Privacy Government Security Hardware News

UK Police Want Plug-In Computer Crime Detectors

Posted by timothy
from the type-I-errors-type-II-errors-and-bonus-privacy-invasion dept.
An anonymous reader writes "UK police are talking to private companies about using plug-in USB devices that can scour the hard drive of any device they are attached to, searching for evidence of illegal activity. The UK's Association of Chief Police Officers is considering using commercial devices that can perform targeted searches of text, pictures and computer code on hard drives, allowing untrained cops to detect anything from correspondence on stolen goods to child pornography. Police in the UK are desperate for a way of slashing the backlog of machines seized by the police in raids, with many forces having a backlog that will take a year to process." Maybe they shouldn't seize so many computers.
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Wednesday June 03, 2009 @04:23PM (#28200507)

    this is probably something everybody should have, just to make sure they're in compliance.

  • by BitterOak (537666) on Wednesday June 03, 2009 @04:24PM (#28200523)
    This should be easy to accomplish in the UK where citizens are required by law to turn over all their encryption keys or face jail time. It would be harder to make it work in the US, where people can use encryption. I suppose the Brits could employ TrueCrypt hidden volumes to keep their stuff private.
    • by siloko (1133863)
      Well the UK does indeed have this law which is one of many in the authorities' arsenal to lock you up on suspicion rather than evidence. Whatever happened to "You have the right to remain silent . . .". We will wake up one day and find that keys to our doors only work from the outside.
    • by blueg3 (192743)

      It's easy in the U.S., too, just not as useful. If the TrueCrypt drive is mounted, just search it. If it's not, maybe you can say, "Hey, they have a TrueCrypt drive", but that's about it.

      • Re: (Score:3, Insightful)

        Considering that the product in question involves booting the system from a 'forensically sound' operating system on CD (I guess someone hasn't thought too much about the prospects for a virtualization-based rootkit hidden in the BIOS...), it's a safe bet TrueCrypt volumes won't be mounted.
      • Re: (Score:3, Insightful)

        by shadowknot (853491) *
        This is fine in theory but the policy of seizure is generally a yank the power, bag it up and send it to the sweaty geeks (us). So even if the TrueCrypt volume is mounted when seized it will be a big old pile of meaningless binary junk once the pros get their hands on it! Most of the time I have seen TC installed on a suspect's machine (maybe twice to be honest) I have found the passphrase in a handy text file (normally named passwords.txt or secrets.doc)!
    • by Joce640k (829181) on Wednesday June 03, 2009 @05:11PM (#28201337) Homepage

      The real problem is writing the OOXML parser.

  • Great... (Score:5, Insightful)

    by Chabo (880571) on Wednesday June 03, 2009 @04:24PM (#28200525) Homepage Journal

    Now instead of having trained forensic experts, we'll have common beat cops searching your computer.

    Attorney: How do you know he had illegal material on his computer?
    Officer: I pushed the button, and the computer told me to arrest him.

    • It's like a breathalyzer for computers. And we all know how well those work.
    • Re:Great... (Score:5, Funny)

      by Quiet_Desperation (858215) on Wednesday June 03, 2009 @04:38PM (#28200807)

      Officer: I pushed the button, and the computer told me to arrest him.

      Pffft! You think too small, and will never take over the world.

      Corrected version follows.

      Attorney: How do you know he had illegal material on his computer?
      Officer: The computer called us and informed on its owner.
      Attorney: It called you?
      Officer: Yeah. And so did yours. You still want to question me, Mr. 500Gig Chubby Porn Collection?

      • Re:Great... (Score:4, Insightful)

        by commodore64_love (1445365) on Wednesday June 03, 2009 @04:55PM (#28201063) Journal

        Attorney: Yeah I have chubby porn. It's not illegal or a crime. Are you in the habit of arresting citizens for violating non-existent laws?
        Officer: ...uh...
        Attorney: Your case history indicates you make many false arrests. Like this one: Arresting an elderly woman because she refused to let you enter her house. What have you to say to that?
        Officer: She refused to comply with our request to enter.
        Attorney: Ahhh you REQUEST to enter... so you didn't actually have a warrant..
        Officer: ...uh...
        Attorney: But you decided to arrest her anyway. Wasn't she later freed?
        Officer: Yes but...
        Attorney: And here's another case where you broke into the wrong house and damaged the door.
        Officer: It was an accident.
        Attorney: Yes but you never replaced the door, forcing the innocent person to spend $500 in repairs. You have a long, long history of abuse against the residents...
        Officer: Now see here!
        Attorney: ...and have been reprimanded multiple times by your superiors. Could it be you searched my client's computer without provocation?
        Officer: I had a warrant.
        Attorney: An *invalid* warrant. It's not signed by a judge, you never swore an oath, you just photocopied it and filled-in the details yourself. Isn't that true?
        Officer: No!
        Attorney: Remember you're under oath Officer Chiklas. This is clearly your handwriting, is it not?
        Officer: .......
        Attorney: Well?
        Officer: Yes.
        Attorney: Your eminence, I submit that this was an illegal search and seizure without a warrant and all evidence should be dismissed.

    • Re:Great... (Score:5, Informative)

      by ve3id (601924) <nw.johnson@noSPAM.ieee.org> on Wednesday June 03, 2009 @04:44PM (#28200901)
      This reminds me of another idiot device they gave to the British bobby: back in the 70's and 80's, there was a glut of illegal CB sets in England. They never legalised the use of 27MHz AM/SSB CBs and all the units sold were marked 'for export only'. When they legalised CB, units that were approved could only transmit FM. Instead of overworking the radio inspectors, they gave bobbies on the beat a box that detected if a close transmitter was AM or FM, with two LEDs. The only problem was amateur radio operators can legally use AM and SSB (after all, they invented it!). One beat p.c. stopped a ham and asked him to talk in the mike, and, you guessed it, the illegal CB light lit up! Only when the amateur radio operator started cursing and swearing at the p.c. and getting red in the face did he consult another p.c. over the police radio who was a ham. This being the appropriate behaviour for a ham accused of being a CB'er, he let him go with an apology.
    • Re: (Score:2, Interesting)

      by linzeal (197905)
      And for those of us with 10's of thousands of documents on our computers? How well are these going to be able to differentiate between a PDF file that involves fiction and one that is real? Hell, some of my source material for a horror screenplay I tinker with now and then has made-up schematics and lists of where and how people are going to be killed in the scenes.
      • Re:Great... (Score:5, Insightful)

        by Chabo (880571) on Wednesday June 03, 2009 @05:05PM (#28201251) Homepage Journal

        Not to mention that if you've published copyrighted material, they might get a false positive, indicating that you're infringing against yourself! ;)

        • Re:Great... (Score:4, Interesting)

          by corychristison (951993) on Wednesday June 03, 2009 @07:37PM (#28203629)

          Something like this happened to a friend of mine.

          He owned a blog that he literally put up everything that happened in his life.

          He added pages of an essay he was writing for History to his blog as he finished and edited them.

          A few days after he turned in his paper he was asked to speak to the Dean where he was accused of plagiarism because Google turned up his blog (he uses a pseudo-name, and has google-analytics installed on his blog).

          Took him a few meetings with the education board to prove that it was his blog and his own writing.

          What a bitch, eh? The fact that the teacher merely typed it in Google and said "Good enough". He didn't bother to look for any pictures or any information that would hint that it was this particular person's blog.

    • Re:Great... (Score:5, Interesting)

      by ve3id (601924) <nw.johnson@noSPAM.ieee.org> on Wednesday June 03, 2009 @04:50PM (#28200985)
      One principle of computer forensics is that if a computer is manipulated in any way, the evidence may be corrupted by such operation, and this could be used by defence attorneys. Real computer forensics involves getting the computer powered down, removing the disk, setting it up in a test jig with write protect enabled, and reading the complete image from the disk onto a sterile environment for analysis. I don't think Mr. Plod will meet the test of admissibility into evidence! How is he going to prove to the court that the suspected data were not on the USB key to start with? If he has interfered with the computer in any way by plugging in a USB key, then the evidence is contaminated.
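
The imaging-and-verification step described in the comment above, as an added example that is not part of the original thread: it copies a constructed stand-in "disk" file to an image, records a SHA-256 at acquisition, and shows that a single-byte write to the original breaks the match while the image still verifies. The file names and sample data are assumptions made for the illustration; a real acquisition reads the drive through a hardware write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size; the digest does not depend on it


def sha256_file(path):
    """Hash a file in chunks, opening it read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image):
    """Copy source to image and return the SHA-256 of the bytes as they were read."""
    digest = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def verify(source, image, acquisition_hash):
    """Compare the working image and the original against the recorded hash."""
    return {
        "image_matches": sha256_file(image) == acquisition_hash,
        "source_unchanged": sha256_file(source) == acquisition_hash,
    }


def demo():
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "seized_disk.bin")  # constructed stand-in for a drive
    image = os.path.join(workdir, "evidence.img")       # hypothetical image file name
    with open(source, "wb") as handle:
        handle.write(bytes(range(256)) * 1024)           # constructed sample data

    recorded = acquire(source, image)
    before = verify(source, image, recorded)

    # Simulate what a read-write mount or a tool run on the live system can do:
    # one byte on the original changes (think of a single access timestamp).
    with open(source, "r+b") as handle:
        handle.seek(4096)
        handle.write(b"\xff")
    after = verify(source, image, recorded)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after acquisition:", before)
    print("after a write to the original:", after)
```
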
    • It's not quite like that, but there have been USB forensic incident response sticks for a while, although the oldest ones I'm aware of have primarily been used by parole officers to see if their parolees have been surfing porn [forensics-intl.com]. If the NTA scan turns up positive, they then seize the computer and investigate further.

      There are also a few more sophisticated ones that I don't have bookmarked on this computer. I've used a few myself, like there's a rapid response stick that can be used for mass computer identifica
      • by Zerth (26112)

        To my knowledge, none of the USB based tools is forensically acceptable and all of them are trivial to screw up when attached to a running system.

        The only acceptable method is duplication of all storage with a read-only adapter.

    • by Bryansix (761547)
      Just remind me not to move to the UK.
    • Re: (Score:3, Informative)

      by shadowknot (853491) *

      Officer: I pushed the button, and the computer told me to arrest him.

      So they'll be just like cell phone analysts then, ha! (Sorry, that's a digital forensics joke). But seriously that is an accurate assessment. The handful of times I have been to court to give evidence involving an analysis I have performed they have asked me simple but semi-well researched questions. Most officers I speak to can barely spell let alone describe how a device they have no idea about discovered illegal material on a computer they don't know how to use. I do, however, suspect that this devic

  • by courteaudotbiz (1191083) on Wednesday June 03, 2009 @04:24PM (#28200527) Homepage
    TrueCrypt [truecrypt.org]
    • by Afforess (1310263) <afforess@gmail.com> on Wednesday June 03, 2009 @04:31PM (#28200673) Journal
      Yeah, with truecrypt create a hidden partition, and just have the machine boot into a clean XP install when someone (without the pass key) starts it up.
      • by Chabo (880571)

        Except that if you never use the "visible" OS, then it will be fairly apparent that you have a hidden OS that you use all the time.

        Personally, the next time I do a reinstall, I plan on using TrueCrypt, but I won't bother with a hidden partition or hidden OS. It'll give better plausible deniability to those of you who do. :)

        • by Bert64 (520050)

          Use a Linux partition for all your browsing and general use..
          Have a Windows partition that is used for nothing but games (bonus: windows will run the games faster because it gets used less), and let them find that... Just make sure you don't warez the games.

  • Urm? (Score:5, Interesting)

    by fuzzyfuzzyfungus (1223518) on Wednesday June 03, 2009 @04:26PM (#28200581) Journal
    So, are they saying that they want existing forensics software, with a drool-proof wizard attached, bootable from a flash drive(because hell, who needs forensic hardware write blocking when you can totally trust software to do the job under any circumstance?) or are they actually proposing that the program be able to detect evil?
  • Hmm (Score:5, Insightful)

    by Co0Ps (1539395) on Wednesday June 03, 2009 @04:28PM (#28200607)
    I think the UK Police got this idea while watching CSI.
  • I'm not much in the ways of encryption, but I assume if your computer's encrypted it'll be pretty difficult for this thing to work through the system, if not impossible.
    Sounds like the cops just want a usb key that has a light that comes on when the law's been broken.

    Mainstream computer illiteracy at work.

  • by SethJohnson (112166) on Wednesday June 03, 2009 @04:28PM (#28200623) Homepage Journal
    Anybody want to sponsor a contest to see who can write a USB driver that defeats this within the fewest lines of code?

    Seth
    • Re: (Score:3, Interesting)

      by dranga (520457)

      Just rewire your USB ports to run at 120v. And label it USB120 so you can point back at them for not reading when they try to charge you with damaging their equipment.

      • Bah. That's no fun. You need a USB driver that pushes a virus back onto the stick so there will be enough public outcry so that they stop using the devices...
    • by blueg3 (192743)

      Well, on my computer, none of the USB ports are actually connected. So, can anyone do it in less than zero?

  • by wjh31 (1372867) on Wednesday June 03, 2009 @04:29PM (#28200645) Homepage
    that'll probably work fine for the lay-man, but will having an encrypted hard drive count as evidence of illegal activity
  • Then there will be no problems with this technology!
  • OK. We can go over this topic again.
     

  • by erroneus (253617) on Wednesday June 03, 2009 @04:37PM (#28200775) Homepage

    If I understand the British government, they wouldn't have any problems with this approach either:

    Let's build a live USB Linux load that knows how to read and write all known file systems including encrypted systems. Then we will write a few handy scripts that will scan for a fairly long list of known files using MD5sum or some such. Then, if it doesn't turn anything up, copy some child porn from the USB drive over to the target system and print out the arrest warrant.

    • by robably (1044462) on Wednesday June 03, 2009 @05:12PM (#28201361) Journal
      That raises an interesting point, though - as soon as a police officer plugs a USB stick in to a suspect's computer, the computer surely stops being an untouched "forensic scene", and so anything on it becomes inadmissible in court? We've had speed detectors being challenged in court, how long after these are used in the wild before they are challenged, too? The "USB stick" would have to be a read-only, use once item so that it could be used for one crime scene only to find probable cause, then bagged and stored to be presented as evidence later - if it was a standard USB stick then ANYTHING could have been on it when the police officer stuck it in to your computer.
  • by Anonymous Coward on Wednesday June 03, 2009 @04:37PM (#28200781)

    It's called COFEE [microsoft.com]

    Q.What is COFEE?

    A.COFEE (Computer Online Forensic Evidence Extractor) is a tool that helps simplify the very complex problem of gathering "live" computer evidence of cybercrime. It utilizes common forensics tools to aid officers at the scene in gathering important live evidence with a single USB device. It also provides reports in a simple format for later interpretation by computer experts, or as supportive evidence for computer investigations. This means that first-responder officers on the scene of a crime don't have to be computer forensic experts to capture live data for later analysis and that this critical information does not have to be lost once a computer is shut down to be taken for a traditional offline forensic analysis.

    Cops even got their own web portal courtesy of Microsoft.

  • Inspired! (Score:5, Informative)

    by shadowknot (853491) * on Wednesday June 03, 2009 @04:38PM (#28200813) Journal

    Maybe they shouldn't seize so many computers.

    As someone working in Digital Forensics in the UK I can honestly say that this is the most inspired piece of wisdom I have seen in a long time. Our company has literally had computers that haven't been switched on in a decade that have been sitting in a garage or attic until the cops decide to seize them. This is good for business but bad for taxpayer expenditure and the expedient discovery of data of evidential worth. The process for seizure of computer equipment in police investigations is essentially "if it has an on-off switch then seize it". There needs to be some training given to officers seizing although I doubt they will as they are scared of the first case of non-seized items containing illicit material.

  • O RLY? (Score:4, Interesting)

    by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Wednesday June 03, 2009 @04:40PM (#28200845) Homepage Journal

    UK police are talking to private companies about using plug-in USB devices that can scour the hard drive of any device they are attached to

    I've got a rackmount OpenBSD box that claims otherwise.

    • I've got a rackmount OpenBSD box that claims otherwise.

      Does it have a USB port and a BIOS new enough to boot from said USB port? You're screwed.

  • Why has no one pointed out that these devices are using security holes to gain access and that these holes are being or should be blocked on most OS'es. It's probably just a matter of time before they will need a different ploy anyways.

    A simple web-search turns up a ton of commercial solutions already.
    Many companies already require USB security suites to be installed on all company computers.

    In the meantime disabling drivers and locking down the policies required to re-enable (in windows that is) might be one

    • Re: (Score:3, Informative)

      I'd imagine these would be live thumb drives, specifically to sidestep any security measures like you described. A trained digital forensics expert will usually remove the hard drive, put it in a device that prevents any writes, make an image of the hard drive, and work from that. All of this is specifically to avoid running any code on the machine designed to hide any illegal information, and to prevent any corruption of evidence which would cause issues in court.
  • Why not.... (Score:4, Interesting)

    by Darkness404 (1287218) on Wednesday June 03, 2009 @04:42PM (#28200869)
    Why not have an EU-wide mandate of a computer bill of rights? In this include the right to encryption and the right to keep your key to yourself.
    • Re: (Score:2, Informative)

      by Helix666 (1148203)

      Because that would allow us to behave and speak freely... er, I mean... that would allow the evil, bad terrorist pædophiles to win. Or something.

    • Because that would explicitly be in contradiction of their policy of ISPs keeping information available for a minimum amount of time, aka: Your information isn't yours to delete.

  • by fluch (126140) on Wednesday June 03, 2009 @04:43PM (#28200885)

    "...allowing untrained cops to detect anything from correspondence on stolen goods to child pornography. Police in the UK are desperate for a way of slashing the backlog of machines seized by the police in raids..."

    How about investing more into proper trained cops? How about better education? That might help a bit... together with "Maybe they shouldn't seize so many computers".

    • Problem... (Score:4, Insightful)

      by denzacar (181829) on Wednesday June 03, 2009 @05:54PM (#28202111) Journal

      How about investing more into proper trained cops? How about better education?

      Cops receiving official training as computer forensics are no longer simple beat cops - they are computer forensics experts and they should be treated and paid as such.
      So, besides their police training they would probably require something equivalent to a BA/BS.

      And even if there was enough time and money to educate and pay them later - system needs its beat cops too. Not just highly trained computer forensics.

      What they would like to have is a "breathalyser-style tool for computers that could instantly flag up illegal activity on any PC it's attached to".
      Which is delusional, even when you limit it to "a simple tool to preview on site and identify there's that one email [they] are looking for [so they] can then use that and interview the person now, rather than waiting six to 12 months for the evidence to come back" in cases such as "credit card fraud or selling stolen goods online".

  • maybe more people should own PCs in the UK...it will be better in the long run for civil liberties.

    Especially those people who are more likely to get things seized in a police raid.
    The purpose, to increase the backlog so much that the police will rethink their policy of seizing computers.

    That, and it'll help local computer shop owners with a flood of business as by the time the people get their computers back, it will be obsolete that they would have to buy a new one...essentially paid for by the police dep

  • For the small fee of, say, £10000 I can get the UK what they need. I will provide them with an empty USB memory, and a letter explaining that what they are looking for can't be done. At least not if the suspected computer criminal is any good: the files can be encrypted, stored inside an encrypted ZIP-file, hidden inside a hidden encrypted partition on the hard drive. If that level of secrecy is not enough, the child porn pictures can be steganographically hidden inside other (completely innocen
  • USB? (Score:4, Interesting)

    by Bert64 (520050) <bert@@@slashdot...firenzee...com> on Wednesday June 03, 2009 @04:57PM (#28201101) Homepage

    How would a USB device get access to the host system's drives?
    Surely that would require drivers to be loaded on the host...
    Not only would this be very OS specific, but it could easily be defeated, you could configure the host to detect the insertion of this particular type of usb device and perform a secure overwrite of all your incriminating files when such a device is inserted.

  • by Chris Tucker (302549) on Wednesday June 03, 2009 @05:03PM (#28201197) Homepage

    You are all now living in The Village.

    You have a choice.

    You can be numbers, or you can be free men and women.

    The choice is yours.

    Choose wisely.

  • UK police are asking for a "breathalyser"-style tool for computers that could instantly flag up illegal activity on any PC it is attached to [today.com].

    Detective Superintendent Charlie McMurdie, who is what passes for a computer expert in the police force, said such a tool could run on suspects' machines, instantly read and analyse their email, web browsing and chat logs, identify credit card fraud or selling stolen goods online, reliably detect and assess images containing children on the five-level child porn scale and create a handy log of relevant evidence. And a pony.

    "It's surely just a simple matter of programming," said McMurdie. "We're seizing so many computers from people with a copy of Virgin Killer that frontline police need a digital forensic tool as easy to use as the breathalyser, to magically flash up 'HONEST UPSTANDING CITIZEN' or ''E'S A NONCE, GUV'. Do we need to seize five computers, all their mobile phones, their CD and DVD collection and basically everything that runs on electricity, or could we use a magical police gadget with impressive flashy lights and stuff? I thought computers were supposed to make life easier!"

    The eventual development of such a tool could help ease a backlog of digital forensic work that has officers waiting up to a year for evidence to be recovered from seized machines, though threatening to destroy people's livelihoods has proven very efficient in extracting confessions.

    EDS Capita Goatse have promised they can "absolutely, definitely, certainly, probably" produce such a tool with only an ironclad GBP100m five year contract, and also reliably determine whether a computer program halts or not. The Internet Watch Foundation also demanded to be involved, and were told their details would be kept on file.

    "It was so much simpler in the old days," sighed McMurdie. "People asking you what time it was, burglars with domino masks and striped jumpers and bags marked 'SWAG,' chirpy Cockney sparrow second-hand car dealers wiv a heart of gold ... you just can't get the wood, you know."
