Slashdot Mirror


UK Cops Want "Breathalyzers" For PCs

An anonymous reader writes "One of the UK's top cyber cops, detective superintendent Charlie McMurdie, says the top brass want to develop the equivalent of a breathalyzer for computers, a simple tool that could be plugged into a machine during a raid and retrieve evidence of illegal activity. McMurdie said the device was needed because a record number of PCs were being seized by police and because the majority of cops don't have the skills to forensically analyse a computer."

6 of 545 comments

  1. Re:Right by blueg3 · Score: 5, Informative

    Actually, that's not the problem they're trying to solve. I don't know about in the UK, but in the US, any kind of searching (including hash comparisons and automated tools like this) requires a search warrant that covers the computer.

    What they're really interested in is not conducting fishing expeditions, but trying to find some useful information -- even just narrowing down which machine they actually need to fully analyze -- within the machines covered by a search warrant. Generally the procedure is to box these things up, hand them over to computer forensic experts, and wait 6-12 months for them to perform a full analysis. Cutting down the amount of work they have to do by giving them only the one computer out of ten that is actually interesting, or being able to pull some small amount of useful information to use in the investigation immediately, is of great value.

    This is at least a big concern in the US -- computer forensic investigations are slow and costly, and there's a huge backlog.

    Not that I think they'll be able to make software that magically tells them if a computer was involved in illegal activity -- but the majority of computer criminals are dumb as bricks and could probably be caught by doing a full-disk grep for files containing more than a couple of strings that look like credit card numbers.

  2. "Reasonable suspicion" by khasim · Score: 5, Informative

    "Reasonable suspicion" is the key phrase here.

    If the cop stops you for running a red light and sees something suspicious then he can go further.

    But stopping you for one thing does NOT give them the authority to check for everything they can think.

    http://en.wikipedia.org/wiki/Reasonable_suspicion

  3. Re:Good luck with that by windex82 · Score: 5, Informative

    I used to do a bit of work at the local police department. In my time I set them up a forensics station for PCs.

    The most important part of the entire project was ensuring the data was not tampered with (or deleted on accident!) in order to actually use what was found for anything useful.

    Wasn't a very hard project. What we did was set up a PC with two removable bays and a write-protect jumper and showed the officers which part needs to come out of the PC brought in as evidence, how to put it into the removable caddy, and how to launch the script that made an image of the drive. At no time while in police custody would the hard drive have power unless it was write protected, and it was in a sealed evidence bag if not being used. Once the image was completed they would remove the original and do all the forensics on the copy, which got the same evidence bag treatment as the original.
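The write-blocked imaging workflow windex82 describes, as an added example that is not the script from that post: the source is opened read-only, copied block by block while its SHA-256 is computed, the image file is made read-only, and the copy can be re-verified before anyone works on it. The function names (image_device, verify_image, demo) and the constructed 45,000-byte "drive" file are assumptions of this example; a real station would point it at a device path behind a hardware write-blocker.

```python
"""Added example (not windex82's script): image a source drive read-only,
record its hash during the copy, then verify the copy before analysis."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read


def image_device(src_path, dst_path, chunk=CHUNK):
    """Copy src_path to dst_path block by block.

    The source is opened O_RDONLY (on a real station a hardware write-blocker
    enforces this), the data is hashed as it is read, and the image file is
    made read-only afterwards. The returned record is what goes in the log.
    """
    digest = hashlib.sha256()
    size = 0
    fd = os.open(src_path, os.O_RDONLY)
    try:
        with open(dst_path, "wb") as dst:
            while True:
                buf = os.read(fd, chunk)
                if not buf:
                    break
                digest.update(buf)
                dst.write(buf)
                size += len(buf)
    finally:
        os.close(fd)
    os.chmod(dst_path, 0o444)  # working copies are made from this; it is never edited
    return {"bytes": size, "sha256": digest.hexdigest()}


def hash_file(path, chunk=CHUNK):
    """SHA-256 of a file, read in chunks so large images need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            digest.update(buf)
    return digest.hexdigest()


def verify_image(image_path, record):
    """True only if size and hash still match the acquisition record."""
    return (os.path.getsize(image_path) == record["bytes"]
            and hash_file(image_path) == record["sha256"])


def demo():
    """Constructed run: a fake 45,000-byte 'drive', imaged, verified, then tampered."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "drive.bin")
    img = os.path.join(workdir, "drive.img")
    with open(src, "wb") as f:
        f.write(b"evidence " * 5000)  # constructed sample content
    record = image_device(src, img, chunk=4096)
    result = {
        "record": record,
        "source_hash_matches": hash_file(src) == record["sha256"],
        "verified": verify_image(img, record),
    }
    os.chmod(img, 0o644)  # simulate someone editing the image afterwards
    with open(img, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    result["verified_after_tamper"] = verify_image(img, record)
    return result


if __name__ == "__main__":
    print(demo())
```

The size check is deliberate: a truncated copy with a matching hash of the bytes that were read would still be caught, and the hash recorded at acquisition is the value an analyst compares against every time the image is pulled from the evidence bag.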

  4. Re:Right by timepilot · Score: 5, Informative

    No, that's not what Mapp v. Ohio established. Mapp v. Ohio established that evidence found in searches *in violation of the 4th amendment* may not be used.

    Mapp v. Ohio doesn't say anything about not being able to use evidence found during legal searches, such as those conducted with a warrant.

  5. Re:Right by bitslinger_42 · Score: 5, Informative

    According to US law, at least (and not always followed by US cops, I might add), whether the evidence on the secondary offense is admissible or not depends on how it was found. If a cop pulls over a car for speeding and sees an open container of beer sitting on the seat next to the driver, the open container is typically admissible. If, on the other hand, the cops raid a house looking for a stolen 62" television and, as long as they're in the house, decide to check in the toilet tank and find a stash of cocaine, that typically is not, since searching the toilet wouldn't have been part of the search for the big TV. Likewise, the original warrant would probably not allow the cops to bring along drug-sniffing dogs on a search for a stolen TV. Of course, I'm generalizing here, and am not a lawyer, but you get the picture.

    Thus far, the same principles apply to computer searches. If the warrant says that the cops are looking for evidence related to illegal gambling operations on the computer, the cops are typically not allowed to search for non-related keywords (i.e. "lolita", "cocaine", etc.) unless such terms show up in documents found by the warranted search. If, in reviewing a document named IllegalGamblingProfits.doc, they see a reference to cocaine sales, the cops may have just cause to perform another search looking for cocaine. Since they've already got the computer at that point, though, they'd be better off to go back to the judge and get a 2nd warrant that authorizes the cocaine search, but given the similarities between finding the information in an admissible piece of evidence and seeing the open container in plain sight, I can see how a judge would give the benefit of the doubt in court.

    I can't quite tell what the cops in TFA are asking for, though. If, on the one side, they want to be able to bring along a device that's pre-configured with the search terms for the warrant (gambling terms, from the above example), such a device would theoretically be legal in the US, since it would simply be automating the search that would otherwise have been performed by the trained analyst. If, on the other side, they want a device that identifies any illegal activity, that should be unconstitutional for 4th Amendment reasons.

    All of the legal discussion ignores the technical aspects. I am a professional forensic analyst, and with relatively good hardware (dual 64-bit CPUs, 10k RPM SATA drives, 4GB of RAM, etc.) it can take hours to perform even a simple search with a small list (i.e. fewer than 5) of static (i.e. non-regex) keywords. Adding complexity in, or adding keywords, can increase the search time to days. There's no way that untrained cops could simply plug a device into a suspect's 5-year-old laptop and be able to get results back in less than an hour, and that's not counting the potential modifications to the evidence caused by booting without a write-blocker, doing deleted-file recovery, opening compound files (Outlook offline storage, ZIP files, etc.) or doing signature analysis to identify obfuscated data. Don't even think about it if the suspect thought enough to use encryption.

    The cops may want something like this, but it will probably be the laws of physics that prevent it and not the Constitution.
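Both blueg3's "full-disk grep for strings that look like credit card numbers" and bitslinger_42's static-keyword search over an image, as one added example that is code from neither poster: a triage scanner that reads an image in chunks, looks for a short list of fixed keywords and for 13-to-19-digit runs that pass the Luhn check, and keeps an overlap between chunks so a hit straddling a chunk boundary is still reported once at its true offset. The keyword list, the function names and the constructed sample image (a keyword placed across the 4096-byte boundary plus the well-known 4111 1111 1111 1111 test number) are assumptions of this example.

```python
"""Added example (not code from either poster): triage scan of an evidence
image for a few static keywords and for digit runs that pass the Luhn check.
Chunks are read with an overlap so a hit spanning a boundary is found once."""
import os
import re
import tempfile
from collections import defaultdict

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum as used by payment card numbers; digits is a str of 0-9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_buffer(buf, keywords, base=0):
    """Return {label: [absolute offsets]} for hits inside one buffer."""
    hits = defaultdict(list)
    lower = buf.lower()                     # case-insensitive keyword match
    for kw in keywords:
        needle = kw.lower()
        pos = lower.find(needle)
        while pos != -1:
            hits[kw.decode()].append(base + pos)
            pos = lower.find(needle, pos + 1)
    for m in CARD_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            hits["card-like"].append(base + m.start())
    return hits


def scan_image(path, keywords, chunk=1 << 20, overlap=64):
    """Scan a file in chunks; overlap must be >= the longest pattern expected."""
    found = defaultdict(list)
    seen = set()
    tail = b""
    offset = 0
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            buf = tail + data
            base = offset - len(tail)       # absolute offset of buf[0]
            for label, offs in scan_buffer(buf, keywords, base).items():
                for o in offs:
                    if (label, o) not in seen:   # same hit seen again via overlap
                        seen.add((label, o))
                        found[label].append(o)
            offset += len(data)
            tail = buf[-overlap:]
    return {label: sorted(offs) for label, offs in found.items()}


def demo():
    """Constructed image: a keyword straddling the 4096-byte chunk boundary,
    one Luhn-valid test number and one 16-digit run that fails Luhn."""
    sample = (b"A" * 4090 + b"bookmaker" + b" owes 4111 1111 1111 1111"
              + b" and 1234567890123456 " + b"B" * 100)
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "suspect.img")
    with open(path, "wb") as f:
        f.write(sample)
    return scan_image(path, [b"bookmaker", b"stake"], chunk=4096, overlap=64)


if __name__ == "__main__":
    print(demo())
```

Two limits worth keeping in mind when reading the output: the scan only sees bytes as they sit on disk, so anything compressed, encoded or encrypted (bitslinger_42's compound files and encryption) produces nothing, and roughly one random digit run in ten passes Luhn, so "card-like" hits are leads for an analyst to look at, not evidence in themselves.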

  6. Re:Right by gnick · Score: 5, Informative

    No racism intended - I'm as white as they come. It's from an ancient joke. Basically, the Lone Ranger and Tonto have a horde of angry Indians bearing down on them. The Lone Ranger says, "It looks like we're in a lot of trouble this time, Tonto." Tonto replies, "What you mean 'we', white man?"

    Basically, I was just trying to point out that b4upoo was making an assumption that we're all in the same camp here, when we're definitely not - I don't want to sacrifice my rights so that the cops can catch a few more pot smokers. That excludes me from his inclusive "we" in:

    Except we want cops to catch people with illegal drugs etc.. Why restrain the cops from doing what we all need them to do?

    The joke isn't remotely a perfect parallel, but I thought it would be amusing. Sorry if it came across as racist (although feel free to nail me for calling Native Americans "Indians" when explaining the joke; at least I refrained from including the phrase "feathers, not dots".)

    --
    He's getting rather old, but he's a good mouse.