Linux tool speeds up police computer forensics (ZDNet)
ZDNet reports on a Linux-based live CD that can analyze computers used in criminal activities. "Called Simple (Simple Image Preview Live Environment), the software allows investigators to view and acquire forensic data at the scene of the crime without compromising the integrity of data as it is collected. 'It's a Linux Live CD that we have built from the ground up. We customised the kernel and the underlying operating system so that, when it runs, it's incapable of writing to the hard disk or any other storage,' Peter Hannay, the software developer behind the forensic acquisition tool, told ZDNet.com.au."
wrong
Posted Mar 6, 2008 22:17 UTC (Thu) by ncm (subscriber, #165)
This doesn't sound like a useful tool for forensics. It looks like it's just for determining whether a machine at the scene has anything on it that justifies taking it back to the lab. The promise to add software to check images it finds for (I expect Caucasian/Asian only) flesh tones makes the whole project seem kind of creepy.
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 0:01 UTC (Fri) by MattPerry (guest, #46341)
I don't know how the law works in Australia, but in the US you're going to have to prove exactly how the software is incapable of writing to the hard drive, or else the defense is going to have a field day. I certainly wouldn't use this tool without a court-certified hardware write-blocker.
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 0:41 UTC (Fri) by xorbe (guest, #3165)
Yeah, I have a hard time believing that it's 100% impossible to get a write command to the HDD interface with just a modified kernel. Perhaps the CD also doesn't allow root access (and assuming there are no escalation holes in the kernel or SUID binaries).
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 1:30 UTC (Fri) by drag (subscriber, #31333)
I think that it's more likely that it's done on the kernel level. That they actually made a patch that removed the ability of the kernel to write to drives. With a live CD-ROM you should be able to eliminate all ability to write to any media, period. The only thing you would have to have write access to is tmpfs. I bet it would be useful for making images. Say you use dd to read the drive, then netcat to transmit the image over a network to another machine that has read-write ability. That way you could prove in court that under no circumstances did any OS other than the one used by the defendant have any ability to write to that drive. It would be demonstrable that the investigator could not write to the drive even if they tried.
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 3:33 UTC (Fri) by ncm (subscriber, #165)
Except it's also, mysteriously, unable to write to the network.
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 3:51 UTC (Fri) by njs (subscriber, #40338)
> I think that it's more likely that it's done on the kernel-level. That they actually made a patch that removed the ability of the kernel to write to drives.
That would be the cool way to do it, but I doubt that a few random admins in Australia really want to start maintaining their own modified ATA/USB/Firewire/etc. stacks. It also is incompatible with the quote in the article that says "if for some reason a disk is writeable, the system will halt automatically", which wouldn't make sense if their kernel had no writeable state in the first place. It sounds more like they just made a livecd that mounts filesystems readonly, and also as a crude defense against "mount -o rw,remount" they added a cronjob that does "mount | grep -q rw && halt" every few seconds. Which makes sense, in context -- it sounds like the goal was to create a tool that ordinary police officers could use to quickly check for the presence of contraband material, to reduce the amount of work that skilled technicians would need to do. Those who are clever enough to convince the CD to give them a shell, remount the drives, and start modifying things, are already working back in the lab anyway :-).
> I bet it would be useful for making images. Say you use dd to read the drive then netcat to transmit the image over a network to another machine that has read-write ability. That way you could prove in court that under no circumstances any OS other than the one used by the defendant had any ability to write to that drive.
*cough* ...and the OS running on the machine that's actually writing out the disk image? This sounds more like gee-whiz -- not that there's anything wrong with gee-whiz! -- than real security...
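A stricter form of the remount watchdog njs sketches above, as an added example that is not part of any comment here or of the tool described in the article. It reads mount-table lines in /proc/mounts format from stdin and flags only block-device mounts that lack the "ro" option, so the tmpfs a live CD legitimately needs stays writable and is not caught by a plain grep for "rw"; the device names and mount tables are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the page or from the SIMPLE project.
# Input format is that of /proc/mounts: "source target fstype options dump pass".
# Only sources under /dev/ are checked, so pseudo-filesystems (tmpfs, proc,
# sysfs, devtmpfs) may stay read-write without triggering the check.

# Print one line for every /dev/* mount whose option list does not contain "ro".
rw_block_mounts() {
    awk '$1 ~ /^\/dev\// {
        n = split($4, opt, ",")
        ro = 0
        for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
        if (!ro) print $1 " is mounted read-write at " $2
    }'
}

# Return 0 when every block-device mount is read-only, 1 otherwise.
# A real watchdog would feed it /proc/mounts from cron and halt on failure.
# Caveat: a read-only mount does not stop raw writes to /dev/sdX itself;
# mark the device read-only as well (blockdev --setro) or use a hardware
# write-blocker, as other commenters point out.
mounts_are_readonly() {
    [ -z "$(rw_block_mounts)" ]
}

# Constructed sample mount tables (device names and paths are placeholders).
OK_MOUNTS='/dev/sr0 / iso9660 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /mnt/evidence ext3 ro,noatime,noexec 0 0'

BAD_MOUNTS='/dev/sr0 / iso9660 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /mnt/evidence ext3 rw,noatime 0 0'

# Demonstration: the first table passes, the second reports /dev/sda1.
printf '%s\n' "$OK_MOUNTS" | mounts_are_readonly && echo "OK table: all block devices read-only"
printf '%s\n' "$BAD_MOUNTS" | rw_block_mounts
```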
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 5:58 UTC (Fri) by drag (subscriber, #31333)
> *cough* ...and the OS running on the machine that's actually writing out the disk image? This sounds more like gee-whiz -- not that there's anything wrong with gee-whiz! -- than real security...
The investigator can molest that all he wants. That's the entire point of making an image in the first place. Of course you're going to have more than one copy. In order to investigate files he will at some point have to access a copy of that file system, and essentially every time you do that it makes changes. If there is any doubt as to the validity of the investigator then you can get a third party to run their own investigation on his investigation by making their own image of the original, pristine drive. As far as network security goes, you just do it on the physical level, i.e. don't connect it to any router or anything that can access any external network. The point is not so much security as auditability.
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 3:03 UTC (Fri) by njs (subscriber, #40338)
This claim seems dubious to me. I don't know of any "court-certified hardware write-blockers" at all, yet people seem to get hard drive contents entered into evidence just fine. (Even, or especially, after the hard drives have disappeared for months into a black hole, where the police could have done just about anything to them.) This isn't really out of line with how the courts have traditionally worked, though; they just don't care that much about the sort of "proof" that mathematicians, cryptographers, etc. worry about. Note that witness testimony is admissible evidence too, and just try proving any bounds on its unreliability... somehow justice soldiers on, not perfectly, but okay.
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 5:51 UTC (Fri) by MattPerry (guest, #46341)
> This claim seems dubious to me. I don't know of any "court-certified hardware write-blockers" at all,
Here you go: http://www.cftt.nist.gov/hardware_write_block.htm
Using a write-blocker that the courts have not already recognized as tested and suitable for their purpose will only leave you to spend time and money to prove that your homemade write blocker worked and didn't introduce changes to the media. The defense will use that opportunity to get the evidence thrown out. I can understand using this tool if you have used an approved tool to create an image and then examine the image to find evidence. You can then use that knowledge to use a certified tool, such as FTK, to gather the evidence for court. Again, Australia may have different rules than the US, which is the perspective that I'm speaking from.
> Note that witness testimony is admissible evidence too, and just try proving any bounds on its unreliability... somehow justice soldiers on, not perfectly, but okay.
Are you implying that computers can provide different data for each read, much like a witness might not remember the exact same thing from one moment to the next? We give electronic records more weight since we assume computers to be exact. Something as small as a timestamp on a file could be important evidence for a case. If a timestamp is altered because of a faulty write-blocker then any evidence gained from said media could be suspect.
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 16:06 UTC (Fri) by petegn (guest, #847)
And maybe, just maybe, it's the American system that is a bit of a joke and proved to be a bit silly in reality. Court certified this, that and t'other, whatever next? The very act of READING a hard drive will be suspect and open to challenge next, i.e. yet more pay for legal con men to make themselves rich on at double light speed, and now we are having your crap ideas and system forced on us over here by the labourite scumballs kept in power by the occupants of a few small areas of the country. Yep, I am hissed off .. :-) ..
EftE
Pete.
Lame rant
Posted Mar 7, 2008 17:58 UTC (Fri) by clugstj (subscriber, #4020)
If you're going to go on a rant, you should at least:
1) Have a clue what you're talking about
2) Be able to form clear thoughts
3) Have a command of the written language
You appear to be 0 for 3.
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 1:05 UTC (Fri) by jordanb (subscriber, #45668)
So it sounds like they made a Live CD that mounts the hard drive partition(s) with the 'ro' flag.
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 13:44 UTC (Fri) by foo (guest, #1117)
That's unfair to their efforts; nothing is ever that easy, as the million and one holes in your scheme attest.
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 8, 2008 21:45 UTC (Sat) by branden (subscriber, #7029)
What evidence do we have that the vendor actually undertook non-trivial efforts? Until and unless their changes are reviewed, and until and unless those reviews are obtained, digested, and acted upon by the purchasing agents for the police departments, the profit margin will be higher if they didn't. If a defense lawyer actually invokes discovery to see what's really going on, the winning strategy might just be to fold up shop and leave prosecutors holding the bag. Boom--the engineering effort is practically nil in this scenario. The best way to know for sure is to have a look at the modifications they made in source form.
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.