Daniel J. Cotton, Univ of Nebraska, Omaha
- Vista Firewall
  - filters incoming & outgoing traffic
  - IPsec
- Address space layout randomization (ASLR)
  - randomizes where Vista code is placed in memory
- BitLocker
  - hard drive encryption
  - uses TPM at bootup
  - can be used in one of three modes
  - 128-bit AES, can use 256-bit
- User Account Control (UAC)
  - red/yellow/blue/gray prompt backgrounds have meanings
  - user accounts
  - programs run at the level of the default user
  - must elevate to run as admin
- filesystem
  - volume boot record has moved
  - journaling
  - directory structure changes
    - symbolic links
    - junction points
    - virtual folders
  - registry structure changes
    - virtual registry
  - recycle bin moved & contents changed
- event logs
  - XML format
  - 30 different event logs
- forensic testing preparation and execution
  - downloaded test virtual machines from NIST
  - set up w/ default settings
  - set of no-cost command line tools
  - executed all from a batch script
  - ran each tool separately to find differences
  - focused on command line tools
  - tool list not meant to be complete
  - in Vista, ran as regular user and as admin
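The batch-driven tool run described above, as an added example that is not part of the talk or these notes: a script that runs every tool listed in a text file from the trusted media, saves each tool's output, error stream and exit code into a per-run folder, and warns when a tool's `.mui` resource file is absent. The `tools\` and `tools.txt` layout, the log folder names and the `en-US` locale folder are assumptions chosen for the example; adjust them to the toolkit and locale actually in use.

```batch
@echo off
setlocal EnableDelayedExpansion
:: Added example (not from the talk). Run each command-line tool from the
:: trusted media and log its stdout, stderr and exit code so that runs on
:: XP vs Vista, or as standard user vs elevated admin, can be compared.
:: Assumed layout: tools\ holds the binaries, tools.txt lists one tool
:: (plus optional arguments) per line.

set TOOLDIR=%~dp0tools
set STAMP=%DATE:/=-%_%TIME::=-%
set STAMP=%STAMP: =0%
set LOGDIR=%~dp0logs\%COMPUTERNAME%_%STAMP%
mkdir "%LOGDIR%" 2>nul

:: Record the context of this run: OS version and the account/groups we
:: hold (UAC matters: standard user vs elevated admin gives different results)
ver > "%LOGDIR%\_context.txt" 2>&1
whoami /all >> "%LOGDIR%\_context.txt" 2>&1

for /f "usebackq delims=" %%T in ("%~dp0tools.txt") do call :runtool %%T
echo Done. Results in "%LOGDIR%"
goto :eof

:runtool
:: %1 is the tool file name, %2..%5 are optional arguments from tools.txt
set TOOL=%1
set NAME=%~n1
if not exist "%TOOLDIR%\%TOOL%" (
    echo MISSING: %TOOL% not on trusted media >> "%LOGDIR%\_warnings.txt"
    exit /b
)
:: Vista tools may refuse to run without their MUI resource file; warn if it
:: is not on the media. Assumes an en-US locale subfolder beside the binary.
if not exist "%TOOLDIR%\en-US\%TOOL%.mui" (
    echo WARNING: en-US\%TOOL%.mui not found beside %TOOL% >> "%LOGDIR%\_warnings.txt"
)
echo Running %TOOL% ...
"%TOOLDIR%\%TOOL%" %2 %3 %4 %5 > "%LOGDIR%\%NAME%.out.txt" 2> "%LOGDIR%\%NAME%.err.txt"
echo %TOOL% exit=%ERRORLEVEL% >> "%LOGDIR%\_exitcodes.txt"
exit /b
```

Run the script once per configuration (XP, Vista as user, Vista as admin), then compare the folders with `fc /n logs\<runA>\<tool>.out.txt logs\<runB>\<tool>.out.txt`; a non-zero entry in `_exitcodes.txt` or a non-empty `.err.txt` points at the tools whose behaviour changed.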
- impact of Vista on the tools
  - 3 out of 46 failed completely
  - one failed to resolve installation date
  - some ran with a gray UAC window
  - some ran on XP as user but wouldn't run without admin on Vista
- impact of Vista on *.mui files
  - majority failed
  - .mui file must be copied to the trusted media
  - this behavior is not well documented
- impact of FDCC
  - only two tools failed
  - impact minimal
- conclusion
  - impact of Vista on incident response is significant
  - changes need to be made to the toolset
  - impact of FDCC is less than anticipated