Windows Vista Serious Challenges for Digital Investigators - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Windows Vista Serious Challenges for Digital Investigators' - mike_john


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Windows Vista: Serious Challenges for Digital Investigators

Authors: Darren Hayes

Shareq Qureshi

Presented By: Prerna Gupta


Vista Overview

Not all users are the same:

  • GenerationX

    • Internet

    • Multimedia

    • Social Networking

    • Gaming

  • Middle-Aged (Baby Boomers)

    • Tech-Savvy

  • Senior Citizens


Security Changes

  • User Account Control

  • Firewall

  • Authentication

  • Network Access Protection

  • Windows Service Hardening

  • Anti-Malware

  • Data Protection

  • Windows Parental Controls


Firewall

  • Application Aware Outbound Filtering

  • Group Policy Settings (Enterprise Administrators)

  • Application Can Run Locally But Not Communicate Across a Network

  • IPv6 Connection Filtering


Authentication

  • Custom Authentication:

    • Biometrics

    • Tokens

  • Authentication for Passwords & Smart Cards


Anti-Malware

  • Windows Defender

  • Pop-Ups

  • Slow Performance

  • Spyware

  • Software Explorer

  • Windows Live OneCare (Spyware & Anti-Virus)

  • Real-Time Protection


Data Protection

  • Offline Attacks

  • BitLocker Drive Encryption

    • Trusted Platform Module (Secure Generation of Cryptographic Keys)

  • Encrypted File System


Benefits to Investigations

  • Control, Ownership & Intent

    • Varying levels of Users

    • New methods of Authentication

  • Scheduled Backup & Restore

    • Automatic Shadow Copy by Default

      • 15% of Volume Reserved


Challenges to Investigators

  • Encryption

    • BitLocker Drive Encryption

      • Hard Drive (AES – TPM)

    • Encrypted File System

    • Encrypted E-Mail

      • Windows Mail

  • Reduction in Metadata

  • Automatic Defragmentation


Event Logging

  • Time, SID, Source, Message

  • More than 50 Logs by Default

  • C:\Windows\System32\winevt\Logs\

  • Application.evtx

  • HardwareEvents.evtx

  • Internet Explorer.evtx

  • Security.evtx

  • Setup.evtx

  • System.evtx, and more


Changes in Evidence

  • System Time Event

    • Events are XML, but stored encoded as binary XML (BXML) rather than as plain text

    • Practical Test on Windows XP and Vista

    • Person wants to Change the System Time after the Crime

    • Possible in Both, but shown only in Vista
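The two slides above list the four fields an investigator pulls from each Vista event (time, SID, source, message) and use a system-time change as the worked case. The following Python is an added example, not part of the presentation: it takes one event record already rendered from BXML to XML (the form Event Viewer or a tool such as python-evtx produces), extracts those four fields, and, for the Security-log "system time was changed" event (Event ID 4616, which is the real Vista-and-later ID for this event), computes how far and in which direction the clock was moved. The sample record itself is constructed; the host name, SID, process and timestamps are made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace of the XML that Vista's binary-XML (BXML) event records render to.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a Security-log "system time was changed" record (Event ID 4616)
# as Event Viewer would render it. Host, SID, user and times are invented.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4616</EventID>
    <TimeCreated SystemTime="2008-03-11T14:05:27.120Z"/>
    <Channel>Security</Channel>
    <Computer>VISTA-WS01</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="PreviousTime">2008-03-11T14:05:27.120Z</Data>
    <Data Name="NewTime">2008-03-09T09:00:00.000Z</Data>
    <Data Name="ProcessName">C:\Windows\System32\rundll32.exe</Data>
  </EventData>
</Event>"""


def _parse_time(value):
    """Event timestamps are UTC ISO-8601 with a trailing Z, with or without fractions."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SystemTime: {value!r}")


def parse_event(xml_text):
    """Reduce a rendered event to the fields the slide lists: time, SID, source, message data."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    # The SID lives in <System><Security UserID=...> for most events; Security-auditing
    # events carry it in EventData as SubjectUserSid instead, so fall back to that.
    security = system.find("e:Security", NS)
    sid = security.get("UserID") if security is not None and security.get("UserID") else ""
    sid = sid or data.get("SubjectUserSid", "")
    return {
        "time": _parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "sid": sid,
        "source": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "channel": system.findtext("e:Channel", default="", namespaces=NS),
        "data": data,
    }


def time_change_seconds(event):
    """For Event ID 4616: NewTime minus PreviousTime in seconds (negative = clock set back).
    Returns None for any other event."""
    if event["event_id"] != 4616:
        return None
    prev = _parse_time(event["data"]["PreviousTime"])
    new = _parse_time(event["data"]["NewTime"])
    return (new - prev).total_seconds()


def describe(event):
    """One timeline line: when it was logged, by which source, for which SID, and what it means."""
    head = f"{event['time'].isoformat()} {event['source']} id={event['event_id']} sid={event['sid']}"
    delta = time_change_seconds(event)
    if delta is None:
        return head
    direction = "back" if delta < 0 else "forward"
    proc = event["data"].get("ProcessName", "?")
    return f"{head}: system clock moved {direction} by {abs(delta):.0f}s via {proc}"


if __name__ == "__main__":
    print(describe(parse_event(SAMPLE_EVENT)))
```

Because the logged TimeCreated is written in the old clock's frame while every later event is stamped in the new one, the signed delta is what lets an investigator re-align events recorded after the change against those before it.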





Disk Defragmentation

  • Works Same way in XP as in Vista

  • Simplified GUI, but More of a Concern to Investigators

  • Disk Defragmentation is Scheduled to Run Automatically

  • Implication with Regard to Recovery of Deleted Files
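To make the last bullet concrete, here is an added Python model (not from the presentation) of why a scheduled defragmentation pass hurts deleted-file recovery. Deleting a file only clears its clusters in the allocation bitmap; the bytes stay on the platter until something reuses them. A defragmenter then relocates fragmented live files into the first free run that fits, and those stale clusters are exactly where it writes. The volume layout, file names and contents are constructed for the illustration.

```python
CLUSTER = 4  # bytes per cluster in this toy volume


def _chunks(payload):
    """Split a payload into cluster-sized pieces, zero-padding the last one."""
    return [payload[i:i + CLUSTER].ljust(CLUSTER, b"\x00") for i in range(0, len(payload), CLUSTER)]


class Volume:
    def __init__(self, n_clusters):
        self.owner = [None] * n_clusters              # allocation view: which file owns each cluster
        self.data = [b"\x00" * CLUSTER] * n_clusters  # what physically sits in each cluster
        self.files = {}                               # live file table: name -> list of clusters

    def write(self, name, payload, clusters):
        chunks = _chunks(payload)
        if len(chunks) != len(clusters):
            raise ValueError("cluster list does not match payload size")
        for c, chunk in zip(clusters, chunks):
            if self.owner[c] is not None:
                raise ValueError(f"cluster {c} already allocated")
            self.owner[c] = name
            self.data[c] = chunk
        self.files[name] = list(clusters)

    def delete(self, name):
        # Deletion only releases the allocation; the bytes are left in place.
        for c in self.files.pop(name):
            self.owner[c] = None

    def carveable(self, payload):
        """How many clusters of `payload` a file carver could still find on the platter."""
        return sum(1 for chunk in _chunks(payload) if chunk in self.data)

    def _free_run(self, length):
        run = []
        for c, o in enumerate(self.owner):
            run = (run + [c]) if o is None else []
            if len(run) == length:
                return run
        return None

    def defragment(self):
        """Relocate every fragmented live file into the first free run that fits, as a
        scheduled defrag pass would; whatever was left in those free clusters is overwritten."""
        moved = []
        for name, clusters in list(self.files.items()):
            if clusters == list(range(clusters[0], clusters[0] + len(clusters))):
                continue  # already contiguous, nothing to do
            run = self._free_run(len(clusters))
            if run is None:
                continue  # no contiguous space large enough; leave it fragmented
            for src, dst in zip(clusters, run):
                self.data[dst] = self.data[src]  # live data lands on top of the stale contents
                self.owner[dst] = name
                self.owner[src] = None           # old location is freed (its bytes stay behind)
            self.files[name] = run
            moved.append(name)
        return moved


def demo():
    """Constructed scenario: a deleted note sits in clusters 0-2, a live fragmented
    document elsewhere; returns carveable clusters of the note before and after defrag."""
    vol = Volume(16)
    secret = b"SECRET NOTES"                            # 12 bytes -> 3 clusters
    vol.write("notes.txt", secret, [0, 1, 2])
    vol.write("report.doc", b"Q1 report 08", [4, 7, 10])  # fragmented live file
    vol.delete("notes.txt")
    before = vol.carveable(secret)   # all 3 clusters still recoverable
    moved = vol.defragment()         # report.doc is consolidated into clusters 0-2
    after = vol.carveable(secret)    # the relocated file overwrote every one of them
    return before, after, moved, vol.files["report.doc"]


if __name__ == "__main__":
    print(demo())
```

The same mechanism explains why investigators image a drive before it is booted: on Vista the defragmenter runs on a schedule, so a live system may destroy recoverable data simply by being left on.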




Last Access Dates

  • In Windows XP, these are no Longer Updated

  • In Windows Vista, this Feature is Enabled by Default

  • This Default Setting Obviously has a Severe Impact on Investigators who rely on Date Stamps as Part of their Analysis


Windows Firewall

  • Filter Incoming and Outgoing Network Connections

  • From a Forensic Perspective - Logging Mechanism

  • The Log is Disabled by Default

  • C:\windows\system32\LogFiles\Firewall\pfirewall.log
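Once the log is switched on, pfirewall.log is a plain-text, W3C-style file whose `#Fields:` header names the columns. The Python below is an added example, not part of the presentation: it parses the log by reading that header rather than hard-coding column positions, then summarises dropped inbound connections per destination port and flags source addresses that hit the host repeatedly. The header lines are the format the Vista firewall writes; the addresses, ports and times in the sample are constructed.

```python
from collections import Counter

# Constructed sample of a pfirewall.log after logging of dropped and allowed
# connections has been enabled. Addresses use private/TEST-NET ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2008-03-11 14:06:01 DROP TCP 10.0.0.23 10.0.0.5 49152 445 52 S 123456789 0 8192 - - - RECEIVE
2008-03-11 14:06:03 DROP TCP 10.0.0.23 10.0.0.5 49153 445 52 S 123456790 0 8192 - - - RECEIVE
2008-03-11 14:06:09 DROP TCP 10.0.0.23 10.0.0.5 49154 3389 52 S 123456791 0 8192 - - - RECEIVE
2008-03-11 14:07:15 ALLOW TCP 10.0.0.5 192.0.2.10 49160 80 - - - - - - - - SEND
2008-03-11 14:07:20 DROP ICMP 10.0.0.23 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_pfirewall(text):
    """Return one dict per data line, keyed by the column names from the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Version, #Software, #Time Format) carry no data
        if fields is None:
            raise ValueError("data line encountered before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def dropped_inbound_by_port(records):
    """Count DROP/RECEIVE entries per destination port ('-' for protocols without ports)."""
    return dict(Counter(
        r["dst-port"] for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"
    ))


def noisy_sources(records, threshold=3):
    """Source addresses with at least `threshold` dropped inbound entries."""
    counts = Counter(
        r["src-ip"] for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"
    )
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_pfirewall(SAMPLE_LOG)
    print(dropped_inbound_by_port(recs))
    print(noisy_sources(recs))
```

Because the log is off by default, there is nothing to parse unless it was enabled before the incident, from the Windows Firewall with Advanced Security console or with `netsh advfirewall set allprofiles logging droppedconnections enable`; note also that the `#Time Format: Local` directive means the timestamps must be converted with the machine's time zone before they are lined up against UTC event-log times.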


Windows Search Engine

  • Windows Vista - New Search Engine and Indexing Feature

  • Users can Now Save their Searches and Review the Results

    • C:\Users\XXXX\Searches

    • The Indexing Service - Quickly Locate Files

    • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles

    • Vista maintains Several Index Files


Shadow Volume Copy

  • Acts as a Block Device

  • A layer Between the Device & File System

  • Application Writes Data to Disk

  • Upon Write, Overwritten Block Moves to Shadow Copy

  • Shadow Copy Holds only Blocks that Changed
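The copy-on-write behaviour in the bullets above, together with the earlier "15% of volume reserved" figure, is modelled in this added Python example (it is not code from the presentation or from Windows). A snapshot starts empty; the first write to a block after a snapshot copies the block's old contents into the diff area before the write lands, so a snapshot holds only blocks that changed. Reading a block "as of" a snapshot checks that snapshot's diff, then any later snapshot's, and finally the live volume. When the reserved diff area fills, the oldest shadow copy is discarded, which is the behaviour the real service shows when its storage area is exhausted. Block counts, contents and the 15% budget are constructed to keep the run small.

```python
class ShadowCopyDevice:
    """Toy copy-on-write layer between the file system and the raw block device."""

    def __init__(self, n_blocks, block_size=4, reserve_fraction=0.15):
        self.block_size = block_size
        self.blocks = [b"\x00" * block_size] * n_blocks            # live volume contents
        self.capacity = max(1, int(n_blocks * reserve_fraction))  # diff-area budget in blocks
        self.snapshots = {}   # snapshot id -> {block number: contents before first overwrite}
        self._next_id = 0

    def snapshot(self):
        sid = self._next_id
        self._next_id += 1
        self.snapshots[sid] = {}   # nothing is copied at snapshot time
        return sid

    def diff_area_used(self):
        return sum(len(d) for d in self.snapshots.values())

    def write(self, blk, data):
        if len(data) != self.block_size:
            raise ValueError("data must be exactly one block")
        if self.snapshots and blk not in self.snapshots[max(self.snapshots)]:
            # Diff area full: drop the oldest shadow copy to make room.
            while self.snapshots and self.diff_area_used() >= self.capacity:
                del self.snapshots[min(self.snapshots)]
            if self.snapshots:
                # Preserve the pre-write contents once, in the newest snapshot only.
                self.snapshots[max(self.snapshots)][blk] = self.blocks[blk]
        self.blocks[blk] = data

    def read_snapshot(self, sid, blk):
        """Contents of `blk` as of snapshot `sid`, or None if that copy was discarded."""
        if sid not in self.snapshots:
            return None
        for later in sorted(s for s in self.snapshots if s >= sid):
            if blk in self.snapshots[later]:
                return self.snapshots[later][blk]
        return self.blocks[blk]   # unchanged since the snapshot: the live block is authoritative


def demo():
    """Constructed scenario: edit and wipe parts of a file across two snapshots, then
    overflow the reserved diff area."""
    dev = ShadowCopyDevice(n_blocks=20)   # 15% reserve -> 3 blocks of diff area
    for i, blk in enumerate([b"doc0", b"doc1", b"doc2", b"doc3"]):
        dev.write(i, blk)                 # file written before any snapshot exists
    snap0 = dev.snapshot()
    dev.write(1, b"DOC1")                 # user edits one block
    dev.write(2, b"\x00" * 4)             # and wipes another
    snap1 = dev.snapshot()
    dev.write(0, b"DOC0")
    results = {
        "snap0_block0": dev.read_snapshot(snap0, 0),   # served from snap1's diff
        "snap0_block2": dev.read_snapshot(snap0, 2),   # the wiped block, recovered
        "snap1_block1": dev.read_snapshot(snap1, 1),   # edit predates snap1: live copy
        "diff_sizes": (len(dev.snapshots[snap0]), len(dev.snapshots[snap1])),
    }
    dev.write(3, b"DOC3")   # a fourth preserved block exceeds the reserve
    results["snap0_after_eviction"] = dev.read_snapshot(snap0, 2)
    results["snap1_block3"] = dev.read_snapshot(snap1, 3)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two consequences for an examiner fall out of the model: a wiped or overwritten block is recoverable only if a shadow copy existed before the write, and heavy write activity after the event of interest can push the relevant shadow copy out of the reserved area entirely.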



Conclusion

  • Problem of Control, Ownership & Intent

  • Challenges with BitLocker Encryption & TPM

  • Restoration & Shadow Copy are Helpful