Monday, August 17, 2015

Keep Windows 10 off Your Forensic Machine (for now)


With the much anticipated recent release of Windows 10 comes a number of concerns for digital forensic examiners.  Full disclosure, I’m an Apple guy.  I like Apple products very much and wish I could do all of my forensic work on OS X, but that’s not realistic, so I do the next best thing and run Boot Camp on my Macs and use Windows 7 as my primary operating system when performing digital forensic examinations (except when using tools such as Lantern and Recon).  But now I have the ever-present “you should upgrade” notification on the bottom-right of my screen every time I boot up.  No, Microsoft, I will not upgrade, not for a long, long time.  Here’s why…



As a bit of a history lesson, when I attended the SCERS course, Windows 7 was still new.  Because of that, we installed a full version of Windows XP on the forensic systems we built in the course.  Why?  First, Windows Vista was an abhorrent operating system.  Second, Windows XP was the most stable operating system available for running forensic tools and conducting forensic analysis with those tools.  We had few or no compatibility problems with EnCase, FTK and the other freeware we installed on the systems.  This taught me a valuable lesson about building forensic computer systems – go with what works!

I think it’s safe to say most digital forensic professionals are also (at least partially) tech geeks and gadget folks.  We like new tech stuff.  We like to play with it and test it and put it through its paces.  To some degree, most software development companies (Apple and Microsoft included) use this quality in users of their newer products to conduct de-facto beta testing.  Yes, you can get beta and/or developer versions of software early, but the feedback provided by that small percentage of users is not as universal as rolling out an operating system on the open market.  By doing that, the software companies get millions of tests in thousands of different environments, making it the best beta test on the market.  They then use these “tests” to update and re-vamp the software.  But there are some truisms about stability and best practices with regard to constructing digital forensic systems that should not be overlooked when seeking to upgrade to the newest operating system.

First, you will have compatibility problems.  By virtue of the fact that Windows 10 is a new operating system with nuances that are not yet fully understood by the forensic community, you will have some compatibility problems.  Add to the mix that digital forensics is a relatively small community, and that users of digital forensic software on a Windows platform aren’t exactly the target demographic for Microsoft research and development, and the law of averages dictates that digital forensics won’t be much of a consideration for Microsoft when constructing their operating system(s).  Sorry friends, we’re not that important to the tech giants.

The second issue is stability.  Like I said before, Windows XP was the most stable operating system at the time I attended SCERS at FLETC in 2010, so that’s what we installed on the forensic systems.  It wasn’t until 2 years later when I attended BCERT at the National Computer Forensic Institute that Windows 7 was deemed stable enough to run most digital forensic software we were provided.  Think about the first-run of any product on the consumer market.  From iPhones to Android phones to computers to cars, the first-run of any product is subject to instability, tweaks, modifications and updates.  It can often take years to work the bugs out of any system and even after all that time, it can still be deemed garbage (i.e., Windows Vista).  The stability of any system is vital to the successful operation of digital forensic tools on that system. 

Some other considerations include functionality, system requirements and validation of the software platform on which you’re using your forensic tools.  At the very least, if you are looking to install Windows 10 on a forensic machine, consider taking the following steps:


  • Make a full backup image of your forensic machine before you upgrade
  • Consider installing the new operating system on a secondary or alternative machine
  • Research compatibility problems with your most often-used software on the Windows 10 platform and try to find additional updates and/or work-arounds
      o (Note: Cellebrite UFED for PC has already encountered and fixed some compatibility issues)
  • Test, validate, repeat
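The “test, validate, repeat” step is easier to defend in court if it leaves a record. The script below is an added example (not from the original post and not tied to any particular vendor): it captures what each tool produced on a known reference image under the validated operating system, diffs a run on the Windows 10 test machine against it, and flags any tool that was not exercised or did not reproduce its known-good results. Tool names, versions and result values are constructed placeholders.

```python
"""Test, validate, repeat: diff what each forensic tool produced on a known
reference image under the validated OS against a run on the upgraded box.
Added example; tool names, versions and result values are constructed."""
import platform


def make_run(tool_versions, results, os_label=None):
    """One validation run: OS build, tool versions and per-tool results
    (e.g. the hash a tool reported for the reference image, item counts)."""
    return {
        "os": os_label or platform.platform(),
        "tools": dict(tool_versions),
        "results": {tool: dict(vals) for tool, vals in results.items()},
    }


def compare_runs(baseline, candidate):
    """Return {tool: "VALIDATED" | "UNTESTED" | [mismatch, ...]}; a tool is
    compared even if its version changed, since reproducibility is the point."""
    report = {}
    for tool, expected in baseline["results"].items():
        actual = candidate["results"].get(tool)
        if actual is None:
            report[tool] = "UNTESTED"  # tool not exercised on the new OS
            continue
        mismatches = [
            f"{key}: expected {exp!r}, got {actual.get(key)!r}"
            for key, exp in expected.items() if actual.get(key) != exp
        ]
        report[tool] = mismatches or "VALIDATED"
    return report


def validation_passed(report):
    """True only when every tool in the baseline reproduced its results."""
    return all(status == "VALIDATED" for status in report.values())


# Constructed sample data: baseline from the validated Windows 7 machine,
# candidate from a Windows 10 test machine; all values are placeholders.
BASELINE = make_run(
    {"imager": "3.x", "carver": "1.x"},
    {"imager": {"md5": "placeholder-md5", "sectors": 2048},
     "carver": {"jpeg_count": 17, "docx_count": 4}},
    os_label="Windows 7 (validated build)",
)
CANDIDATE = make_run(
    {"imager": "3.x", "carver": "1.x"},
    {"imager": {"md5": "placeholder-md5", "sectors": 2048},
     "carver": {"jpeg_count": 15, "docx_count": 4}},
    os_label="Windows 10 (test machine)",
)
```

Run `compare_runs(BASELINE, CANDIDATE)` after each pass; keep the JSON of both runs with the case notes so the validation history is available if the platform is questioned later.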



As you can see, many of these suggestions take a lot of time and effort.  If you don’t have the time or effort to invest in putting Windows 10 through its paces with your digital forensic tools, consider sticking with an earlier, more stable and validated version of the operating system.  Most of these issues will likely be resolved in time.  But until then, by following these tips you’ll save yourself a lot of heartache in the short term and avoid questions should they arise in formal legal proceedings.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6