Vista Makes Forensic PC Exam Easier for Lawyers
Katharine writes "Jason Krause, a legal affairs writer for the American Bar Association's 'ABA Journal' reports in the July issue that Windows Vista will be a boon for those looking for forensic evidence of wrongdoing on defendants' PC's and a nightmare for defendants who hoped their past computer activities would not be revealed. Krause quotes attorney R. Lee Barrett, 'From a [legal] defense perspective, [Vista] scares me to death. One of the things I have a hard time educating my clients on is the volume of data that's now discoverable.' This is primarily attributable to Shadow Copy, TxF and Instant Search."
If one was stuck with Vista, I could see VMWare being quite popular. Just run all of your "other activities" under a VMware computer. If the computer ever falls into enemy hands, just wipe out the virtual computer and you're good to go.
Another reason I'm sticking with XP.
He who laughs last is at 300 baud.
These are all legitimate, useful features. It's the implementation that's wrong.
All potentially damaging (ie, all) data should be written to an encrypted store in such a way that recovering it from a lost/stolen/seized machine is hard to impossible without assistance from the owner. That's just good design practice in an environment where there is more than enough computing power available.
I'm aware that there are places where you have to hand your keys over to law enforcement... with which I have no real problem provided the due process of law is followed. But at least properly managed/segmented encryption can prevent a fishing trip. And in the worst case if you were being falsely accused of something really awful then you might decide that the penalties for not handing over the keys were less severe than the penalties for having the data available. At least you would get the choice.
What good points? It has a resource intensive "shiny" interface. It has levels of DRM heretofore unseen in an operating system. It is claimed that it is secure, yet still has gaping security holes. It is claimed that it is safe, yet has to be made un-safe for users to be able to do anything with it. It is expensive, clunky, space consuming, privacy invading, insecure, unsafe, and is more interested in protecting the interests of major Hollywood distributors than its users.
Care to highlight why I'd want to use Vista?
Goten Xiao
> Vista is actually selling quite well
No, Vista is being pre-installed on new computers.
Vista is not selling well, people do not want it, and
companies are being told to stay away from it*
> and many people I know are using it without any complaints.
Many people I know are switching to Ubuntu. See how that statement works?
> Why are the good points about Vista never mentioned on Slashdot?
Um because most of the people that come here just see history repeating
itself.
[*]
http://www.tech.co.uk/computing/software/operatin
http://www.businessweek.com/technology/content/no
http://www.theinquirer.net/default.aspx?article=3
For quite some time, it's become easier to find out anyone's business as they used their computer, even in Windows XP. It just seems that with Windows Vista, it's easier to make the discovery. Keep in mind, it's not just the operating system doing the copies, but it's also applications that do so as well.
From the "temporarily copied" documents viewed in Microsoft Outlook, to the cached images stored by Internet Explorer, and still yet to the meta-data stored in Word documents. (There have been a few times I have read a Word document meant to be anonymous only to find the creator in the document's properties.)
While it might take the career of the computer forensic scientist down a peg and be a boon for any prosecutor, it does nothing more than make it easier to find information that hasn't been deleted by force from its owner.
Don't be surprised if the market now swarms with applications that will allow you to 'view' data while wiping all trace evidence after it's been seen; or still yet allowing you to create documents that are completely wiped of meta-data. Sure, you won't be able to find something unless the search has to delegate to its bits and bytes, but at least they can't find someone's manifesto by name. (Of course, you have to be sure that it wasn't e-mailed.)
It's encroachment on privacy like this that creates entirely new markets for people to leech from the truly paranoid; which seems to be quite a majority of the population since everyone seems to have some skeleton in their closet.
On a funny note, this one co-worker had an embarrassing image pop up every time he went to print; the image itself was attached to an e-mail from a co-worker who loved to send around joke e-mails. He wasn't able to get rid of the image from the preview, until I pointed him to the directory (which is stamped in the registry) where Outlook stores its temporary files (usually most attachments, images, etc.) Apparently this fellow never opens any e-mail from this co-worker anymore.
What is forgotten here is an OS really should be an OS - designed to run the computer and what not.
Now, when that OS has deliberate code to track and monitor a user's 'usage', it really is no more a tool to run a computer, but rather a tool to watch a user. The main job of that code is absolute control of the computer taken away from the user.
MS have been trying to do this for years, and now it looks like they have succeeded ~ and the sheep follow and buy the crap.
It is pretty scary that this succeeds at all. I mean, nobody in their right mind would buy a car that recorded every single journey and 'phoned home' every time you exceeded a speed limit, or the car stopped at changing traffic lights, even though you didn't need to... the world would be in uproar and the car would most definitely not sell at all.
Yet the sheep still buy this crap...
If you haven't tried it yet do the following: corrupt the networking part in VPC (or disable networking in VMWare), then load Windows Vista or XP SP2 and use it on a regular basis (you don't even have to load anything, no updates or so), never allowing networking and since it's a corporate version you don't need to activate.
I think after about 90 days (more or less, I don't use it that much) I have noticed the Windows installation corrupts itself every time with the same error (blue screen on startup saying it can't find a specific file in the \system folder), call Microsoft and all they know is that you should apply the latest patches (but I'm not on the Internet, I'm in a controlled environment).
I have had it with different systems (Mac, PC, Linux) and there was no special software running on the virtual machines and all networking and file transferring was blocked.