Windows Vista: Serious Challenges for Digital Investigators. Authors: Darren Hayes, Shareq Qureshi. Presented by: Prerna Gupta.


2 Vista Overview
Not all users are the same:
- Generation X: Internet, multimedia, social networking, gaming
- Middle-aged (Baby Boomers): tech-savvy
- Senior citizens

3 Security Changes
- User Account Control
- Firewall
- Authentication
- Network Access Protection
- Windows Service Hardening
- Anti-Malware
- Data Protection
- Windows Parental Controls

4 Firewall
- Application-aware outbound filtering
- Group Policy settings (enterprise administrators)
- An application can run locally but not communicate across a network
- IPv6 connection filtering

5 Authentication
- Custom authentication: biometrics, tokens
- Authentication for passwords & smart cards

6 Anti-Malware
- Windows Defender: pop-ups, slow performance, spyware
- Software Explorer
- Windows Live OneCare (spyware & anti-virus)
- Real-time protection

7 Data Protection
- Offline attacks
- BitLocker Drive Encryption: Trusted Platform Module (secure generation of cryptographic keys)
- Encrypting File System

8 Benefits to Investigations
- Control, ownership & intent: varying levels of users; new methods of authentication
- Scheduled backup & restore: automatic shadow copy by default; 15% of the volume reserved

9 Challenges to Investigators
- Encryption: BitLocker Drive Encryption (hard drive, AES with TPM); Encrypting File System; encrypted e-mail (Windows Mail)
- Reduction in metadata
- Automatic defragmentation

10 Event Logging
- Time, SID, source, message
- More than 50 logs by default
- C:\Windows\System32\winevt\Logs\
  - Application.evtx
  - HardwareEvents.evtx
  - Internet Explorer.evtx
  - Security.evtx
  - Setup.evtx
  - System.evtx, and more

11 Changes in Evidence
- System time event
- Events are XML, but stored encoded as binary XML (BXML) rather than as plain text
- Practical test on Windows XP and Vista: a person wants to change the system time after the crime; possible in both, but shown only in Vista

12 Changes in Evidence (Cont.)

13 Event Viewer in XP

14 Event Viewer in Vista

15 Disk Defragmentation
- Works the same way in XP as in Vista
- Simplified GUI, but more concern to investigators
- Disk defragmentation is scheduled to run automatically
- Implications with regard to the recovery of deleted files

16 XP Disk Defragmenter

17 Vista Disk Defragmenter

18 Last Access Dates
- Last access dates, which were updated in Windows XP, are no longer updated
- In Windows Vista this feature is enabled by default
- This default setting obviously has a severe impact on investigators who use date stamps as part of their analysis

19 Windows Firewall
- Filters incoming and outgoing network connections
- From a forensic perspective: the logging mechanism
- The log is disabled by default
- C:\windows\system32\LogFiles\Firewall\pfirewall.log

20 Windows Search Engine
- Windows Vista: new search engine and indexing feature
- Users can now save their searches and review the results
- C:\Users\XXXX\Searches
- The Indexing Service: quickly locate files
- C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\systemIndex\Indexer\CiFiles
- Vista maintains several index files

21 Shadow Volume Copy
- Acts as a block device
- A layer between the device & the file system
- The application writes data to disk
- Upon a write, the overwritten block moves to the shadow copy
- The shadow copy holds only the blocks that changed
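The copy-on-write behaviour described on slide 21, as an added Python example (not from the presentation or its authors): a toy block layer that, on the first write to a block after a snapshot, preserves the block's old contents in the shadow copy, so bytes that were later overwritten or "deleted" can still be read back. The class name ShadowCopyDevice and the scenario data are constructed for illustration.

```python
# Added example (not from the presentation): a toy model of how Volume Shadow Copy
# sits between the file system and the block device. On the first write to a
# block after a snapshot, the block's *old* contents are copied into the shadow
# copy, so the shadow copy holds only the blocks that changed.

class ShadowCopyDevice:
    """Copy-on-write layer over a simple in-memory block device (constructed)."""

    def __init__(self, block_count, block_size=4):
        self.block_size = block_size
        self.blocks = [b"\x00" * block_size for _ in range(block_count)]
        self.snapshots = []  # one dict per shadow copy: block index -> old bytes

    def create_snapshot(self):
        """Take a shadow copy; it starts empty and fills in as blocks change."""
        self.snapshots.append({})
        return len(self.snapshots) - 1

    def write(self, index, data):
        """File-system write: preserve the old block in every shadow copy that
        has not yet recorded it, then overwrite the live block."""
        assert len(data) == self.block_size
        for diff in self.snapshots:
            if index not in diff:
                diff[index] = self.blocks[index]  # the overwritten block moves
        self.blocks[index] = data

    def read_snapshot(self, snap_id, index):
        """Block contents as of the snapshot: the preserved copy if the block
        changed since, otherwise the live block is still the snapshot's."""
        return self.snapshots[snap_id].get(index, self.blocks[index])

    def changed_blocks(self, snap_id):
        return sorted(self.snapshots[snap_id])


def demo():
    """Constructed scenario: a file occupies blocks 1-2, a shadow copy is taken,
    then the file is overwritten and 'deleted'. The shadow copy still yields the
    original bytes, and it stores only the blocks touched after the snapshot."""
    dev = ShadowCopyDevice(block_count=8)
    dev.write(1, b"EVID")
    dev.write(2, b"ENCE")
    snap = dev.create_snapshot()
    dev.write(1, b"XXXX")      # overwrite
    dev.write(2, b"\x00" * 4)  # "delete"
    dev.write(5, b"NEWF")      # unrelated data written after the snapshot
    recovered = dev.read_snapshot(snap, 1) + dev.read_snapshot(snap, 2)
    return recovered, dev.blocks[1], dev.changed_blocks(snap)
```

Block 5 appears in the changed list even though it held no file data before the snapshot: the shadow copy records any block written after the snapshot, not only blocks an investigator cares about.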


23 Conclusion
- Problem of control, ownership & intent
- Challenges with BitLocker encryption & TPM
- Restoration & shadow copy are helpful
