
UK Cops Want "Breathalyzers" For PCs

An anonymous reader writes "One of the UK's top cyber cops, detective superintendent Charlie McMurdie, says the top brass want to develop the equivalent of a breathalyzer for computers, a simple tool that could be plugged into a machine during a raid and retrieve evidence of illegal activity. McMurdie said the device was needed because a record number of PCs were being seized by police and because the majority of cops don't have the skills to forensically analyse a computer."

  • Re:Right (Score:5, Informative)

    by blueg3 ( 192743 ) on Thursday December 11, 2008 @04:15PM (#26080131)

    Actually, that's not the problem they're trying to solve. I don't know about in the UK, but in the US, any kind of searching (including hash comparisons and automated tools like this) require a search warrant that covers the computer.

    What they're really interested in is not conducting fishing expeditions, but trying to find some useful information -- even just narrowing down which machine they actually need to fully analyze -- within the machines covered by a search warrant. Generally the procedure is to box these things up, hand them over to computer forensic experts, and wait 6-12 months for them to perform a full analysis. Cutting down the amount of work they have to do by giving them only the one computer out of ten that is actually interesting, or being able to pull some small amount of useful information to use in the investigation immediately, is of great value.

    This is at least a big concern in the US -- computer forensic investigations are slow and costly, and there's a huge backlog.

    Not that I think they'll be able to make software that magically tells them if a computer was involved in illegal activity -- but the majority of computer criminals are dumb as bricks and could probably be caught by doing a full-disk grep for files containing more than a couple of strings that look like credit card numbers.

  • Re:Outlaw encryption (Score:3, Informative)

    by mdm-adph ( 1030332 ) on Thursday December 11, 2008 @04:23PM (#26080283)

    That's when the "rubber-hose" encryption-breaking procedures start.

    (England prevails.)

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday December 11, 2008 @04:32PM (#26080447)

    "Reasonable suspicion" is the key phrase here.

    If the cop stops you for running a red light and sees something suspicious then he can go further.

    But stopping you for one thing does NOT give them the authority to check for everything they can think.

    http://en.wikipedia.org/wiki/Reasonable_suspicion [wikipedia.org]

  • by windex82 ( 696915 ) on Thursday December 11, 2008 @04:43PM (#26080647) Homepage

    I used to do a bit of work at the local police department. In my time I set them up a forensics station for PC's.

    The most important part of the entire project was ensuring the data was not tampered with (or deleted on accident!) in order to actually use what was found for anything useful.

    It wasn't a very hard project: what we did was set up a PC with two removable bays and a write-protect jumper, and showed the officers which part needs to come out of a PC brought in as evidence, how to put it into the removable caddy, and how to launch the script that made an image of the drive. At no time while in police custody would the hard drive have power unless it was write-protected, and it was in a sealed evidence bag if not being used. Once the image was completed they would remove the original and do all the forensics on the copy, which got the same evidence-bag treatment as the original.
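
The imaging step the comment above describes, as an added example rather than the commenter's own script: the source is read once through, a SHA-256 is computed on the bytes as they come off the drive, the written image is re-read and hashed independently, and a later re-hash shows whether the working copy has been touched since. It assumes the source path can be opened read-only (a device behind a hardware write-blocker, or, in the demo, a constructed file standing in for one); the chunk size is an assumption.

```python
"""Chunked forensic imaging with hash verification.

Added example, not the commenter's script. Assumes the source is a path that
can be opened read-only (a block device behind a hardware write-blocker, or a
file standing in for one, as in the demo below)."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per read; assumption, tune to the hardware


def sha256_of(path, chunk_size=CHUNK):
    """Hash a file in chunks so a multi-hundred-GB image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path, image_path, chunk_size=CHUNK):
    """Copy source to image. Returns (source_hash, image_hash, bytes_copied).

    The source hash is computed from the bytes as they are read; the image hash
    comes from re-reading the written file, so a mismatch means the copy on
    disk does not reflect what came off the drive."""
    src_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk_size), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # bytes must be on disk before they are re-read and hashed
    return src_hash.hexdigest(), sha256_of(image_path, chunk_size), copied


def image_matches_record(image_path, recorded_hash):
    """Later check (before analysis, at every hand-over): has the working copy changed?"""
    return sha256_of(image_path) == recorded_hash


def demo():
    """Constructed 'drive' of 3 MiB plus a tail, so the last read is a partial chunk."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        img = os.path.join(d, "evidence.dd")
        payload = os.urandom(3 * CHUNK + 12345)
        with open(src, "wb") as f:
            f.write(payload)
        src_hash, img_hash, n = image_device(src, img)
        # Simulate an accidental write to the working copy: flip one byte.
        with open(img, "r+b") as f:
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0xFF]))
        return {
            "match": src_hash == img_hash,
            "bytes": n,
            "expected_hash": hashlib.sha256(payload).hexdigest(),
            "source_hash": src_hash,
            "tamper_detected": not image_matches_record(img, img_hash),
        }


if __name__ == "__main__":
    print(demo())
```

The hash recorded at imaging time is what ties the working copy back to the sealed original; re-running `image_matches_record` before each analysis session is the software counterpart of the evidence-bag discipline described above.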

  • Re:Confiscate? (Score:2, Informative)

    by fishbowl ( 7759 ) on Thursday December 11, 2008 @04:46PM (#26080729)

    It was really enlightening for me when my camera was stolen, then recovered. The police, after receiving my permission to do so, thoroughly analyzed the pictures the (really stupid) thieves took of them committing other crimes, and the one I had direct contact with explained how they adjusted the incorrect timestamps from the pictures according to the incorrect time of the camera's clock (not rocket science, I know, but pretty decent deductive reasoning for a cop :-)

    They correlated the corrected timestamps of the pictures with burglary reports, and they also went to the places in the pictures to inform victims who didn't yet know they had been robbed.

    But what really impressed me about this was that they requested permission before searching my camera (especially since I was the victim and not a suspect.)

  • Re:Right (Score:5, Informative)

    by timepilot ( 116247 ) on Thursday December 11, 2008 @04:47PM (#26080745)

    No, that's not what Mapp v. Ohio established. Mapp v. Ohio established that evidence found in searches *in violation of the 4th amendment* may not be used.

    Mapp v. Ohio doesn't say anything about not being able to use evidence found during legal searches, such as those conducted with a warrant.

  • Re:Right (Score:4, Informative)

    by sexconker ( 1179573 ) on Thursday December 11, 2008 @04:51PM (#26080825)

    If you go into a house looking for marijuana and you find people being tortured, do you have to go back to the station, get a warrant for looking into that, and then come back?

    People being tortured? No, they stop it right then and there.
    Evidence of people being tortured? Yeah, you have to get another warrant.

  • Re:Right (Score:5, Informative)

    by bitslinger_42 ( 598584 ) on Thursday December 11, 2008 @04:51PM (#26080841)

    According to US law, at least (and not always followed by US cops, I might add), whether the evidence on the secondary offense is admissible or not depends on how it was found. If a cop pulls over a car for speeding and sees an open container of beer sitting on the seat next to the driver, the open container is typically admissible. If, on the other hand, the cops raid a house looking for a stolen 62" television and, as long as they're in the house, decide to check in the toilet tank and find a stash of cocaine, that typically is not, since searching the toilet wouldn't have been part of the search for the big TV. Likewise, the original warrant would probably not allow the cops to bring along drug-sniffing dogs on a search for a stolen TV. Of course, I'm generalizing here, and am not a lawyer, but you get the picture.

    Thus far, the same principles apply to computer searches. If the warrant says that the cops are looking for evidence related to illegal gambling operations on the computer, the cops are typically not allowed to search for non-related keywords (i.e. "lolita", "cocaine", etc.) unless such terms show up in documents found by the warranted search. If, in reviewing a document named IllegalGamblingProfits.doc, they see a reference to cocaine sales, the cops may have just cause to perform another search looking for cocaine. Since they've already got the computer at that point, though, they'd be better off to go back to the judge and get a 2nd warrant that authorizes the cocaine search, but given the similarities between finding the information in an admissible piece of evidence and seeing the open container in plain sight, I can see how a judge would give the benefit of the doubt in court.

    I can't quite tell what the cops in TFA are asking for, though. If, on the one side, they want to be able to bring along a device that's pre-configured with the search terms for the warrant (gambling terms, from the above example), such a device would theoretically be legal in the US, since it would simply be automating the search that would otherwise have been performed by the trained analyst. If, on the other side, they want a device that identifies any illegal activity, that should be unconstitutional for 4th Amendment reasons.

    All of the legal discussion ignores the technical aspects. I am a professional forensic analyst, and with relatively good hardware (dual 64-bit CPUs, 10k RPM SATA drives, 4GB of RAM, etc.) it can take hours to perform even a simple search with a small list (i.e. fewer than 5) of static (i.e. non-regex) keywords. Adding complexity in, or adding keywords, can increase the search time to days. There's no way that untrained cops could simply plug a device into a suspect's 5 year old laptop and be able to get results back in less than an hour, and that's not counting the potential modifications to the evidence caused by booting without a write-blocker, doing deleted-file recovery, opening compound files (Outlook offline storage, ZIP files, etc.) or doing signature analysis to identify obfuscated data. Don't even think about it if the suspect thought enough to use encryption [truecrypt.org].

    The cops may want something like this, but it will probably be the laws of physics that prevent it and not the Constitution.
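
Both blueg3's "full-disk grep for strings that look like credit card numbers" and the static-keyword search bitslinger_42 describes come down to one pass over a raw image, and the awkward part is a hit that straddles two reads. The following is an added example, not either commenter's tooling: a single-pass scan over a dd-style image that matches a small list of literal keywords and candidate card numbers, keeps a short overlap between chunks so boundary-straddling hits are seen whole, skips edge-touching (possibly truncated) matches, deduplicates the overlap by absolute offset, and runs the Luhn check so random digit runs do not flood the results. The chunk size, the overlap length and the sample image are all constructed assumptions.

```python
"""Single-pass triage scan of a raw disk image: static keywords plus
credit-card-looking digit runs filtered by the Luhn check.

Added example; it is not the commenters' tooling. Assumes the image is a plain
file of raw bytes (a dd-style copy). Constructed sample data is used below."""
import os
import re
import tempfile

CHUNK_SIZE = 4 * 1024 * 1024  # 4 MiB per read; assumption, tune to the hardware
MAX_HIT_LEN = 64              # longer than any keyword or a 19-digit number with separators

# 13-19 digits with at most one space or dash between digits, not embedded in a longer run
CARD_RE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: filters random digit runs out of the card candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def build_keyword_re(keywords):
    """One alternation of escaped literals, case-insensitive (ASCII)."""
    return re.compile(b"|".join(re.escape(k) for k in keywords), re.IGNORECASE)


def scan_image(path, keywords, chunk_size=CHUNK_SIZE):
    """Return hits as dicts {kind, offset, text}; offset is absolute in the image.

    Each buffer is the last MAX_HIT_LEN bytes of the previous one plus a fresh
    chunk, so a hit that straddles a chunk boundary is seen whole in the next
    buffer. Hits touching a buffer edge are skipped (they may be truncated), and
    hits inside the overlap, seen twice, are deduplicated by absolute offset."""
    kw_re = build_keyword_re(keywords)
    hits, seen = [], set()
    carry, pos = b"", 0  # pos: absolute offset of buf[0]
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            eof = not data
            buf = carry + data
            if not buf:
                break
            for kind, regex in (("keyword", kw_re), ("card", CARD_RE)):
                for m in regex.finditer(buf):
                    if m.start() == 0 and pos != 0:
                        continue  # may be cut off at the front; previous buffer had it whole
                    if m.end() == len(buf) and not eof:
                        continue  # may be cut off at the back; next buffer will have it whole
                    key = (kind, pos + m.start())
                    if key in seen:
                        continue
                    if kind == "card" and not luhn_ok(re.sub(rb"[ -]", b"", m.group()).decode()):
                        continue
                    seen.add(key)
                    hits.append({"kind": kind, "offset": pos + m.start(),
                                 "text": m.group().decode("ascii", "replace")})
            if eof:
                break
            carry = buf[-MAX_HIT_LEN:]
            pos += len(buf) - len(carry)
    return hits


def demo(chunk_size=200):
    """Constructed image: a keyword straddling the 200-byte boundary, one valid
    card number, one digit run that fails Luhn, and a keyword at the very end."""
    filler = b"\x00" * 180
    blob = (filler + b"notes: see IllegalGamblingProfits.doc" + filler
            + b"card 4111 1111 1111 1111 on file; not a card: 1234567812345678; "
            + filler + b"COCAINE")
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(blob)
    try:
        return scan_image(path, [b"gambling", b"cocaine"], chunk_size=chunk_size)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for h in demo():
        print(h)
```

The keyword list is the thing a warrant would constrain, which is why it is a parameter rather than built in; everything the scan does not match it never reports. Run over a real image the cost is one sequential read plus regex time, and, as the comment above notes, that still says nothing about deleted files, compound files or encrypted volumes.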

  • Re:Outlaw encryption (Score:2, Informative)

    by Butterspoon ( 892614 ) <<Butterspoon+slashdot> <at> <gmail.com>> on Thursday December 11, 2008 @04:51PM (#26080851)

    Assuming you are in the UK, then yes, you would go to jail for doing that. Even forgetting the key is illegal, so deliberately destroying it would probably get you an increased sentence.

    No, genuinely forgetting a key is legal, but you have to convince the court that you really forgot it and aren't just saying so. (Could be tricky...)

  • Be careful though. (Score:1, Informative)

    by Anonymous Coward on Thursday December 11, 2008 @04:56PM (#26080967)

    The reason US cops can search and find anything on people is that a lot of people give them consent to search. Once someone does that, they can search for anything in a vehicle or house, and create new charges.

    Don't give consent, they might harass you, slap the cuffs on and make you stand on the road looking like a schlock, but they can't just dig in the vehicle willy nilly.

    UK people are barely a notch above prisoners, so this probably doesn't apply there.

  • Re:Right (Score:3, Informative)

    by pegr ( 46683 ) on Thursday December 11, 2008 @05:08PM (#26081177) Homepage Journal

    "What do you mean "we", white man?"

    Explanation for the yung'uns out there...

    Lone Ranger: "Tonto! We have a problem! We're surrounded by Indians!"
    Tonto: "What do you mean "we" white man?" //Stupid, old, joke... //Not racist... //Well, maybe a little //Stole slashies from fark ;)

  • Re:Right (Score:5, Informative)

    by gnick ( 1211984 ) on Thursday December 11, 2008 @05:12PM (#26081259) Homepage

    No racism intended - I'm as white as they come. It's from an ancient joke. Basically, the Lone Ranger and Tonto have a horde of angry Indians bearing down on them. The Lone Ranger says, "It looks like we're in a lot of trouble this time, Tonto." Tonto replies, "What you mean 'we', white man?"

    Basically, I was just trying to point out that b4upoo was making an assumption that we're all in the same camp here, when we're definitely not - I don't want to sacrifice my rights so that the cops can catch a few more pot smokers. That excludes me from his inclusive "we" in:

    Except we want cops to catch people with illegal drugs etc.. Why restrain the cops from doing what we all need them to do?

    The joke isn't remotely a perfect parallel, but I thought it would be amusing. Sorry if it came across racist (although feel free to nail me for calling Native Americans "Indians" when explaining the joke - At least I refrained from including the phrase "feathers, not dots".)

  • Re:Outlaw encryption (Score:1, Informative)

    by Anonymous Coward on Thursday December 11, 2008 @05:19PM (#26081369)

    Go directly to jail - 2 years if it is a normal case, 5 years if they suspect terrorism, oh and if they suspect child porn, then you are registered as a sex offender.

    I wish this was a joke.

    Great system isn't it.

  • Re:Right (Score:3, Informative)

    by StikyPad ( 445176 ) on Thursday December 11, 2008 @05:25PM (#26081511) Homepage

    That's for things laying around in your car when you get pulled over (or maybe on your front lawn). No warrant is required for something like that, period.

    As to searches, any evidence obtained during a legal search can be used as evidence, or as the basis for additional and/or alternative charges. Just because they were looking for drugs doesn't mean they have to ignore the bodies they find under your floorboards, or vice versa.

  • Re:Right (Score:3, Informative)

    by Arcane_Rhino ( 769339 ) on Thursday December 11, 2008 @05:28PM (#26081579)

    As far as I'm aware, they have the legal (USA PATRIOT act legal, anyways) right to search your vehicle entirely at any international border.

    No. The US Border agencies have had the authority to search you and your accompanying articles long long before the Patriot Act. You with mere suspicion, your articles with no suspicion. (They must still have probable cause to enact an arrest of you or seizure of your merchandise but may detain with reasonable suspicion.)

  • Re:Right (Score:3, Informative)

    by kingrooster ( 966028 ) on Thursday December 11, 2008 @05:55PM (#26082063)

    Nah, it's called the Plain View Doctrine.
    http://en.wikipedia.org/wiki/Plain_view_doctrine [wikipedia.org]

    Basically, anything found that isn't on the warrant needs to be in plain view and they can't move items looking for it unless moving items might yield what is specified in the warrant.

    Having said that, those are some vague rules and I'm sure a cop could justify looking anywhere he damn well pleases.

    I guess if they are looking for a dead body but they look inside the books on your bookshelf and find some drugs, it might not hold up.

  • Umm, not quite (Score:4, Informative)

    by logicnazi ( 169418 ) <gerdes@iMENCKENnvariant.org minus author> on Thursday December 11, 2008 @05:58PM (#26082121) Homepage

    Yes, generally anything that is encountered during the course of a lawful search (even if for something else) is admissible. Sure, cops can't go paw the drawer next to your bed looking for a stolen TV, but the problem is how this is understood by the courts.

    In particular this rule is understood to mean that if the police open your safe looking for a stolen laptop, the papers inside would be admissible in court. In other words, once the police have cause to look inside a container you own they can examine the contents at their leisure; they need not immediately cease looking the second it's apparent the subject of their warrant isn't present. Now if you had a locked jewelry box inside that safe they likely wouldn't be able to examine the contents if it was outside the scope of the original warrant, but the problem is when you try to map this notion onto that of a computer.

    In particular it turns out that case law so far has endorsed the idea that the computer is just one big container. Maybe things would be different if you had an encrypted volume on the computer, but in general once they have reason to examine your computer for one thing they can examine everything.

    In fact the standard practice in the US is to seize your computer and have their experts perform a low-level clone of the disk the second they have any reason to search your computer. Moreover, since the 4th amendment and past case law are grounded in the notions of physical searches and seizures, there is no framework for restricting what they can use the HD clone for once it's been made (well, privacy laws might prevent them from disclosing your cybersex logs, but that's about it).

  • Re:Outlaw encryption (Score:2, Informative)

    by kosmos000001 ( 1429681 ) on Thursday December 11, 2008 @07:37PM (#26083711)

    In the UK under the RIPA legislation the government have the right to demand an encryption key and under the RIPA you have to hand it over, or prove that you never had the key in the first place.

    Failure to prove your innocence can result in an immediate jail term. Additionally, once you have been instructed to hand over a key, you are placed under a gag order that prohibits you from telling anyone except your lawyer. The RIPA is an absolute travesty of justice that reverses the burden-of-proof doctrine.

  • Re:Outlaw encryption (Score:3, Informative)

    by hairykrishna ( 740240 ) on Thursday December 11, 2008 @08:27PM (#26084425)

    Doesn't matter. Not providing the key is an offense, regardless of reason. You go to jail.

  • by sexconker ( 1179573 ) on Thursday December 11, 2008 @08:41PM (#26084597)

    Spying is often done in secret, not always.
    And investigations aren't done openly, idiot, especially when you're in the gathering evidence phase, which is what the tool is wanted for. This is why we have stake outs and undercover cops.

    TFA and TFS state that they want to use the tool to speed up the analysis of computers.

    People will still have to look at any data found, so this will not speed things up any, if at all since they're going to be using the tool on machines seized in raids.

  • by ozmanjusri ( 601766 ) <aussie_bob@hotmail . c om> on Thursday December 11, 2008 @09:14PM (#26084891) Journal

    So they want GOV spyware? They will still need people to look at the data.

    They're not trying to make spyware.

    What they're suggesting is an extension of ECU's [ecu.edu.au] Image Preview System (SiMPLE) and Laptop Inspector And Recovery System (LIARS) live CDs.

    They want a simple, forensically valid tool for quickly checking computers in situ. Presumably it'd be something like a version of SiMPLE which had an interface for choosing what to inspect on the target machine (ie, Kiddie porn, chat logs, financial docs, etc). The cops on site would use the tool to quickly screen any computers they find/suspect, then take any positives back to a better-equipped lab for proper analysis.

  • by Paul Jakma ( 2677 ) on Thursday December 11, 2008 @10:41PM (#26085681) Homepage Journal

    I don't know why you're marked informative. I suspect you're telling us about what you think is the case for US law, completely oblivious to the fact that this article is about the UK. (You know, different country, different laws?).

    Police in the UK have *far* broader powers to stop and search people on the streets and public roads. IANAL, so I won't go further.

  • by blueg3 ( 192743 ) on Friday December 12, 2008 @01:25AM (#26086715)

    In our state, most of them are police investigators that were interested in forensics and are fairly technically inclined. The main hiring problem here is that non-police people who would make good forensic specialists can earn better money in almost any job -- including computer forensics for companies.

  • Re:Outlaw encryption (Score:3, Informative)

    by Spad ( 470073 ) <`slashdot' `at' `spad.co.uk'> on Friday December 12, 2008 @06:18AM (#26087973) Homepage

    Unfortunately, the burden of proof in this instance falls on the defendant. You have to convince them that you genuinely do not know the encryption keys, otherwise you can still find yourself doing 2 years in prison for failing to hand them over.
