With the introduction of Windows 10, Microsoft latest operating system, the team at Microsoft want to change, yet again, how we interact with our computers. They want to make our experience more personal.
Microsoft has introduced us to Windows Hello. Windows Hello is a biometric authentication technology that will provide instant access to your Windows 10 enabled device. This feature will allow you to access the computer using your face, iris, or fingerprint to unlock the device. All you will need to do to login will simply be to show your face, or scan your finger to an enabled device running Windows 10. Not only does Microsoft claim this is more convenient than typing a password, they say it's more secure.
https://
With this new technology of allowing a person to access a computer using facial recognition, the question I have is, from a Digital forensics and cyber investigation standpoint, will this allow us to recognize individuals as soon as they access a computer? Will Microsoft give us the ability to tap into this technology to identify a person who is to access child porn? When performing digital forensic analysis, we can show that a certain username was used to log into a computer system using artifacts found in Windows registry, but having an image of the person sitting in front of the device will change the whole gamut.
This sparked my interest and light bulbs went off when I read about this new feature. What a great way to identify a person who used a device should the artifacts become available during an investigation. I'm curious to read what others think.
…the question I have is, from a Digital forensics and cyber investigation standpoint, will this allow us to recognize individuals as soon as they access a computer? Will Microsoft give us the ability to tap into this technology to identify a person who is to access child porn? When performing digital forensic analysis, we can show that a certain username was used to log into a computer system using artifacts found in Windows registry, but having an image of the person sitting in front of the device will change the whole gamut.
This sparked my interest and light bulbs went off when I read about this new feature. What a great way to identify a person who used a device should the artifacts become available during an investigation. I'm curious to read what others think.
I'd like to know what you found when you tested it. You tested it out, right?
With the experience I've had in biometrics, my thinking wouldn't be that something would be taken away, as much as we now have additional artifacts to work with. Every time a new version of Windows has come out, there's been that majority of the "community" that goes all "ZOMG" spastic about something being "new" and having to change tools, etc. The simple facts are that (a) if you have a process, you're good, and (b) every new version of Windows has simply added more artifacts for us to use to achieve our analysis goals.
I worked with biometrics back in the early 2000s, and at that time, while you could use biometrics to log into a system, passwords didn't go away…while I had to use biometrics to log into the console, I could still access the system remotely with a password.
And you're not going to get an image of someone sitting in front of a computer, even with facial recognition. The image (facial recognition, or iris or fingerprint scanning) is likely going to reduce the "image" to an eigenvector, and then possibly hash it for storage. This is going to give the individual access to a particular profile, which takes us right back to all of the wonderful artifacts that we're used to working with.
If you're using *just* "artifacts found in Windows registry" to determine when someone logs in, then, well, I might suggest that you're already operating behind the power curve, and something like biometric access is going to be a challenge for you.
Don't get me wrong, I'm not busting on you…I'm not particularly smart, I just look back over the 16+ yrs of doing this work, and I see how things have gone, starting with the release of XP, then Vista, then Windows 7.
I appreciate your response. I must first say, I have zero experience with biometrics. I don't claim to be a super guru forensic expert. My initial thought was more along the lines of wouldn't this be cool to extract. In regards of having a snapshot of the individual. I guess we could say, more "Hollywood style forensics" than reality!? I have not tested the biometrics of this Windows 10 Hello feature, but an interest and something I wish to investigate further. Sure, zero experience with biometrics may be a challenge, but I'm sure I'll learn a lot along the way. A challenge hasn't slowed me down yet in this field.
I do know that artifacts found in the registry is not the answer to all. I am in that learning curve and working hard to build my knowledge in this field. I'm glad to know someone such as yourself with 16+ years experience took time to respond and appreciate any suggestions you have for someone who's still rather new to the field.
In regards of having a snapshot of the individual. I guess we could say, more "Hollywood style forensics" than reality!?
But would the hypothetic snapshot be good enough to distinguish the "evil" twin? 😯 ?
https://
Not really related, I know, still IMHO fun and JFYI
http//
jaclaz
I don't claim to be a super guru forensic expert.
You don't have to be.
My initial thought was more along the lines of wouldn't this be cool to extract.
I'm sorry, I'm not following…what would be cool to extract?
Sure, zero experience with biometrics may be a challenge, but I'm sure I'll learn a lot along the way. A challenge hasn't slowed me down yet in this field.
Good to hear. I don't think that "zero experience with biometrics" is going to be an issue.
Will Microsoft give us the ability to tap into this technology to identify a person who is to access child porn?
That's a question you may have to ask Microsoft or Microsoft developers – the people who go to the MSDN conferences and get briefed and trained on new technology.
I think it would be unlikely to get two entirely separate paths for authentication one for the standard username/passwords and one for biometrics. More likely, the biometrics will be connected to the normal user account, only there will be something else in place of the standard logon user interface (MSGINA.DLL) that does the biometrics part.
When performing digital forensic analysis, we can show that a certain username was used to log into a computer system using artifacts found in Windows registry, but having an image of the person sitting in front of the device will change the whole gamut.
Unlikely to happen – while there would be some kind of image, it is almost certainly discarded as soon as the face characteristics have been extracted. (There will probably be a database of registered face characteristics, though.) If you are lucky, it might mean that there's a new 'deleted file' artifact to pick up with that image – more likely is that it stays memory resident, and never hits a storage space, not even in pagefile. Having a stored image around seems to open the possibility for reinserting that image in the authentication path by some trickery.