Forensics: Implications of Windows Vista

The document attached is entitled Forensic Implications of Windows Vista, by Barrie Stewart.

This is a detailed document about computer forensics and Vista. It appears to have disappeared from easy access on the web, so it is posted here. No rights are claimed over it; if anybody wants it taken off this site, please contact the site.

Windows XP was launched in 2001 and has since been involved in many digital investigations. Over the last few years, forensic practitioners have developed a thorough understanding of this operating system and are fully aware of any challenges it may create during an investigation. Its successor, Windows Vista, was launched in January 2007 and is fast on its way to becoming the platform of choice for new PCs. Vista introduces many new technologies and refines a number of features carried over from XP. This report focuses on some of these technologies and, in particular, what effect they have on digital investigations.



Forensics Quizzes are on the move

The following quizzes have now been moved to the new site.

A selection of computer forensics tests and quizzes is available on the parent site Where Is Your Data?; these include:

Computer Forensics – NTFS (1) (theory)

Computer Forensics – NTFS (2) (theory)

Computer Forensics – Law (theory)

Who’s Who (in computer forensics and electronic discovery)

The following quizzes have not all been moved across to the new site yet, but are being moved across (all in good time).

Forensics: Importing Hashsets into EnCase (Part 2)

Part 2 of the series. Part 1, on how to import hashes into EnCase, is available here.

Forensics: Importing Hashsets into EnCase (Part 1)

Forensics: FTK Tips

Access Data's latest tips for FTK, on YouTube.

Forensics: Hashes, do they work?

What’s the big deal about hashes?

This article follows on from the previous article on the myths about “verification” in EnCase.

Hashes are the backbone of computer forensics: they are used to identify and remove known, irrelevant (“junk”) files using the NSRL/NIST list. They are used to de-duplicate files in computer forensics and electronic discovery, and they can also be used to de-dupe emails in electronic discovery. But they also form the foundation of evidence security:

  • “If the hash has not been changed the data cannot be changed”
  • “The evidence cannot be tampered with because of the security of hash values”
  • “The evidence is protected by the hash values”

These are just some of the common statements about hash values made by many, if not all, forensic investigators to clients and courts alike.

But is this true?

Subjects such as hash collisions are not relevant to this article; other, far more gifted writers have already ably demonstrated that, for the purposes of computer forensics, the MD5 and SHA-1 hashes are mathematically secure.

It is not the issue of the mathematics and cryptography that is being debated here, but rather the protocol. Can a person stand up in court and state that:

“The evidence cannot have been tampered with because the hash has not been changed.”

The imaging process

Very briefly, this is what happens to an evidence drive during the imaging process, in both criminal and civil cases:

  • A suspect’s hard drive is connected to a computer and imaged (a hardware write blocker is normally used, but systems such as Linux imaging platforms and software blockers can be used with or without hardware write blockers).
  • A hash value is calculated for the image.
  • The hard drive is returned.

In a criminal case the hard drive will be returned to a safe or evidence room until it is required. During the case the defence, in theory, can ask to see the original and check the hash value.

In a civil case the hard drive will normally be returned to the user and, more often than not, the computer will be booted immediately, as the custodian/user/client needs to start working straight away.

This immediately changes the state of the disk; therefore the only evidence of the original hash value is the image. The civil investigator, if challenged, can refer to the original hash value to show that the data has not changed since the image was taken.

Different Data – Same Hash Value

In both of these scenarios there is one rather obvious problem: the evidence can be tampered with and the hash remain unchanged. It just depends on when the data is tampered with.

People debate the pros and cons of hash values and of protecting media: SHA-1 v MD5, software write blockers v hardware write blockers, Linux v Windows, ICS v Tableau, etc., but they never debate the far more common scenario: bad people.

Note: Before going any further it should be made clear that there is no allegation that this has happened, it is merely a theory.

Let’s take those scenarios again:

  1. Person (A) takes possession of a suspect’s hard drive and then connects it to their forensic computer.
  2. Person (A) then images the data.
  3. The computer calculates the hash value = ABC123.
  4. Person (A) provides evidence to court that the image had the hash value ABC123 at the time and has the same value now.

But, what if Person (A) was corrupt? What if Person (A) wanted to frame the suspect?

What if the sequence of events occurred as follows:

  1. Person (A) gets hold of a suspect’s hard drive and then connects it to their computer.
    1. Person (A) runs a script that dumps illicit material into unallocated space.
  2. Person (A) then images the data.
  3. The computer calculates the hash value = ABD123.
  4. Person (A) provides evidence to court that the image had the hash value ABD123 at the time and has the same value now.

Item 1.1 would take minutes, if not seconds, to run, and would be undetectable to the naked eye. Once the data was on the computer it could be impossible to prove that it had been added deliberately.

There would be no need for the procedure to change any dates; this means that it is entirely possible to insert data and simply lie about it. The hash value of the image will not change, and in a criminal case the hash value of the hard drive in storage would match the image, because the illicit material was added before the hash value was calculated.
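As an added illustration (not part of the original article), the following Python simulates the imaging steps and the two orderings above on a constructed drive: an acquisition hash verifies the image only from the moment it is computed, so data written before hashing is indistinguishable from data that was always there, while any change after hashing is detected.

```python
import hashlib

# Constructed sample "drive": 4000 bytes of user data followed by 4 KiB of unallocated space.
USER_DATA = b"quarterly report v3\n" * 200
UNALLOCATED = b"\x00" * 4096
DRIVE = USER_DATA + UNALLOCATED

# Constructed marker standing in for material that was not on the drive at seizure.
PLANTED = b"[material not present at seizure]"


def image_and_hash(drive: bytes) -> tuple[bytes, str]:
    """Acquire a bit-for-bit image and record its acquisition hash.

    The hash describes the bytes as they are at this moment and nothing
    about how they got there. SHA-256 is used here; the argument in the
    text does not depend on which algorithm is chosen.
    """
    image = bytes(drive)
    return image, hashlib.sha256(image).hexdigest()


def verify(image: bytes, acquisition_hash: str) -> bool:
    """All a later check can establish: the image is unchanged since the
    acquisition hash was recorded."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def write_unallocated(drive: bytes, payload: bytes) -> bytes:
    """Simulate a write into the unallocated region (item 1.1 in the text).
    Used only to show what the hash does and does not detect."""
    start = len(USER_DATA)
    return drive[:start] + payload + drive[start + len(payload):]


def run_scenarios() -> dict:
    """Return the verification outcome for each ordering of write vs hash."""
    # Honest acquisition: hash recorded on the untouched drive.
    img_honest, h_honest = image_and_hash(DRIVE)
    # Written BEFORE hashing: the hash is self-consistent, so verify() passes.
    img_pre, h_pre = image_and_hash(write_unallocated(DRIVE, PLANTED))
    # Written AFTER hashing: the recorded hash no longer matches, so verify() fails.
    img_post, h_post = image_and_hash(DRIVE)
    img_post = write_unallocated(img_post, PLANTED)
    return {
        "honest_verifies": verify(img_honest, h_honest),
        "pre_hash_write_verifies": verify(img_pre, h_pre),
        "post_hash_write_verifies": verify(img_post, h_post),
        "pre_hash_image_contains_payload": PLANTED in img_pre,
    }
```

The only record that could expose the first ordering is a hash of the drive taken before the investigator handled it, which in the scenarios above does not exist.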

A physical example of this would be a crooked cop planting drugs on a suspect. The drugs would then be found (following the search) and put in a sealed bag, and if the bag was opened later and tested, the contents would be found to be drugs. The evidence of the seals would be used to prove that the drugs had not been tampered with. But this makes no difference: the drugs were planted, and the seals do not help the person who has been set up.

Could it happen?

The scenario given has never been reported: there has never been a report of the police or a civil investigator inserting evidence onto a hard drive, nor is there reason to believe it has occurred and gone unreported. But could it happen? It is technically possible, but would people really do this?

Firstly, the police have misused data many times in the UK; secondly, people have lied on the stand, on more than one occasion, in relation to computer forensics. Thirdly, police officers have been convicted of all sorts of offences, from blackmail through to rape. Why? It is not because the police are particularly corrupt; it is just that they are selected from the public, and there are crooks in the public, so there will be some criminally minded individuals in the police, though far fewer than in the public as a whole. If you are willing to commit rape and blackmail, you are probably willing to add a few 1s and 0s to a hard drive. During the 1970s and 1980s certain parts of the police (in the UK) had a bad reputation: the law was bent and broken to get convictions of “the bad guys”, innocent people were inevitably caught up in this, and innocent people were wrongly convicted. In fact it was such a problem that new laws and procedures were brought in to try to combat it.

But could it really happen now?

But now, in the modern world, could the police really fake evidence? Sadly, yes, it could still happen. The most obvious example of this is the fingerprint case involving the Scottish police. In this case numerous fingerprint officers in Scotland went to court and testified that the fingerprints they had obtained from a case proved that two people were guilty, one of murder, the other of perjury; the latter was a fellow police officer. But on appeal the world’s fingerprint officers stated that clearly neither fingerprint belonged to the two people in jail. In short, the Scottish police were accused of framing people by lying about fingerprints.

Fingerprints are the closest analogy in the physical world to a hash value, and here were criminal investigators lying about fingerprints. Is it impossible to believe that a person would lie about a hash value, or plant data on a person?

Put another way, given the nature of human beings, which is more likely:

(a)    A hash collision, or

(b)   A forensic investigator doctoring evidence to get the result they require, given that the latter has happened throughout human history and the former has never happened in anything other than a maths paper?

I believe the answer is in the question!


How can forensic investigators combat this? Firstly, the concern about hash value security needs to be replaced with concern about procedures and processes that show that a person is being honest. Possibly the best way forward is to follow the example of the traffic police.

The traffic police have their gadgets, lots of gadgets: radar, lasers, speedometers, etc., all of which can be used to catch us (me) going slightly (a lot) faster than we should. But what do they say when they pull you over?

They say: “We observed you travelling at excess speed because [description of the car and movement], and we can provide additional evidence of this through this device [laser, radar, etc.].”

They could have pointed the radar gun at a motorbike doing 110mph and said it was you; but it is their word that is given in court.

The primary evidence is their word, supported by technology.

Therefore, when in court, the primary evidence that the data has not changed should be the word of the person presenting the evidence, supported by hash values, and not the other way around.

It is the word of the investigator that we are all counting on, from the data collection through to the final analysis; investigators should not shy away from this.

What is computer forensics?

What is computer forensics? How much does it pay? What roles are there? What technology is used? Lots of questions and even more answers. Any of these questions, if answered briefly, will be answered wrongly for some people.

For example, to the question “How much can you earn in computer forensics?” it could be said, with confidence, that it is “£30,000 to £50,000 per year”. While this will be true for many people, it is not true for everyone; in fact it is probably as often wrong as it is right. The directors and leaders in KrollOntrack, the world’s biggest legal technology company, will earn far more than that (you can probably add one or two zeros to that salary); graduates earn a lot less. Forensic consultants in London and New York can also get a good deal more than that, especially once all the benefits are accounted for.

Equally, to the question “Do forensics staff process backup tapes?” the answer would almost certainly be “No” for the vast majority of computer forensics staff. Processing backup tapes is something they would never get involved in, and they would not know an EDB file from an STM file; it is simply not their area, so they would not be expected to. On the flip side, there are people in “forensics” who work in this area, there are even people who only do this, and never image a hard drive or use EnCase; they just work with tapes.

The Expansion of Computer Forensics

Over the years the term “Computer Forensics” has grown to mean more and more.

It now includes, depending on your experience of computer forensics, the collection of data from anything from CDs and USB sticks, through desktops and laptops, to servers, SANs and backup systems.

In addition, it normally includes the investigation of much of this data: emails, files, deleted data, fragmented data, etc.

Currently, the investigation of structured data (i.e. databases), the analysis of frauds, etc. lies mainly with forensic accountants and “data analytics” professionals. That said, some data analytics teams belong to computer forensics departments; for other companies it is the other way around.

Then there is the analysis and investigation of emails. This, some may think, is squarely in the computer forensics area, but others would put it definitively in the electronic discovery arena.

Electronic discovery tools are, in short, far more powerful and capable than any of the “computer forensics” tools. Review platforms, concept searching, near de-duplication, building and displaying social networks, etc.: all of this completely dwarfs anything that EnCase, iLook or FTK can do to assist with the investigation of emails and email communications.

EnCase, despite its huge reputation, cannot do much more with emails than view them in text or hex, or recover deleted files. This functionality has not changed much over the past 10 years. Meanwhile electronic discovery has pushed forward with fantastic technology, from Attenex to ContentAnalyst, from RingTail to Relativity.

Currently the most useful definition of computer forensics is probably this:

  • It involves the collection and analysis of data.

Sadly this is vague, does not really say much, and does a disservice to those who are conducting some highly technical work.

The separation and specialization of computer forensics

Computer forensics now encompasses so much it is really breaking into different areas, much like IT in general has.

Computer forensics areas now include: Civil investigations (data theft, employment issues, fraud investigations, etc), criminal investigations, data analytics, electronic discovery, data collections, data extraction, data recovery, data filtering and processing, data reviews, data hosting, the list goes on.

Much like IT, there are people who specialise in the individual areas. There are people who just collect data, that’s all they do, and they are very good at it. There are those who maintain review platforms, and those who only filter data ready for processing.

There are some people who get involved in a variety of different areas, but there are unlikely to be many (if any) people who get involved in all areas. What people do, and how specialised they are, depends on the size and nature of the company.

Overall it is a great time to be in the industry as it moves in new directions, new specialities are created, and people hone their skills in older areas.

During the past decade computer forensics has evolved dramatically, and the next decade is looking pretty good too.