Slashdot Mirror


Vista Makes Forensic PC Exam Easier for Lawyers

Katharine writes "Jason Krause, a legal affairs writer for the American Bar Association's 'ABA Journal', reports in the July issue that Windows Vista will be a boon for those looking for forensic evidence of wrongdoing on defendants' PCs and a nightmare for defendants who hoped their past computer activities would not be revealed. Krause quotes attorney R. Lee Barrett, 'From a [legal] defense perspective, [Vista] scares me to death. One of the things I have a hard time educating my clients on is the volume of data that's now discoverable.' This is primarily attributable to Shadow Copy, TxF and Instant Search."

3 of 343 comments

  1. Another Use for VMWare by ScottyKUtah · · Score: 4, Interesting

    If one was stuck with Vista, I could see VMWare being quite popular. Just run all of your "other activities" under a VMware computer. If the computer ever falls into enemy hands, just wipe out the virtual computer and you're good to go.

    Another reason I'm sticking with XP.

    --
    He who laughs last is at 300 baud.
    1. Re:Another Use for VMWare by Hork_Monkey · · Score: 4, Interesting

      Still, Windows will create artifacts (lnk files, histories, etc.) to the files on either TrueCrypt volume. A skilled forensic person will be able to testify that the volume you provided the password for does not have the correlating files that can be seen in the artifacts.

      While they will not be able to prove they contain the suspect data, plausible deniability becomes less plausible.

      Much of forensics is being able to correlate the existence of a known file on a filesystem against other evidence, such as another computer that did not employ the protective measures. The point of the article is that TrueCrypt is not enough (and really hasn't been due to the number of artifacts that XP already leaves) - you will have to take a number of measures to cover your tracks, which can be quite time intensive.

      TrueCrypt is a wonderful product. I use it myself to encrypt corporate data. However, every now and then I play with EnCase on my laptop to see what is left behind and it makes me even more paranoid when I have nothing to hide.
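
The correlation described in the comment above, from the examiner's side, as an added example that is not part of the original thread: it reads the volume serial and target path that a Windows shortcut (.lnk) records and flags targets the disclosed volume cannot account for. Field offsets follow Microsoft's published Shell Link (MS-SHLLINK) layout; the function names, serial numbers, paths and sample shortcuts are constructed for illustration.

```python
import struct
HAS_IDLIST, HAS_LINKINFO = 0x1, 0x2   # LinkFlags bits from the Shell Link header

def parse_lnk(data):
    """Return (drive_serial, local_base_path) recorded in a .lnk blob, or (None, None)."""
    header_size, flags = struct.unpack_from("<I16xI", data, 0)
    if header_size != 0x4C:
        raise ValueError("not a Shell Link header")
    pos = 0x4C
    if flags & HAS_IDLIST:                       # skip the LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINKINFO:
        return None, None
    _size, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
    if not li_flags & 0x1:                       # no VolumeID / LocalBasePath stored
        return None, None
    serial = struct.unpack_from("<I", data, pos + vol_off + 8)[0]
    end = data.index(b"\0", pos + path_off)
    return serial, data[pos + path_off:end].decode("cp1252")

def build_sample_lnk(serial, path):
    """Constructed test data: header plus LinkInfo only (CLSID and timestamps zeroed)."""
    header = struct.pack("<I16xI", 0x4C, HAS_LINKINFO).ljust(0x4C, b"\0")
    volume_id = struct.pack("<4I", 17, 3, serial, 16) + b"\0"   # fixed drive, empty label
    base = path.encode("cp1252") + b"\0"
    body = volume_id + base + b"\0"              # last NUL is an empty CommonPathSuffix
    info = struct.pack("<7I", 28 + len(body), 28, 0x1, 28, 28 + len(volume_id), 0,
                       28 + len(volume_id) + len(base))
    return header + info + body

def unexplained_targets(lnk_blobs, disclosed_serial, disclosed_files):
    """List link targets that the disclosed volume cannot account for."""
    listing = {f.lower() for f in disclosed_files}
    findings = []
    for blob in lnk_blobs:
        serial, path = parse_lnk(blob)
        if path is None:
            continue
        if serial != disclosed_serial:
            findings.append((path, "volume serial not disclosed"))
        elif path[2:].lower() not in listing:    # drop the drive letter before comparing
            findings.append((path, "file absent from disclosed volume"))
    return findings

def demo():
    links = [build_sample_lnk(0x1A2B3C4D, r"T:\reports\q2.xls"),
             build_sample_lnk(0x1A2B3C4D, r"T:\archive\ledger.xls"),
             build_sample_lnk(0x9F8E7D6C, r"T:\notes\plan.doc")]
    return unexplained_targets(links, 0x1A2B3C4D, [r"\reports\q2.xls"])
```
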

  2. It's not the function that's the problem by Anonymous Coward · · Score: 5, Interesting

    These are all legitimate, useful features. It's the implementation that's wrong.

    All potentially damaging (i.e., all) data should be written to an encrypted store in such a way that recovering it from a lost/stolen/seized machine is hard to impossible without assistance from the owner. That's just good design practice in an environment where there is more than enough computing power available.

    I'm aware that there are places where you have to hand your keys over to law enforcement... with which I have no real problem provided the due process of law is followed. But at least properly managed/segmented encryption can prevent a fishing trip. And in the worst case if you were being falsely accused of something really awful then you might decide that the penalties for not handing over the keys were less severe than the penalties for having the data available. At least you would get the choice.