Vista For Forensic Investigators
Ant writes "SecurityFocus has a two-part article offering a high-level look at changes in Windows Vista that a computer forensic investigator needs to know about. Part 1 covers the different versions of Vista available and Vista's built-in encryption, backup, and system protection features. Part 2 continues with a look at typical user activities such as Web browser and email usage."
The smart people already use drive encryption via TrueCrypt and other methods.
This may make it easier for the not so completely stupid criminals to protect themselves, but I doubt it will have any real effect.
People are stupid. That's why they get caught.
If someone uses encryption, then obviously they are trying to hide something illegal or unlawful.
In Linux, encryption is done with unusual and special commands in conjunction with mounting a "loop" device to a filesystem; requiring administrator privileges to try to encrypt data like that, and adding to the subversion of a system with evidence of a corrupt administrator.
What kind of administrator would allow encryption on a filesystem? Obviously, a criminal.
Information is meant to be free, and open source. Encryption is something we would expect Mycrow$oft to use to help criminals be found by the good god-fearing men and women of the DEA/FBI/CIA/GATT/IMF/IRS just to atone for their sins.
Good people use OSX.
Call me,
Eve.
I would've figured that the investigators' computers would be too slow from running Vista to investigate much of anything.
'Loose' is when your pants are three sizes too big. 'Lose' is when you misuse 'loose'.
One misconception is that encryption in Vista is turned on "by default." Actually, it is not. In fact, it is not even available in most versions of Vista. Vista is available in five SKUs, only two of which support encryption (a feature known as "BitLocker", or "BitLocker Drive Encryption" - BDE). Vista Home Basic, Media Edition, and Business *do not* support BDE. Vista Enterprise and Ultimate - the two more expensive editions - do support BDE. Also, encryption is not turned on by default. An important step during encryption involves defining the encryption and decryption keys. This cannot be done by default by someone other than the owner of the system. If it could, then that someone else would be able to gain access to the secure data - exactly what is trying to be controlled.
Please mod me only (+) Underrated or (-) Troll
After reading the article (I know we're not supposed to do that) I'm a little confused about whether, if you back up an encrypted volume, the backup is also encrypted. If not, doesn't that defeat the whole purpose of encrypting that data in the first place?
You know, I have one simple request. And that is to have sharks with frickin' laser beams attached to their heads!