Microsoft Vista Forensics - PowerPoint PPT Presentation

About This Presentation
Title:

Microsoft Vista Forensics

Description:

Microsoft Vista is the successor to the most popular OS of all time, Windows XP ... Arstechnica. TechRepublic. US Patent Office. Microsoft. Abanet ... – PowerPoint PPT presentation

Slides: 25
Provided by: mpi8
Learn more at: https://www.nysscpa.org
Transcript and Presenter's Notes

1
Microsoft Vista Forensics
  • Mike Pinch, CISA, CISM, PMP
  • October 2007

2
Agenda
  • Computer Forensics Overview
  • Why Vista?
  • Evidence Acquisition Techniques
  • Hard Drive Analysis Pros and Cons
  • Live Analysis Pros and Cons
  • Different Versions of Vista
  • Key Vista Technologies
  • BitLocker Encryption
  • Encrypting File System
  • Shadow Copy
  • Transactional NTFS
  • Vista Instant Search
  • Microsoft Advertising Approach
  • Forensic Tools
  • EnCase Toolkit
  • Demonstration
  • Closing Thoughts
  • Questions

3
Computer Forensics Overview
  • The preservation, identification, extraction,
    documentation, and interpretation of computer
    media for evidentiary and/or root cause analysis
  • Computer crime is slowly being realized as a huge
    industry
  • Forensic analyses can be performed on both
    compromised machines and (suspected) attacking
    machines

4
Why Vista?
  • Microsoft Vista is the successor to the most
    popular OS of all time, Windows XP
  • Forensic techniques rarely change, but each
    successive OS will provide new places and
    techniques to hide (and recover) data
  • Vista is no different: it provides some HUGE
    opportunities

5
Evidence Acquisition Techniques
  • Two methods
    • Live Analysis
      Often used to collect data that is not likely to
      be used in court, or for less critical intrusions
    • Pull the Plug
      Freezes the computer in its current state and
      gives greater confidence in data preservation

6
Hard Drive Analysis
  • Literally means pulling the plug.
  • This method preserves the current state of the
    hard drive, retaining disk integrity.
  • Unable to recover volatile data.
  • Using the shutdown process will modify files, and
    possibly set off traps set by the intruder to
    destroy data.
  • This is the preferred method of analysis.

7
Live Analysis
  • Allows for collection of data from volatile
    locations such as RAM and cache.
  • Often will provide extremely useful data.
  • Dangerous because of time bombs that can be left
    by intruders.
  • Requires installation of software to capture
    data, possibly erasing critical data and spoiling
    the preservation of the system.

8
Different Versions of Vista
  • Six in total
    • Home Basic
    • Home Premium
    • Business
    • Ultimate
    • Enterprise
    • Starter

9
Vista Technologies (Forensically Interesting)
  • Bitlocker
  • EFS
  • Backup and Restore
  • Shadow Copy
  • Instant Search

10
BitLocker
  • The big name feature at the time of rollout,
    although it is only available on premium and
    enterprise editions.
  • Provides a means of encrypting all data on the
    hard drive, using the AES algorithm. You must
    enable this feature manually.
  • Used through a Trusted Platform Module (TPM)
    chip, included on many new computers, that
    provides encrypt/decrypt and integrity checking
    capabilities in pre-boot.
  • Machines without a TPM let users lock data with a
    key, such as a fingerprint, USB drive, or
    password.
  • Will allow different combinations of the above
    validation procedures for 1 or 2 factor
    authentication.

11
BitLocker Management
  • If the system is part of an Active Directory
    environment, administrators can configure group
    policies to silently escrow keys into Active
    Directory.
  • The technology is old news; it has been around for
    many years.
  • While a drive encrypted by BitLocker will likely
    prevent a forensic analysis, its impact is
    expected to be negligible, due to the low volume
    of installations with the option, and the ability
    for enterprise editions to be managed by system
    administrators.
  • Enterprises will need to develop policies around
    BitLocker use: it needs to be either required or
    prevented.
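An added example, not part of the deck, of how an administrator can enforce the "required or prevented" policy decision and perform the recovery-key escrow to Active Directory that the slide describes. It assumes a current, domain-joined Windows host with the BitLocker PowerShell module and an elevated prompt; `$Policy` is an assumed parameter, and AD escrow assumes the domain already has the BitLocker recovery schema and the GPO permitting backup.

```powershell
# Added example (not from the deck): audit each BitLocker volume against a
# chosen enterprise policy and escrow recovery passwords to Active Directory.
# Assumes Get-BitLockerVolume / Backup-BitLockerKeyProtector are available
# and that the script runs elevated on a domain-joined host.
param([ValidateSet('Required','Prevented')][string]$Policy = 'Required')  # assumed setting

$findings = foreach ($vol in Get-BitLockerVolume) {
    $recovery  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $tpm       = $vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*'
    $encrypted = $vol.VolumeStatus -ne 'FullyDecrypted'

    # Required: every volume encrypted, protection on, and a recovery password
    # present so that something can be escrowed. Prevented: nothing encrypted.
    $compliant = switch ($Policy) {
        'Required'  { $encrypted -and $vol.ProtectionStatus -eq 'On' -and [bool]$recovery }
        'Prevented' { -not $encrypted }
    }

    # Escrow: the same write to the computer object in AD that the
    # "silent escrow" group policy performs, done explicitly here.
    if ($Policy -eq 'Required' -and $recovery) {
        foreach ($kp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        Protection       = $vol.ProtectionStatus
        Method           = $vol.EncryptionMethod
        TpmProtector     = [bool]$tpm
        RecoveryPassword = [bool]$recovery
        Compliant        = [bool]$compliant
    }
}

$findings | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or configuration baseline flag the host.
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run with `-Policy Prevented` on hosts where encryption is forbidden; the script then reports any encrypted volume as non-compliant and performs no escrow.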

12
EFS
  • Similar to BitLocker, but provides encryption on
    specific folders, not the entire drive.
  • Technology has been available on previous
    versions of Windows, back to NT.
  • Vista version adds ability to utilize external
    memory cards to maintain keys.
  • Keys can be maintained centrally through
    Administrators

13
Cracking EFS
  • Attackers with access to the Windows directory
    can attempt dictionary attacks to find the user's
    password with lightning speed, and the vast
    majority of passwords will fall within a day.
  • The page file contains clear text data, which can
    be exploited.
  • The encryption process creates temporary copies
    of files that are deleted after the encryption
    process, but they can be recovered after the fact
    by disk analysis tools.

14
Shadow Copy
  • Automatically saves previous versions of files
    you work with.
  • Uses incremental backups, which allow many copies
    of old files to be stored on your machine.
  • Feature is enabled by default.
  • Allows an investigator to create accurate
    timelines and view old versions of documents.
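An added example, not from the deck, of the timeline the slide refers to: it walks every Volume Shadow Copy on a live Windows system, hashes one file as it existed in each snapshot, and appends the current copy, so a change in hash between two rows brackets when the content was altered and a missing row shows when the file first appeared. `$Target` and `$LinkRoot` are assumed values; it must run from an elevated prompt, and the symlink step assumes paths without spaces.

```powershell
# Added example (not from the deck): previous-version timeline for one file,
# built from Win32_ShadowCopy on a live system. Run elevated.
param(
    [string]$Target   = 'C:\Users\Public\Documents\report.docx',  # assumed file under review
    [string]$LinkRoot = 'C:\vss_links'                             # assumed scratch dir, no spaces
)

$drive    = [System.IO.Path]::GetPathRoot($Target)            # e.g. C:\
$relPath  = $Target.Substring($drive.Length)                  # path inside the volume
$volumeId = (Get-CimInstance Win32_Volume `
    -Filter "DriveLetter='$($drive.TrimEnd('\'))'").DeviceID  # \\?\Volume{GUID}\
New-Item -ItemType Directory -Path $LinkRoot -Force | Out-Null

# Each snapshot's VolumeName matches Win32_Volume.DeviceID; DeviceObject is the
# raw snapshot device, which is only reachable through a directory symlink.
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $volumeId | Sort-Object InstallDate

function Get-Row([datetime]$When, [string]$Path) {
    $present = Test-Path -LiteralPath $Path
    [pscustomobject]@{
        Snapshot = $When
        Present  = $present
        Modified = if ($present) { (Get-Item -LiteralPath $Path).LastWriteTime }
        Size     = if ($present) { (Get-Item -LiteralPath $Path).Length }
        SHA256   = if ($present) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash }
    }
}

$timeline = @(foreach ($sc in $shadows) {
    $link = Join-Path $LinkRoot ($sc.ID -replace '[{}]', '')
    # mklink needs the trailing backslash on the GLOBALROOT device path.
    cmd /c mklink /d $link "$($sc.DeviceObject)\" | Out-Null
    try {
        Get-Row -When $sc.InstallDate -Path (Join-Path $link $relPath)
    } finally {
        cmd /c rmdir $link | Out-Null   # removes only the link, never the snapshot
    }
})

# The live copy is the last row, so the table reads oldest to newest.
$timeline += Get-Row -When (Get-Date) -Path $Target
$timeline | Format-Table -AutoSize
```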

15
Transactional NTFS
  • Transactional NT File System
  • This is the format used to store data on the hard
    drive by Microsoft Vista.
  • Provides atomicity in writing files. When a file
    is updated or modified and then saved, rather
    than rewriting the changes to the file, it writes
    a new copy of the file. This provides data
    integrity in the case of error or crash while the
    file is being written.
  • Considers its operations as transactions,
    allowing critical changes to be grouped into a
    transaction. This transaction is only
    completed when all operations have been completed
    successfully. This prevents system crashes and
    errors from damaging files.
  • Overall, T-NTFS provides for greater data
    integrity, but also leaves a huge trail of old
    data for the forensic investigator to examine.

16
Instant Search
  • In order to facilitate its highly vaunted
    Instant Search capability, Microsoft has
    implemented what can be thought of as the Gold
    Mine for forensic investigators.
  • Vista utilizes your unused drive space and
    indexes the applications you use, the files you
    use, the websites you visit, and so on.
  • This option is automatically turned on.

17
Advertising
  • Microsoft recently filed for a patent that
    outlines their approach for targeted
    advertising based on hard drive content.
  • This, combined with Instant Search data indexing,
    is setting the stage for the most targeted
    advertising the computer industry has ever seen.
  • Microsoft patent language
  • An advertising framework may reside on a user
    computer, whether it's a part of the OS, an
    application or integrated within applications.
    Applications, tools, or utilities may use an
    application program interface to report context
    data tags such as key words or other information
    that may be used to target advertisements. The
    advertising framework may host several components
    for receiving and processing the context data,
    refining the data, requesting advertisements from
    an advertising supplier, for receiving and
    forwarding advertisements to a display client for
    presentation, and for providing data back to the
    advertising supplier. Various display clients may
    also use an application program interface for
    receiving advertisements from the advertising
    framework. An application, such as a word
    processor or email client, may serve as both a
    source of context data and as a display client.
    Stipulations may be made by the application
    hosting the display client with respect to the
    nature of acceptable advertising, restrictions on
    use of alternate display clients, as well as,
    specifying supported media.

18
Windows Forensics Tools
  • Prodiscover
  • Livewire
  • EnCase
  • Helix
  • Mandiant
  • Spader
  • - Free Software
  • - For law enforcement only

19
EnCase Toolkit
  • A toolset available to complete forensics
    analyses on Microsoft systems.
  • Has its own programming language to develop
    custom tests.
  • Will allow for recovery of just about any piece
    of data from a Windows system

20
Conducting an Analysis
  • Considerable subjective judgment is required
    before developing your test approach.
  • Different scenarios include
    • Looking for deleted files
    • Examining a compromised machine
    • Examining a suspected attacker
    • Searching for activity history

21
Demonstration

22
Closing Thoughts
  • In an effort to provide ever better convenience,
    more and more of your activity is being recorded.
    This is a big plus for forensics technicians.
  • Detailed security policies should be developed in
    an enterprise environment to centrally manage the
    use of the discussed features. Business users
    should not have the option to opt in/out of these
    features.
  • Vista's tools move the forensic investigation
    forward, allowing much more work to be done within
    the OS itself, rather than on the drive volume
    alone.

23
  • Questions / Comments / Discussion

24
Credits
  • Kruse, Heiser. Computer Forensics: Incident
    Response Essentials. Addison-Wesley, 2003
  • TechRepublic
  • Arstechnica
  • US Patent Office
  • Microsoft
  • Abanet