Slashdot Mirror


UK Cops Want "Breathalyzers" For PCs

An anonymous reader writes "One of the UK's top cyber cops, detective superintendent Charlie McMurdie, says the top brass want to develop the equivalent of a breathalyzer for computers, a simple tool that could be plugged into a machine during a raid and retrieve evidence of illegal activity. McMurdie said the device was needed because a record number of PCs were being seized by police and because the majority of cops don't have the skills to forensically analyse a computer."

21 of 545 comments

  1. Right by Endo13 · · Score: 5, Insightful

    That's pretty much like building a mind-reader to figure out if a person has ever committed a crime. Good luck with that.

    --
    There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
    1. Re:Right by Anonymous Coward · · Score: 5, Insightful
      Well, it's easy enough to build up a database of SHA1 hashes for kiddie porn and such. But what they describe is simply ludicrous:

      McMurdie said such a tool could run on suspects' machines, identify illegal activity - such as credit card fraud or selling stolen goods online - and retrieve relevant evidence.

      Hey asshole, aren't search warrants supposed to explicitly specify what you're looking for? You seized the computer, it should've been for a specific reason, not to conduct a fishing expedition.
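
Added example (not code from the thread or from any police tool it mentions) of the hash-set idea in the comment above: hash every file under a directory and report the ones whose SHA-1 is in a known set. The sample files and the "known" hash set are constructed inline; the point the comment does not spell out is that a renamed copy still matches while a copy with one changed byte does not.

```python
"""Known-file hash matching. Added example; the sample tree and the "known" hash
set are constructed here, not taken from any real hash database."""
import hashlib
import os
import tempfile


def sha1_file(path, chunk_size=1 << 20):
    """SHA-1 of a file's contents, streamed so large files need not fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_known_hashes(root, known_hashes):
    """Walk `root`; return {path: sha1} for files whose hash is in `known_hashes`."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha1_file(path)
            if digest in known_hashes:
                hits[path] = digest
    return hits


def demo():
    """Constructed tree: a renamed copy of a 'known' file (matches), the same
    file with one byte changed (no longer matches), and an unrelated file."""
    root = tempfile.mkdtemp()
    known_content = b"constructed sample of a 'known' file\n"
    known = {hashlib.sha1(known_content).hexdigest()}
    with open(os.path.join(root, "vacation.jpg"), "wb") as f:
        f.write(known_content)                 # renamed: the extension does not change the hash
    with open(os.path.join(root, "vacation_edited.jpg"), "wb") as f:
        f.write(known_content[:-1] + b"!")     # one changed byte defeats exact matching
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"unrelated content\n")
    hits = match_known_hashes(root, known)
    return sorted(os.path.basename(p) for p in hits)


if __name__ == "__main__":
    print(demo())
```

Exact hashing is cheap and gives no false positives against a curated set, but it only catches unmodified copies; anything re-encoded or edited needs a different technique.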

    2. Re:Right by blueg3 · · Score: 5, Informative

      Actually, that's not the problem they're trying to solve. I don't know about in the UK, but in the US, any kind of searching (including hash comparisons and automated tools like this) requires a search warrant that covers the computer.

      What they're really interested in is not conducting fishing expeditions, but trying to find some useful information -- even just narrowing down which machine they actually need to fully analyze -- within the machines covered by a search warrant. Generally the procedure is to box these things up, hand them over to computer forensic experts, and wait 6-12 months for them to perform a full analysis. Cutting down the amount of work they have to do by giving them only the one computer out of ten that is actually interesting, or being able to pull some small amount of useful information to use in the investigation immediately, is of great value.

      This is at least a big concern in the US -- computer forensic investigations are slow and costly, and there's a huge backlog.

      Not that I think they'll be able to make software that magically tells them if a computer was involved in illegal activity -- but the majority of computer criminals are dumb as bricks and could probably be caught by doing a full-disk grep for files containing more than a couple of strings that look like credit card numbers.
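
Added example (not a tool from the thread) of the "full-disk grep for strings that look like credit card numbers" the comment above describes, over a directory tree: a regex for 13 to 19 digit runs with optional spaces or dashes, a Luhn check to drop phone numbers and other digit noise, and a per-file count so only files holding more than a couple of distinct valid numbers are flagged. The sample files are constructed; the card numbers are published payment-network test numbers, not real accounts.

```python
"""Credit-card-number sweep over a directory tree. Added example; sample files
are constructed inline and the numbers in them are test numbers."""
import os
import re
import tempfile

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check on a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_candidates(text):
    """Distinct Luhn-valid card-like numbers in `text`, separators stripped."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.add(digits)
    return found


def scan_tree(root, threshold=2):
    """Return {relative_path: count} for files with more than `threshold` distinct valid numbers."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as f:
                count = len(card_candidates(f.read()))
            if count > threshold:
                flagged[os.path.relpath(path, root)] = count
    return flagged


def demo():
    root = tempfile.mkdtemp()
    dump = ("4111 1111 1111 1111 exp 12/09\n"       # Visa test number, Luhn-valid
            "5500-0000-0000-0004 exp 03/10\n"       # Mastercard test number, Luhn-valid
            "4012888888881881 exp 07/11\n"          # Visa test number, Luhn-valid
            "1234 5678 9012 3456 exp 01/12\n"       # 16 digits but fails Luhn: dropped
            "call 555-0100 or +1 212 555 0199\n")   # phone numbers: too short
    with open(os.path.join(root, "dump.txt"), "w") as f:
        f.write(dump)
    with open(os.path.join(root, "receipt.txt"), "w") as f:
        f.write("Paid with card 4111 1111 1111 1111\n")  # one number: a receipt, not a dump
    return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

This only sees numbers stored as plain text in allocated files; anything inside compressed containers, unallocated space or encrypted volumes is invisible to it, which is where the "dumb as bricks" qualifier does the work.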

    3. Re:Right by JLennox · · Score: 5, Insightful

      As an employer, I used to run background checks on people. One man in his early 50s had a "drug possession" charge from decades before. He got busted with a joint. As much as I agree with keeping a lot of drugs off the streets, it's hard to agree when the legal punishment for some drugs is far more damaging than the drug itself.

    4. Re:Right by causality · · Score: 5, Insightful

      Except we want cops to catch people with illegal drugs etc.. Why restrain the cops from doing what we all need them to do? Whether it's illegal aliens or a bundle of dope I prefer that 100% be detected and punished.

      They cannot even keep illegal drugs out of prison (don't take my word for it -- do the research yourself). How do you propose that we do this in a relatively free society? The way it has worked is that some amount of crime is tolerated in exchange for having a free society with things like legally recognized civil rights. With drugs and lately with terrorism the (dangerous) mentality has been that we need to stop $EVIL_THING no matter how high the cost is to the rest of society. This is tunnel vision at best, a step towards a totalitarian government at worst.

      But I am curious. Once you see for yourself with your own research that they cannot even keep drugs out of prisons, I would like to know this: what environment even more restrictive than prison would you propose for the entire population in order to better meet your 100% detection/punishment rate? I'd also like to know whom you would entrust with the management of this environment.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    5. Re:Right by gnick · · Score: 5, Insightful

      Except we want cops to catch people with illegal drugs etc..

      What do you mean "we", white man?

      Why restrain the cops from doing what we all need them to do?

      So that they don't trample all over innocent people in their race to jail stoners? So that we can maintain some sort of privacy instead of throwing our doors open to anyone with a badge so that they can rifle through our homes in case we may have been doing something wrong? So that we can keep some kind of checks on the cops so that they might work to protect us while respecting our rights instead of just busting people and feeling like tough-guys on a power trip?

      Pick whichever one speaks to you best.

      --
      He's getting rather old, but he's a good mouse.
    6. Re:Right by Firehed · · Score: 5, Interesting

      At least in the US, evidence found against you in an illegal search* cannot be used against you. If the search was legal (warrant obtained or reasonable suspicion of wrongdoing), then it's your fault for having done whatever other stuff you get hit with, regardless of why you/your home/vehicle was searched. Don't confuse this with secondary offenses, like not having your seat belt on in many states (they can't pull you over specifically for that, but can add it to the ticket).

      * if they can see the bag of weed (or whatever) on your back seat through the window, not only is it legal for them to arrest you for it, but it also gives them reasonable suspicion to search the rest of the vehicle without obtaining a warrant, even if you protest.

      IANAL, YMMV, laws vary by state, etc. And all bets tend to be off at border stops, especially internationally. As far as I'm aware, they have the legal (USA PATRIOT act legal, anyways) right to search your vehicle entirely at any international border.

      But back to the topic at hand, if your computer is legitimately seized, I think you should at least be able to know what processes were used to search for X when Y was found. If they want to arrest you for possession of goat porn, and then they find CP, you should be able to find out that the latter came up when they did a general search for porn, rather than when they explicitly searched for it. Or if they find pirated media when searching for CP, which would be a lot harder to accidentally find by the same 'legit' search. It'll never happen, and good luck auditing the police's methods even if you had the right to do so. Just encrypt all of your crap, and don't have illegal stuff.

      My 2c

      --
      How are sites slashdotted when nobody reads TFAs?
    7. Re:Right by timepilot · · Score: 5, Informative

      No, that's not what Mapp v. Ohio established. Mapp v. Ohio established that evidence found in searches *in violation of the 4th amendment* may not be used.

      Mapp v. Ohio doesn't say anything about not being able to use evidence found during legal searches, such as those conducted with a warrant.

    8. Re:Right by bitslinger_42 · · Score: 5, Informative

      According to US law, at least (and not always followed by US cops, I might add), whether the evidence on the secondary offense is admissible or not depends on how it was found. If a cop pulls over a car for speeding and sees an open container of beer sitting on the seat next to the driver, the open container is typically admissible. If, on the other hand, the cops raid a house looking for a stolen 62" television and, as long as they're in the house, decide to check in the toilet tank and find a stash of cocaine, that typically is not, since searching the toilet wouldn't have been part of the search for the big TV. Likewise, the original warrant would probably not allow the cops to bring along drug-sniffing dogs on a search for a stolen TV. Of course, I'm generalizing here, and am not a lawyer, but you get the picture.

      Thus far, the same principles apply to computer searches. If the warrant says that the cops are looking for evidence related to illegal gambling operations on the computer, the cops are typically not allowed to search for non-related keywords (i.e. "lolita", "cocaine", etc.) unless such terms show up in documents found by the warranted search. If, in reviewing a document named IllegalGamblingProfits.doc, they see a reference to cocaine sales, the cops may have just cause to perform another search looking for cocaine. Since they've already got the computer at that point, though, they'd be better off to go back to the judge and get a 2nd warrant that authorizes the cocaine search, but given the similarities between finding the information in an admissible piece of evidence and seeing the open container in plain sight, I can see how a judge would give the benefit of the doubt in court.

      I can't quite tell what the cops in TFA are asking for, though. If, on the one side, they want to be able to bring along a device that's pre-configured with the search terms for the warrant (gambling terms, from the above example), such a device would theoretically be legal in the US, since it would simply be automating the search that would otherwise have been performed by the trained analyst. If, on the other side, they want a device that identifies any illegal activity, that should be unconstitutional for 4th Amendment reasons.

      All of the legal discussion ignores the technical aspects. I am a professional forensic analyst, and with relatively good hardware (dual 64-bit CPUs, 10k RPM SATA drives, 4GB of RAM, etc.) it can take hours to perform even a simple search with a small list (i.e. fewer than 5) of static (i.e. non-regex) keywords. Adding complexity in, or adding keywords, can increase the search time to days. There's no way that untrained cops could simply plug a device into a suspect's 5 year old laptop and be able to get results back in less than an hour, and that's not counting the potential modifications to the evidence caused by booting without a write-blocker, doing deleted-file recovery, opening compound files (Outlook offline storage, ZIP files, etc.) or doing signature analysis to identify obfuscated data. Don't even think about it if the suspect thought enough to use encryption.

      The cops may want something like this, but it will probably be the laws of physics that prevent it and not the Constitution.
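
Added example (not code from the thread or from any forensic product) of the "signature analysis to identify obfuscated data" step the comment above lists: compare each file's leading bytes against a short magic-number table and flag files whose extension claims one format while the header says another, or whose header matches nothing known. The signature table is deliberately short and the sample files are constructed.

```python
"""File-signature (magic-byte) check against claimed extensions. Added example;
the signature table is illustrative and the sample files are constructed."""
import os
import tempfile

# (leading bytes, format). A real table has hundreds of entries.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                               # also .docx/.xlsx/.jar: zip containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),        # legacy .doc/.xls/.ppt compound files
]

# what the contents of a file with this extension should look like
EXPECTED = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif", "pdf": "pdf",
            "zip": "zip", "docx": "zip", "xlsx": "zip", "jar": "zip",
            "doc": "ole2", "xls": "ole2", "ppt": "ole2"}


def identify(header):
    """Format name for the leading bytes of a file, or None if nothing matches."""
    for magic, fmt in SIGNATURES:
        if header.startswith(magic):
            return fmt
    return None


def find_mismatches(root):
    """Return {relative_path: (claimed, detected)} for files whose extension and
    header disagree. Unknown extensions (.txt, .log) are flagged only when the
    header matches a known format."""
    mismatches = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            with open(path, "rb") as f:
                detected = identify(f.read(16))
            claimed = EXPECTED.get(ext)
            if claimed is None and detected is None:
                continue                                  # .txt holding text: nothing to say
            if claimed != detected:
                mismatches[os.path.relpath(path, root)] = (claimed, detected)
    return mismatches


def demo():
    root = tempfile.mkdtemp()
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,      # header matches extension
        "report.docx": b"PK\x03\x04" + b"\x00" * 32,           # zip container, as expected
        "holiday.jpg": b"PK\x03\x04" + b"\x00" * 32,           # zip archive renamed to .jpg
        "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,      # image hiding as text
        "todo.txt": b"buy milk\n",                             # plain text, nothing to flag
        "cat.png": bytes(range(32)),                           # no known header: encrypted/obfuscated?
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return find_mismatches(root)


if __name__ == "__main__":
    for path, (claimed, detected) in sorted(demo().items()):
        print(f"{path}: extension says {claimed}, header says {detected}")
```

The "known extension, unknown header" case is the interesting one for the comment's last point: a file that matches no signature at all is often exactly the encrypted or deliberately obfuscated data that no plug-in gadget is going to read.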

    9. Re:Right by gnick · · Score: 5, Informative

      No racism intended - I'm as white as they come. It's from an ancient joke. Basically, the Lone Ranger and Tonto have a horde of angry Indians bearing down on them. The Lone Ranger says, "It looks like we're in a lot of trouble this time, Tonto." Tonto replies, "What you mean 'we', white man?"

      Basically, I was just trying to point out that b4upoo was making an assumption that we're all in the same camp here, when we're definitely not - I don't want to sacrifice my rights so that the cops can catch a few more pot smokers. That excludes me from his inclusive "we" in:

      Except we want cops to catch people with illegal drugs etc.. Why restrain the cops from doing what we all need them to do?

      The joke isn't remotely a perfect parallel, but I thought it would be amusing. Sorry if it came across racist (although feel free to nail me for calling Native Americans "Indians" when explaining the joke - At least I refrained from including the phrase "feathers, not dots".)

      --
      He's getting rather old, but he's a good mouse.
  2. Don't quit your day job, detective superintendent by konigstein · · Score: 5, Insightful

    Because it's painfully clear you don't understand computer forensics either.

    --
    This space intentionally left blank
  3. Re:Outlaw encryption by rlp · · Score: 5, Insightful

    Too late - in Britain, it is a crime to refuse to turn over your encryption key to the police when requested (no 5th amendment rights).

    --
    [Insert pithy quote here]
  4. they also want by Mr.+Slippery · · Score: 5, Funny

    Charlie McMurdie, says the top brass want to develop the equivalent of a breathalyzer for computers

    Top brass also wants a date with Scarlett Johansson. And a pony for each officer on the force.

    I figure the odds are about the same for each.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  5. Re:But... by Chris+Burke · · Score: 5, Funny

    Won't that only work with alcohol cooled systems?

    Yeah, but unless the alcohol cooled computer is driving a car, I don't see how that's illegal.

    But seriously, people, don't let your PC drive under the influence. Yeah, yeah, it says that it's "overclocked" and much more efficient than when it's just running on water, but then it'll kill a little old C64 crossing the street and wind up in "Pound Me In the USB Port" Prison.

    --

    The enemies of Democracy are
  6. Re:Outlaw encryption by orzetto · · Score: 5, Interesting

    What happens if you "forget" the key? Like this: "Your honour, I once experimented with encryption, but could not understand how it worked. The files must be leftovers of that installation. I never used them and they must be empty." How can they prove you are lying, short of breaking the encryption and finding the evidence?

    --
    Victims of 9/11: <3000. Traffic in the US: >30,000/y
  7. Why do cops always want an easy job? by causality · · Score: 5, Insightful

    I really think this is the same mentality that eventually comes to see individual rights and due process as pesky "inefficiencies" that only interfere with "real police work". They seriously need to tell new police recruits that their job is not easy and is not supposed to be easy. If any of them don't like that they should also be told where the exits are.

    I think this is another example of relatively well-meaning people who fail to comprehend how dangerous their intentions are because they don't think them through. Let's say there is a device that can be plugged into a PC (maybe the USB port?) and almost instantly tell you whether it has illegal content with no need for expert analysis. Yeah I know that I should also posit the existence of the tooth fairy but bear with me. Who makes this device? How trustworthy are they? Do competitors or other rivals oddly happen to have a higher percentage of "illegal" PCs? Is the device a black box or can the average person examine and scrutinize it? If the cops already don't have the staff or the expertise to perform forensic analysis on PCs, what's our guarantee that they will correctly use this device or that they can offer any sort of assurance that the way it is used won't violate anyone's civil rights? What's to prevent criminals from obtaining one (by whatever means) and making sure that their illegal data isn't where this thing is looking? If I can think of this in a few minutes, WTF are these people smoking that they consider this a serious proposal? Or do they simply not care about these concerns?

    You know what you'll probably never see? The police "top brass" asking for a device to help make sure that their officers don't violate anyone's civil rights and that they follow all the laws concerning due process.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  8. Doesn't go far enough by blophyus · · Score: 5, Funny

    Forget a tool for computers. We need a tool like this for physical crime scenes. You know: something that would, like, scan crime scenes and find, like, relevant DNA evidence and shit. It could even have an option where it would print out an arrest warrant with the name of the murderer on it.

  9. "Reasonable suspicion" by khasim · · Score: 5, Informative

    "Reasonable suspicion" is the key phrase here.

    If the cop stops you for running a red light and sees something suspicious then he can go further.

    But stopping you for one thing does NOT give them the authority to check for everything they can think.

    http://en.wikipedia.org/wiki/Reasonable_suspicion

  10. Re:Good luck with that by windex82 · · Score: 5, Informative

    I used to do a bit of work at the local police department. In my time I set them up a forensics station for PCs.

    The most important part of the entire project was ensuring the data was not tampered with (or deleted on accident!) in order to actually use what was found for anything useful.

    Wasn't a very hard project; what we did was set up a PC with two removable bays and a write protect jumper and showed the officers which part needs to come out of the PC brought in as evidence and how to put it into the removable caddy and launch the script that made an image of the drive. At no time while in police custody would the hard drive have power unless it was write protected, and it was in a sealed evidence bag if not being used. Once the image was completed they would remove the original and do all the forensics on the copy, which got the same evidence bag treatment as the original.
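
Added example, not the imaging script the comment above describes: stream a source into an image file while hashing the bytes as they are read, re-hash the finished image and compare, then show that a single altered byte in the working copy fails verification. The "drive" is a constructed file; on a real bench the source is the block device behind a hardware write-blocker, which is the part software cannot substitute for (opening a device read-only does not stop the OS from mounting or journaling it).

```python
"""Image-and-verify acquisition. Added example; the source "disk" is a
constructed file standing in for a write-blocked block device."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB


def hash_file(path):
    """SHA-256 of a file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image):
    """Copy `source` to `image`, opening the source read-only and hashing the bytes
    as they are read. Returns the acquisition hash, which goes in the evidence log."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify(image, acquisition_hash):
    """True if the image on disk still hashes to what was recorded at acquisition."""
    return hash_file(image) == acquisition_hash


def demo():
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_disk.bin")   # constructed stand-in for /dev/sdX
    image = os.path.join(workdir, "suspect_disk.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))           # deliberately not a multiple of CHUNK
    acq_hash = acquire(source, image)
    ok_fresh = verify(image, acq_hash) and acq_hash == hash_file(source)
    # someone "accidentally" touches the working copy: flip one byte
    with open(image, "r+b") as f:
        f.seek(4096)
        b = f.read(1)
        f.seek(4096)
        f.write(bytes([b[0] ^ 0xFF]))
    ok_after_tamper = verify(image, acq_hash)
    return ok_fresh, ok_after_tamper


if __name__ == "__main__":
    print(demo())
```

The discipline the comment describes is the acquisition hash plus a re-verify before and after each analysis session; the copy the analysts actually work on is itself a copy of the image, so the verified image is never the one being modified.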

  11. Re:So they want GOV spyware? by sexconker · · Score: 5, Insightful

    What?
    It's an apt post.
    Spyware snoops around and grabs whatever it finds and deems to be unbecoming of a law abiding computer user.

    They then hand that off (and the pc itself, likely) to a group of people who will do the analysis.

    The post above you implies that this tool will not be of much actual help, and I agree. A "clean" report from the tool means nothing, and for any actual raids the computers will still be combed over by a forensic team. Any "dirty" report from the tool will result in the same outcome.

    What this is really about is passing the buck and keeping face - the cops don't want to look incompetent, so they create this tool and publicize it.
    Any failure of the cops will be blamed on the tool still being a work in progress, hackers actively working against the tool, etc.
    Any responsibility on the part of the cops will be passed off immediately to the forensics teams. When the tool gives out a "dirty" report, the cops will fill out the green "Suspicion of Illegal Digital Bits on Electrical Personal Computing Device" form and hand over the report and the pc to the forensics team.

    Once the tool is accepted as good and trustworthy, departments will find any excuse at all to use them to harass and extort money from the public.

    Noise complaint?

    Let's bang on the doors, give them shit, and check their computers for illegal activity. You just KNOW that music isn't paid for.

    No, sir, since we heard music from the street, and we clearly can see you have a computer, and sound system, and a lack of physical CDs/tapes/records, in plain sight. We have reason to believe a crime has been committed. We don't need a warrant to perform a cursory search. If the search turns up anything, your equipment will be confiscated as evidence.

  12. Re:So they want GOV spyware? by Yetihehe · · Score: 5, Funny

    Actually, if you can hear music from the street, it can be called "unlicensed public performing/playing".

    --
    Extreme Programming - Redundant Array of Inexpensive Developers