Ken,
Very interesting post. I myself am just starting to do some research on this particular subject. I just downloaded and installed Vista Ultimate Beta 2 on my laptop to try to find out. However, as you pointed out, as long as the PC is on and the suspect machine is up and running, I don't see any significant impact from BitLocker.

Let's say the C drive is unencrypted and accessed by some user, say Admin, on the local machine. On the other hand, the E drive partition is completely encrypted with BitLocker AES-256. There is no way to access the E drive area. This is the same story as when we encrypt a volume using third-party drive encryption tools, such as TrueCrypt. Now the C drive is open; it should be, otherwise the system doesn't even run. It means there is no difference when conducting live forensics, whether it is Vista or Windows NT. We can still dump physical memory data. We can still retrieve the logged-in user, opened files, netstat info, running processes, etc.

The only thing I can think of is when the swap area is encrypted, which other third-party encryption tools can still do. In that case, it is a different story. However, it is not limited to Vista. At this moment, my assumption is there is no security advantage when conducting live forensics.

Please let me know what you think.

Yoshi
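The situation Yoshi describes (an unlocked BitLocker volume on a running host is as readable as any other volume, and the live artifacts are the same ones live response has always collected) is what a responder should capture before the machine is ever powered off. The following PowerShell script is an added example, not code from Ken's post or from Yoshi's reply; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later, so it would not run on the Vista beta discussed here), an elevated session, and a hypothetical output folder under %TEMP%. It records each volume's protection state and recovery protectors, flags whether the pagefile sits on a protected volume (the swap case the post singles out), and exports the usual volatile data; physical memory acquisition is left to a memory-imaging tool of the reader's choice.

```powershell
# Added example, not code from the original thread: volatile-state triage for a
# running Windows host on which a BitLocker volume is still unlocked.
# Assumptions: BitLocker PowerShell module (Windows 8 / Server 2012 or later),
# an elevated session, and a hypothetical output folder under %TEMP%.
#Requires -RunAsAdministrator

$OutDir = Join-Path $env:TEMP ("triage-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Record the protection state of every volume while the machine is still up.
#    An unlocked volume reads like any other; after power-off only the key brings it back.
$volumes = Get-BitLockerVolume
$volumes |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage |
    Export-Csv (Join-Path $OutDir 'bitlocker-volumes.csv') -NoTypeInformation

# Preserve the recovery password protectors so the evidence volume can be
# unlocked offline later from a forensic image.
$recovery = foreach ($vol in $volumes) {
    foreach ($kp in $vol.KeyProtector) {
        if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                KeyProtectorId   = $kp.KeyProtectorId
                RecoveryPassword = $kp.RecoveryPassword
            }
        }
    }
}
$recovery | Export-Csv (Join-Path $OutDir 'bitlocker-recovery.csv') -NoTypeInformation

# 2. Flag the case the post singles out: a pagefile that lives on a protected volume.
#    Map drive letter -> ProtectionStatus, then look up each pagefile's drive.
$protected = @{}
foreach ($vol in $volumes) { $protected[$vol.MountPoint.TrimEnd('\')] = $vol.ProtectionStatus }
Get-CimInstance Win32_PageFileUsage | ForEach-Object {
    $drive = Split-Path -Qualifier $_.Name   # e.g. "C:" from "C:\pagefile.sys"
    [pscustomobject]@{
        PageFile         = $_.Name
        Drive            = $drive
        ProtectionStatus = $protected[$drive]
    }
} | Export-Csv (Join-Path $OutDir 'pagefile.csv') -NoTypeInformation

# 3. Capture the same volatile data live response always could: logged-on user,
#    running processes with their owners, and TCP connections tied to process IDs.
Get-CimInstance Win32_ComputerSystem |
    Select-Object Name, Domain, UserName |
    Export-Csv (Join-Path $OutDir 'system.csv') -NoTypeInformation
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, UserName, Path |
    Export-Csv (Join-Path $OutDir 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $OutDir 'tcp.csv') -NoTypeInformation

# 4. Physical memory is the one artifact that disappears at power-off; image it
#    with your memory-acquisition tool of choice before shutting down (not shown here).
Write-Host "Triage written to $OutDir"
```

The ordering is deliberate: the BitLocker state and recovery protectors come first because they are the only items that cannot be recovered once the host is shut down, whereas the process and connection listings are the same whether or not any volume is encrypted, which is exactly the point of the reply above.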