by default by someone other than the owner of the system. If it could, then that someone else would be able to gain access to the secure data - exactly what is trying to be controlled.

    --
    Please mod me only (+) Underrated or (-) Troll

    1. Re:No encryption by default by RedElf · Score: 4, Insightful

      With Vista, the OS from MS that phones home more than any previous release, can we really trust it not to "Phone Home" the encryption keys of bitlocker once it's enabled?

      --
      You know, I have one simple request. And that is to have sharks with frickin' laser beams attached to their heads!

    2. Re:No encryption by default by sunwukong · Score: 3, Funny

      They could be sending credit card numbers, or SSNs, or your personal files, or your porn, or even every single piece of data on your computer!

      I've never read a more self-redundant sentence.

  5. If they want to bust you, they will by heretic108 · Score: 3, Insightful

    I see from TFA that they're shitting themselves at the prospect of widespread drive-level encryption. They console themselves with the fact that only the high-end Vista versions support BitLocker.

    But in the end, encryption offers only limited protection. If some well-resourced hostile authority wants to take you down, there's endless options for framing you up. For instance, they could mess with your ISP's logs to fabricate http hits to k1dd13 pr0n sites, or infect your box with a bot that hits such sites on your behalf, which will cause the hits without messing with the ISP's logs...

    --
    -- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...

    1. Re:If they want to bust you, they will by mboverload · Score: 3, Informative

      Criminals usually aren't smart enough to enable drive encryption or buy a $400 copy of Windows Vista. They are probably not smart enough to even install TrueCrypt, which is by far the most incredibly easy to use encryption product on the market.

      And by the way, what kind of bozo puts incriminating evidence on a computer period? Unless they deal in child pornography they wouldn't even have that data on the computer. (Unless you're that one idiot that used Microsoft word to print off a fake suicide note)

      Like I've said, "civilians with encryption" mean nothing. We've had strong encryption for over a decade and I don't see the average pimp encrypting his Microsoft Money 2007 databases that keep track of his hoes. Most people don't use encryption and never will until it's a box click away. Until they forget their password and realize that Uncle Jimmy with his magical computer toolkit can't save them.

    2. Re:If they want to bust you, they will by nine-times · Score: 3, Insightful

      I see from TFA that they're shitting themselves at the prospect of widespread drive-level encryption.

      Whenever it comes to these things, I find myself in a bit of a quandary. Of course I want various criminals to get busted, but these investigators are essentially relying on poor security to get their information. I generally want computers to have good security. I don't like the idea of people being able to see my personal info or browsing history, but I'm also not really hiding anything.

      oh well...

    3. Re:If they want to bust you, they will by Qzukk · Score: 3, Insightful

      *mboverload is sad because he hears these arguments from people but doesn't know how to fight against it. Someone help.*

      "If you have nothing to hide, then you won't mind taking out a newspaper ad with your SSN, your DOB, your credit card numbers, your mother's maiden name, and your driver's license number. Either you have something to hide, or you'll quickly learn that you had something you should have kept hidden."

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.

  6. Encrypted backups? by RedElf · Score: 5, Interesting

    After reading the article (I know we're not supposed to do that), I'm a little confused about whether, if you back up an encrypted volume, the backup is also encrypted. If not, doesn't that defeat the whole purpose of encrypting that data in the first place?

    --
    You know, I have one simple request. And that is to have sharks with frickin' laser beams attached to their heads!

  7. I find it funny. by figleaf · Score: 3, Funny

    that the article mentions Slashdot and Register as a reference for a Microsoft OS.

  8. Encryption use is low anyway... by Blittzed · Score: 3, Interesting

    Part of my job entails working with law enforcement officials in the field of digital forensics. They have told me that the use of any encryption system by criminals is very low, to the point of non-existent. This is fortunate for the Police, as it makes it easier for them to keep these scumbags off the streets (unfortunately a lot of the crime they deal with is child pornography). There are so many barriers to Bitlocker's use (TPM, correct version of Vista, off by default, etc. etc.) that its widespread use just doesn't seem likely. If the bad guys aren't using EFS and other encryption systems now, and these are easy to implement, why would they bother going through the hassle to use Bitlocker? There are also laws being enacted in certain countries to force the bad guy to give up passwords/keys etc. (i.e. we are going to lock you up until you give it to us, so you may as well do it now...).

    --
    "They looked deep into my soul and assigned me a number based on the order in which I joined"

  9. Re:BitLocker is no impediment to police... by pipatron · Score: 3, Informative

    This is why you should use TrueCrypt with the hidden volume feature. You can, after some extortion, give them your key to the main truecrypt volume, but there is no way to know if there is another volume inside the one you just gave them access to.

    --
    c++; /* this makes c bigger but returns the old value */