Conference: Systems, Applications and Technology Conference, 2009. LISAT '09

Implications of Microsoft Vista operating system for computer forensics investigations

Abstract

With the growing importance of computer-related evidence today, it is important for law enforcement, prosecutors and computer forensics investigators to understand changes in their technical environment that are impacting the discovery and nature of evidence. Microsoft's Vista ("Vista") is one change that has brought new challenges for digital investigations, particularly relating to new mechanisms of encryption and general security. This paper will identify those challenges and prescribe possible solutions. More specifically this research proposes practical ways in which the digital investigator can retrieve critical file metadata, explore file systems and record log files. The focus of this paper will be on the changes to Microsoft's new technology file system (NTFS). In general, Vista has placed a greater emphasis on file sharing across the Internet so XML file formats are more pervasive. Security, and more specifically encryption, is more prevalent in Vista and so this paper will focus on changes to Windows Mail. Although there is no empirical evidence, it appears as though prosecutors heavily rely on electronic mail evidence. With the continuous expansion in size of flash memory, it was imperative to note changes to the digital footprint left by USB thumbdrives as well as the impact of Microsoft's new volatile memory expansion tool - ReadyBoost. Log files are also a crucial source of evidence in computer forensics investigations and these are discussed in great detail as changes in Vista have changed the nature of this evidence. This research paper will discuss the relevance of changes to evidence in Vista by highlighting the use of certain evidentiary files in court cases. Finally, the implications of changes brought about by Vista will be made apparent through experiments conducted with bit-stream imaging tools utilized by law enforcement and other computer forensics examiners. Vista has notable implications for computer forensics investigations. However, this research will prepare the digital investigator for the transition to the Vista operating system and the transformation of digital evidence associated with this new platform.