While the fundamental principles of computer forensics remain largely unchallenged, the landscape upon which investigators operate is constantly changing. A combination of new technologies and changing habits of use means that forensic examiners must always strive to keep up to date with the latest developments. One of the most anticipated new product releases this year is the Microsoft operating system Windows Vista. Vista was under development for a long time with Microsoft promising a raft of new features together with major improvements to security.
Regardless of how quickly Vista is adopted by existing businesses and consumers - and there are good reasons to suppose that its uptake will be somewhat slower than Microsoft's early estimates - it seems almost certain that this new OS will continue the trend of Microsoft's dominance in the operating system market and wise computer forensics professionals will want to start thinking about the implications now. It should also be borne in mind that Vista will not only become a platform for investigation but also, at some stage, the operating system used by many investigators themselves for acquiring, analyzing and reporting.
At the time of writing, Vista is a very new product for almost all businesses and consumers and its features lie waiting to be fully discovered. In fact, the impact of Vista will not be determined solely through its technological offerings but also by the way in which it shapes users' patterns of behaviour.
This article, the first in a two-part series, takes a high level look at what we know now about those changes in Vista which seem likely to have the most impact on computer forensic investigations, starting with the built-in encryption, backup, and system protection features. Next time, part two will continue the discussion with a concentration on typical user activities such as web browser and e-mail usage.
Before looking at the encryption and backup changes in Vista, let's take a quick look at the various flavours of Vista which are available...
Comparing Vista editions
Accurate identification of the specific version of an operating system is always important during an investigation. With Vista it is more crucial than ever because features with important implications for examiners vary from edition to edition, most notably perhaps the inclusion of backup and encryption facilities.
There are six main editions of Vista, with a small number of variations in certain locations due to anti-trust rulings. Four editions are most likely to be found in the home or small to medium-sized business environment: Home Basic, Home Premium, Business and Ultimate. The Enterprise edition is aimed at large organizations and the Starter edition is intended exclusively for emerging markets.
Forensic professionals should note the following:
- "BitLocker Drive Encryption" is available in the Enterprise and Ultimate editions.
- "Encrypting File System (EFS)", "Shadow Copy" and "Complete PC Backup and Restore" are available in the Business, Enterprise and Ultimate editions.
- "Scheduled and Network Backup" is available in the Home Premium, Business, Enterprise and Ultimate editions.
Let's take a look at what these features involve and what implications they may have for investigators.
"BitLocker drive encryption"
Initially there were some concerns within the computer forensics community that the proposed encryption features of Vista, especially BitLocker, would result in a huge increase in the amount of encrypted data confronting examiners. However, it is now clear that these features are limited to the higher-end editions of Vista only and are not enabled by default. Nevertheless, BitLocker continues to inspire debate (see the recent news article at The Register and the related discussion at Slashdot).
What exactly is BitLocker, though? In a nutshell, BitLocker provides AES encryption of all data on a Windows Vista volume (note the term "volume" rather than "disk", despite the name) combined with integrity checking of the boot process used to load the OS. The primary purpose of these features is to protect data even if an attacker manages to circumvent the operating system or remove the hardware storage device. It should be noted that volume encryption is not new; other packages offering similar features are on the market and have been for some time. However, something which sets BitLocker apart from other encryption packages is its use of the Trusted Platform Module (TPM) version 1.2. Further details of Trusted Platform Modules can be found in the FAQ provided by the Trusted Computing Group. Very briefly, a TPM can be summarized as a microcontroller which securely stores data used in cryptographic or security processes (e.g. keys, digital certificates and passwords) with the aim of increasing the security of certain applications and features.
When using a TPM chip to provide added security, BitLocker can be configured either to boot the system on completion of a successful integrity check of the boot files or (in theory at least) to require the entry of a PIN or the insertion of a USB device containing a startup key. BitLocker can also operate without TPM support through the use of a key located on a USB device inserted at system startup. Whatever the case, examiners need to be aware of the implications for what may need to be searched for and collected when a BitLocker system is seized (such as the motherboard, USB drive, recovery key/password, and so on).
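The two paragraphs above describe the TPM's role in BitLocker: the volume key is released only after a successful integrity check of the boot files, while a USB startup key or recovery password unlocks the volume without any dependence on the platform. The following Python model is added here as an illustration; it is not Microsoft's code and does not reproduce BitLocker's real key format. It assumes a TPM 1.2-style PCR extend (a SHA-1 hash chain over the measured boot components) and replaces AES key wrapping with a SHA-256 derived key, XOR and an HMAC tag so that it runs with the standard library alone; the boot component names, TPM secret, startup key and recovery password are all constructed values.

```python
"""
Model of BitLocker-style key protection with a TPM (added illustration,
not Microsoft's code or the real BitLocker on-disk format).

One volume master key (VMK) is wrapped independently under several
"protectors".  The TPM protector releases it only when the boot
measurements (PCR values) match those recorded when the key was sealed;
the recovery-password and USB startup-key protectors do not depend on
platform state.  AES wrapping is replaced here by a SHA-256 derived key,
XOR and an HMAC tag so the script runs with the standard library only.
"""
import hashlib
import hmac


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 style extend: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Chain every boot component through one PCR, starting from the reset value."""
    pcr = bytes(20)                      # 20 zero bytes: PCR reset state
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _wrap_key(secret: bytes, context: bytes) -> bytes:
    """Derive a 32-byte wrapping key bound to a secret and a context (e.g. a PCR value)."""
    return hashlib.sha256(b"vmk-wrap" + secret + context).digest()


def seal(vmk: bytes, secret: bytes, context: bytes):
    """Wrap the VMK so it can only be recovered with the same secret and context."""
    key = _wrap_key(secret, context)
    wrapped = bytes(a ^ b for a, b in zip(vmk, key))
    tag = hmac.new(key, wrapped, hashlib.sha256).digest()
    return wrapped, tag


def unseal(blob, secret: bytes, context: bytes):
    """Return the VMK, or None when the secret or platform state does not match."""
    wrapped, tag = blob
    key = _wrap_key(secret, context)
    if not hmac.compare_digest(tag, hmac.new(key, wrapped, hashlib.sha256).digest()):
        return None                      # key is not released
    return bytes(a ^ b for a, b in zip(wrapped, key))


class ProtectedVolume:
    """A volume whose VMK is guarded by a TPM protector plus optional fallbacks."""

    def __init__(self, vmk, tpm_secret, boot_components, recovery_password, startup_key=None):
        # The TPM secret never leaves the chip; here it stands in for the storage root key.
        self.tpm_protector = seal(vmk, tpm_secret, measure_boot(boot_components))
        self.recovery_protector = seal(vmk, recovery_password.encode(), b"recovery")
        self.usb_protector = seal(vmk, startup_key, b"usb") if startup_key else None

    def unlock_with_tpm(self, tpm_secret, boot_components):
        return unseal(self.tpm_protector, tpm_secret, measure_boot(boot_components))

    def unlock_with_recovery_password(self, password):
        return unseal(self.recovery_protector, password.encode(), b"recovery")

    def unlock_with_startup_key(self, startup_key):
        if self.usb_protector is None:
            return None
        return unseal(self.usb_protector, startup_key, b"usb")


def demo():
    """Constructed scenario: the outcome an examiner would see for each protector."""
    vmk = hashlib.sha256(b"constructed volume master key").digest()
    tpm_secret = hashlib.sha256(b"constructed TPM secret, unique to this motherboard").digest()
    boot_chain = [b"BIOS image v1", b"MBR", b"bootmgr build 6000"]
    tampered_chain = [b"BIOS image v1", b"MBR", b"bootmgr (modified)"]
    other_tpm = hashlib.sha256(b"a different motherboard's TPM secret").digest()
    startup_key = hashlib.sha256(b"constructed startup key stored on USB").digest()
    recovery_password = "111111-222222-333333-444444-555555-666666-777777-888888"

    vol = ProtectedVolume(vmk, tpm_secret, boot_chain, recovery_password, startup_key)
    return {
        "vmk": vmk,
        "tpm_clean_boot": vol.unlock_with_tpm(tpm_secret, boot_chain),
        "tpm_tampered_boot": vol.unlock_with_tpm(tpm_secret, tampered_chain),
        "tpm_other_motherboard": vol.unlock_with_tpm(other_tpm, boot_chain),
        "recovery_password": vol.unlock_with_recovery_password(recovery_password),
        "wrong_recovery_password": vol.unlock_with_recovery_password("000000-" * 7 + "000000"),
        "usb_startup_key": vol.unlock_with_startup_key(startup_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        if name != "vmk":
            print(f"{name:26s} {'VMK released' if result else 'key not released'}")
```

With the original boot chain and the original TPM secret the TPM protector releases the VMK; change one measured component (a modified boot manager) or move the disk to another motherboard with its own TPM secret and the same protector yields nothing, while the recovery password and the USB startup key still work. That is the practical reason the motherboard, any USB startup key and any record of the recovery password need to be collected alongside the disk itself.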