UK Police Want Plug-In Computer Crime Detectors

An anonymous reader writes "UK police are talking to private companies about using plug-in USB devices that can scour the hard drive of any device they are attached to, searching for evidence of illegal activity. The UK's Association of Chief Police Officers is considering using commercial devices that can perform targeted searches of text, pictures and computer code on hard drives, allowing untrained cops to detect anything from correspondence on stolen goods to child pornography. Police in the UK are desperate for a way of slashing the backlog of machines seized by the police in raids, with many forces having a backlog that will take a year to process." Maybe they shouldn't seize so many computers.

First among other things...

[Anonymous Coward]

this is probably something everybody should have, just to make sure they're in compliance.

Re:What about "extreeeeme" pr0n?

[rtb61]

Now if you are going to get down to the nitty gritty, how about reading the warranty 'er' end used licence agreement on the windows operating system. You know the bit, where it says that they do not warrant the operating system is free of viruses (illegal content) when they sell it to you. Now the law wants to make every person 100% legally responsible for all the content on a computer when the operating system supplier will emphatically not take any responsibility for the security, stability or reliability for that software when thy initially supply it to the consumer.

As it stands now, just the contents of a hard disk drive should never ever be considered the sole defining evidence of a persons innocence or guilt for any crime because only the most competent computer security experts are capable of keeping a computer secure and safe when connected to the internet and they must make continued efforts to keep it that way. So the law and the courts are turning a blind eye to the reality of the situation.

How many computer geeks out there actually believe that the typical computer using noob should be held legally liable for the activity of their computer, so when it is used in a botnet to commit credit card fraud should that family spend the next five years in jail for the crime they have committed for which they must now prove innocence. You can't even claim that there was no evidence of a virus, as the operating system warranty itself states that they may exist (benefit of the doubt) and of course a smart criminal will clean up any evidence that leads to them after using someone else's device in a major crime.

So the police hook up a device based upon using a operating system that does not warrant that it is free of viruses, to a suspects PC, and claim that the device is now free of viruses when the manufacturer directly refutes that claim, so the police will try to claim they did not infect the suspects machine and put the illegal content on that computer. A a very minimum I would hope they use publicly audited software, open source and not closed source proprietary software that the manufacturer believes already contains viruses as per their warranty and that includes the whole and complete evidence chain.

Should be easy in the UK.

[BitterOak]

This should be easy to accomplish in the UK where citizens are required by law to turn over all their encryption keys or face jail time. It would be harder to make it work in the US, where people can use encryption. I suppose the Brits could employ TrueCrypt hidden volumes to keep their stuff private.

Re:

[siloko]

Well the UK does indeed have this law which is one of many in the authoritys' arsenal to lock you up on suspicion rather than evidence. Whatever happened to "You have the right to remain silent . . .". We will wake up one day and find that keys to our doors only work from the outside.

Re:Should be easy in the UK.

[twidarkling]

We will wake up one day and find that keys to our doors only work from the outside.

I dunno about you, but my locks already only take keys on the outside. See, on the inside, I have this nice little knob I can use to lock the door without the key.

Re:

[siloko]

I think I was in danger of taking myself too seriously. Thankyou!

Re:

[smellsofbikes]

As a serious reply to your post -- I have a conflict over what sort of lock to use on doors.
If I use the sort of lock you're talking about, house-breakers just bash out a window, reach in, and turn the knob.
If I use the sort that requires a key from both sides, there's a possibility that someone will be stuck inside that door if there's a fire, and that'd really suck.
But as it is, the question has mostly been answered, because I had the lock-on-both-sides installed and someone bashed out the window, found t

Re:Should be easy in the UK.

[bitt3n]

We will wake up one day and find that keys to our doors only work from the outside.

I dunno about you, but my locks already only take keys on the outside. See, on the inside, I have this nice little knob I can use to lock the door without the key.

mine has the knob on the outside, and the keyhole on the inside. it's like a hardware version of DRM.

Re:

[twidarkling]

It's a joke.

You really didn't see it?

Re:Should be easy in the UK.

[Mister Whirly]

No. Must be an inside joke, and I am outside trying to open the door with my damn key, but it isn't working.

Re:Should be easy in the UK.

[commodore64_love]

Any citizen who believes in human rights & the sovereignty of the individual should be willing to spend a little time in jail, rather than give the encryption key. A few days in jail is a small inconvenience compared to the return of tyranny that existed in the UK prior to 1800. You have the right to not be tortured into giving false confessions - this isn't the Medieval Ages or the Catholic Inquisition.

Remain strong; remain silent.

Re:Should be easy in the UK.

[Anonymous Coward]

How much time have you spent in jail?

Re:Should be easy in the UK.

[Allicorn]

A little time eh? Failure to surrender your encryption keys to the UK authorities will net you two years.

http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act [wikipedia.org]

And that's assuming that the act of trying to defend your individual sovreignty doesn't just make them trump up a whole bunch more charges to keep you out of the way for much longer since you're obviously in league with the terrorists/pedos/catholics.

Re:Should be easy in the UK.

[computational super]

Failure to surrender your encryption keys to the UK authorities will net you two years.

Well, that's what they'll sentence you to. You won't do nearly that much time. Once they tell the other inmates you're a pedo, they'll kill you after a week, tops, with the guards looking on approvingly. You'll be out in no time!

Re:

[pjabardo]

Warning people that you will go on a killing spree is not exactly silent...

Re:Should be easy in the UK.

[wowbagger]

"Whatever happened to "You have the right to remain silent . . ." "

I wasn't aware the Miranda decision [wikipedia.org] and the Bill of Rights [wikipedia.org] applied to the UK.

Re:

[twidarkling]

They have something similar, which I can't remember the name of. What I do remember is that the warning doesn't mention a right to remain silent, but something about statements made will be presented in court.

Re:

[siloko]

UK Police routinely say: "You do not have to say anything unless you wish to do so, but what you say may be given in evidence." More details here [google.com]

Re:

[Hognoxious]

They modified it a few years back. I forget the exact wording and I can't be arsed to look it up, but it amounts to "anything you don't say (right now, before consulting a lawyer) is inadmissible as a defence".

Re:Should be easy in the UK.

[commodore64_love]

When I see a cop, I suddenly become a deaf-mute. Anything you say, even something as simple as, "I don't own a gun and know nothing about a robbery," can be used against you.

Attorney: "When you arrested Mr. Smith did you notice anything odd?"
Cop: "Yes when I told him about the robbery he said he doesn't own a gun."
Attorney: "What's odd about that?"
Cop: "I never said the robber used a gun, and yet somehow Mr. Smith knew that intimate detail. That's why we decided to detain him and press charges as the most-likely suspect."
Attorney: "Any other incriminating evidence?"
Cop: "The store-owner identified Mr. Smith as visiting the store that evening, and acting in a suspicious manner. He was at the scene of the crime."
Attorney: "So Mr. Smith was at the scene of the crime, was aware of how the robbery was committed...with a gun... and acted in a suspicious manner."
Cop: "Yes."

Ooops. You might be completely innocent, and yet because you stupidly opened your mouth, now you're headed towards a probable conviction. Yay.

Re:Should be easy in the UK.

[lattyware]

http://en.wikipedia.org/wiki/Miranda_rights#England_and_Wales [wikipedia.org]

Re:Should be easy in the UK.

[Ash Vince]

What happened was that out current Labour government jumped on board with the war on terror then got this bill through parliament without any real public debate about the contents under the guise of fighting terror. The vast majority of the British public have no idea this shite is on the books as the press all agreed not to cover the law in any depth before it was passed.

Maybe the bill was D-noticed but we will never know since the press are not allowed to mention what is D-noticed and what is not.

http://en.wikipedia.org/wiki/D-Notice [wikipedia.org]

Re:

[blueg3]

It's easy in the U.S., too, just not as useful. If the TrueCrypt drive is mounted, just search it. If it's not, maybe you can say, "Hey, they have a TrueCrypt drive", but that's about it.

Re:

[geekgirlandrea]

Considering that the product in question involves booting the system from a 'forensically sound' operating system on CD (I guess someone hasn't thought too much about the prospects for a virtualization-based rootkit hidden in the BIOS...), it's a safe bet TrueCrypt volumes won't be mounted.

Re:

[Joce640k]

Being realistic, most criminals aren't that sophisticated...

Re:

[shadowknot]

This is fine in theory but the policy of seizure is generally a yank the power, bag it up and send it to the sweaty geeks (us). So even if the TrueCrypt volume is mounted when seized it will be a big old pile of meaningless binary junk once the pro's get their hands on it! Most of the time I have seen TC installed on a suspect's machine (maybe twice to be honest) I have found the passphrase in a handy text file (normaly named passwords.txt or secrets.doc)!

Cracking the 256-bit encryption is the easy part

[Joce640k]

The real problem is writing the OOXML parser.

Great...

[Chabo]

Now instead of having trained forensic experts, we'll have common beat cops searching your computer.

Attorney: How do you know he had illegal material on his computer?
Officer: I pushed the button, and the computer told me to arrest him.

Re:

[Digestromath]

It's like a breathalyzer for computers. And we all know how well those work.

Re:Great...

[DanTheStone]

Funny you should mention that. [slashdot.org]

Re:Great...

[Quiet_Desperation]

Officer: I pushed the button, and the computer told me to arrest him.

Pffft! You think too small, and will never take over the world.

Corrected version follows.

Attorney: How do you know he had illegal material on his computer?
Officer: The computer called us and informed on its owner.
Attorney: It called you?
Officer: Yeah. And so did yours. You still want to question me, Mr. 500Gig Chubby Porn Collection?

Re:Great...

[commodore64_love]

Attorney: Yeah I have chubby porn. It's not illegal or a crime. Are you in the habit of arresting citizens for violating non-existent laws?
Officer: ...uh...
Attorney: Your case history indicates you make many false arrests. Like this one: Arresting an elderly woman because she refused to let you enter her house. What have you to say to that?
Officer: She refused to comply with our request to enter.
Attorney: Ahhh you REQUEST to enter... so you didn't actually have a warrant..
Officer: ...uh...
Attorney: But you decides to arrest her anyway. Wasn't she later freed?
Officer: Yes but...
Attorney: And here's another case where you broke into the wrong house and damaged the door.
Officer: It was an accident.
Attorney: Yes but you never replaced the door, forcing the innocent person to spend $500 in repairs. You have a long, long history of abuse against the residents...
Officer: Now see here!
Attorney: ...and have been reprimanded multiple times by your superiors. Could it be you searched my client's computer without provocation?
Officer: I had a warrant.
Attorney: An *invalid* warrant. It's not signed by a judge, you never swore an oath, you just photocopied it and filled-in the details yourself. Isn't that true?
Officer: No!
Attorney: Remember you're under oath Officer Chiklas. This is clearly your handwriting, is it not?
Officer: .......
Attorney: Well?
Officer: Yes.
Attorney: Your eminence, I submit that this was an illegal search and seizure without a warrant and all evidence should be dismissed.

Re:Great...

[ve3id]

This reminds me of another idiot device they gave to the British bobby: back in the 70's and 80's, there was a glut of illegal CB sets in England. They never legalised the use of 27MHz AM/SSB CBs and all the units sold were marked 'for export only' When they legalised CB, units that were approved could only transmit FM. Instead of overworking the radio inspectors, they gave bobbies on the beat a box that detected if a close transmitter was AM or FM, with two LEDs. The only problem was amateur radio operators can legally use AM and SSB (after all, they invented it!). One beat p.c. stopped a ham and asked him to talk in the mike, and, you guessed it, the illegal CB light lit up! Only when the amateur radio operator started cursing and swearing at the p.c. and getting red in the face did he consult another p.c. over the police radio who was a ham. This being the appropriate behaviour for a ham accused of being a CB'er, he let him go with an apology.

Re:

[linzeal]

And for those of us with 10's of thousands of documents on our computers? How well are these going to be able to differentiate between a PDF file that involves fiction and one that is real? Hell, some of my source material for a horror screenplay I tinker with now and then has made-up schematics and lists of where and how people are going to be killed in the scenes.

Re:Great...

[Chabo]

Not to mention that if you've published copyrighted material, they might get a false positive, indicating that you're infringing against yourself! ;)

Re:Great...

[corychristison]

Something like this happened to a friend of mine.

He owned a blog that he literally put up everything that happened in his life.

He added pages of an essay he was writing for History to his blog as he finished and edited them.

A few days after he turned in his paper he was asked to speak to the Dean where he was accused of plagiarism because Google turned up his blog (he uses a pseudo-name, and has google-analytics installed on his blog)

Took him a few meetings with the education board to prove that it was his blog and his own writing.

What a bitch, eh? The fact that the teacher merely typed it in Google and said "Good enough". He didn't bother to look for any pictures or any information that would hint that it was this particular persons blog.

Re:Great...

[ve3id]

One principle of computer forensics is that if a computer is manipulated in any way, the evidence may be corrupted by such operation, and this could be used by defence attornies. Real computer forensics involves getting the computer powered down, removing the disk, setting it up in a test jig with write protect enabled, and reading the complete image from the disk onto a sterile environment for analysis. I don't think Mr. Plod will meet the test of admissibility into evidence! How is he going to prove to the court that the suspected data were not on the USB key to start with? If he has interfered with the computer in any way by plugging in a USB key, then the evidence is contaminated.

Re:

[TinBromide]

Its not quite like that, but there have been USB forensic incident response sticks for a while, although the oldest ones I'm aware have primarily been used by parole officers to see if their parolees have been surfing porn [forensics-intl.com]. If the NTA scan turns up positive, they then sieze the computer and investigate further.

There are also a few more sophisticated ones that I don't have bookmarked on this computer. I've used a few my self, like there's a rapid response stick that can be used for mass computer identifica

Re:

[Zerth]

To my knowledge, none of the USB based tools is forensically acceptable and all of them are trivial to screw up when attached to a running system.

The only acceptable method is duplication of all storage with a read-only adapter.

Re:

[Bryansix]

Just remind me not to move to the UK.

Re:

[shadowknot]

Officer: I pushed the button, and the computer told me to arrest him.

So they'll be just like cell phone analysts then, ha! (Sorry, that's a digital forensics joke). But seriously that is an accurate assessment. The handful of times I have been to court to give evidence involving an analysis I have performed they have asked me simple but semi-well researched questions. Most officers I speak to can barely spell let alone describe how a device they have no idea about discovered illegal material on a computer they don't know how to use. I do, however, suspect that this devic

Just one thing to say:

[courteaudotbiz]

TrueCrypt [truecrypt.org]

Re:Just one thing to say:

[Afforess]

Yeah, with truecrypt create a hidden partition, and just have the machine boot into a clean XP install when someone (without the pass key) starts it up.

Re:

[Chabo]

Except that if you never use the "visible" OS, then it will be fairly apparent that you have a hidden OS that you use all the time.

Personally, the next time I do a reinstall, I plan on using TrueCrypt, but I won't bother with a hidden partition or hidden OS. It'll give better plausible deniability to those of you who do. :)

Re:

[Bert64]

Use a Linux partition for all your browsing and general use..
Have a Windows partition that is used for nothing but games (bonus: windows will run the games faster because it gets used less), and let them find that... Just make sure you don't warez the games.

Re:

[ion.simon.c]

The point is, if an adversary knows that you have a TrueCrypt Hidden OS, then it's no more secure than a plain old TrueCrypt-encrypted partition.

Aye. But if your adversary *really* *strongly* *believes* that you have a TrueCrypt Hidden OS where one does not actually exist, they're gonna wander off on a very expensive and time consuming snipe hunt.

Urm?

[fuzzyfuzzyfungus]

So, are they saying that they want existing forensics software, with a drool-proof wizard attached, bootable from a flash drive(because hell, who needs forensic hardware write blocking when you can totally trust software to do the job under any circumstance?) or are they actually proposing that the program be able to detect evil?

Re:

[twidarkling]

It's the UK police. It's probably the "evil" one.

Hmm

[Co0Ps]

I think the UK Police got this idea while watching CSI.

Sounds like crazy talk.

[Garbad Ropedink]

I'm not much in the ways of encryption, but I assume if your computer's encrypted it'll be pretty difficult for this thing to work through the system, if not impossible.
Sounds like the cops just want a usb key that has a light that comes on when the law's been broken.

Mainstream computer illiteracy at work.

and the companion product....

[SethJohnson]

Anybody want to sponsor a contest to see who can write a USB driver that defeats this within the fewest lines of code?

Seth

Re:

[dranga]

Just rewire your USB ports to run at 120v. And label it USB120 so you can point back at them for not reading when they try to charge you with damaging their equipment.

Re:

[internerdj]

Bah. That's no fun. You need a USB driver that pushes a virus back onto the stick so there will be enough public outcry so that they stop using the devices...

Re:

[blueg3]

Well, on my computer, none of the USB ports are actually connected. So, can anyone do it in less than zero?

Re:

[twidarkling]

RTFS, says specifically "USB." And you know why? Simple. Netbooks. No CD drive. If they only used CDs, then any netbook would be immune, unless an external CD drive was hooked up, and since the point is to make it easy for untrained cops, that's not gonna work.

Either way, it's a massively stupid project on their part, and anyone with 20 minutes and a drive to not go to prison can find a way around it.

Encryption=suspicious?

[wjh31]

that'll probably work fine for the lay-man, but will having an encrypted hard drive count as evidence of illegal activity

Re:

[Idiot with a gun]

In the UK, yes. You'll be required to hand over [zdnet.co.uk] your encryption keys to the government. If you refuse, it's 2-5 years, depending whether or not you're a "terrorist suspect." I wouldn't surprised if refusing makes you a terrorist suspect mighty quickly.

Re:

[interkin3tic]

You'll be required to hand over your encryption keys to the government.

I've got to think that if there were locks on your property that the government or police couldn't break with brute force, it would be the same for search warrants of your house.

...not that that changes anything, just that it's typical.

Re:Encryption=suspicious?

[Anonymous Cowpat]

they don't - you have to prove that you've forgotten it O.o.
Yes, this is a bad law.

Re:Encryption=suspicious?

[SatanicPuppy]

That whole "innocent until proven guilty" thing is something that the Founding Fathers felt strongly about...having lived in England.

Re:

[twidarkling]

It already does, there. If you don't turn over your encryption code, you get a nice trip to jail.

Re:

[dnaumov]

that'll probably work fine for the lay-man, but will having an encrypted hard drive count as evidence of illegal activity

If you don't supply the password when asked by the court, then sure.

If voting machines are anything to go by....

[MasseKid]

Then there will be no problems with this technology!

Look Out! It's a Trap^H^HDupe!

[AgentSmith]

OK. We can go over this topic again.
 

Oh geez! This is too easy!

[erroneus]

If I understand the British government, they wouldn't have any problems with this approach either:

Let's build a live USB Linux load that knows how to read and write all known file systems including encrypted systems. Then we will write a few handy scripts that will scan for a fairly long list of known files using MD5sum or some such. Then, if it doesn't turn anything up, copy some child porn from the USB drive over to the target system and print out the arrest warrant.

Re:Oh geez! This is too easy!

[robably]

That raises an interesting point, though - as soon as a police officer plugs a USB stick in to a suspect's computer, the computer surely stops being an untouched "forensic scene", and so anything on it becomes inadmissable in court? We've had speed detectors being chalenged in court, how long after these are used in the wild before they are challenged, too? The "USB stick" would have to be a read-only, use once item so that it could be used for one crime scene only to find probable cause, then bagged and stored to be presented as evidence later - if it was a standard USB stick then ANYTHING could have been on it when the police officer stuck it in to your computer.

Microsoft already provides this

[Anonymous Coward]

It's called COFEE [microsoft.com]

Q.What is COFEE?

A.COFEE (Computer Online Forensic Evidence Extractor) is a tool that helps simplify the very complex problem of gathering "live" computer evidence of cybercrime. It utilizes common forensics tools to aid officers at the scene in gathering important live evidence with a single USB device. It also provides reports in a simple format for later interpretation by computer experts, or as supportive evidence for computer investigations. This means that first-responder officers on the scene of a crime don't have to be computer forensic experts to capture live data for later analysis and that this critical information does not have to be lost once a computer is shut down to be taken for a traditional offline forensic analysis.

Cops got even got their own web portal courtesy of Microsoft.

Inspired!

[shadowknot]

Maybe they shouldn't seize so many computers.

As someone working in Digital Forensics in the UK I can honestly say that this is the most inspired piece of wisdom I have seen in a long time. Our company has literally had computers that haven't been switched on in a decade that have been sitting in a garage or attic until the cops decide to seize them. This is good for business but bad for taxpayer expenditure and the expedient discovery of data of evidential worth. The process for seizure of computer equipment in police investigations is essentially "if it has an on-off switch then seize it". There needs to be some training given to officers seizing although I doubt they will as they are scared of the first case of non-seized items containing illicit material.

Re:Inspired!

[Idiot with a gun]

Its an unfortunate situation when cops are more afraid of not seizing a machine carrying illicit material, than they are afraid of seizing hundreds or thousands of machines containing nothing illegal, and taking forever to return them.

Re:

[Dunbal]

and taking forever to return them.

      Who said anything about returning them?

O RLY?

[Just Some Guy]

UK police are talking to private companies about using plug-in USB devices that can scour the hard drive of any device they are attached to

I've got a rackmount OpenBSD box that claims otherwise.

Re:

[computersareevil]

I've got a rackmount OpenBSD box that claims otherwise.

Does it have a USB port and a BIOS new enough to boot from said USB port? You're screwed.

Umm, these devices are security risks people...

[KreAture]

Why has noone pointed out that these devices are using security holes to gain access and that these holes are being or should be blocked on most OS'es. It's probably just a matter of time before they will need a different ploy anyways.

A simple web-search turns up a tonn of comercial solutions already.
Many companys already require usb security suits to be installed on all company computers.

In the meantime disabeling drivers and locking down the policys required to re-enable (in windows that is) might be one

Re:

[Idiot with a gun]

I'd imagine these would live thumb drives, specifically to sidestep any security measures like you described. A trained digital forensics expert will usually remove the hard drive, put it in a device that prevents any writes, make an image of the hard drive, and work from that. All of this is specifically to avoid running any code on the machine designed to hide any illegal information, and to prevent any corruption of evidence which would cause issues in court.

Why not....

[Darkness404]

Why not have an EU-wide mandate of a computer bill of rights? In this include the right to encryption and the right to keep your key to yourself.

Re:

[Helix666]

Because that would allow us to behave and speak freely... er, I mean... that would allow the evil, bad terrorist pædophiles to win. or something. .

Re:

[twidarkling]

Because that would explicitly be in contradiction of their policy of ISPs keeping information available for a minimum amount of time, aka: Your information isn't yours to delete.

How desperate are they?

[fluch]

"...allowing untrained cops to detect anything from correspondence on stolen goods to child pornography. Police in the UK are desperate for a way of slashing the backlog of machines seized by the police in raids..."

How about investing more into proper trained cops? How about better education? That might help a bit... together with "Maybe they shouldn't seize so many computers".

Problem...

[denzacar]

How about investing more into proper trained cops? How about better education?

Cops receiving official training as computer forensics are no longer simple beat cops - they are computer forensics experts and they should be treated and paid as such.
So, besides their police training they would probably require something equivalent to a BA/BS.

And even if there was enough time and money to educate and pay them later - system needs its beat cops too. Not just highly trained computer forensics.

What they would like to have is a "breathalyser-style tool for computers that could instantly flag up illegal activity on any PC it's attached to".
Which is delusional, even when you limit it to "a simple tool to preview on site and identify there's that one email [they] are looking for [so they] can then use that and interview the person now, rather then waiting six to 12 months for the evidence to come back" in cases such as "credit card fraud or selling stolen goods online".

maybe more people should own PCs

[MoFoQ]

maybe more people should own PCs in the UK...it will be better in the long run for civil liberties.

Especially those people who are more likely to get things seized in a police raid.
The purpose, to increase the backlog so much that the police will rethink their policy of seizing computers.

That, and it'll help local computer shop owners with a flood of business as by the time the people get their computers back, it will be obsolete that they would have to buy a new one...essentially paid for by the police dep

I can provide what they need!

[uffe_nordholm]

For the small fee of, say, £10000 I can get the UK what they need. I will provide them with an empty USB memory, and a letter explaining that what they are looking for can't be done. At least not if the suspected computer criminal is any good: the files can be encrypted, stored inside an encrypted ZIP-file, hidden inside a hidden encrypted partition on the hard drive. If that level of secrecy is not enough, the child porn pictures can be steganographically hidden inside other (completely innocen

USB?

[Bert64]

How would a USB device get access to the host system's drives?
Surely that would require drivers to be loaded on the host...
Not only would this be very OS specific, but it could easily be defeated, you could configure the host to detect the insertion of this particular type of usb device and perform a secure overwrite of all your incriminating files when such a device is inserted.

Hello, United Kingdom?

[Chris Tucker]

You are all now living in The Village.

You have a choice.

You can be numbers, or you can be free men and women.

The choice is yours.

Choose wisely.

UK cybercops demand magical digital snake-oil

[David Gerard]

UK police are asking for a "breathalyser"-style tool for computers that could instantly flag up illegal activity on any PC it is attached to [today.com].

Detective Superintendent Charlie McMurdie, who is what passes for a computer expert in the police force, said such a tool could run on suspects' machines, instantly read and analyse their email, web browsing and chat logs, identify credit card fraud or selling stolen goods online, reliably detect and assess images containing children on the five-level child porn scale and create a handy log of relevant evidence. And a pony.

"It's surely just a simple matter of programming," said McMurdie. "We're seizing so many computers from people with a copy of Virgin Killer that frontline police need a digital forensic tool as easy to use as the breathalyser, to magically flash up 'HONEST UPSTANDING CITIZEN' or ''E'S A NONCE, GUV'. Do we need to seize five computers, all their mobile phones, their CD and DVD collection and basically everything that runs on electricity, or could we use a magical police gadget with impressive flashy lights and stuff? I thought computers were supposed to make life easier!"

The eventual development of such a tool could help ease a backlog of digital forensic work that has officers waiting up to a year for evidence to be recovered from seized machines, though threatening to destroy people's livelihoods has proven very efficient in extracting confessions.

EDS Capita Goatse have promised they can "absolutely, definitely, certainly, probably" produce such a tool with only an ironclad GBP100m five year contract, and also reliably determine whether a computer program halts or not. The Internet Watch Foundation also demanded to be involved, and were told their details would be kept on file.

"It was so much simpler in the old days," sighed McMurdie. "People asking you what time it was, burglars with domino masks and striped jumpers and bags marked 'SWAG,' chirpy Cockney sparrow second-hand car dealers wiv a heart of gold ... you just can't get the wood, you know."

Re:

[Idiot with a gun]

Perhaps there is nothing morally wrong with it. But it is stupid. No automatic tool will completely replace a trained professional (for now). And that's even ignoring the likelihood that the UK police are confiscating way too many computers. The fact that they have way too many computers to investigate is very likely a symptom of an overzealous police force/government declaring many things illegal, as seems to be the trend in the West as of late. So really all they're doing is attacking the symptom, not the

Re:

[MozeeToby]

Who ever said that this technology was going to replace the officers doing the work right now? I could definately imagine a system where low profile cases are automatically checked with this software and if anything is found it is flagged for review by an expert. High profile cases would, obviously, always be investigated by someone who knew what they were doing.

Re:

[commodore64_love]

You hit the nail on the head.

Too many laws, and even if you've done nothing technically wrong you can still get arrested for "resisting arrest" or "disturbing the peace" which are nonsense laws that have no real meaning. This just happened in a New Hampshire government building because he was carrying cameras and the police arrested him. The supreme law of the land protects the right to free speech & the right to record anywhere you wish, so long as you are outside of the actual courtroom. But the p

Open Source?

[CheddarHead]

I would agree with you as long as the workings of these devices are totally transparent to the public. That would have to include open source for all of the S/W and algorithms used to determine what material is evidence of illegal activity. If it's not transparent, then they could claim that anyone's computer shows evidence of illegal activity and there would be no way to defend against it.

Re:

[blueg3]

The likelihood of that actually working in court is very low. Generally if they're presenting evidence of illegal activity, a forensic examiner has to give testimony in court. The explanation, "this tool told me there was evidence" is far too insufficient. At least among the investigators I've worked with, none of them would use such a tool to find court-ready evidence if it didn't lay out low-level details of the findings, because they need to have those low-level details available at trial. (Plus, the dir

Re:Perfectly Legitimate

[fuzzyfuzzyfungus]

While this move is legitimate in a structural sense(i.e. if the search would otherwise be legitimate, doing it with this would be ok, and if it is otherwise illegitimate, doing it with this wouldn't become ok); but there are practical considerations that make me nervous.

One is write blocking. To prevent corruption, tampering, and similar issues, it is good practice to use a hardware write blocker and, where possible, work from a disk image made from the original disk through a write blocker. A USB bootable system is not going to have that level of assurance. In a lot of cases, cops will have to monkey with the BIOS to get it to boot the USB drive and, with the vast number of BIOSes, chipsets, hardware RAID boards, softRAID crap, etc, etc. out there, trusting software to prevent tampering or corruption seems potentially troublesome.

More generally, the demand for a "PC breathalyzer" is a demand that a difficult problem be made trivial so it can be done by unskilled or ignorant people. That sort of demand is rarely a harbinger of future quality, which is disquieting when people's freedoms are potentially at stake.

Re:

[evil_aar0n]

Well, that would simply require "One OS to rule them all."

Re:

[John Hasler]

Most people would hand over the laptop because they believe they must obey the police. Handing over the computer would be construed as giving permission for the search so no warrant would be required.

Re:

[Idiot with a gun]

I wonder how many thumb drives you must go through.....

Re:A year?

[Idiot with a gun]

Then the cops wouldn't pick up any computers at all, which would be silly. I'd rather see compensation come out of the police budget if computers aren't turned over in a reasonable amount of time, similar to how US citizens technically have the right to a "a speedy and public trial, by an impartial jury."

Re:A year?

[Sporkinum]

Interesting little side story to this.. A co-worker's daughter had her purse stolen at college. The perp used her bank card to buy gasoline and make online purchases. They were traced and the person was caught. The local sheriff seized the perp's computer as evidence.

Where it gets interesting is that we had a MAJOR flood last year that flooded the sheriff's office. All of the evidence on hand was destroyed in the flood, and the cases the relied on the evidence had to be thrown out. To add insult to injury, they had to replace all the evidence that was destroyed. The perp ended up getting charged with nothing, and got a brand new computer out of the deal.

Needless to say, my co-worker was not happy!

Re:

[Bert64]

That's the fault of the police for not keeping the evidence secure. You can't expect the suspects to be punished because they could well be innocent, after all there is no proof to the contrary.

Re:

[twidarkling]

And Canada becomes the harbinger of freedom for the Western World! Quick! Everyone move up here now! Free poutine for the first 1,000 US-ians to move!

Re:

[Chabo]

certain "inalienable" rights

Don't you know anything? It's unalienable. ;)

Re:

[interkin3tic]

The aim of any modern Western legal system is to make sure that every last citizen is likely to be guilty of something non-trivial.

This is, by the way, direct from the "Cynical, paranoid /.ers guide to government." Which is unquestionably true. If you question it, you're one of them, so you should know already.

Re:

[RobertLTux]

or better yet a desktop/ server system with a fake drive rigged to go POP if it gets powered up

drive gets powered up and boom no more drive (bonus gitmo points if you manage to take out the work station)