Thursday, January 8, 2009

Linux tool speeds up computer forensics for cops.

This post is more technical than I normally like to put on this blog, but since someone asked the question, I am going to respond.

Dave Allen asked: “Did you ever make any comments with regards to the Linux tool speeds up computer forensics for cops?”

Linux tool speeds up computer forensics for cops

I read the article when it was published back in March of 2008. I did not comment then as I did not consider it to be of much consequence.

What they are talking about is basically a “live” preview tool for use by law enforcement officers. These types of tools have been around for quite a while.

The other reason I did not comment on it at the time is that I could not find a way to preview the tool or even a white paper on it. The best option would be to download and test it as I do with any interesting forensics tool I can find.

Here is a link to the school project page where you can see what little is actually listed about this software.

Click on the Image Preview System (SIMPLE) link in the table on the left side of the page.

The issue with the news article is in the title, “Linux tool speeds up computer forensics for cops.” That is simply a misstatement. What the tool is designed to do is to allow police to preview a system on site to see if there is any evidence that would require the computer to be seized and analyzed at the computer forensics lab. In the sense that they can exclude computers from forensic analysis, it can help to reduce the backlog of computers sitting in the forensics lab waiting to be analyzed, but it does not speed up the analysis process itself.

The tool does not address acquiring evidence or saving evidence for use in court at a later time. That is not its purpose.

On the practical side, even having such a tool offers only situational benefits when you consider that the process of previewing images on a computer can take hours. And having police spend hours at a site previewing images may not be the most efficient use of their time. Of course, they are only looking for a “first hit” scenario that shows the presence of contraband on the computer and not a full analysis.

Be aware that in order for the officer to use live preview software, he or she must be trained to properly boot the computer using the forensic environment boot CD. What you don't want to happen is for the officer on the scene to inadvertently contaminate the evidence by improperly handling the computer during the live preview process, leaving an opening for those pesky defense experts like me.

I am not sure of the laws down under so I cannot speak to the issue of warrantless searches there, but in the USA, considerable care must be taken by police not to illegally obtain evidence by fishing around on a suspect's computer even if they are using a forensically sound method.

Issues and benefits of “live preview” boot CDs

I might as well address this as it seems to be the next logical question.

There are a number of bootable live Linux CDs available. Probably the most widely used is the Helix CD by E-fense. With the release of Helix 2008 R3, it is a lot more useful now. The older release was having significant trouble booting newer systems.

And that is the number one issue with live CDs. They will not boot every system due to the large variety of hardware configurations in computers.

The advantage of live CDs from a forensic standpoint is that you can perform anything from a simple image preview to a full analysis depending on the CD you are using. The Penguin Sleuth Kit contains the Autopsy open source forensics software that is designed to do forensic analysis.

What I normally use live CDs for is to acquire a forensically sound copy of a computer in the field. This is especially useful for laptop computers where it is very difficult to remove the hard drive from the machine. The downside is that depending on the age of the computer, acquiring a forensic copy of the hard drive can be very slow since you are using the hardware of the subject computer to do the processing.

Also, I always prefer to use a hardware based write blocking system to copy computer hard drives and only resort to live CDs in special circumstances.
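As an added illustration of what “forensically sound” means in the field acquisition just described (this is example code, not the post's own and not from Helix or any other tool named here), the shell script below hashes the source before imaging, copies it block by block, hashes the result, and records both hashes in a custody log that a later verification step checks against. The function names, the log format and the 64 KiB sample “drive” file are assumptions of this example; it runs against that constructed file so it needs no real device, no root and no write blocker.

```sh
#!/bin/sh
# Added example, not code from the original post or from any tool it names:
# a minimal hash-verified acquisition routine of the kind a live-CD workflow
# performs, exercised against a constructed sample "drive" file so it works
# offline. Function names, log format and sample data are assumptions.
set -eu

BLOCK=4096   # imaging block size; a real drive is a whole number of sectors

# Constructed sample evidence source: 16 blocks of random data (64 KiB).
make_sample_drive() {
    dd if=/dev/urandom of="$1" bs="$BLOCK" count=16 2>/dev/null
}

# acquire_image SOURCE IMAGE LOG
# 1. hash the source before anything else touches it
# 2. copy block by block; conv=noerror,sync keeps going past unreadable
#    blocks and pads them so offsets in the image still line up with the source
# 3. hash the image and append both hashes to a chain-of-custody log
# Returns 0 only when the image hash equals the source hash.
# On a real device a live CD would first mark it read-only (for example with
# blockdev --setro) or sit behind a hardware write blocker; the sample here is
# a plain file, so that step is omitted.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dd if="$src" of="$img" bs="$BLOCK" conv=noerror,sync 2>/dev/null
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s source=%s image=%s src_sha256=%s img_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hashes the image later (before analysis, or when preparing for court)
# and compares it with the hash recorded at acquisition time.
# Returns 0 on match, 1 on mismatch, 2 if the log has no record of the image.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -F -- "image=$img " "$log" | tail -n 1 | sed 's/.*img_sha256=//')
    [ -n "$recorded" ] || return 2
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# Demonstration run on the constructed sample.
work=$(mktemp -d)
make_sample_drive "$work/drive.bin"
acquire_image "$work/drive.bin" "$work/drive.dd" "$work/custody.log" && echo "acquired: hashes match"
verify_image "$work/drive.dd" "$work/custody.log" && echo "image verified against custody log"
cat "$work/custody.log"
rm -rf "$work"
```

The source and image hashes only agree because the sample is a whole number of blocks, as a physical drive is; if the final read were short, conv=sync would pad it with zeros and the two hashes would differ, which is exactly the kind of discrepancy the log exists to surface rather than hide. In practice the image also goes to a separate evidence drive, never back to the subject machine.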

The purpose of live preview CDs is to make it easier for law enforcement officers in the field to preview a system. To do this, the live preview CD must be easy to use. The current live CDs out there are not particularly user friendly with many of them requiring you to use the Linux command line to perform operations rather than a nice friendly graphical interface.

Another downside to live CDs is that they are notoriously slow at performing some operations, especially previewing images. And many of them crash when attempting to deal with large numbers of images on a computer. That is probably more a function of the hardware than the software, since you don't get to choose the hardware configuration of the computer you are previewing.
