This article was first published in 2007 at http://www.securityfocus.com/infocus/1889 and is reprinted with permission
by Jamie Morris
Forensic Focus (www.forensicfocus.com)
While the fundamental principles of computer forensics remain largely unchallenged, the landscape upon which investigators operate is constantly changing. A combination of new technologies and changing habits of use means that forensic examiners must always strive to keep up to date with the latest developments. One of the most anticipated new product releases this year is the Microsoft operating system Windows Vista. Vista was under development for a long time with Microsoft promising a raft of new features together with major improvements to security. Regardless of how quickly Vista is adopted by existing businesses and consumers – and there are good reasons to suppose that its uptake will be somewhat slower than Microsoft’s early estimates – it seems almost certain that this new OS will continue the trend of Microsoft’s dominance in the operating system market and wise computer forensics professionals will want to start thinking about the implications now. It should also be borne in mind that Vista will not only become a platform for investigation but also, at some stage, the operating system used by many investigators themselves for acquiring, analyzing and reporting.
At the time of writing, Vista is a very new product for almost all businesses and consumers and its features lie waiting to be fully discovered. In fact, the impact of Vista will not be determined solely through its technological offerings but also by the way in which it shapes users’ patterns of behaviour. This article, the first in a two-part series, will take a look at what we know now about those changes in Vista which seem likely to have the most impact on computer forensic investigations, starting with the built-in encryption and backup features. Before doing so, though, let’s take a quick look at the various flavours of Vista which are available…
Accurate identification of the specific version of an operating system is always important during an investigation. With Vista it is more crucial than ever because different features with important implications for examiners are available on a per edition basis, most notably perhaps the inclusion of backup and encryption facilities.
There are six main editions of Vista [ref 1], with a small number of variations in certain locations due to anti-trust rulings. Four editions are most likely to be found in the home or small to medium sized business environment and they are Home Basic, Home Premium, Business and Ultimate while the Enterprise edition is aimed at large organisations and Starter edition is intended exclusively for emerging markets.
Forensic professionals should note the following:
– “BitLocker Drive Encryption” is available in the Enterprise and Ultimate editions.
– “Encrypting File System (EFS)”, “Shadow Copy” and “Complete PC Backup and Restore” are available in the Business, Enterprise and Ultimate editions.
– “Scheduled and Network Backup” is available in the Home Premium, Business, Enterprise and Ultimate editions
Let’s take a look at what these features involve and what implications they may have for investigators.
“BitLocker Drive Encryption”
Initially there were some concerns within the computer forensics community that the proposed encryption features of Vista, especially BitLocker, would result in a huge increase in the amount of encrypted data confronting examiners. However, it is now clear that these features will be limited to the higher end editions of Vista only and are not implemented by default. Nevertheless, BitLocker continues to inspire debate (see the recent article at The Register [ref 2] and related discussion at Slashdot [ref 3]).
What exactly is BitLocker, though? In a nutshell, BitLocker provides AES encryption of all data on a Windows Vista volume (note: “volume” rather than “disk”, despite the name) combined with integrity checking of the boot process used to load the OS, the primary purpose of these features being to protect data even if an attacker manages to circumvent the operating system or remove the hardware storage device. It should be noted that volume encryption is not new, other packages offering similar features are on the market and have been for some time. However, something which sets BitLocker apart from other encryption packages is its use of the Trusted Platform Module TPM 1.2 . Further details of Trusted Platform Modules can be found in the FAQ provided by the Trusted Computing Group [ref 4] but a TPM can be summarised very briefly as a microcontroller which securely stores data used in cryptographic or security processes (e.g. keys, digital certificates and passwords) with the aim of increasing the security of certain applications and features. When using a TPM chip to provide added security BitLocker can be configured to either boot the system on completion of a successful integrity check of the boot files or (in theory at least) to require the entry of a PIN or USB device containing a startup key. BitLocker can also operate without TPM support through the use of a key located on a USB device inserted at system startup. Whatever the case, examiners need to be aware of the implications for what may need to be searched for and collected when a BitLocker system is seized (e.g. motherboard, USB drive, recovery key/password etc.).
So, what does BitLocker mean for forensic examiners? In a recent, and highly recommended, Cyberspeak podcast [ref 5] Jesse Kornblum talks in some detail about the impact of BitLocker and the growth in importance of memory analysis for first responders. In the discussion with the show’s hosts which follows, the suggestion is made that now may be the time when memory capture (and subsequent analysis) becomes the accepted norm for forensic examiners when first approaching a suspect machine rather than the more traditional option of “pulling the plug.” Undoubtedly, BitLocker presents a challenge – after all, one of Microsoft’s goals with BitLocker is to protect data even when the storage device has been removed from the user’s physical control, a scenario not entirely dissimilar to lawful seizure! However, as BitLocker is only available in two editions of Vista and needs to be purposefully enabled on an appropriately formatted drive – not to mention the hardware requirements for TPM – its seems unlikely that its use will be widespread initially. We should also remember that even where BitLocker is in use, the specific circumstances of the investigation such as the ability to seize appropriate hardware or gain access to the volume by initiating a recovery procedure mean that evidence may still be recovered in a straightforward fashion. Yes, the stakes have changed and the bar has been raised, but while BitLocker certainly represents a step towards more powerful and ubiquitous encryption it seems unlikely that its inclusion represents the watershed moment that some had feared.
“Encrypting File System (EFS)”
EFS is a feature available in the Business, Enterprise, and Ultimate editions of Windows Vista and provides file and folder level encryption on NTFS volumes (using the AES algorithm). In comparison with the hardware and setup requirements of BitLocker, EFS simply requires a checkbox to be ticked in the file or folder’s properties to be enabled, although in larger environments it may be that the encryption is more likely set through Group Policies or scripting rather than by individual users. EFS is not new, it can also be found in 2000, XP and Server 2003, and as such would not appear to provide forensic examiners with a radically new challenge (one new feature to note in Vista’s implementaion of EFS, however, is that encryption certificates can now be stored on smart cards). As with BitLocker, or indeed any other form of encryption, live response and the use of standard recovery procedures – especially at the enterprise level – are likely to be key components of any plan to analyze encrypted data.
“Backup and Restore”
In contrast to encryption, some new features can actually work to the forensic examiner’s advantage. One example is the increased prevalence of backup and restore functionality within Vista. “The Backup and Restore Center” [ref 6] is a GUI-based wizard available in the Home Premium, Business, Ultimate, and Enterprise editions of Vista which enables users to schedule automatic backups of selected files (as well as providing a method for recovery). Generally speaking, users (especially home and small office users) are incredibly poor at backing up their data and where they do take the necessary steps to do so they are inconsistent at best, often backing up once and then forgetting to do so again for months at a time. The automatic scheduling component of “The Backup and Restore Center” should increase the chances of recent backups being available for examiners. Backups can be created on external media as well so investigators should, as always, take into account the presence of DVDs, CDs, external hard drives etc. when securing a scene. Another feature called “Complete PC Backup and Restore” [ref 7] is available in the Business, Ultimate, and Enterprise editions only and functions as a disaster recovery tool. Crucial differences between this feature and the “The Backup and Restore Center” include the fact that operating system and program files, together with data related to a user’s own operating environment, are also included in the backup. Overall, although backup and restore options have been available in some form within previous Microsoft products, their goal with Vista has been to make the functionality more visible and intuitive. If by doing so they are able to increase the amount of historical information available for examination then investigators are likely to benefit as a result.
“Scheduled and Network Backup”
Available in the Home Premium, Business, Ultimate and Enterprise editions of Vista, “Scheduled and Network Backup” is a feature which does exactly what you might expect and allows backups to be made at regular, pre-defined intervals. Handy for the user…even handier for the investigator examining the user’s data and past activity.
“Shadow Copy, System Protection and Previous Versions”
Shadow Copy functionality automatically creates daily copies of files and folders with a view to maintaining system integrity (Shadow Copies can also be created manually by setting a “restore point”) [ref 8]. Previously seen in Windows Server 2003 this functionality is now available in the Business, Enterprise, and Ultimate editions of Vista. Of note for forensic practitioners is that, unlike other recovery features such as “Backup and Restore”, the automatic creation of shadow copies is enabled by default (although it needs to be explicitly enabled for external volumes) and shadow copies are held locally – the default setting reserves 15% of a volume’s disk space for shadow copies. It should also be noted that the system works by saving only incremental changes rather than full copies of files or folder. Shadow copy functionality is administered via the System Protection tab (Control Panel -> System Properties) and can be utilized by right clicking a file or folder within Windows Explorer and selecting “Restore previous versions”. Similar types of “snapshot” functionality have existed in previous Windows operating systems to some degree but Vista’s implementation represents a greater push by Microsoft towards encouraging its use by the end user rather than just applications or system administrators.[By the way, if you’re starting to think that the combination of all these new features with the variety of Vista versions upon which they run is somewhat confusing then take heart…so does Microsoft (judging by the number of inconsistencies in some of their online material!)]
The File System
Detailed, comprehensive information from Microsoft about all the changes implemented in Vista’s file system is fairly hard to come by, with perhaps the most obvious improvement offered at a lower level being Transactional NTFS (TxF) [ref 9], a feature which allows a series of file system operations (collectively termed a “transaction”) either to be carried out in its entirety or rolled back. Although this may be beneficial for system integrity it would not appear to have immediate significance from an investigative standpoint. Changes to some data objects, however, may well be of significance and in the next article we will be taking a closer look at how Vista handles file metadata. Overall, in the absence of the introduction of a brand new file system (such as WinFS), it seems reasonable to assume that the changes introduced with Vista will be relatively few but unless further information is forthcoming from Microsoft then testing and analysis, such as that carried out by Brian Carrier on previous versions of NTFS for his 2005 book “File System Forensic Analysis” [ref 10], may remain the best source of new knowledge at the file system level.
In this article we have taken a fairly high level view of some of the new features in Vista which may be of interest to forensic investigators. In part two of this series we will be looking in further detail at these changes and concentrating on the typical user activities which commonly come under the scope of an investigation, such as web browsing and email usage.
References[ref 1] http://www.microsoft.com/windows/products/windowsvista/editions/choose.mspx
[ref 2] http://www.theregister.co.uk/2007/02/02/computer_forensics_vista/
[ref 3] http://it.slashdot.org/it/07/02/05/2254247.shtml
[ref 4] https://www.trustedcomputinggroup.org/faq/TPMFAQ/
[ref 5] http://cyberspeak.libsyn.com/index.php?post_id=175719
[ref 6] http://www.microsoft.com/windows/products/windowsvista/features/
[ref 7] http://www.microsoft.com/windows/products/windowsvista/features/
[ref 8] http://www.microsoft.com/windows/products/windowsvista/features/
details/shadowcopy.mspx [ref 9] http://msdn2.microsoft.com/en-us/library/aa365456.aspx [ref 10] http://www.digital-evidence.org/fsfa/