Privacy Software Linux

A Linux-Based "Breath Test" For Porn On PCs

Gwaihir the Windlord writes "A university in Western Australia has started beta testing a tool that's described as 'a random breath test' to scan computers for illicit images. According to this article it's a clean bootable Linux environment. Since it doesn't write to the hard drive, the evidence is acceptable in court, at least in Australia. They're also working on versions to search for financial documents in fraud squad cases, or to search for terrorist keywords. Other than skimming off the dumb ones, does anyone really expect this to make a difference?" The article offers no details on what means the software uses to identify suspicious files.
  • Helix (Score:5, Informative)

    by davrodg ( 889968 ) on Tuesday November 04, 2008 @02:05PM (#25629705) Journal
    Helix can do most of the "breath test" functionality referred to, and is a great forensic Linux distro. Helix is also considered a viable method in which to capture data that is consistent with the chain of custody that is required for evidence to be presented to a Judge. Check it out... http://www.e-fense.com/helix/Download.html [e-fense.com]
  • by click2005 ( 921437 ) on Tuesday November 04, 2008 @02:28PM (#25630137)

    There was a slashdot story a few weeks back about a company claiming to be able to detect images inside encrypted drives.. http://yro.slashdot.org/article.pl?sid=08/07/17/2043248/ [slashdot.org]

    If they're just checking hashes you could change the R,G, or B of a random pixel by 1 and change the hash.. or even just add random text to the EXIF data.

  • by LrdDimwit ( 1133419 ) on Tuesday November 04, 2008 @02:42PM (#25630395)
    The minute you change the contents of that hard drive, you open the door to claims of tampering with evidence. "Your honor, the kiddy porn only showed up after the police 'inspected' it. They planted all of it." That's what 'chain of custody' means. Police have procedures to follow to ensure that evidence can't be tampered with.

    Good meatspace analogies would be OJ Simpson's DNA showing up on evidence only after he gave a blood sample. More hypothetically, say the cops take your backpack as evidence. What happens to it? Well, it sits in a police warehouse storage facility somewhere, possibly for months. If any cop has access to that backpack on demand for this whole time, then there is effectively no way to prevent someone from stuffing the bag full of drugs. No accountability. So for meatspace evidence, there are very strict rules that say you have to keep track of every person who has access to that piece of evidence. There can be no exceptions.

    The equivalent in the computer forensics world is that you have to guarantee you didn't alter the original equipment's hard disk. Proper forensic analysis involves making a *copy* bit-for-bit and then analyzing this copy. The new thing here is a bootable CD that presumably has been rigorously tested and certified (by who, I couldn't say) that it literally cannot modify the hard disk.
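
The copy-then-verify step described in the comment above can be sketched as follows. This is an added example, not part of the original post and not the tool from the article; the file names are hypothetical, a temporary file stands in for the suspect disk, and a read-only open in software is assumed here in place of a hardware write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so large disks never sit in memory

def sha256_of(path):
    """Hash a file or block device through a read-only descriptor."""
    digest = hashlib.sha256()
    fd = os.open(path, os.O_RDONLY)
    try:
        while chunk := os.read(fd, CHUNK):
            digest.update(chunk)
    finally:
        os.close(fd)
    return digest.hexdigest()

def acquire(source, image):
    """Copy source to image bit for bit and record hashes taken around the copy."""
    before = sha256_of(source)
    fd = os.open(source, os.O_RDONLY)
    try:
        with open(image, "xb") as out:  # "x" refuses to overwrite an existing image
            while chunk := os.read(fd, CHUNK):
                out.write(chunk)
    finally:
        os.close(fd)
    record = {"before": before, "image": sha256_of(image), "after": sha256_of(source)}
    # All three must agree: the copy is exact and the original was not altered.
    record["verified"] = record["before"] == record["image"] == record["after"]
    return record

def demo():
    """Image a constructed stand-in disk, then show that a later change is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_disk.bin")  # constructed sample, not a real device
        with open(source, "wb") as f:
            f.write(os.urandom(2 * CHUNK + 123))
        image = os.path.join(tmp, "evidence.img")
        record = acquire(source, image)
        with open(image, "r+b") as f:  # simulate one byte changing while in storage
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        still_intact = sha256_of(image) == record["image"]
        return record, still_intact
```

Recording the acquisition hash in the custody log lets anyone who later handles the image re-hash it and confirm it is still the copy that was taken.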
  • Re:Illicit? (Score:3, Informative)

    by Paul Slocum ( 598127 ) on Tuesday November 04, 2008 @03:06PM (#25630783) Homepage Journal
    The FA's title actually mentions that it's specifically for child porn. But some employers might also be interested in the tool since it's against many company policies to have porn on work computers.
  • by scientus ( 1357317 ) <instigatorircNO@SPAMgmail.com> on Tuesday November 04, 2008 @03:14PM (#25630929)
    We've got our debtors colony too: Georgia. But yeah what you guys are missing is that the crime was being debtors, something that today you would declare bankruptcy to. Although new US banking laws could push America back in the direction of those days in general they were not really criminals in today's sense, they just were poor and didn't kiss the rich people's ass.
  • by LeafOnTheWind ( 1066228 ) on Tuesday November 04, 2008 @04:32PM (#25632111)

    Actually, no. This method does not work - which is what I said at the time. Because this misinformation is apparently still around, I decided to run a test.

    I took a large file (1600x1200 px) and then applied a basic red-eye reducing algorithm to various spots on the image. The result: visually, exactly the same image.

    Then I turned to my trusty Apple Preview. I resized each photo to 9% of its original size (144x108 pixels), and then proceeded to turn the color saturation down to 0 (black and white). I then saved each file in a compressionless TIFF format. Lastly, I computed the md5 hash for each file.

    Result?
    MD5 (smlimg3.tiff) = d300d23ce0ca2d6dcc7188665b1e2ada
    MD5 (smlimg4.tiff) = a1cf7d59f9bf4ccceb6651c5f08750dd

    Let me say this once more, in case anyone else who blindly accepts anything they read on the internet has heard this: THIS TECHNIQUE DOES NOT WORK. To compare two SIMILAR images, one needs to use an image comparison algorithm - of which there are many. Hashing ONLY works on two images which are EXACTLY the same.

    If you doubt the test or the results, I would be glad to email you all of my test pictures so you can see them and calculate their md5s for yourself.

  • by thepotoo ( 829391 ) <thepotoospam@@@yahoo...com> on Tuesday November 04, 2008 @05:05PM (#25632607)
    OK, so I actually did something similar for myself just now, and yeah, you're right.

    It seemed like the sort of thing that would work in theory, but I can see why it doesn't. Even changing a few pixels in the corner (I made a 10x10 white square) gave drastically different MD5s.

    I'm a moron for blindly accepting a +5 post as fact, please mod down my original post.
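
The two tests reported above (MD5 over near-identical images, and the 10x10 white corner square) can be reproduced next to one simple image comparison algorithm. This is an added example, not part of either post and not the method of the tool in the article, which gives no details; the average hash is chosen here only as an illustration, and the images are constructed gradients rather than real files.

```python
import hashlib

def md5_of(img):
    """Cryptographic hash of the raw pixel bytes (what a hash-list scanner sees)."""
    return hashlib.md5(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img, size=8):
    """64-bit average hash: shrink to size x size cells, threshold at the mean."""
    h, w = len(img), len(img[0])
    cells = []
    for by in range(size):
        for bx in range(size):
            ys = range(by * h // size, (by + 1) * h // size)
            xs = range(bx * w // size, (bx + 1) * w // size)
            total = sum(img[y][x] for y in ys for x in xs)
            cells.append(total / (len(ys) * len(xs)))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | int(c > mean)
    return bits

def compare(a, b):
    """Exact-match result next to the perceptual distance (0 = same, ~32 = unrelated)."""
    distance = bin(average_hash(a) ^ average_hash(b)).count("1")
    return {"md5_equal": md5_of(a) == md5_of(b), "ahash_distance": distance}

# Constructed 64x64 grayscale samples (no real image files involved).
original = [[4 * x for x in range(64)] for _ in range(64)]   # left-to-right gradient
edited = [row[:] for row in original]
for y in range(10):                                          # 10x10 white corner square
    for x in range(10):
        edited[y][x] = 255
unrelated = [list(col) for col in zip(*original)]            # top-to-bottom gradient

if __name__ == "__main__":
    print("edited   :", compare(original, edited))
    print("unrelated:", compare(original, unrelated))
```

The edited image no longer matches by MD5 but sits 1 bit out of 64 from the original under the average hash, while the unrelated image sits 32 bits away, which is why scanners that must catch altered copies compare distances instead of exact digests.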

  • by Tekfactory ( 937086 ) on Tuesday November 04, 2008 @05:31PM (#25633035) Homepage

    At my job we use one of these, it does IDE and SATA. $350 isn't a lot of money to pay if you have to do forensics work.

    http://www.digitalintelligence.com/products/ultrablock_ide-sata_ro/ [digitalintelligence.com]

    It has switches for changing it into Read/Write mode, but you have to break off a piece of the case to get to them. On the Read/Write model there is no cover over the switches.

    As another poster wrote, the Helix Tools are very good as well.

  • by LordAlced ( 1279598 ) on Tuesday November 04, 2008 @07:56PM (#25634803)
    I think the word you're thinking of is penile not penal.
