1 / 24

Microsoft Vista Forensics

Microsoft Vista Forensics. Mike Pinch, CISA, CISM, PMP October 2007. Agenda. Computer Forensics Overview Why Vista? Evidence Acquisition Techniques Hard Drive Analysis Pros and Cons Live Analysis Pros and Cons Different Versions of Vista Key Vista Technologies BitLocker Encryption

meris
Download Presentation

Microsoft Vista Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Microsoft Vista Forensics Mike Pinch, CISA, CISM, PMP October 2007

  2. Agenda • Computer Forensics Overview • Why Vista? • Evidence Acquisition Techniques • Hard Drive Analysis Pros and Cons • Live Analysis Pros and Cons • Different Versions of Vista • Key Vista Technologies • BitLocker Encryption • Encrypting File System • Shadow Copy • Transaction NTFS • Vista Instant Search • Microsoft Advertising Approach • Forensic Tools • EnCase Toolkit • Demonstration • Closing Thoughts • Questions

  3. Computer Forensics Overview • The preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis • Computer crime is slowly being realized as a huge industry • Forensic analyses can be performed on both compromised machines and (suspected) attacking machines

  4. Why Vista? • Microsoft Vista is the successor to the most popular OS of all time, Windows XP • Forensic techniques rarely change, but each successive OS will provide new places and techniques to hide (and recover) data • Vista is no different; it provides some HUGE opportunities

  5. Evidence Acquisition Techniques • Two methods • Live Analysis • Often used to collect data that is not likely to be used in court, or less “critical” intrusions • Pull the Plug • “Freezes” the computer at its current state, allows for more reliance over data preservation

  6. Hard Drive Analysis • Literally means, pulling the plug. • This method preserves the current state of the hard drive, retaining disk integrity. • Unable to recover volatile data. • Using the shutdown process will modify files, and possibly set off traps set by the intruder to destroy data. • This is the preferred method of analysis.

  7. Live Analysis • Allows for collection of data from volatile locations such as RAM and cache. • Often will provide extremely useful data. • Dangerous because of time bombs that can be left by intruders. • Requires installation of software to capture data, possibly erasing critical data and spoiling the “preservation” of the system.

  8. Different Versions of Vista • Six in total • Home Basic • Home Premium • Business • Ultimate • Enterprise • Starter

  9. Vista Technologies(Forensically Interesting) • Bitlocker • EFS • Backup and Restore • Shadow Copy • Instant Search

  10. BitLocker • The big name feature at the time of rollout, although it is only available on premium and enterprise editions. • Provides a means of encrypting all data on the hard drive, using the AES algorithm. You must enable this feature manually. • Used through a Trusted Platform Module (TPM) – Chip included on many new computers that provides encrypt/decrypt and integrity checking capabilities in pre-boot. • Machines without TPM lets users lock data with a “key”, such as a fingerprint, usb drive, or password. • Will allow different combinations of the above validation procedures for 1 or 2 factor authentication.

  11. BitLocker Management • If the system is part of an Active Directory environment, administrators can configure group policies to silently escrow keys into Active Directory. • Technology is old news – been around for many years. • While a drive encrypted by BitLocker will likely prevent a forensic analysis, its impact is expected to be negligible, due to the low volume of installations with the option, and the ability for enterprise editions to be managed by system administrators. • Enterprises will need to develop policies around BitLocker use; it needs to be required or prevented.

  12. EFS • Similar to BitLocker, however provides encryption on specific folders, not the entire drive. • Technology has been available on previous versions of Windows, back to NT. • Vista version adds ability to utilize external memory cards to maintain keys. • Keys can be maintained centrally through Administrators

  13. Cracking EFS • Attackers with access to the Windows directory can attempt dictionary attacks to find the user's password with lighting speed, and the vast majority of passwords will fall within a day. • The page file contains clear text data, which can be exploited. • The encryption process creates temporary copies of files that are “deleted” after the encryption process, but they can be recovered after the fact by disk analysis tools.

  14. Shadow Copy • Automatically saves previous versions of files you work with. • Uses incremental backups, which allows for many copies of old files to be stored on your machine. • Feature is enabled by default. • Allows an investigator to create accurate timelines and view old versions of documents.

  15. Transactional NTFS • Transactional NT File System • This is the format used to store data on the hard drive by Microsoft Vista. • Provides atomicity in writing files. When a file is updated or modified and then saved, rather than rewriting the changes to the file, it writes a new copy of the file. This provides data integrity in the case of error or crash while the file is being written. • Considers its operations as transactions, allowing critical changes to be grouped into a “transaction”. This “transaction” is only completed when all operations have been completed successfully. This prevents system crashes and errors from damaging files. • Overall, T-NTFS provides for greater data integrity, but also leaves a huge trail of old data for the forensic investigator to examine.

  16. Instant Search • In order to facilitate its highly vaunted “Instant Search” capability, Microsoft has implemented what can be thought of as the “Gold Mine” for forensic investigators. • Vista utilizes your unused drive space and indexes the applications you use, the files you use, the websites you visit, and so on. • This option is automatically turned on.

  17. Advertising • Microsoft recently filed for a patent that outlines their approach for “targeted advertising” based on hard drive content. • This, combined with Instant Search data indexing is setting the stage for the most targeted advertising the computer industry has ever seen. • Microsoft patent language: • “An advertising framework may reside on a user computer, whether it's a part of the OS, an application or integrated within applications. Applications, tools, or utilities may use an application program interface to report context data tags such as key words or other information that may be used to target advertisements. The advertising framework may host several components for receiving and processing the context data, refining the data, requesting advertisements from an advertising supplier, for receiving and forwarding advertisements to a display client for presentation, and for providing data back to the advertising supplier. Various display clients may also use an application program interface for receiving advertisements from the advertising framework. An application, such as a word processor or email client, may serve as both a source of context data and as a display client. Stipulations may be made by the application hosting the display client with respect to the nature of acceptable advertising, restrictions on use of alternate display clients, as well as, specifying supported media. “

  18. Windows Forensics Tools • Prodiscover • Livewire • EnCase • Helix * • Mandiant * • Spader ** * - Free Software ** - For law enforcement only

  19. EnCase Toolkit • A toolset available to complete forensics analyses on Microsoft systems. • Has its own programming language to develop custom tests. • Will allow for recovery of just about any piece of data from a Windows system

  20. Conducting an Analysis • Considerable subjective judgment should be completed prior to developing your test approach. • Different scenarios include • Looking for deleted files • Examining a compromised machine • Examining a suspected attacker • Searching for activity history

  21. Demonstration

  22. Closing Thoughts • In an effort to provide ever better convenience, more and more of your activity is being recorded. This is a big plus for forensics technicians. • Detailed security policies should be developed in an enterprise environment to centrally manage the use of the discussed features. Business users should not have the option to opt in/out of these features. • Vista’s tools move the forensic investigation allow much more work to be done within the OS itself, rather than just on the drive volume alone.

  23. Questions / Comments / Discussion

  24. Credits • Computer Forensics – Incident Response Essentials. Addison-Wesley. Kruse, Heiser, 2003 • TechRepublic • Arstechnica • TechRepublic • US Patent Office • Microsoft • Abanet

More Related