UK police: 'We need crime breathalysers for PCs'

Cyber cops chase next gen digital forensics

By Nick Heath, 11 December 2008 15:55

UK police are hoping to one day develop a breathalyser-style tool for computers that could instantly flag up illegal activity on any PC it's attached to.

Detective superintendent Charlie McMurdie, architect of the UK's Police Central E-crime Unit (PCeU), said frontline police ideally need a digital forensic tool as easy to use as the breathalyser, to help them deal with growing numbers of computers being seized during raids on suspects' homes.

McMurdie said such a tool could run on suspects' machines, identify illegal activity - such as credit card fraud or selling stolen goods online - and retrieve relevant evidence.

She told silicon.com: "Do we need to seize five computers in a suspect's house or could we use a simple tool to preview on site and identify there's that one email we are looking for and we can then use that and interview the person now, rather than waiting six to 12 months for the evidence to come back to us?

"For example, look at breathalysers - I am not a scientist, I could not do a chemical test on somebody when they are arrested for drink driving but I have a tool that tells me when to bring somebody in."

The eventual development of such a tool could help ease a backlog of digital forensic work that has officers waiting up to a year for evidence to be recovered from seized machines.

The tool is part of a package of measures envisaged by McMurdie as one day coming out of the £7m PCeU, which from spring next year will co-ordinate law enforcement of all online offences and lead national investigations into the most serious e-crime cases.

McMurdie also discussed the possibility of setting up a "central forensic server", where digital forensic experts from across the UK could log in and analyse whatever systems were plugged into it.

She described how it could help tackle corporate e-crime, saying: "Say one of the banks is attacked and we need to have a look at one of their hard drives: that bank would have something that they can plug their system in to and that connects to this central forensic server.

"Say there is a copper who is a forensic expert in Devon and Cornwall, he could hook into the central server and deal with it from Devon and Cornwall, rather than travelling up to London."

McMurdie said UK police have also been talking to the FBI and US Computer Emergency Readiness Team units about their use of remote searches of hard drives over the net.

PCeU leaders are also in talks with the Association of Chief Police Officers about setting up regional centres for e-crime training.

Comments

There are 17 comments.

  1. Dan Aris

    I'm sorry; you want to *what*?

    What they want is completely impossible. There is a very good reason why it takes a trained lab of computer forensics experts to extract evidence of illegal activities from a computer. There is no one "signature" that illegal activity leaves behind in a computer's hard drive.

    Furthermore, any criminal worth the expense of developing such a tool to catch would almost certainly have the intelligence to either encrypt the data of his wrongdoing, or do it on a separate computer or a USB flash drive.

  2. Nic Gendarme

    Perfect solutions for this very problem have been spec'd by the Internet Engineering Task Force years ago.
    For example, RFC 3514 specifies a means by which malicious data can be safely distinguished from "merely unusual" data.
    Currently, IPv4 only supports 1 bit of security information ("flag" in computer parlance); but tomorrow, IPv6 will support a full 128 bit dynamic range of maliciousness level, as well as another 128 bit field of vulnerability class assessment.

  3. Justin K. Reeve

    They already have this. It's called spyware.

  4. T. Williams

    The idea of making an on-site "plug-and-play" forensic tool capable of quickly and magically detecting illegal activity is as impossible as a magic wand for traffic cops to wave at an empty road that gives them the license plate and driver name for every traffic infraction since the road's creation.

    There's a reason why computers have to be sent to a specialist. Even if the perp is a careless idiot, an investigator has to know exactly what to look for and where. If a perp is even remotely good at covering tracks, it can literally take MONTHS for a forensic investigator to get a shred of evidence.

    An arresting cop certainly will not be able to collect evidence within 5 minutes simply with some magic little tool.

    On the other hand, the idea of confiscating a computer and plugging it into an automated forensic system equipped with a frequently updating database to compare by has promise. Such a system can be good at detecting the careless criminals. However, the really clever ones will still need the skilled eye of a forensic professional.

  5. Neil Townsend

    Good luck with that!

  6. anonymous

    "For example, look at breathalysers - I am not a scientist, I could not do a chemical test on somebody when they are arrested for drink driving but I have a tool that tells me when to bring somebody in."

    Yea -- the tool is called "education"

  7. anonymous

    Simply plugging a device into a computer to discover illegal activity is not at all like having someone breathe into a tube to determine whether or not they are drunk.

    It is more like having someone breathe into a tube to determine whether or not they like ska music.

  8. anonymous

    It is idiot ideas that cost the taxpayers billions of pounds so that the police can keep tabs on the innocent majority whilst the real Crims get away.

  9. Jeremy Wickins

    She surely has this wrong - why plug the suspect computer into anything. We are getting to the point where having a computer is enough to imply guilt of *something*. If it can be found easily, then fine - if it can't then there is some sort of protection on the illegal data, and so the person is trying to hide it! QED. Extending the analogy - not having a computer presumably means that the person is too clever to use one, and therefore clearly guilty of something really serious. Whatever, you'd better behave, citizen - you don't want to be "investigated" for anything ...

    The trouble is, I'm now worried - have I just uncovered the Home Office's secret plans, or have I just given them a new idea??

  10. Karen Challinor

    "UK police are hoping to one day develop a breathalyser-style tool for computers that could instantly flag up illegal activity on any PC it's attached to"

    they are also hoping one day to have a kind of hat that a suspect can put on and it will tell them immediately if the suspect is guilty, of what crime and which cell to put the suspect in

    apparently they got the idea from Harry Potter

    they'd prefer it not to sing though

  11. Drew Stephenson

    Sadly I think that Jeremy and Karen are right on the nail on this one.

    Best make sure you're good now, otherwise it won't be Santa who comes round; remember, they know where you live (and what e-mails you sent, and what phone calls you make, and what websites you look at, and have your DNA from the time you were broken into a couple of years ago, and they know which route you take on the underground from your Oyster card, and what you buy at the supermarket... Why, with all that info, there must be something you've been guilty of at some point. And if there isn't there'll be someone on a database somewhere with the same name who is and that's probably close enough isn't it?)

  12. Ask Jacky

    Somehow I have a nasty suspicion that in this PO.'s ideal world, all computers will be networked & constantly under police surveillance. Whoops, I'd better get as much information as I can now, while it's still legal to do so, on encryption. Not because I'm a crim, but because I disagree 100% with this attitude of 'guilty until proven innocent' & constant surveillance & will do everything possible to subvert it. Has anyone told the police recently that they are MEANT to be public servants, not public masters?

  13. David Mamanakis

    I have software that will do "most" of what they are asking for.
    Another year, and we could add the other parts they want.
    I find it funny, however...here in the USA we have a shortage of this kind of job available (by shortage, I mean that the Government agencies cannot afford to hire us) and in the UK they just cannot seem to get enough...
    SO, I suggest that the UK people get hold of "us" (meaning my organization and those that are like me) and we can work out something...
    Training, software development and licensing, computer forensics expertise, etc...

  14. Radical Meldrew

    A clever crook will mask access behind a proxy server and wipe all traces on shutdown. The deep forensic process mentioned here will only be used on a suspect's PC, and that suspect will already have been identified by other means. So - who is this aimed at? I suspect this will be a cursory scan, like spyware, and another tool in the growing police arsenal to identify potential criminals amongst the general public.

  15. anonymous

    The saying "a little knowledge is a dangerous thing" could never be better matched than to this.

    A computer is no more criminal than a 'toolbox'. So do you arrest everyone that has a screwdriver in their toolbox 'because it could be used to do harm'!?!?!?!?

  16. Joe Whitehead

    There is a sort of device that helps in this regard. Hint: It comes with clips and syncs to the line voltage. Another one has a universal laptop adapter.

    Combined with a tool that saves a copy of RAM and the hard drives to a USB drive or such... This is likely their next product model. ;)

    (I'm not linking to the site because it's considered soliciting - Google it)

    The point of keeping the system powered is that in a lab setup for pulling RAM live, you can pull passwords in memory. The adapter buys the officers more time to get it to the technicians. With a RAM dump, it's a LOT faster and more reliable to find evidence.

    If you unlock a drive that is passworded and not encrypted, simply hot plugging it will work if the technician determines that the equipment isn't encrypted. They can even get the drive back to the suspect within a few days, assuming they didn't take months because of some strange reason that it always seems to. heh

  17. Karen Challinor

    David & Joe

    You have missed the point, yes there are forensic tools that will do pretty much what the police want but they require two things

    time to work measured in days and a forensics expert to open the crate, install probes, interpret the results and then remove the probes and close the crate

    what they seem to want from the article is a device that an ordinary beat policeman can carry, that they can enter a suspect's premises with and, with minimal training, simply plug into the external ports on a suspect computer and instantly, or within a minute or two at most, tell if the machine has been used for criminal activity with a simple indicator

    in short they don't want an automatic forensics "tool", they want an automatic forensics "expert" with full knowledge of the law, encryption techniques, understanding of various languages and so on

    they want Gil Grissom from CSI in a box that fits into a pocket

    they seem to think that years of experience and training can simply be dumped into a small container so it can be used by someone who doesn't have the years of experience and training

    incidentally saving lots of money paying for a forensics expert in the process

    sadly this is a viewpoint which seems to be shared by most senior management when looking at IT personnel
