Vista Makes Forensic PC Exam Easier for Lawyers

Katharine writes "Jason Krause, a legal affairs writer for the American Bar Association's 'ABA Journal' reports in the July issue that Windows Vista will be a boon for those looking for forensic evidence of wrongdoing on defendants' PC's and a nightmare for defendants who hoped their past computer activities would not be revealed. Krause quotes attorney R. Lee Barrett, 'From a [legal] defense perspective, [Vista] scares me to death. One of the things I have a hard time educating my clients on is the volume of data that's now discoverable.' This is primarily attributable to Shadow Copy, TxF and Instant Search."

Another Use for VMWare

[ScottyKUtah (716120)]

If one was stuck with Vista, I could see VMWare being quite popular. Just run all of your "other activities" under a VMware computer. If the computer ever falls into enemy hands, just wipe out the virtual computer and you're good to go.

Another reason I'm sticking with XP.

Re:Another Use for VMWare

[neonmonk (467567)]

I do all my illegal activities on an Abacus.

Mwa aha hah.

Re:Another Use for VMWare

[by Anonymous Coward]

You'll be disappointed to learn of Microsoft's new Abacus Retentive Summation Environment (ARSE) tracking extension, which is being made mandatory for all abacuses from 2007 onwards. I guarantee you'll barely notice the performance penalty. :)

Re:Another Use for VMWare

[by Anonymous Coward]

Looks like you'll be the first person Microsoft sues for ARSE-Crack.

Obligatory

[thegnu (557446)]

I do all my illegal activities on an Abacus.
Red bead attempting to slide right.
Cancel or Allow?

Re:Another Use for VMWare

[ls671 (1122017)]

How are you going to wipe out the virtual computer once the computer is into ennemy hands ? ;-)

Re:Another Use for VMWare

[PsyQo (1020321)]

Put the entire virtual machine + disks on a encrypted truecrypt volume

Re:Another Use for VMWare

[Hatta (162192)]

TrueCrypt provides plausible deniability. So just have 2 encrypted directories. One for relatively safe stuff, one for the really bad shit. If someone forces you to give them a password, give them the relatively safe one. Since truecrypt volumes are indistinguishable from random data it's impossible for them to know there's anything else in that chunk of encrypted data.

Re:Another Use for VMWare

[Hork_Monkey (580728)]

Still, Windows will create artifacts (lnk files, histories, etc) to the files on either Truecrypt volume. A skilled forensic person will be able to testify that volume you provided the password for does not have the correlating files that can be seen in the artifacts.

While they will not be able to prove they contain the suspect data, plausible deniability becomes less plausible.

Much of forensics is being able to correlate the existence of a known file on a filesystem against other evidence, such as another computer that did not employ the protective measures. The point of the article is that TrueCrypt is not enough (and really hasn't been due to the number of artifacts that XP already leaves)- you will have to take a number of measures to cover your tracks which can be quite time intensive.

TrueCrypt is a wonderful product. I use it myself to encrypt corporate data. However, every now and then I play with EnCase on my laptop to see what is left behind and it makes me even more paranoid when I have nothing to hide.

Re:Another Use for VMWare

[Hatta (162192)]

Do your browsing on a QEMU image kept in the truecrypt volume. No traces.

Re:Another Use for VMWare

[ScrewMaster (602015)]

The problem with that idea is that you are talking about a technological solution to a cultural problem. That's been discussed here on Slashdot before: so many things have been criminalized that even your "relative safe" stuff could still land you in jail. The bar has been lowered on what the law considers "bad shit".

Personally, if I had any really bad shit on my system I'd probably just have a buried NAS box somewhere on (or even off) the premises. Probably would be best if there were a hardwired connection to it: wouldn't want the Feds to use a sniffer and figure out you have the thing. Oh sure, if they really wanted to they could find it, but why make it easy? Hide the cabling and hide the point at which it attaches to the rest of your LAN. Probably want the box to run a watchdog task that will disable it completely if it detects that specific machines on the LAN have disappeared (as in "having been confiscated".) That way, even if someone performing forensics notices that there was another network drive mapped, by the time they get back to search for another machine it won't be detectable unless they start tearing down your walls.

Of course, you'd be a lot safer not having that bad shit in the first place.

Re:Another Use for VMWare

[smitty_one_each (243267)]

Because freedom requires commitment and effort.

It's not the function that's the problem

[by Anonymous Coward]

These are all legitimate, useful features. It's the implementation that's wrong.

All potentially damaging (ie, all) data should be written to an encrypted store in such a way that recovering it from a lost/stolen/seized machine is hard to impossible without assistance from the owner. That's just good design practice in an environment where there is more than enough computing power available.

I'm aware that there are places where you have to hand your keys over to law enforcement... with which I have no real problem provided the due process of law is followed. But at least properly managed/segmented encryption can prevent a fishing trip. And in the worst case if you were being falsely accused of something really awful then you might decide that the penalties for not handing over the keys were less severe than the penalties for having the data available. At least you would get the choice.

Re:It's not the function that's the problem

[Ravnen (823845)]

Vista actually has a full-drive encryption mechanism, called 'BitLocker'. If it's enabled, I suppose any attempt at forensic examination would require either (a) the permission of the owner, or (b) breaking the encryption.

Re:It's not the function that's the problem

[Ravnen (823845)]

I would say that falls under permission. If there is a court order, you can refuse it, but you will face the legal consequences.

Re:It's not the function that's the problem

[arminw (717974)]

......If there is a court order......

In the US at least is the 5th Amendment still part of the constitution? If you tell the court that giving out the password is like testifying against yourself, does the 5th still protect the accused? Did it ever really work that way?

How is this possible? I reinstall Win every week

[by Anonymous Coward]

To make sure my Windows is running at peak efficiency and performance, I got into the habit of completely reinstalling Windows every Thursday at 10am.
This habit was developed during Win95, WinSE, WinXP SP1, and WinVista Beta

What? There was evidence there? Ooops, sorry... my standard operating procedure wipes the disk once a week.

Message to criminals: Use Linux

[Alain Williams (2972)]

I can see the headlines now: "Criminals use Linux because MS Vista makes forensics easy".

Then: you are using Linux, what have you got to hide ?

The next step is: Only criminals use Linux

I have just realised: I am typing this at a Linux box. I had better go down and turn myself in at the cop shop.

Re:Just some more...

[mrchaotica (681592)]

Why are the good points about Vista never mentioned on Slashdot?

Because there aren't any. Seriously. I've been using Vista (Business) all summer; I should know. Yes, it has fancy GPU-accelerated graphics. But they don't do me any good because they suck my battery life (it's the difference between lasting through a lecture worth of note-taking in OneNote, or not). Yes, it has better support for Tablet PCs... but only ever so slightly better. Other than that, the only differences I notice between it and XP are all negative: shitty or missing drivers, annoying bugs, infuriating UAC (if it asked me to confirm an action once, it'd be okay. But it often asks me twice: once by the app, and once by the OS). It's so bad that -- even though Tablet PC users should have the most improved experience in Vista of any group -- I'm switching either back to XP or to Ubuntu once the semester is over.

Re:Just some more...

[adamwright (536224)]

Disclaimer: I use Mac laptops, Linux servers, and Windows desktops (in the main). I am *not* a Microsoft shill.

Right, karma to burn. How the hell is this "Informative"? "+5 Groupthink", or "+5 Telling me what I want to hear", sure. But there is no information here at all - Vista does have some "good features", regardless of what some people think. Answering your points specifically

1) Eye Candy: If you don't like it, turn it off.
2) Missing or shitting drivers: I have not noticed, nor do I know anyone who has noticed, Vista not supporting hardware that XP supported. Shitty drivers, well, this is a more reasonable concern, but it applies in my experience only to graphics, and then only to people for whom a 5-10% drop in performance (until nVidia get their ass in gear) is a "shitty problem". It's *vastly* better than Linux in this regard.
3) UAC: You're doing it wrong. I have not seen a UAC prompt that wasn't because I launched an app that required admin priviledges for weeks. Sure, when you're setting up the system, you get them a lot - much like in Linux, where you prefix half the first weeks commands with "sudo". After that, if you're seeing it more than once or twice a week, you need to seriously look at what kinds of software you're running that constantly need "root" access.

As to a sample of "good points"

1) New graphics and sound stack is vastly superior - I can set sound volume on a per application basis, automatically, using an simple interface built right in. No more stupid Flash in Firefox blaring away at 80db when I'm listening to music via iTunes.
2) Integrated search - Works as well as Spotlight for me, and I thought Spotlight was the best thing since sliced bread.
3) UAC - Yes, in my eyes, this is a good thing (and the biggest step forward in Vista). Windows no longer uses an "Admin for everything" model, something most people have been crying out for it do have for years.

Does it add anything *huge* over OS X, or even XP? No. Since when has a new OS release added anything world changing? They have been, since OS X 10.0, Linux 2 and Windows 2000, incremental. Is the DRM stuff a bad route? Yes. Does Vista use too many resources? Well, the idle footprint over my OS X machine isn't significantly greater - I would say it *does* use a too much, but frankly, as my machine is fairly modern, I don't notice. In many operations, it's faster than XP.

Should we all move to desktop Ubuntu? I don't know - I use Linux on servers, but it's still not ready for desktops, in my eyes. A technically semi-literate friend installed it on his Laptop, as someone had preached too him, and it *mostly* worked - except sound, which was a huge pain in the ass, and even I (with years of Linux experience) couldn't make work. Mostly is not good enough (he bought an OS X laptop to replace it, and is very happy). When Linux sorts out these issues, and gets a decent suite of end user software (no, Openoffice is not good enough to be an Office replacement), I might consider putting friends and familiy onto it.

Is Vista the devil? No. It's no worse than XP, and has several significant features that make it better, much like XP over 2000.

Re:Just some more...

[Ravnen (823845)]

The article just says it's easier to gather evidence from a PC with Vista than from a PC with an older version of Windows, like XP. It's also easier to gather evidence from a PC than from a box of papers, and easier to gather evidence when there is a box of papers than when there isn't. If you wish to be secure in your illegal activities, you'd probably be wise to avoid keeping any records at all.

As for privacy, to the extent that this sort of thing requires a legal order to hand over the information, I can't really see that it's an issue of privacy. If it is accepted that preserving the rule of law sometimes requires surrendering information that would otherwise be considered private, then that is the end of the matter: the information in such instances has ceased to be private.

If a PC is stolen, that is another matter, but in such cases, encryption can be used to prevent private data falling into the hands of thieves. This arguably makes a PC with appropriate encryption enabled safer than paper records.

Re:Just some more...

[Ravnen (823845)]

I'm afraid you're mistaken in suggesting that other systems do not use similar methods. Mac OS X, for example, includes Spotlight, which has similar implications to Windows Search, and the upcoming 10.5 version will include a feature called Time Machine, with similar implications to Shadow Copy in Windows. The use of ZFS might too introduce issues similar to those inherent in Transactional NTFS.

The reality is that most users like the ability to index and search their data, and to recover previous versions of a file, as well as the better reliability offered by transactional file operations. In the general case of a non-criminal user, these features provide far greater benefits than the potential harm of having their activities more effectively analysed by law enforcement officials, in the highly improbable case of a legal order to hand over their data.

Re:Just some more...

[by Anonymous Coward]

Yes, we know it's more resource intensive, but it's not just the interface that's doing it. One article is from an Apple fansite which either fails to understand or doesn't want to and the other doesn't claim it's the interface at all. Bad start.

The DRM only applies to (shock) DRM-enabled content that you buy. It was a choice between layering in the DRM or not allowing people to view that content on the PC at all, a choice enforced by the big media companies who own the content. Yes, Microsoft could have stood up and said no, and in doing so crippled Blu-ray and HD-DVD functionality in Vista. Surprisingly, despite Slashdot's wanton hatred of it (I don't particularly care for it either), very few consumers care about DRM, so they went ahead and gave people access to that content.

For security, two of your articles were published before Vista was even released to the public, and the only relevant link just explains that if an installer requests admin mode, you can give it admin mode and it can do what it likes, citing a 'malicious freeware Tetris installer'. The article fails to mention that this happens in the same way for both OS X and Linux, instead of trying to be useful and educate readers on using their common sense when downloading software.

Saying 'security has to be disabled for Vista to be useful' is just plain bullcrap. Turning off UAC merely stops giving you the choice to run programs as admin. UAC doesn't prevent any programs from running unless you say you don't want it to run. You may want to clarify that point.

Expense (as always) is in the eye of the beholder (I paid my £70 and have never regretted it), and considering hard drive costs are down to 30-40 cents a Gigabyte, then the extra space costs are inconsequential. As most people only get a new OS with a new computer they will probably never even concern themselves with this point.

You didn't provide links to prove 'clunky' or 'privacy-invading', which doesn't surprise me.

The article you linked to for 'insecure' says "Microsoft, Kaspersky and Sophos think that you don't need kernel access to keep it safe from viruses, but Symantec and McAfee don't agree. They're bigger than the other two vendors and Microsoft is biased so they must be right".

Your final link takes the cake because it links to a list of blogs and none of them mention Microsoft at all.

So, why would you want to use Vista? You wouldn't. Nothing to do with usability, or features, but because you obviously prefer using Linux to the extent that you're prepared to parrot the FSF line without actually understanding it.

My plus points with Vista include:

- Playing MP3s and DVDs without breaking the law (fair law or not, still a law)
- Being able to play the latest games without needing a degree in Computer Science
- Being able to perform 99% of my system tasks without referring to the CLI

Re:Not to worry

[arashi no garou (699761)]

Spoken like a true totalitarian. What happens when the laws change and the perfectly legal and moral things I do on my computer become immoral and illegal according to the government? Sorry bud, but I'll hang on to my privacy.

Re:Computer OS

[SEMW (967629)]

"This is primarily attributable to Shadow Copy, TxF and Instant Search."

Now, when that OS has deliberate code to track and monitor a users 'usage', it really is no more a tool to run a computer, but rather a tool to watch a user. The main job of that code is absolute control of the computer taken away from the user. ... MS have been trying to do this for years, and now it looks like they have succeeded ~ and the sheep follow and buy the crap.

Did you read a different story to me? Exactly which one out of shadow copy, a transactional file system, and faster search (or, indeed, any other part of the OS) is designed to "track and monitor as user" or "[take] control of the computer away from the user"?