Windows Vista: Serious Challenges for Digital Investigations - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Windows Vista: Serious Challenges for Digital Investigations' - mike_john

Presentation Transcript

Windows Vista: Serious Challenges for Digital Investigators

Authors: Darren Hayes, Shareq Qureshi

Presented By: Prerna Gupta

Vista Overview

Not all users are the same:

  • GenerationX
    • Internet
    • Multimedia
    • Social Networking
    • Gaming
  • Middle-Aged (Baby Boomers)
    • Tech-Savvy
  • Senior Citizens
Security Changes
  • User Account Control
  • Firewall
  • Authentication
  • Network Access Protection
  • Windows Service Hardening
  • Anti-Malware
  • Data Protection
  • Windows Parental Controls
Firewall
  • Application Aware Outbound Filtering
  • Group Policy Settings (Enterprise Administrators)
  • Application Can Run Locally But Not Communicate Across a Network
  • IPv6 Connection Filtering
Authentication
  • Custom Authentication:
  • Biometrics
  • Tokens
  • Authentication for Passwords & Smart Cards
Anti-Malware
  • Windows Defender
  • Pop-Ups
  • Slow Performance
  • Spyware
  • Software Explorer
  • Windows Live OneCare (Spyware & Anti-Virus)
  • Real-Time Protection
Data Protection
  • Offline Attacks
  • BitLocker Drive Encryption
    • Trusted Platform Module (Secure Generation of Cryptographic Keys)
  • Encrypted File System
Benefits to Investigations
  • Control, Ownership & Intent
    • Varying levels of Users
    • New methods of Authentication
  • Scheduled Backup & Restore
    • Automatic Shadow Copy by Default
      • 15% of Volume Reserved
Challenges to Investigators
  • Encryption
    • BitLocker Drive Encryption
      • Hard Drive (AES – TPM)
    • Encrypted File System
    • Encrypted E-Mail
      • Windows Mail
  • Reduction in Metadata
  • Automatic Defragmentation
Event Logging
  • Time, SID, Source, Message
  • More than 50 Logs by Default
  • C:\Windows\system32\winevt\Logs\
  • Application.evtx
  • HardwareEvents.evtx
  • Internet Explorer.evtx
  • Security.evtx
  • Setup.evtx
  • System.evtx, and more
Changes in Evidence
  • System Time Event
    • Events are XML, but Encoded as Binary XML (BXML) rather than Plain Text
    • Practical Test on Windows XP and Vista
    • A Person wants to Change the System Time after the Crime
    • Possible in Both, but Shown only in Vista
Disk Defragmentation
  • Works the Same Way in XP as in Vista
  • Simplified GUI, but More Concern to Investigators
  • Disk Defragmentation is Scheduled to Run Automatically
  • Implications with Regard to Recovery of Deleted Files
Last Access Dates
  • Last Access Dates are no Longer Updated as they were in Windows XP
  • In Windows Vista, this Behaviour is Enabled by Default
  • This Default Setting Obviously has a Severe Impact on Investigators who Use Date Stamps as Part of their Analysis
Windows Firewall
  • Filter Incoming and Outgoing Network Connections
  • From a Forensic Perspective - Logging Mechanism
  • The Log is Disabled by Default
  • C:\windows\system32\LogFiles\Firewall\pfirewall.log
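Because the firewall log is off by default, an investigator who does find a pfirewall.log on a Vista image will want to read it quickly. The following parser and summary are an added example (not code from the presentation or from Microsoft); it assumes the W3C-style layout Windows Firewall writes, in which `#` header lines precede the records and the `#Fields:` line names the columns, and the sample log embedded in it is constructed, not a real capture.

```python
"""Parser and summary for a Windows Firewall log in pfirewall.log format.

Added example (not from the presentation). The log layout is the W3C
extended format that Windows Firewall writes: '#' header lines, one of
which ('#Fields:') names the columns, then one space-separated record per
line with '-' standing for "not applicable". The sample below is constructed.
"""
from collections import Counter
from typing import Dict, List, Optional

Record = Dict[str, Optional[str]]

# Constructed sample in pfirewall.log layout (not a real capture).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-05-14 09:12:01 DROP TCP 10.0.0.7 10.0.0.5 49152 445 52 S 123456789 0 8192 - - - RECEIVE
2007-05-14 09:12:02 DROP TCP 10.0.0.7 10.0.0.5 49153 139 52 S 123456790 0 8192 - - - RECEIVE
2007-05-14 09:12:05 ALLOW UDP 10.0.0.5 10.0.0.1 51000 53 0 - - - - - - - SEND
2007-05-14 09:12:09 DROP ICMP 10.0.0.7 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
2007-05-14 09:13:40 DROP TCP 10.0.0.7 10.0.0.5 49154 445 52 S 123456791 0 8192 - - - RECEIVE
2007-05-14 09:13:41 DROP TCP 10.0.0.7
"""


def parse_pfirewall_log(text: str) -> List[Record]:
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields: Optional[List[str]] = None
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Header/comment line; only '#Fields:' carries layout information.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            # Truncated line (e.g. the file was copied while being written);
            # skip it rather than mis-align columns for every later record.
            continue
        records.append({name: (None if value == "-" else value)
                        for name, value in zip(fields, parts)})
    return records


def summarize(records: List[Record]) -> dict:
    """Counts an investigator looks at first: actions, dropped targets, sources."""
    drops = [r for r in records if r["action"] == "DROP"]
    dropped_ports = Counter(f"{r['protocol']}/{r['dst-port']}"
                            for r in drops if r["dst-port"] is not None)
    return {
        "records": len(records),
        "actions": dict(Counter(r["action"] for r in records)),
        "drop_sources": dict(Counter(r["src-ip"] for r in drops)),
        "top_dropped_ports": dropped_ports.most_common(3),
        "first": f"{records[0]['date']} {records[0]['time']}" if records else None,
        "last": f"{records[-1]['date']} {records[-1]['time']}" if records else None,
    }


if __name__ == "__main__":
    # On a mounted image, read the real file instead of SAMPLE_LOG, e.g.
    #   open(r"C:\windows\system32\LogFiles\Firewall\pfirewall.log").read()
    for key, value in summarize(parse_pfirewall_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The parser takes the column names from the `#Fields:` header rather than hard-coding them, so it survives the field-list differences between Windows Firewall versions, and it drops a truncated record instead of shifting every later column by one.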
Windows Search Engine
  • Windows Vista - New Search Engine and Indexing Feature
  • Users can Now Save their Searches and Review the Results
    • C:\Users\XXXX\Searches
    • The Indexing Service - Quickly Locate Files
    • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\systemIndex\Indexer\CiFiles
    • Vista maintains Several Index Files
Shadow Volume Copy
  • Act as a Block Device
  • A layer Between the Device & File System
  • Application Writes Data to Disk
  • Upon Write, Overwritten Block Moves to Shadow Copy
  • Shadow Copy Holds only Blocks that Changed
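The copy-on-write behaviour in the bullets above, and the reserved storage mentioned under Scheduled Backup & Restore, can be modelled in a few dozen lines. The following is an added example, not Microsoft's Volume Shadow Copy Service code and not from the presentation; the block size, the default 15% reserve fraction, and the assumption that a full diff area discards the snapshot rather than blocking the write are modelling choices, and the volume contents are constructed.

```python
"""Copy-on-write block snapshot, modelling the shadow-copy layer described
above. Added example, not Microsoft's Volume Shadow Copy Service code; the
block size, reserve fraction and "discard the snapshot when its storage area
is full" behaviour are assumptions chosen to keep the model small.
"""
from typing import Dict, List, Optional

BLOCK_SIZE = 4  # bytes per block; tiny so the demo stays readable (assumption)


class Volume:
    """The underlying block device: a list of fixed-size blocks."""

    def __init__(self, blocks: List[bytes]):
        if any(len(b) != BLOCK_SIZE for b in blocks):
            raise ValueError("all blocks must be BLOCK_SIZE bytes")
        self.blocks = list(blocks)


class ShadowCopy:
    """The layer between the application and the device.

    Taking the snapshot copies nothing. When a block is written for the first
    time after the snapshot, its *old* contents are saved to the diff area
    before the new data reaches the device; blocks that never change are never
    copied, so the diff area holds only blocks that changed.
    """

    def __init__(self, volume: Volume, reserve_fraction: float = 0.15):
        self.volume = volume
        # Storage set aside for the diff area, as a fraction of the volume.
        self.capacity = max(1, int(len(volume.blocks) * reserve_fraction))
        self.diff_area: Dict[int, bytes] = {}   # block index -> pre-snapshot data
        self.discarded = False

    def write(self, index: int, data: bytes) -> None:
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes must be whole blocks")
        if not self.discarded and index not in self.diff_area:
            if len(self.diff_area) >= self.capacity:
                # Diff area full: the write still succeeds, the snapshot is lost
                # (assumed behaviour; the live volume is never blocked).
                self.diff_area.clear()
                self.discarded = True
            else:
                self.diff_area[index] = self.volume.blocks[index]
        self.volume.blocks[index] = data

    def read_snapshot(self, index: int) -> bytes:
        """Block contents as they were at snapshot time."""
        if self.discarded:
            raise LookupError("snapshot was discarded when its storage filled")
        # Changed blocks come from the diff area, unchanged ones from the live device.
        return self.diff_area.get(index, self.volume.blocks[index])

    def changed_blocks(self) -> List[int]:
        return sorted(self.diff_area)


def recover_snapshot_image(shadow: ShadowCopy) -> Optional[bytes]:
    """Reassemble the whole volume as it was at snapshot time, or None if lost."""
    if shadow.discarded:
        return None
    return b"".join(shadow.read_snapshot(i) for i in range(len(shadow.volume.blocks)))


def demo() -> dict:
    # Constructed volume of four blocks; snapshot taken, then the user overwrites
    # one block twice and zeroes another ("wiping" it after the fact).
    vol = Volume([b"AAAA", b"BBBB", b"CCCC", b"DDDD"])
    shadow = ShadowCopy(vol, reserve_fraction=0.5)   # room for 2 changed blocks
    shadow.write(1, b"bbbb")
    shadow.write(1, b"B2B2")          # same block again: nothing new is saved
    shadow.write(3, b"\x00" * 4)
    return {
        "live": b"".join(vol.blocks),
        "changed": shadow.changed_blocks(),
        "snapshot": recover_snapshot_image(shadow),
        "diff_area_bytes": sum(len(b) for b in shadow.diff_area.values()),
    }


def demo_overflow() -> Optional[bytes]:
    # Same setup, but a third distinct block is written: the reserved space
    # cannot hold it, so the snapshot (and the evidence in it) is gone.
    vol = Volume([b"AAAA", b"BBBB", b"CCCC", b"DDDD"])
    shadow = ShadowCopy(vol, reserve_fraction=0.5)
    for i in (0, 1, 2):
        shadow.write(i, b"xxxx")
    return recover_snapshot_image(shadow)


if __name__ == "__main__":
    print(demo())
    print(demo_overflow())
```

The two demos show both sides of the slide's point: `demo()` recovers the pre-wipe contents of block 3 from a diff area that holds only eight bytes, while `demo_overflow()` shows why the reserved fraction matters to an investigator, since enough distinct writes after the snapshot exhaust it and the recoverable state disappears.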
Conclusion
  • Problem of Control, Ownership & Intent
  • Challenges with BitLocker Encryption & TPM
  • Restoration & Shadow Copy are Helpful