Windows Vista: Serious Challenges for Digital Investigations - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Windows Vista: Serious Challenges for Digital Investigations' - mike_john

Presentation Transcript

Windows Vista: Serious Challenges for Digital Investigators

Authors: Darren Hayes

Shareq Qureshi

Presented By: Prerna Gupta


Vista Overview

Not all users are the same:

  • GenerationX

    • Internet

    • Multimedia

    • Social Networking

    • Gaming

  • Middle-Aged (Baby Boomers)

    • Tech-Savvy

  • Senior Citizens


Security Changes

  • User Account Control

  • Firewall

  • Authentication

  • Network Access Protection

  • Windows Service Hardening

  • Anti-Malware

  • Data Protection

  • Windows Parental Controls


Firewall

  • Application Aware Outbound Filtering

  • Group Policy Settings (Enterprise Administrators)

  • Application Can Run Locally But Not Communicate Across a Network

  • IPv6 Connection Filtering


Authentication

  • Custom Authentication:

    • Biometrics

    • Tokens

  • Authentication for Passwords & Smart Cards


Anti-Malware

  • Windows Defender

  • Pop-Ups

  • Slow Performance

  • Spyware

  • Software Explorer

  • Windows Live OneCare (Spyware & Anti-Virus)

  • Real-Time Protection


Data Protection

  • Offline Attacks

  • BitLocker Drive Encryption

    • Trusted Platform Module (Secure Generation of Cryptographic Keys)

  • Encrypted File System


Benefits to Investigations

  • Control, Ownership & Intent

    • Varying levels of Users

    • New methods of Authentication

  • Scheduled Backup & Restore

    • Automatic Shadow Copy by Default

      • 15% of Volume Reserved


Challenges to Investigators

  • Encryption

    • BitLocker Drive Encryption

      • Hard Drive (AES – TPM)

    • Encrypted File System

    • Encrypted E-Mail

      • Windows Mail

  • Reduction in Metadata

  • Automatic Defragmentation


Event Logging

  • Time, SID, Source, Message

  • More than 50 Logs by Default

  • C:\Windows\system32\winevt\Logs\

  • Application.evtx

  • HardwareEvents.evtx

  • Internet Explorer.evtx

  • Security.evtx

  • Setup.evtx

  • System.evtx, and more


Changes in Evidence

  • System Time Event

    • Events are XML, but Stored Encoded as Binary XML (BXML) rather than as Plain Text

    • Practical Test on Windows XP and Vista

    • Person wants to Change the System Time after the Crime

    • Possible in Both, but Recorded as an Event only in Vista
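Once a Vista event is exported from its binary XML container (for example via Event Viewer's "Save As" XML), each record is the plain XML shown below, and the fields the Event Logging slide lists (time, SID, source, message data) can be pulled out directly. The following is an added example, not code from the presentation: it parses a constructed two-record export and flags the system-time change the slide describes. The sample records, the use of Security event ID 4616 ("The system time was changed") and its PreviousTime/NewTime data fields are this example's own assumptions; the slides name none of them.

```python
"""Parse Vista-style event XML and flag system-time changes.
Added example: the records below are constructed, and the use of
Security event ID 4616 with PreviousTime/NewTime fields is an
assumption not stated on the slides."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace used by the Windows event schema (Vista and later).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_TIME_CHANGED = 4616  # assumption: Security log "The system time was changed"

# Constructed export: one large backwards clock change, one small forward one.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4616</EventID>
    <TimeCreated SystemTime="2009-03-05T15:20:01.123456Z"/>
    <EventRecordID>1234</EventRecordID>
    <Channel>Security</Channel>
    <Computer>VISTA-PC</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1000-2000-3000-1001</Data>
    <Data Name="SubjectUserName">user1</Data>
    <Data Name="PreviousTime">2009-03-05T15:20:01.123456700Z</Data>
    <Data Name="NewTime">2009-03-01T09:00:00.000000000Z</Data>
    <Data Name="ProcessName">C:\Windows\System32\rundll32.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4616</EventID>
    <TimeCreated SystemTime="2009-03-05T15:25:00.000000Z"/>
    <EventRecordID>1235</EventRecordID>
    <Channel>Security</Channel>
    <Computer>VISTA-PC</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-19</Data>
    <Data Name="PreviousTime">2009-03-05T15:25:00.000000000Z</Data>
    <Data Name="NewTime">2009-03-05T15:27:00.000000000Z</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
</Events>
"""


def parse_event_time(s):
    """Parse timestamps such as 2009-03-05T15:20:01.123456700Z. Event data
    carries nanoseconds; Python keeps microseconds, so extra digits are dropped."""
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    micros = int((frac + "000000")[:6]) if frac else 0
    return dt.replace(microsecond=micros, tzinfo=timezone.utc)


def parse_events(xml_text):
    """Return one dict per <Event>: time, event id, source (provider), channel,
    record id, the subject SID and the raw EventData name/value pairs."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        sysn = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "time": parse_event_time(sysn.find("e:TimeCreated", NS).get("SystemTime")),
            "event_id": int(sysn.findtext("e:EventID", namespaces=NS)),
            "source": sysn.find("e:Provider", NS).get("Name"),
            "channel": sysn.findtext("e:Channel", namespaces=NS),
            "record_id": int(sysn.findtext("e:EventRecordID", namespaces=NS)),
            "sid": data.get("SubjectUserSid"),
            "data": data,
        })
    return events


def time_changes(events, min_shift=timedelta(minutes=5)):
    """Return (event, shift) pairs for system-time changes of at least min_shift.
    A negative shift means the clock was set backwards, which is what an
    investigator checks for when timestamps on evidence look too early."""
    hits = []
    for ev in events:
        if ev["event_id"] != SYSTEM_TIME_CHANGED:
            continue
        shift = parse_event_time(ev["data"]["NewTime"]) - parse_event_time(ev["data"]["PreviousTime"])
        if abs(shift) >= min_shift:
            hits.append((ev, shift))
    return hits


if __name__ == "__main__":
    for ev, shift in time_changes(parse_events(SAMPLE_EVENTS)):
        print(f"record {ev['record_id']} at {ev['time']}: {ev['sid']} via "
              f"{ev['data'].get('ProcessName')} moved the clock by {shift}")
```

The small forward change is filtered out by the default five-minute threshold, which is a reasonable way to separate routine clock synchronisation from the deliberate adjustment the slide describes; lowering min_shift lists every change.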





Disk Defragmentation

  • Works the Same Way in XP as in Vista

  • Simplified GUI, but of More Concern to Investigators

  • Disk Defragmentation is Scheduled to Run Automatically

  • Implications with Regard to Recovery of Deleted Files




Last Access Dates

  • Last Access Dates, which Windows XP Updated, are no Longer Updated

  • In Windows Vista, this Behaviour is Enabled by Default

  • This Default Setting Obviously has a Severe Impact on Investigators who Use Date Stamps as Part of their Analysis


Windows Firewall

  • Filter Incoming and Outgoing Network Connections

  • From a Forensic Perspective - Logging Mechanism

  • The Log is Disabled by Default

  • C:\windows\system32\LogFiles\Firewall\pfirewall.log
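When logging has been switched on, the file at that path is a W3C-style text log whose "#Fields:" header names the columns of every following line. The snippet below is an added example, not code from the presentation: it parses a constructed sample of that format and totals dropped inbound connections by port. The field list and the sample lines are this example's own rendering of the pfirewall.log layout, not taken from the slides.

```python
"""Parse a Windows Firewall log (pfirewall.log, W3C extended log format)
and summarise dropped inbound connections. Added example; the sample
log text is constructed for illustration, not taken from a real system."""
from collections import Counter

# Constructed sample of pfirewall.log after logging of dropped and
# successful connections has been enabled (the log is off by default).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-03-05 10:15:02 DROP TCP 192.168.1.55 192.168.1.10 49152 445 52 S 1234567 0 8192 - - - RECEIVE
2009-03-05 10:15:03 DROP TCP 192.168.1.55 192.168.1.10 49153 139 52 S 1234568 0 8192 - - - RECEIVE
2009-03-05 10:15:07 ALLOW UDP 192.168.1.10 192.168.1.1 51000 53 0 - - - - - - - SEND
2009-03-05 10:16:41 DROP ICMP 192.168.1.55 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_firewall_log(text):
    """Return one dict per data line, keyed by the names in the '#Fields:'
    header. A '-' value means 'not applicable' and becomes None."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other '#' lines are header metadata
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            # Keep the line visible as malformed rather than silently dropping it.
            records.append({"_malformed": raw})
            continue
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def dropped_inbound_by_port(records):
    """Count DROP records on the RECEIVE path, grouped by (protocol, dst-port)."""
    counts = Counter()
    for rec in records:
        if rec.get("action") == "DROP" and rec.get("path") == "RECEIVE":
            counts[(rec["protocol"], rec.get("dst-port"))] += 1
    return counts


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for (proto, port), n in sorted(dropped_inbound_by_port(recs).items(), key=str):
        print(f"{proto:5} dst-port {port}: {n} dropped inbound")
```

Because the log is disabled by default, an empty or absent file is the normal finding on an unmodified Vista system; the parser returns an empty list for an empty file rather than treating that as an error, so the absence itself can be recorded as a result.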


Windows Search Engine

  • Windows Vista - New Search Engine and Indexing Feature

  • Users can Now Save their Searches and Review the Results

    • C:\Users\XXXX\Searches

    • The Indexing Service - Quickly Locate Files

    • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\systemIndex\Indexer\CiFiles

    • Vista maintains Several Index Files


Shadow Volume Copy

  • Act as a Block Device

  • A layer Between the Device & File System

  • Application Writes Data to Disk

  • Upon Write, Overwritten Block Moves to Shadow Copy

  • Shadow Copy Holds only Blocks that Changed
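The five bullets above describe a copy-on-write layer. As an added example, not from the presentation and not Microsoft's implementation, the toy model below puts exactly that layer between a "writer" and an array of blocks: taking a snapshot costs nothing, the first write to a block after a snapshot moves the old block into that snapshot's shadow area, and the shadow therefore holds only blocks that changed. The final function walks through the scenario the Benefits and Challenges slides care about: a file is deleted and its blocks reused, yet the shadow copy still yields the original content. Block sizes and contents are constructed.

```python
"""Toy copy-on-write shadow copy, added for illustration (not VSS itself)."""


class ShadowCopyVolume:
    """A block store with a shadow layer between writers and the blocks."""

    def __init__(self, nblocks, block_size=4):
        self.block_size = block_size
        self.blocks = [b"\x00" * block_size for _ in range(nblocks)]
        # One shadow (diff) area per snapshot: block index -> bytes at snapshot time.
        self.snapshots = []

    def create_snapshot(self):
        """A new snapshot starts with an empty shadow area."""
        self.snapshots.append({})
        return len(self.snapshots) - 1

    def write(self, index, data):
        """Application write: before the block is overwritten, its current
        content is moved into every snapshot that has not yet preserved it."""
        data = bytes(data)
        if len(data) != self.block_size:
            raise ValueError("block-sized writes only")
        for shadow in self.snapshots:
            if index not in shadow:
                shadow[index] = self.blocks[index]
        self.blocks[index] = data

    def read(self, index):
        """Live read goes straight to the block device."""
        return self.blocks[index]

    def read_as_of(self, snap_id, index):
        """Block content as of a snapshot: the preserved copy if the block has
        changed since, otherwise the live block (unchanged blocks are not copied)."""
        return self.snapshots[snap_id].get(index, self.blocks[index])

    def changed_blocks(self, snap_id):
        return set(self.snapshots[snap_id])

    def shadow_size(self, snap_id):
        """Bytes the snapshot occupies: only changed blocks are stored."""
        return len(self.snapshots[snap_id]) * self.block_size

    def restore_volume(self, snap_id):
        """Reassemble the whole volume as it was at snapshot time."""
        return [self.read_as_of(snap_id, i) for i in range(len(self.blocks))]


def deleted_file_recovery_demo():
    """Constructed scenario: a three-block file exists when the snapshot is
    taken; it is then deleted and two of its blocks are reused by a new file.
    Returns (recovered bytes, shadow size in bytes, changed block indices)."""
    vol = ShadowCopyVolume(6)
    for i, chunk in enumerate([b"EVID", b"ENCE", b"!!!!"]):
        vol.write(i, chunk)
    snap = vol.create_snapshot()
    vol.write(0, b"NEWF")   # new file overwrites blocks 0 and 1
    vol.write(1, b"ILE.")
    recovered = b"".join(vol.read_as_of(snap, i) for i in range(3))
    return recovered, vol.shadow_size(snap), vol.changed_blocks(snap)


if __name__ == "__main__":
    recovered, size, changed = deleted_file_recovery_demo()
    print(recovered, size, sorted(changed))
```

The model also shows why the "15% of volume reserved" figure on the Benefits slide matters: the shadow area grows by one block per block first overwritten after the snapshot, so heavy rewriting (including automatic defragmentation moving data) consumes it quickly, and once the reserved space is exhausted the oldest snapshots are the ones an investigator loses.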




Conclusion

  • Problem of Control, Ownership & Intent

  • Challenges with BitLocker Encryption & TPM

  • Restoration & Shadow Copy are Helpful

