A Linux-Based "Breath Test" For Porn On PCs
Gwaihir the Windlord writes "A university in Western Australia has started beta testing a tool that's described as 'a random breath test' to scan computers for illicit images. According to this article it's a clean bootable Linux environment. Since it doesn't write to the hard drive, the evidence is acceptable in court, at least in Australia. They're also working on versions to search for financial documents in fraud squad cases, or to search for terrorist keywords. Other than skimming off the dumb ones, does anyone really expect this to make a difference?" The article offers no details on what means the software uses to identify suspicious files.
Helix (Score:5, Informative)
Re:About the only way it COULD work... (Score:3, Informative)
There was a Slashdot story a few weeks back about a company claiming to be able to detect images inside encrypted drives: http://yro.slashdot.org/article.pl?sid=08/07/17/2043248/ [slashdot.org]
If they're just checking hashes you could change the R, G, or B of a random pixel by 1 and change the hash, or even just add random text to the EXIF data.
Re:Can't be challenged forensically? (Score:5, Informative)
Good meatspace analogies would be OJ Simpson's DNA showing up on evidence only after he gave a blood sample. More hypothetically, say the cops take your backpack as evidence. What happens to it? Well, it sits in a police warehouse storage facility somewhere, possibly for months. If any cop has access to that backpack on demand for this whole time, then there is effectively no way to prevent someone from stuffing the bag full of drugs. No accountability. So for meatspace evidence, there are very strict rules that say you have to keep track of every person who has access to that piece of evidence. There can be no exceptions.
The equivalent in the computer forensics world is that you have to guarantee you didn't alter the original equipment's hard disk. Proper forensic analysis involves making a *copy* bit-for-bit and then analyzing this copy. The new thing here is a bootable CD that presumably has been rigorously tested and certified (by who, I couldn't say) that it literally cannot modify the hard disk.
Re:About the only way it COULD work... (Score:5, Informative)
Actually, no. This method does not work - which is what I said at the time. Because this misinformation is apparently still around, I decided to run a test.
I took a large file (1600x1200 px) and then applied a basic red-eye reducing algorithm to various spots on the image. The result: visually, exactly the same image.
Then I turned to my trusty Apple Preview. I resized each photo to 9% of its original size (144x108 pixels), and then proceeded to turn the color saturation down to 0 (black and white). I then saved each file in an uncompressed TIFF format. Lastly, I computed the md5 hash for each file.
Result?
MD5 (smlimg3.tiff) = d300d23ce0ca2d6dcc7188665b1e2ada
MD5 (smlimg4.tiff) = a1cf7d59f9bf4ccceb6651c5f08750dd
Let me say this once more, in case anyone else who blindly accepts anything they read on the internet has heard this: THIS TECHNIQUE DOES NOT WORK. To compare two SIMILAR images, one needs to use an image comparison algorithm - of which there are many. Hashing ONLY works on two images which are EXACTLY the same.
If you doubt the test or the results, I would be glad to email you all of my test pictures so you can see them and calculate their md5s for yourself.
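The point made in the post above (a cryptographic hash such as MD5 changes completely after a one-pixel edit, whereas comparing similar images needs an image comparison algorithm) can be shown in a few lines. The following is an added example, not code from the original thread or from the tool in the article: it builds a constructed 16x16 grayscale gradient, applies the two edits discussed in the thread (one pixel nudged by 1, and a white square painted in a corner), then compares the MD5 of the raw pixel bytes against a toy "difference hash" (dHash, a simple perceptual hash that downscales the image and records whether each pixel is brighter than its right-hand neighbour). The image size, the gradient, and the dHash parameters are all assumptions chosen for the demonstration; nothing here says what the article's tool actually does.

```python
import hashlib

# Constructed sample image: 16x16 grayscale gradient, rows of 0-255 values.
WIDTH, HEIGHT = 16, 16


def make_image():
    return [[(x * 16 + y * 8) % 256 for x in range(WIDTH)] for y in range(HEIGHT)]


def to_bytes(img):
    return bytes(v for row in img for v in row)


def md5_hex(img):
    # Cryptographic hash of the raw pixel bytes: any single-byte change flips it.
    return hashlib.md5(to_bytes(img)).hexdigest()


def downscale(img, w, h):
    # Box-average downscale to w x h (each output pixel is the mean of a source block).
    src_h, src_w = len(img), len(img[0])
    out = []
    for j in range(h):
        y0, y1 = j * src_h // h, (j + 1) * src_h // h
        row = []
        for i in range(w):
            x0, x1 = i * src_w // w, (i + 1) * src_w // w
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img, size=8):
    # Difference hash: downscale to (size+1) x size, emit one bit per horizontal
    # neighbour pair (1 if the right pixel is brighter). 64 bits for size=8.
    small = downscale(img, size + 1, size)
    bits = 0
    for row in small:
        for i in range(size):
            bits = (bits << 1) | (1 if row[i] < row[i + 1] else 0)
    return bits


def hamming(a, b):
    # Number of differing bits between two perceptual hashes.
    return bin(a ^ b).count("1")


def nudge_pixel(img, x, y, delta=1):
    # The "change one channel of one pixel by 1" trick from the thread.
    out = [row[:] for row in img]
    out[y][x] = max(0, min(255, out[y][x] + delta))
    return out


def paint_square(img, x0, y0, side, value=255):
    # The "small white square in the corner" edit from the thread.
    out = [row[:] for row in img]
    for y in range(y0, y0 + side):
        for x in range(x0, x0 + side):
            out[y][x] = value
    return out


def evaluate(original, edited):
    return {
        "md5_same": md5_hex(original) == md5_hex(edited),
        "dhash_distance": hamming(dhash(original), dhash(edited)),
    }


def compare():
    original = make_image()
    return {
        "pixel": evaluate(original, nudge_pixel(original, 5, 7, 1)),
        "square": evaluate(original, paint_square(original, 0, 0, 3)),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Running it shows the asymmetry the post describes: both edits produce a different MD5, while the one-pixel nudge leaves the dHash unchanged (distance 0) and the corner square moves only a few of its 64 bits. A matcher would compare such hashes with a distance threshold rather than test for equality; a database of MD5s of known files, by contrast, only ever finds bit-identical copies.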
Re:About the only way it COULD work... (Score:5, Informative)
It seemed like the sort of thing that would work in theory, but I can see why it doesn't. Even changing a few pixels in the corner (I made a 10x10 white square) gave drastically different MD5s.
I'm a moron for blindly accepting a +5 post as fact, please mod down my original post.
Re:Can't be challenged forensically? (Score:2, Informative)
At my job we use one of these; it does IDE and SATA. $350 isn't a lot of money to pay if you have to do forensics work.
http://www.digitalintelligence.com/products/ultrablock_ide-sata_ro/ [digitalintelligence.com]
It has switches for changing it into Read/Write mode, but you have to break off a piece of the case to get to them. On the Read/Write model there is no cover over the switches.
As another poster wrote, the Helix Tools are very good as well.