Windows Vista ReadyBoost: A Privacy Problem?

Windows Vista has a ReadyBoost/ReadyDrive/ReadyBoot capability in which frequently used files are cached to flash memory to speed performance.

Question: Do these features of Windows Vista only cache executable application files – or, might they also store frequently used personal data files (e.g., a Microsoft Word document)? If the latter, there may exist a privacy/security issue in so far as an unencrypted copy of an encrypted disk data file could be stored in the flash memory.

 

Q: Isn't user data on a removable device a security risk?
A: This was one of our first concerns and to mitigate this risk, we use AES-128 to encrypt everything that we write to the device.

From http://blogs.msdn.com/tomarcher/archive/2006/06/02/615199.aspx

 

Thanks, Mitch, for the very helpful link.

[1] Concerning the AES-128 encryption, how is the passphrase itself created and managed?

[2] I still wonder, however: are only executable files stored on the ReadyBoost cache – or, can user files (e.g., a Microsoft Word document) also be copied onto the cache, too?

 

Good questions but sorry I do not know about how the encryption names and p/w's are generated and what is actually processed inside the USB key. I guess whatever is processed in a paging file is also processed there from my understanding. I use a 2GB Sandisk Titanium dedicated to ReadyBoost. I have never thought to look in there to see what was put on it. I might look at it tonight when I get home from work.

I can assume the name/pw is based on the product ID number. That way another machine cannot decipher what is on the key.

 

I just found this:

"The driver encrypts each block it writes using Advanced Encryption Standard (AES) encryption with a randomly generated per-boot session key in order to guarantee the privacy of the data in the cache if the device is removed from the system."

Source: http://www.microsoft.com/technet/technetmag/issues/2007/03/VistaKernel/

 

Again, Mitch – appreciate the excellent information you have been providing.

I am, however, a bit confused. If the encryption session key is “per boot,” then how are the contents of the cache used from one boot (start-up) of the PC to the next? Shouldn’t the encryption key be static across boots? Am I misinterpreting something here?

Thank you.

 

Whew, I am no expert on ReadyBoost, lol. I answered your original question because I remember reading it on Tom Archer's blog (that blog has shown up alot on forums where ReadyBoost is questioned). So I have been researching this as I go along learning some new things myself. I was planning to do this anyway once I got the bugs out of my system (I only have one "bug" left but Nvidia has to fix that).

After an extensive search, even on MS's Technet, I cannot find out what exactly happens with ReadyBoost when the computer is rebooted. But a Q&A on Tom's blog may provide a clue:

Q: What happens when you remove the drive?
A: When a surprise remove event occurs and we can't find the drive, we fall back to disk. Again, all pages on the device are backed by a page on disk. No exceptions. This isn't a separate page file store, but rather a cache to speed up access to frequently used data.

The part that I highlighted leaves me to the conclusion that that upon shutdown the pagefile state is saved (thus whatever is also stored on the device) and upon reboot the data is reloaded into the device with a new encryption key. When it is being accessed, my Sandisk flashes a bright blue glow that even though it is installed in a port in the back of my computer I can see the flashes on the dark wall behind it. On boot I have noticed it flashing so I assume that what I described above may be happening. I know this is mostly conjecture but the best I can come up with right now, lol.

BTW, I tried to access the .sfcache file on the device but even under Admin privileges I get an "access denied" message.

 

Mitch, I have sent Tom Archer at Microsoft an email to pursue these questions. I will post whatever I may learn.

Thanks again.

 

Sorry I haven't gotten back sooner but have been laid up with some kind of flu.

Let me know what you find out