Need help on my assignment. INSTRUCTIONS For your second graded project, write a
Question
Need help on my assignment.
INSTRUCTIONS
For your second graded project, write a paper no longer than three pages on your research.
SCENARIO
Windows XP is no longer provided on new computers or sold commercially as Microsoft phases it out. Windows Vista is also being phased out in favor of Windows 7. What effect might these changes have on data acquisitions for new machines? Using the textbook and Internet search engines, research Windows 7 and its new technologies. Then, write a paper detailing additional steps and procedures forensics examiners may face in performing data acquisitions on new machines.
Explanation / Answer
Eight months after launch, Windows 10 was running on 270m devices. Windows 7 is going away: Microsoft will stop supporting it in 2020. It has therefore encouraged early adoption by offering a free upgrade to Windows 10.
Features of Windows 7:
Active Directory Rights Management Services (RMS): 1. 4 KB cipher block chaining (CBC) support for encryption has been added. 2. A new API, DRMGetSignedIssuanceLicenseEx, allows you to control which rights account certificate (RAC)/client licensor certificate (CLC) pair is used for each call to retrieve a signed issuance license.
Biometric Service API: Use the Biometric Service API to create client applications that call into the Windows Biometric Framework (WBF) to capture, save, and compare end-user biometric information. You can use the Windows Biometric Framework API to create client applications that securely capture, save, and compare end-user biometric information. Developers who use this API should be familiar with the C and C++ programming languages and the Windows-based programming environment. The Windows Biometric Framework API is supported beginning with Windows Server 2008 R2 and Windows 7.
Distributed File System Replication (DFSR): Removal of DFSR client support: beginning with Windows Server 2008 R2, DFSR is available only on Windows Server operating systems. The only client version that supports DFSR is Windows Vista.
Battery Saver: In this release, your application can be notified when battery saver is turned on or off.
Enhanced Storage: Purpose: Enhanced Storage provides an extensible platform for accessing additional functions made available by enhanced storage devices, above and beyond the primary function of data storage. Developer audience: the Enhanced Storage API is designed for use with C/C++. Run-time requirements: Enhanced Storage is supported natively in Windows Vista with Service Pack 2 and Windows 7.
Enhanced Taskbar: The taskbar has been extended significantly under the guiding principle of getting users where they're going as quickly and efficiently as possible. To that end, the application windows, files, and commands that the user needs to accomplish that are now centralized into a single taskbar button that consolidates previously scattered information sources and controls. A user can now find common tasks, recent and frequent files, alerts, progress notifications, and thumbnails for individual documents or tabs all in one place.
Internet Explorer: Internet Explorer 8 is available for download and is also included in Windows 7.
Location API: The Location API helps to simplify location-aware programming by providing a standard way to retrieve data about user location and standardizing formats for location data reports. The Location API automatically handles transitions between location data providers and always chooses the most accurate provider for the current situation.
Mobile Broadband: The Mobile Broadband API is used to implement connectivity to cellular networks. Applications should not communicate with such mobile broadband devices directly. Instead, they must use the Mobile Broadband API.
Sensor API: Sensors are devices or mechanisms that can measure physical phenomena, provide descriptive data, or provide information about the state of a physical object or environment. Computers can make use of built-in sensors, sensors that are connected through wired or wireless connections, or sensors that provide data through a network or the Internet.
Virtual Hard Disk: The Virtual Hard Disk (VHD) format is a publicly available image format specification that specifies a virtual hard disk encapsulated in a single file, capable of hosting native file systems while supporting standard disk and file operations.
Windows Connect Now: Windows Connect Now (WCN) allows mobile and embedded devices, 802.11 access points (APs), and computers to securely connect and exchange settings with each other. WCN is designed for the home or small business user, providing a reasonable compromise between ease of use and robust security.
Windows Ribbon Framework: The Windows Ribbon (Ribbon) framework is a rich command presentation system that provides a modern alternative to the layered menus, toolbars, and task panes of traditional Windows applications.
Windows Troubleshooting Platform: Windows Troubleshooting Platform (WTP) provides ISVs, OEMs, and administrators the ability to write troubleshooting packs that are used to discover and resolve issues found on the computer.
XPS documents: Application developers can use XPS documents to share and archive content as electronic paper in a high-fidelity, efficient, and trustworthy format. The XPS document APIs enable developers to create, access, and manipulate XPS documents easily.
Steps in performing data acquisitions:
1. Verification: Normally the computer forensics investigation will be done as part of an incident response scenario; as such, the first step should be to verify that an incident has taken place. Determine the breadth and scope of the incident and assess the case: what is the situation, the nature of the case and its specifics? This preliminary step is important because it will help in determining the characteristics of the incident and defining the best approach to identify, preserve and collect evidence. It might also help justify to business owners taking a system offline.
2. System Description: Then follows the step where you start gathering data about the specific incident. Start by taking notes and describing the system you are going to analyze: where the system is being acquired, and what the system's role is in the organization and in the network. Outline the operating system and its general configuration, such as disk format, amount of RAM and the location of the evidence.
3. Evidence Acquisition: Identify possible sources of data, acquire volatile and non-volatile data, verify the integrity of the data and ensure chain of custody. When in doubt about what to collect, be on the safe side: it is better to collect too much than too little. During this step it is also important that you prioritize your evidence collection and engage the business owners to determine the execution and business impact of the chosen strategies. Because volatile data changes over time, the order in which data is collected is important. One suggested order in which volatile data should be acquired is network connections, ARP cache, login sessions, running processes, open files, the contents of RAM and other pertinent data; please note that all this data should be collected using trusted binaries and not the ones from the impacted system. After collecting this volatile data you go into the next step of collecting non-volatile data such as the hard drive. To gather data from the hard drive, depending on the case, there are normally three strategies to make a bit-stream image: using a hardware device like a write blocker, in case you can take the system offline and remove the hard drive; using an incident response and forensic toolkit such as Helix to boot the system; or using live system acquisition (locally or remotely), which might be used when dealing with encrypted systems or systems that cannot be taken offline or are only accessible remotely. After acquiring data, ensure and verify its integrity. You should also be able to clearly describe how the evidence was found, how it was handled and everything that happened to it, i.e. chain of custody.
4. Timeline Analysis: After the evidence acquisition you will start your investigation and analysis in your forensics lab. Start by doing a timeline analysis. This is a crucial and very useful step because it includes information such as when files were modified, accessed, changed and created, in a human-readable format known as MAC time evidence. The data is gathered using a variety of tools and is extracted from the metadata layer of the file system (inodes on Linux or MFT records on Windows) and then parsed and sorted in order to be analyzed. Timelines of memory artifacts can also be very useful in reconstructing what happened. The end goal is to generate a snapshot of the activity done on the system, including its date, the artifact involved, the action and the source. The creation is an easy process but the interpretation is hard. During the interpretation it helps to be meticulous and patient, and it is easier if you have comprehensive knowledge of file system and operating system artifacts. To accomplish this step several commercial or open source tools exist, such as the SIFT Workstation, which is freely available and frequently updated.
5. Media and Artifact Analysis: In this step you will be overwhelmed with the amount of information that you could be looking at. You should be able to answer questions such as what programs were executed, which files were downloaded, which files were clicked on, which directories were opened, which files were deleted, where the user browsed to, and many others. One technique used in order to reduce the data set is to identify files known to be good and the ones that are known to be bad. This is done using databases like the National Software Reference Library from NIST and hash comparisons using tools like hfind from The Sleuth Kit. In case you are analyzing a Windows system you can create a super timeline. The super timeline will incorporate multiple time sources into a single file. You must have knowledge of file systems, Windows artifacts and registry artifacts to take advantage of this technique, which will reduce the amount of data to be analyzed. Other things that you will be looking at are evidence of account usage, browser usage, file downloads, file opening/creation, program execution and USB key usage. Memory analysis is another key analysis step in order to examine rogue processes, network connections, loaded DLLs, evidence of code injection, process paths, user handles, mutexes and many others. Beware of anti-forensic techniques such as steganography or data alteration and destruction, which will impact your investigation analysis and conclusions.
6. String or Byte Search: This step consists of using tools that search the low-level raw images. If you know what you are looking for, then you can use this method to find it. It is in this step that you use tools and techniques that look for byte signatures of known files, known as magic cookies. It is also in this step that you do string searches using regular expressions. The strings or byte signatures that you will be looking for are the ones that are relevant to the case you are dealing with.
7. Data Recovery: This is the step in which you will be looking at recovering data from the file system. Some of the tools that will help in this step are the ones available in The Sleuth Kit, which can be used to analyze the file system, data layer and metadata layer. Analyzing the slack space and unallocated space, and in-depth file system analysis, are part of this step in order to find files of interest. Carving files from the raw images based on file headers using tools like foremost is another technique to further gather evidence.
8. Reporting Results: The final phase involves reporting the results of the analysis, which may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process. Reporting the results is a key part of any investigation. Consider writing in a way that reflects the usage of scientific methods and facts that you can prove. Adapt the reporting style depending on the audience and be prepared for the report to be used as evidence for legal or administrative purposes.
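Windows 7's native VHD support means an examiner will meet disk images that are themselves ordinary files on the acquired drive. The following is an added example, not code from the answer above or from Microsoft, that parses and checksum-verifies the footer that closes every VHD file according to the published VHD format; the footer it reads is one it constructs itself as sample input, so the creator, geometry and unique-id values are placeholders.

```python
# Parse and verify the 512-byte footer that closes every VHD image file (added example).
import struct
from datetime import datetime, timedelta, timezone

FOOTER_LEN = 512
COOKIE = b"conectix"                                   # marks a VHD footer
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # timestamps count seconds from here

def footer_checksum(footer: bytes) -> int:
    """Spec checksum: one's complement of the byte sum with the checksum field (bytes 64..67) zeroed."""
    zeroed = footer[:64] + b"\x00" * 4 + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF

def parse_footer(footer: bytes) -> dict:
    """Decode the fields an examiner wants first and flag a bad cookie or checksum."""
    if len(footer) != FOOTER_LEN:
        raise ValueError("footer must be exactly 512 bytes")
    if footer[:8] != COOKIE:
        raise ValueError("missing 'conectix' cookie: not a VHD footer")
    (_features, version, data_offset, ts, app, _app_ver, host_os, original_size,
     current_size, _geometry, disk_type, checksum) = struct.unpack(">IIQI4sIIQQIII", footer[8:68])
    cylinders, heads, spt = struct.unpack(">HBB", footer[56:60])
    return {
        "format_version": f"{version >> 16}.{version & 0xFFFF}",
        "data_offset": data_offset,                 # 0xFFFFFFFFFFFFFFFF on fixed disks
        "created": VHD_EPOCH + timedelta(seconds=ts),
        "creator": app.decode("ascii", "replace"),
        "host_os": host_os.to_bytes(4, "big").decode("ascii", "replace"),
        "original_size": original_size,
        "current_size": current_size,
        "geometry": (cylinders, heads, spt),
        "disk_type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        "uuid": footer[68:84].hex(),
        "saved_state": bool(footer[84]),
        "checksum_ok": checksum == footer_checksum(footer),
    }

def build_fixed_footer(size_bytes: int, seconds_since_2000: int) -> bytes:
    """Construct a fixed-disk footer as sample input (test data for this example, not a real image)."""
    body = bytearray(FOOTER_LEN)
    body[0:8] = COOKIE
    struct.pack_into(">IIQI4sIIQQ", body, 8, 2, 0x00010000, 0xFFFFFFFFFFFFFFFF,
                     seconds_since_2000, b"win ", 0x00060001, 0x5769326B, size_bytes, size_bytes)
    # Geometry here is a constructed value; the spec's CHS algorithm is not reproduced.
    struct.pack_into(">HBBI", body, 56, size_bytes // 512 // 68, 4, 17, 2)
    body[68:84] = bytes(range(16))                  # placeholder unique id
    struct.pack_into(">I", body, 64, footer_checksum(bytes(body)))
    return bytes(body)

if __name__ == "__main__":
    print(parse_footer(build_fixed_footer(10 * 1024 * 1024, 12345)))
```

On a real image, read the last 512 bytes of the .vhd file and pass them to parse_footer; a failed checksum or missing cookie is the first sign the file is truncated or not a VHD at all.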
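The integrity and chain-of-custody part of step 3 (Evidence Acquisition), as an added example that is not part of the original answer: it hashes a constructed image file in chunks, appends one custody entry per handling event, and shows verification failing once the image is written to, which is the situation a write blocker exists to prevent. The file names and the JSON-lines log layout are assumptions.

```python
# Hash a bit-stream image at acquisition, log it as a chain-of-custody entry, re-verify later (added example).
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-gigabyte images never sit in memory

def hash_image(path: str) -> dict:
    """MD5 and SHA-256 of the whole image; both are commonly recorded on acquisition forms."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            size += len(block)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def record_custody(log_path: str, image_path: str, examiner: str, event: str) -> dict:
    """Append one JSON line per handling event: who, when, what, and the hashes at that moment."""
    entry = {"when": datetime.now(timezone.utc).isoformat(), "who": examiner,
             "event": event, "image": os.path.basename(image_path), **hash_image(image_path)}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry

def verify_image(log_path: str, image_path: str) -> bool:
    """Compare the current SHA-256 with the one logged at acquisition (the first entry)."""
    with open(log_path, encoding="utf-8") as fh:
        acquisition = json.loads(fh.readline())
    return hash_image(image_path)["sha256"] == acquisition["sha256"]

def demo() -> tuple:
    """Constructed scenario: acquire, verify, then simulate a stray write to the image."""
    with tempfile.TemporaryDirectory() as work:
        image, log = os.path.join(work, "evidence01.dd"), os.path.join(work, "custody.jsonl")
        with open(image, "wb") as fh:               # stand-in for a bit-stream image
            fh.write(bytes(range(256)) * 8192)      # 2 MiB of constructed data
        record_custody(log, image, "examiner A", "acquired via write blocker")
        intact = verify_image(log, image)
        with open(image, "r+b") as fh:              # what a mount without a write blocker can do
            fh.seek(512)
            fh.write(b"\x00" * 16)
        record_custody(log, image, "examiner B", "re-hashed before analysis")
        return intact, verify_image(log, image)

if __name__ == "__main__":
    print(demo())  # (True, False)
```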