“UK police are hoping to one day develop a breathalyser-style tool for computers that could instantly flag up illegal activity on any PC it's attached to.
Detective superintendent Charlie McMurdie, architect of the UK's Police Central E-crime Unit (PCeU), said front line police ideally need a digital forensic tool as easy to use as the breathalyser, to help them deal with growing numbers of computers being seized during raids on suspects' homes.
She told silicon.com: “Do we need to seize five computers in a suspect's house or could we use a simple tool to preview on site and identify there's that one email we are looking for and we can then use that and interview the person now, rather than waiting six to 12 months for the evidence to come back to us?” Source: www.silicon.com/public sector.
If you think about it, it doesn't seem like such a crazy idea. Years ago I fooled around with Prolog, a programming language specifically for such programs.
What she is talking about is an expert system using fuzzy logic, very similar to programs already in existence or in development in other fields such as medical diagnostics and mechanical troubleshooting.
It is fun to theorize about how such a system could actually work:
First of all, each of the areas of investigation would need to be identified and analyzed for the type of expert knowledge required to perform that specific investigative task.
By the way, this should not be confused with some of the operations that first responder software already performs, such as automatically collecting certain types of data from a suspect computer, like Internet history or suspected child pornography images.
Data collection, while the primary driver for beginning the analysis, is only the start. Where the expert system software comes in is in duplicating, to some degree, what a computer forensics expert would do with that data: the analysis part of it.
Once a specific area of investigation is identified, several things would need to happen to begin to build such a system:
1. What data must be collected for that area?
2. What type of analysis must be done?
3. What type of information (expert knowledge) is needed to properly analyze that data?
4. How can the expert system analyze the data using fuzzy logic?
5. What would trigger a “hit”?
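To make the five questions above concrete, here is an added toy example (not code from the original post): a small fuzzy-rule triage engine in Python that scores constructed artifact counts from a previewed machine and reports a "hit" with an explanation trace. The feature names, membership ramps, rule weights and the 0.6 threshold are all assumptions for illustration, not real case logic.

```python
# Step 1: the kind of data a first-responder preview might collect.
# These counts are CONSTRUCTED sample values, not real case data.
SUSPECT_ARTIFACTS = {
    "email_keyword_hits": 3,      # messages matching the case's search terms
    "history_keyword_hits": 12,   # browser history entries matching
    "history_total": 2000,        # all browser history entries found
    "days_since_last_match": 2,   # recency of the newest matching artifact
}
CLEAN_ARTIFACTS = {
    "email_keyword_hits": 0, "history_keyword_hits": 0,
    "history_total": 500, "days_since_last_match": 200,
}

def ramp(x, low, high):
    """Fuzzy membership rising linearly from 0 at `low` to 1 at `high`."""
    if x <= low:
        return 0.0
    if x >= high:
        return 1.0
    return (x - low) / (high - low)

# Steps 3 and 4: expert knowledge encoded as weighted fuzzy rules.
# Each rule is (label, membership function over the artifacts, weight);
# weights are assumed values and sum to 1 so the score stays in [0, 1].
RULES = [
    ("keyword-bearing email present",
     lambda a: ramp(a["email_keyword_hits"], 0, 3), 0.5),
    ("matching browsing activity (per 1000 entries)",
     lambda a: ramp(1000 * a["history_keyword_hits"] / max(a["history_total"], 1), 0, 10), 0.3),
    ("activity is recent",
     lambda a: 1.0 - ramp(a["days_since_last_match"], 7, 90), 0.2),
]

def score(artifacts, rules=RULES):
    """Step 2: weighted aggregation of rule memberships, with a trace."""
    trace, total = [], 0.0
    for label, member, weight in rules:
        m = member(artifacts)
        trace.append((label, round(m, 3)))
        total += weight * m
    return round(total, 3), trace

def triage(artifacts, threshold=0.6):
    """Step 5: a 'hit' fires when the aggregated score crosses the threshold."""
    s, trace = score(artifacts)
    return {"hit": s >= threshold, "score": s, "trace": trace}

if __name__ == "__main__":
    for name, a in (("suspect", SUSPECT_ARTIFACTS), ("clean", CLEAN_ARTIFACTS)):
        print(name, triage(a))
```

The trace is the part an examiner would want to keep: it records which rules fired and how strongly, so a flagged result can be reviewed rather than taken on faith.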
As a computer forensics examiner and long-time software designer and programmer, I find the idea very interesting and worth pursuing.
Now, who wants to give me some grant money to make this happen?