In part one of this series we looked at the different editions of Vista available and discussed the various encryption and backup features which might be of interest to forensic examiners. In this article we will look at the user and system features of Vista which may (or may not) present new challenges for investigators and …
Vista and forensics, a whole chapter of law history
"Another interesting change is that Vista is configured by default to not update the last access time on files, a decision made to increase file system performance."
Ah, yes, no Windows version would ever be considered as
complete without the Moronic TM mark!
Why, after all, update the "last access time",
each, er..., last accessed time, eh?
How long before we hear in court from the so-called "experts":
"Your Honor, the suspect has viewed/not viewed the file
just before the event, since the last access time
has/hasn't been updated"?
"Vista ships with Windows Internet Explorer 7 for web browsing and, although forensic examiners will certainly encounter other browsers during Vista's lifetime, it seems reasonable to assume that IE7 and its Microsoft successors will represent the vast majority of browsers whose use comes under investigation."
Possibly the only one that comes under examination,
yes, given the sometimes narrow mindset of "experts" :-)
But IE 7 seems so far, as per my IT experience and furiously "out of IT" neighborhood experience, a bloody
pain in the lower back, at best!
Again, "experts" might just rule out that "the user
has viewed/not viewed something" based on IE history only
while Firefox history might be cleared on exit.
"For the time being though, the fight between those with something to hide and those tasked with uncovering electronic evidence continues."
Yes, indeed. And as with all fights, collateral damage is to
be expected. A lot due to Vista.
People with something to hide should switch to Firefox, while
others should shout loud and clear they're loyal to IE7.