Windows Vista: Serious Challenges for Digital Investigators
Authors: Darren Hayes, Shareq Qureshi
Presented by: Prerna Gupta
Vista Overview
Not all users are the same:
• Generation X
  • Internet
  • Multimedia
  • Social Networking
  • Gaming
• Middle-Aged (Baby Boomers)
  • Tech-Savvy
• Senior Citizens
Security Changes
• User Account Control
• Firewall
• Authentication
• Network Access Protection
• Windows Service Hardening
• Anti-Malware
• Data Protection
• Windows Parental Controls
Firewall
• Application-Aware Outbound Filtering
• Group Policy Settings (Enterprise Administrators)
• An Application Can Run Locally but Not Communicate Across a Network
• IPv6 Connection Filtering
Authentication
• Custom Authentication:
  • Biometrics
  • Tokens
• Authentication for Passwords & Smart Cards
Anti-Malware
• Windows Defender
• Pop-Ups
• Slow Performance
• Spyware
• Software Explorer
• Windows Live OneCare (Spyware & Anti-Virus)
• Real-Time Protection
Data Protection
• Offline Attacks
• BitLocker Drive Encryption
• Trusted Platform Module (Secure Generation of Cryptographic Keys)
• Encrypting File System
Benefits to Investigations
• Control, Ownership & Intent
• Varying Levels of Users
• New Methods of Authentication
• Scheduled Backup & Restore
• Automatic Shadow Copy by Default
  • 15% of Volume Reserved
Challenges to Investigators
• Encryption
  • BitLocker Drive Encryption: Hard Drive (AES – TPM)
  • Encrypting File System
  • Encrypted E-Mail: Windows Mail
• Reduction in Metadata
• Automatic Defragmentation
Event Logging
• Each Event Records Time, SID, Source, Message
• More than 50 Logs by Default
• C:/Windows/system32/winevt/Logs/
  • Application.evtx
  • HardwareEvents.evtx
  • Internet Explorer.evtx
  • Security.evtx
  • Setup.evtx
  • System.evtx, more…
Changes in Evidence
• System Time Event
• Events are XML, but stored encoded as Binary XML (BXML) rather than as plain text
• Practical Test on Windows XP and Vista: a Person Wants to Change the System Time after the Crime
• Possible in Both, but Shown only in Vista
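To make the "Time, SID, Source, Message" fields and the system-time event concrete, the following is an added example (not from the slides or the paper) that parses events exported from an .evtx file to XML and flags system-time changes. It assumes the standard Windows Event XML namespace and the Security-Auditing event ID 4616 ("The system time was changed") with its PreviousTime/NewTime data fields; the two records are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Windows Event XML namespace used by exported events (wevtutil /f:xml style).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: event ID 4616 in Security.evtx records a system time change,
# with PreviousTime/NewTime in its EventData.
TIME_CHANGE_EVENT_ID = "4616"

# Constructed sample of two exported Security events (values are made up).
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2008-03-12T08:59:31.000Z"/>
    <Channel>Security</Channel>
    <Security/>
  </System>
  <EventData><Data Name="TargetUserName">prerna</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4616</EventID>
    <TimeCreated SystemTime="2008-03-12T09:02:15.000Z"/>
    <Channel>Security</Channel>
    <Security/>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1000-2000-3000-1001</Data>
    <Data Name="PreviousTime">2008-03-12T09:02:15.000Z</Data>
    <Data Name="NewTime">2008-03-10T09:02:15.000Z</Data>
  </EventData>
</Event>
</Events>"""


def _parse_systemtime(value):
    """Parse the ISO-8601 UTC timestamp format Windows writes into exported XML."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_events(xml_text):
    """Return one dict per <Event>: time, SID, source, event id and message data."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        security = system.find("e:Security", NS)
        # The SID lives either on <Security UserID=...> or, for audit events,
        # in the SubjectUserSid data field.
        sid = security.get("UserID") if security is not None else None
        events.append({
            "time": _parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
            "sid": sid or data.get("SubjectUserSid"),
            "source": system.find("e:Provider", NS).get("Name"),
            "event_id": system.find("e:EventID", NS).text,
            "channel": system.find("e:Channel", NS).text,
            "data": data,
        })
    return events


def find_time_changes(events):
    """Flag system-time changes and report how far the clock was moved."""
    findings = []
    for ev in events:
        if ev["event_id"] != TIME_CHANGE_EVENT_ID:
            continue
        prev = _parse_systemtime(ev["data"]["PreviousTime"])
        new = _parse_systemtime(ev["data"]["NewTime"])
        findings.append({
            "logged_at": ev["time"],
            "sid": ev["sid"],
            "shift": new - prev,          # negative: clock moved backwards
            "moved_backwards": new < prev,
        })
    return findings


if __name__ == "__main__":
    for f in find_time_changes(parse_events(SAMPLE_EVENTS)):
        print(f)
```

An investigator would run this over the XML export of Security.evtx; a clock moved backwards after the incident window is exactly the anti-forensic step the slide describes, and on Vista it leaves this record.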
Disk Defragmentation
• Works the Same Way in XP as in Vista
• Simplified GUI, but More Concern to Investigators
• Disk Defragmentation is Scheduled to Run Automatically
• Implication with Regard to Recovery of Deleted Files
Last Access Dates
• In Windows XP they are no Longer Updated
• In Windows Vista, this Feature is Enabled by Default
• This Default Setting Obviously has a Severe Impact on Investigators who use Date Stamps as Part of their Analysis
Windows Firewall
• Filters Incoming and Outgoing Network Connections
• From a Forensic Perspective: the Logging Mechanism
• The Log is Disabled by Default
• C:\windows\system32\LogFiles\Firewall\pfirewall.log
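When the log is enabled, pfirewall.log is a W3C extended log with a #Fields header naming each column. The following is an added example (not from the slides) that parses that format and summarises blocked inbound connection attempts per source address; the sample log content is constructed for this example and the field list assumes the standard pfirewall.log header.

```python
from datetime import datetime

# Constructed sample in pfirewall.log layout; these lines are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-03-12 09:15:02 DROP TCP 10.0.0.25 10.0.0.7 49231 445 52 S 1234567 0 8192 - - - RECEIVE
2008-03-12 09:15:03 DROP TCP 10.0.0.25 10.0.0.7 49232 139 52 S 1234568 0 8192 - - - RECEIVE
2008-03-12 09:16:10 ALLOW UDP 10.0.0.7 10.0.0.1 53211 53 0 - - - - - - - SEND
2008-03-12 09:20:44 DROP TCP 10.0.0.25 10.0.0.7 49240 3389 52 S 1234570 0 8192 - - - RECEIVE
"""


def parse_pfirewall_log(text):
    """Parse W3C-style firewall log text into a list of dicts keyed by #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            # The header defines the column order; everything after it is data.
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other header directives (#Version, #Software, #Time Format)
        if fields is None:
            raise ValueError("data line encountered before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than abort the run
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def dropped_inbound_by_source(records):
    """Count DROP/RECEIVE entries per source IP (inbound attempts the firewall blocked)."""
    counts = {}
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            counts[r["src-ip"]] = counts.get(r["src-ip"], 0) + 1
    return counts


def targeted_ports(records, src_ip):
    """Sorted set of destination ports a given source was blocked from reaching."""
    return sorted({int(r["dst-port"]) for r in records
                   if r["src-ip"] == src_ip and r["action"] == "DROP"})


if __name__ == "__main__":
    recs = parse_pfirewall_log(SAMPLE_LOG)
    print(dropped_inbound_by_source(recs))
    print(targeted_ports(recs, "10.0.0.25"))
```

Because logging is off by default, the practical lesson for a defender is to enable it in policy before an incident; after the fact, an empty or absent pfirewall.log tells the investigator nothing.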
Windows Search Engine
• Windows Vista: New Search Engine and Indexing Feature
• Users can Now Save their Searches and Review the Results
  • C:\Users\XXXX\Searches
• The Indexing Service: Quickly Locate Files
  • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles
• Vista Maintains Several Index Files
Shadow Volume Copy
• Acts as a Block Device
• A Layer Between the Device & the File System
• An Application Writes Data to Disk
• Upon Write, the Overwritten Block Moves to the Shadow Copy
• The Shadow Copy Holds only the Blocks that Changed
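The copy-on-write behaviour described on this slide is easiest to see in a toy model. The following is an added example (not from the slides or from Windows itself): a simulated block device where creating a shadow copy costs nothing up front, every later overwrite first moves the old block into the shadow store, and the previous contents of any block can be read back from that store. The block size and contents are constructed for the example.

```python
class CopyOnWriteVolume:
    """Toy block device with shadow-copy (copy-on-write) semantics."""

    def __init__(self, nblocks, block_size=4):
        self.block_size = block_size
        self.blocks = [b"\x00" * block_size for _ in range(nblocks)]
        # One dict per shadow copy: block index -> content at the time of the copy.
        self.shadow_copies = []

    def create_shadow_copy(self):
        """A new shadow copy stores nothing until a block is overwritten."""
        self.shadow_copies.append({})
        return len(self.shadow_copies) - 1

    def write(self, idx, data):
        if len(data) != self.block_size:
            raise ValueError("data must be exactly one block")
        # Before overwriting, preserve the old block in every shadow copy that
        # has not yet recorded it; the first change after a copy is what counts.
        for snap in self.shadow_copies:
            if idx not in snap:
                snap[idx] = self.blocks[idx]
        self.blocks[idx] = data

    def read(self, idx):
        return self.blocks[idx]

    def read_at_shadow_copy(self, snap_id, idx):
        """Content of block idx as it was when shadow copy snap_id was taken."""
        # If the copy recorded the block, it changed afterwards; otherwise the
        # live block is still the original.
        return self.shadow_copies[snap_id].get(idx, self.blocks[idx])

    def shadow_block_count(self, snap_id):
        """Space used by a shadow copy: only blocks changed since it was taken."""
        return len(self.shadow_copies[snap_id])

    def changed_blocks_since(self, snap_id):
        """Block indexes an investigator could recover an older version of."""
        return sorted(self.shadow_copies[snap_id])


def demo():
    """Overwrite a 'file' after a shadow copy and recover its earlier content."""
    vol = CopyOnWriteVolume(nblocks=8)
    vol.write(0, b"AAAA")
    vol.write(1, b"BBBB")
    snap = vol.create_shadow_copy()
    vol.write(1, b"CCCC")   # first overwrite: BBBB moves into the shadow copy
    vol.write(1, b"DDDD")   # second overwrite: nothing more is stored
    return vol, snap


if __name__ == "__main__":
    vol, snap = demo()
    print("live block 1:", vol.read(1))
    print("block 1 at shadow copy:", vol.read_at_shadow_copy(snap, 1))
    print("blocks held by shadow copy:", vol.shadow_block_count(snap))
```

Two points for investigators fall out of the model: only the first overwrite after a copy is preserved (intermediate versions are lost), and the shadow store is bounded, so on a real volume the oldest copies are discarded as the reserved space fills.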
Conclusion
• Problem of Control, Ownership & Intent
• Challenges with BitLocker Encryption & TPM
• Restoration & Shadow Copy are Helpful