2007-03-08
What does BitLocker mean for forensic examiners? In a recent, and highly recommended, Cyberspeak podcast [ref 5] Jesse Kornblum talks in some detail about the impact of BitLocker and the growth in importance of memory analysis for first responders. In the discussion with the show's hosts that follows, the suggestion is made that now may be the time when memory capture (and subsequent analysis) becomes the accepted norm for forensic examiners when first approaching a suspect machine, rather than the more traditional option of "pulling the plug." Undoubtedly, BitLocker presents a challenge - after all, one of Microsoft's goals with BitLocker is to protect data even when the storage device has been removed from the user's physical control, a scenario not entirely dissimilar to lawful seizure! However, as BitLocker is only available in two editions of Vista and needs to be purposefully enabled on an appropriately formatted drive - not to mention the hardware requirements for TPM - it seems unlikely that its use will be widespread initially.
We should also remember that even where BitLocker is in use, the specific circumstances of the investigation, such as the ability to seize appropriate hardware or to gain access to the volume by initiating a recovery procedure, mean that evidence may still be recovered in a straightforward fashion. Yes, the stakes have changed and the bar has been raised, but while BitLocker certainly represents a step towards more powerful and ubiquitous encryption, it seems unlikely that its inclusion represents the watershed moment that some had feared.
"Encrypting File System (EFS)"
EFS is a feature available in the Business, Enterprise, and Ultimate editions of Windows Vista and provides file and folder level encryption on NTFS volumes (using the AES algorithm). In comparison with the hardware and setup requirements of BitLocker, EFS simply requires a checkbox to be ticked in the file or folder's properties to be enabled, although in larger environments it may be that the encryption is more likely set through Group Policies or scripting rather than by individual users. EFS is not new; it can also be found in Windows 2000, XP and Server 2003, and as such would not appear to provide forensic examiners with a radically new challenge (one new feature to note in Vista's implementation of EFS, however, is that encryption certificates can now be stored on smart cards). As with BitLocker, or indeed any other form of encryption, live response and the use of standard recovery procedures - especially at the enterprise level - are likely to be key components of any plan to analyze encrypted data.
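As an added example (not from the article), the following batch script for an elevated cmd prompt on a live Vista system uses cipher.exe, which ships with Windows, to record which files are EFS-encrypted and which user and recovery certificates can decrypt them; the evidence path E:\case_notes is an assumed placeholder.

```batch
@echo off
rem Added example, not part of the original article: inventory EFS-encrypted
rem files on a live system and note who holds the keys to them.
rem Assumes an elevated cmd prompt. cipher.exe ships with Windows; the /C
rem switch used in step 2 is the Vista addition.
rem OUTDIR is a placeholder; point it at the examiner's evidence media.
setlocal
set OUTDIR=E:\case_notes
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem 1. Enumerate encrypted files on all local drives.
rem    /U touches every encrypted file to update its keys; /N suppresses the
rem    update so the pass is list-only. findstr keeps just the path lines
rem    (those beginning with a drive letter), dropping cipher's header text.
cipher /u /n | findstr /r /c:"^[A-Za-z]:\\" > "%OUTDIR%\efs_files.txt"

rem 2. For each encrypted file record who can decrypt it. The output lists
rem    the user certificates and any recovery certificates, which is where
rem    an enterprise recovery procedure would start. Errors (for example
rem    access-denied lines passed through from step 1) land in the same log.
for /f "usebackq delims=" %%F in ("%OUTDIR%\efs_files.txt") do (
    echo ==== %%F >> "%OUTDIR%\efs_access.txt"
    cipher /c "%%F" >> "%OUTDIR%\efs_access.txt" 2>&1
)

rem 3. Show the examiner a quick count so an empty result is obvious.
for /f %%N in ('find /c /v "" ^< "%OUTDIR%\efs_files.txt"') do (
    echo %%N encrypted file(s) recorded in %OUTDIR%\efs_files.txt
)
endlocal
```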
"Backup and Restore"
In contrast to encryption, some new features can actually work to the forensic examiner's advantage. One example is the increased prevalence of backup and restore functionality within Vista. "The Backup and Restore Center" [ref 6] is a GUI-based wizard available in the Home Premium, Business, Ultimate, and Enterprise editions of Vista which enables users to schedule automatic backups of selected files (as well as providing a method for recovery). Generally speaking, users (especially home and small office users) are incredibly poor at backing up their data and where they do take the necessary steps to do so they are inconsistent at best, often backing up once and then forgetting to do so again for months at a time. The automatic scheduling component of "The Backup and Restore Center" should increase the chances of recent backups being available for examiners. Backups can be created on external media as well so investigators should, as always, take into account the presence of DVDs, CDs, external hard drives etc. when securing a scene.
Another feature called "Complete PC Backup and Restore" [ref 7] is available in the Business, Ultimate, and Enterprise editions only and functions as a disaster recovery tool. Crucial differences between this feature and "The Backup and Restore Center" include the fact that operating system and program files, together with data related to a user's own operating environment, are also included in the backup. Overall, although backup and restore options have been available in some form within previous Microsoft products, their goal with Vista has been to make the functionality more visible and intuitive. If by doing so they are able to increase the amount of historical information available for examination then investigators are likely to benefit as a result.
"Scheduled and Network Backup"
Available in the Home Premium, Business, Ultimate and Enterprise editions of Vista, "Scheduled and Network Backup" is a feature which does exactly what you might expect and allows backups to be made at regular, pre-defined intervals. Handy for the user...even handier for the investigator examining the user's data and past activity.
"Shadow Copy, System Protection" and previous versions
Shadow Copy functionality automatically creates daily copies of files and folders with a view to maintaining system integrity (Shadow Copies can also be created manually by setting a "restore point") [ref 8]. Previously seen in Windows Server 2003, this functionality is now available in the Business, Enterprise, and Ultimate editions of Vista. Of note for forensic practitioners is that, unlike other recovery features such as "Backup and Restore", the automatic creation of shadow copies is enabled by default (although it needs to be explicitly enabled for external volumes) and shadow copies are held locally - the default setting reserves 15% of a volume's disk space for shadow copies. It should also be noted that the system works by saving only incremental changes rather than full copies of files or folders.
Shadow copy functionality is administered via the System Protection tab (Control Panel -> System Properties) and can be utilized by right clicking a file or folder within Windows Explorer and selecting "Restore previous versions." Similar types of "snapshot" functionality have existed in previous Windows operating systems to some degree but Vista's implementation represents a greater push by Microsoft towards encouraging its use by the end user rather than just applications or system administrators.
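An added example, not part of the original article, showing how an examiner at an elevated cmd prompt could enumerate a live Vista volume's shadow copies with vssadmin (including the storage reservation described above) and expose one through a directory symbolic link so ordinary tools can read the earlier versions; the volume letter, snapshot number and mount path are assumed placeholders.

```batch
@echo off
rem Added example, not part of the original article: list the shadow copies
rem held on a live Vista volume and mount one for inspection.
rem Assumes an elevated cmd prompt; vssadmin and mklink ship with Vista.
rem VOLUME, MOUNTPOINT and the snapshot number are placeholders.
setlocal
set VOLUME=C:
set MOUNTPOINT=%SystemDrive%\vss_evidence

rem 1. How much space is reserved for snapshots on this volume? The
rem    "Maximum Shadow Copy Storage space" line confirms whether the
rem    default 15 percent reservation mentioned in the article is in force.
vssadmin list shadowstorage /for=%VOLUME%

rem 2. Enumerate the snapshots. Each entry carries a creation time and a
rem    "Shadow Copy Volume" device path of the form
rem    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
vssadmin list shadows /for=%VOLUME%

rem 3. Choose the snapshot of interest from the listing above. The trailing
rem    backslash is required; without it the link created below is unusable.
set SHADOW=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

rem 4. Expose the snapshot as a directory symbolic link. Shadow copy volumes
rem    are read-only, so browsing them does not alter the evidence.
if exist "%MOUNTPOINT%" rmdir "%MOUNTPOINT%"
mklink /d "%MOUNTPOINT%" "%SHADOW%"

rem 5. Compare user profile directories as they are now and as they were
rem    when the snapshot was taken; differing timestamps and entries point
rem    at files worth recovering from the snapshot.
dir /a "%VOLUME%\Users"
dir /a "%MOUNTPOINT%\Users"

rem 6. Remove the link. The snapshot itself is untouched.
rmdir "%MOUNTPOINT%"
endlocal
```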
If the reader is starting to think that the combination of all these new features with the variety of Vista versions upon which they run is somewhat confusing then take heart...so does Microsoft (judging by the number of inconsistencies in some of their online material!).
The file system
Detailed, comprehensive information from Microsoft about all the changes implemented in Vista's file system is fairly hard to come by, with perhaps the most obvious improvement offered at a lower level being Transactional NTFS (TxF) [ref 9], a feature which allows a series of file system operations (collectively termed a "transaction") either to be carried out in its entirety or rolled back. Although this may be beneficial for system integrity it would not appear to have immediate significance from an investigative standpoint. Changes to some data objects, however, may well be of significance and in the next article we will be taking a closer look at how Vista handles file metadata. Overall, in the absence of the introduction of a brand new file system (such as WinFS), it seems reasonable to assume that the changes introduced with Vista will be relatively few. Unless further information is forthcoming from Microsoft, testing and analysis, together with the information on previous versions of NTFS conveyed by Brian Carrier in his 2005 book "File System Forensic Analysis" [ref 10], may remain the best source of new knowledge at the file system level.
Concluding part one
In this article we have taken a fairly high level view of some of the new features in Vista which may be of interest to forensic investigators. In part two of this series we will be looking in further detail at these changes and concentrating on the typical user activities which commonly come under the scope of an investigation, such as web browsing and email usage.
References
[ref 1] http://www.microsoft.com/windows/products/windowsvista/editions/choose.mspx
[ref 2] http://www.theregister.co.uk/2007/02/02/computer_forensics_vista/
[ref 3] http://it.slashdot.org/it/07/02/05/2254247.shtml
[ref 4] https://www.trustedcomputinggroup.org/faq/TPMFAQ/
[ref 5] http://cyberspeak.libsyn.com/index.php?post_id=175719
[ref 6] http://www.microsoft.com/windows/products/windowsvista/features/details/backup.mspx
[ref 7] http://www.microsoft.com/windows/products/windowsvista/features/details/completepcbackup.mspx
[ref 8] http://www.microsoft.com/windows/products/windowsvista/features/details/shadowcopy.mspx
[ref 9] http://msdn2.microsoft.com/en-us/library/aa365456.aspx
[ref 10] http://www.digital-evidence.org/fsfa/
About the author
Jamie Morris is the founder of Forensic Focus, a popular computer forensics website where investigators are encouraged to share their knowledge and experiences.
© 2007 SecurityFocus