
Vista Makes Forensic PC Exam Easier for Lawyers 343

Posted by Zonk
from the can-i-introduce-you-to-some-nice-encryption dept.
Katharine writes "Jason Krause, a legal affairs writer for the American Bar Association's 'ABA Journal', reports in the July issue that Windows Vista will be a boon for those looking for forensic evidence of wrongdoing on defendants' PCs and a nightmare for defendants who hoped their past computer activities would not be revealed. Krause quotes attorney R. Lee Barrett, 'From a [legal] defense perspective, [Vista] scares me to death. One of the things I have a hard time educating my clients on is the volume of data that's now discoverable.' This is primarily attributable to Shadow Copy, TxF and Instant Search."

  • by ScottyKUtah (716120) on Saturday July 14, 2007 @07:15AM (#19858313)
    If one was stuck with Vista, I could see VMWare being quite popular. Just run all of your "other activities" under a VMware computer. If the computer ever falls into enemy hands, just wipe out the virtual computer and you're good to go.

    Another reason I'm sticking with XP.
    • by neonmonk (467567) on Saturday July 14, 2007 @07:21AM (#19858339)
      I do all my illegal activities on an Abacus.

      Mwa aha hah.
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      Another reason I'm sticking with FOSS. You will have to upgrade the OS eventually, why not choose free one from the beginning?
    • by ls671 (1122017) on Saturday July 14, 2007 @07:24AM (#19858363) Homepage
How are you going to wipe out the virtual computer once the computer is in enemy hands? ;-)
      • by PsyQo (1020321) on Saturday July 14, 2007 @07:38AM (#19858425)
Put the entire virtual machine + disks on an encrypted TrueCrypt volume
        • by Gazzonyx (982402)
Instead of using TrueCrypt, doesn't Vista's version of NTFS (5?) still allow Alternate Data Streams? Wouldn't this be harder to detect?
          • by Sancho (17056)
            A forensics expert is going to know about ADS. There are plenty of utilities to search them out.
      • Have the virtual computer automatically reset on exit to a safe copy.

        Great if you want to emulate Win9x and not worry about instability over time.
    • by Detritus (11846)
      Bad idea. It's called obstruction of justice. Conrad Black was just convicted of that for removing many boxes of files from his office when he found out that he was being investigated.
      • Re: (Score:2, Insightful)

        by bigstrat2003 (1058574)
        I don't know if that really matters. If you have something that crucial to hide, what's an obstruction of justice conviction compared to whatever else you might get slapped with? I'd imagine for any serious criminal, the potential reward is very high (won't get in jail, yeah!), while the risk is relatively low (obstruction of justice, damn... but it beats life in prison!).
    • I assume by "wipe out" you mean "use a multi-pass file corrupter and eraser solution" because simply doing a DEL on the file won't keep it from being undeleted.

Now, TrueCrypt is the perfect software for keeping secrets. You can even make a hidden partition that not even TrueCrypt knows exists unless you provide the correct password. Otherwise there is no way for TrueCrypt (or anyone) to see it. Not to mention you have a DIFFERENT password unlock a "dummy" partition where the hidden one resides in, with

    • by Jugalator (259273)

      Another reason I'm sticking with XP.

You make it sound like these services (desktop search, shadow copy, ...) can't be easily turned off. :-p If you use Vista for other new features, there's no reason to switch. Just go to the Service Manager and take it from there. However, if there's nothing you need in Vista, sure, you can go back, but then you shouldn't have switched in the first place.
  • by Anonymous Coward on Saturday July 14, 2007 @07:18AM (#19858333)
    These are all legitimate, useful features. It's the implementation that's wrong.

All potentially damaging (i.e., all) data should be written to an encrypted store in such a way that recovering it from a lost/stolen/seized machine is hard to impossible without assistance from the owner. That's just good design practice in an environment where there is more than enough computing power available.

    I'm aware that there are places where you have to hand your keys over to law enforcement... with which I have no real problem provided the due process of law is followed. But at least properly managed/segmented encryption can prevent a fishing trip. And in the worst case if you were being falsely accused of something really awful then you might decide that the penalties for not handing over the keys were less severe than the penalties for having the data available. At least you would get the choice.
    • by Ravnen (823845) on Saturday July 14, 2007 @07:30AM (#19858387)
      Vista actually has a full-drive encryption mechanism, called 'BitLocker'. If it's enabled, I suppose any attempt at forensic examination would require either (a) the permission of the owner, or (b) breaking the encryption.
      • Re: (Score:3, Informative)

        by Konster (252488)
        C) Or a court order to fork over the password.
        • Re: (Score:3, Funny)

          by Nerdgasm (714484)
          D) Or get the "enemy combatant" treatment in order to fork over the password.
        • by Ravnen (823845) on Saturday July 14, 2007 @08:04AM (#19858543)
          I would say that falls under permission. If there is a court order, you can refuse it, but you will face the legal consequences.
          • Re: (Score:3, Interesting)

            by IAmTheDave (746256)
            Not to mention that you're talking about legitimate functions of a computer - things that people get with other operating systems too (like my beloved OSX - Time Machine and Spotlight in Leopard, for instance, each have indexes, even if my backup drive is not attached).

            It burns me a little that "Vista" and "Microsoft" are in this posting/article because it's the technologies that make people's lives easier that also make them more open to computer forensics finding deleted data, etc.

            However, while I'm sure
            • by Sancho (17056)

              If you find yourself in this situation, well, I hate to my bones to say it, but if you didn't do anything wrong, what do you have to be worried about???
Yeah. Right now, if you're at the point where they get to demand your password, you're pretty well in their power entirely. Although you maintain some rights (unless you're classified as an enemy combatant), the right to privacy is largely gone at this point.
            • by jedidiah (1196)
Some fascist deciding to go on an adventuring campaign on some other continent to settle old family scores that leads to vast swaths of the populace being branded potential enemies of the state for just what they look like. You also have to consider that you don't have to worry about what you could call "clueful racial profiling". You also have to worry about the idiots who are dumb as rocks and will generate their own flawed "watch list" and act on it.

              It's like anyone ever got the attention of law enforce
          • by arminw (717974) on Saturday July 14, 2007 @01:12PM (#19860269)
...If there is a court order...

            In the US at least is the 5th Amendment still part of the constitution? If you tell the court that giving out the password is like testifying against yourself, does the 5th still protect the accused? Did it ever really work that way?

            • Since things like computers didn't exist back when the Constitution was written. You can't just say "no" to anything that might convict you. For example you can't refuse to hand over a key to your house (not that they can't break the lock anyhow) or refuse to give a blood sample. So an encryption key is a real grey area. On the one hand, it isn't really testimony per se, it is more akin to a physical key and thus you should have to hand it over. On the other hand it is something that is stored solely in you
      • by Vexorian (959249)
        I guess it is useful, make privacy threatening features to force people to use the closed encryption mechanisms that make you unable to dual boot, ain't that awesome?
        • by SEMW (967629)

          I guess it is useful, make privacy threatening features to force people to use the closed encryption mechanisms that make you unable to dual boot, ain't that awesome?

          If you're going to troll, do it about something you know about. Despite the name, Bitlocker is logical volume encryption; nothing forces you to encrypt the whole drive. Nothing prevents you from having a dual-boot system.* Yes, I know there's a Register story that says otherwise; if you believe the Register, I have a bridge to sell you.

          *Caveat: if you're using a TPM module to do the encryption, you need to use the Windows boot loader rather than GRUB as the first boot loader. This is perfectly possi

TFA specifically mentioned "Discovery", which is a court procedure totally separate from search warrants and seizures. Civil discovery is a very frightening process: you can be compelled (under pain of contempt punishments) to produce anything the opposing lawyers ask for that is remotely relevant (might lead to evidence). Encryption is useless; you have to produce plaintext.

      My bigger concern is what happens to the excess (not admitted into evidence) data. IE, almost all of it. That really needs to be ke

    • by iamacat (583406)
      A good start will be to encrypt old versions of files with a public key, for which the private key will, as a factory default, not be retained. As an explicit user action, a new key pair can be generated, and the private key saved on a USB drive and/or encrypted with a conventional password. There will be no way for unauthorized users to distinguish between these two cases and compel the owner to reveal the password that he/she may or may not have.

      Coupled with a filesystem design that uses fresh secure rand
  • Progress? (Score:3, Funny)

    by simp (25997) on Saturday July 14, 2007 @07:23AM (#19858357)
    So now with shadow copy Vista not only saves all versions of goatse and tubgirl that I ever will encounter, I'm most likely unable to remove all traces to those pictures from my machine. And with instant search everybody can find them easily.

    Now that's progress.
  • by Anonymous Coward on Saturday July 14, 2007 @07:32AM (#19858395)
    To make sure my Windows is running at peak efficiency and performance, I got into the habit of completely reinstalling Windows every Thursday at 10am.
    This habit was developed during Win95, WinSE, WinXP SP1, and WinVista Beta

    What? There was evidence there? Ooops, sorry... my standard operating procedure wipes the disk once a week.
  • by Alain Williams (2972) <addw@phcomp.co.uk> on Saturday July 14, 2007 @08:26AM (#19858641) Homepage
    I can see the headlines now: "Criminals use Linux because MS Vista makes forensics easy".

    Then: you are using Linux, what have you got to hide ?

    The next step is: Only criminals use Linux

    I have just realised: I am typing this at a Linux box. I had better go down and turn myself in at the cop shop.

    • by mgiuca (1040724)
      As shown by this article, Microsoft is dedicated to freedom of information and sharing, while Linux is all about secrecy and locking information away! Boy did you Slashdot nerds bet on the wrong pony!
  • Following on from the runaway success of this http://ubuntusatanic.org/news/ [ubuntusatanic.org] and this http://tinyurl.com/nq9ut [tinyurl.com], I'm sure we'll soon have MAFIA, paedophile and Goatse *nix distros...the demand is there, c'mon RedHat, what are you waiting for?
For quite some time, it's been easy to find out anyone's business as they used their computer, even in Windows XP. It just seems that with Windows Vista, it's easier to make the discovery. Keep in mind, it's not just the operating system doing the copies; applications do so as well.

    From the "temporarily copied" documents viewed in Microsoft Outlook, to the cached images stored by Internet Explorer, and still yet to the meta-data stored in Word documents. (There have a been a few t

http://sourceforge.net/project/showfiles.php?group_id=37015 [sourceforge.net]

    Not sure if it helps in this case, though.
  • Computer OS (Score:3, Interesting)

    by Skiron (735617) on Saturday July 14, 2007 @09:50AM (#19859101) Homepage
    What is forgotten here is an OS really should be an OS - designed to run the computer and what not.

Now, when that OS has deliberate code to track and monitor a user's 'usage', it really is no more a tool to run a computer, but rather a tool to watch a user. The main job of that code is absolute control of the computer taken away from the user.

    MS have been trying to do this for years, and now it looks like they have succeeded ~ and the sheep follow and buy the crap.

    It is pretty scary that this succeeds at all. I mean, nobody in their right mind would buy a car that recorded every single journey and 'phoned home' every time you exceeded a speed limit, or the car stopped at changing traffic lights, even though you didn't need to... the world would be in uproar and the car would most definitely not sell at all.

Yet the sheep still buy this crap...
    • Re:Computer OS (Score:5, Insightful)

      by SEMW (967629) on Saturday July 14, 2007 @12:21PM (#19859943)
      "This is primarily attributable to Shadow Copy, TxF and Instant Search."

      Now, when that OS has deliberate code to track and monitor a users 'usage', it really is no more a tool to run a computer, but rather a tool to watch a user. The main job of that code is absolute control of the computer taken away from the user. ... MS have been trying to do this for years, and now it looks like they have succeeded ~ and the sheep follow and buy the crap.
Did you read a different story to me? Exactly which one out of shadow copy, a transactional file system, and faster search (or, indeed, any other part of the OS) is designed to "track and monitor a user" or "[take] control of the computer away from the user"?
.... recovering all the spam mail you deleted, when the lawyers want to prove you to be some sort of pervert on prescription drugs.

    Seriously, this seems to contradict recent reports that Linux is less secure than Vista.

    So when is all the MS promotional hype going to be exposed for what it really is, a bunch of contradictory lies.

Is anyone keeping an accounting of all the Bull Shit coming out of Microsoft promotion?

    So it can be added up to find MS OS is ad promoting spyware that takes up resources that can b
    • by Dunbal (464142)
      So when is all the MS promotional hype going to be exposed for what it really is, a bunch of contradictory lies.

      This was done YEARS ago, yet people keep buying their products.
    • by SEMW (967629)

      Seriously, this seems to contradict recent reports that Linux is less secure than Vista.
      Ummm, no.

      Obviously Linux isn't less secure than Vista, but that has nothing to do with this. Data retention for the purposes of versioning ("shadow copy"), searching ("Instant Search") and file system integrity ("TxF") have, to a first approximation, little or nothing to do with security from external attacks.
  • How about that "restore previous versions" feature of Vista. You can bet that isn't going to cause some embarrassing moments.
    I assume something like wipe would do an unrecoverable delete.
    Does anybody know: if a program does fopen("myfile.txt", "w+"), is a backup made?
    • by SEMW (967629)

      How about that "restore previous versions" feature of Vista. You can bet that isn't going to cause some embarrassing moments.
      From the summary: "...This is primarily attributable to Shadow Copy...".

      (BTW, previous versions can be deleted from Disk Clean-up, the "More Options" tab)
  • Is it safe? (Score:2, Funny)

    by careysb (566113)
    Arthur Dent: Is it safe? Ford Prefect: It's perfectly safe. It's just us who are in danger. -- Douglas Adams (HHGTTG)
  • by Kazoo the Clown (644526) on Saturday July 14, 2007 @11:51AM (#19859777)
The Republicans sure aren't going to want to upgrade...
  • I read this fascinating article (probably a /. story) about how anti-computer forensics (the art of manipulating computer records and files and any and all data to hide evidence or forge false evidence) can beat computer forensics every time, because the whole idea of computer forensics is to trust what the computer says as truth. The only problem is, someone with enough knowledge of a computer can easily change any and all data... and leave no evidence of tampering. Date and time stamps can easily be man

  • by guruevi (827432) <evi@smokingcCOFFEEube.be minus caffeine> on Saturday July 14, 2007 @11:42PM (#19864289) Homepage
    If you haven't tried it yet do the following: corrupt the networking part in VPC (or disable networking in VMWare), then load Windows Vista or XP SP2 and use it on a regular basis (you don't even have to load anything, no updates or so), never allowing networking and since it's a corporate version you don't need to activate.

I think after about 90 days (more or less, I don't use it that much) I have noticed the Windows installation corrupts itself every time with the same error (blue screen on startup saying it can't find a specific file in the \system folder); call Microsoft and all they know is that you should apply the latest patches (but I'm not on the Internet, I'm in a controlled environment).

    I have had it with different systems (Mac, PC, Linux) and there was no special software running on the virtual machines and all networking and file transferring was blocked.
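Two points raised in the thread, Sancho's observation that examiners have utilities to enumerate alternate data streams and SEMW's note that "previous versions" live in Volume Shadow Copies, can be checked on one's own machine. The script below is an added example written for this page; it is not code from any commenter or from Microsoft. It inventories, from an administrator's stance, what an NTFS system is currently retaining: the shadow copies present on each volume (queried through the WMI/CIM class Win32_ShadowCopy) and the files under a directory that carry named alternate data streams. It assumes PowerShell 3.0 or later (Get-CimInstance and the -Stream parameter are not present in the PowerShell that shipped with Vista) and an elevated session for the shadow-copy query; $ScanRoot is an assumed path for illustration.

```powershell
# Added example (not from the thread): inventory two kinds of data that a
# forensic review of an NTFS system surfaces: Volume Shadow Copies (the
# store behind "Previous Versions") and named alternate data streams.
# Assumes PowerShell 3.0 or later and an elevated session for the
# shadow-copy query. $ScanRoot is an assumed path; change it to suit.

$ScanRoot = 'C:\Users'

# 1. Shadow copies present on the machine. Each snapshot can hold older
#    versions of files that no longer exist on the live volume, which is
#    exactly the "previous versions" data the summary refers to.
Write-Host "Volume shadow copies:"
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, VolumeName, DeviceObject,
        @{ Name = 'Created'; Expression = { $_.InstallDate } } |
    Format-Table -AutoSize

# 2. Named alternate data streams. Every file has the unnamed ':$DATA'
#    stream; anything else is a named stream that Explorer does not show
#    but that Get-Item -Stream (and forensic tools) enumerate directly.
Write-Host "Files under $ScanRoot carrying named alternate data streams:"
Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

On a typical workstation most of the stream hits will be the small Zone.Identifier stream that Internet Explorer and other browsers attach to downloaded files; a large named stream on an otherwise ordinary file is the kind of entry worth a closer look. The shadow-copy listing shows how many snapshots exist and when each was taken, which is the information needed to judge how far back "Previous Versions" can reach on that volume.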
