Investigators now crack crime computers on the spot

(Credit: VOOM)

A new system allows investigators to boot, run, and install investigative tools to examine computers used in the commission of crimes or terrorism, without altering the contents or compromising the chain of evidence, according to the inventor.

It's common today for computers and their contents to be tagged as evidence. The problem has been how to boot and examine their contents, and still maintain "forensic soundness." Traditionally, this required painstaking hours of copying and transferring data. The result was a huge backlog in computer crime labs across the nation, while investigators waited months for forensic information to be processed, according to Voom Technologies Inc.(PDF)

The VOOM Shadow 2 is a hardware device designed break that logjam by providing "read write access from the host computer's perspective." It also includes a built-in hardware write blocker to maintain the original hard drive unchanged, according to VOOM.

"What a competent (computer forensics) examiner can do in a day with the Shadow, would surely take weeks or months using alternative forensic procedures," said investigator and former U.S. Customs Special Agent Will Docken in a testimonial.

The system allows seeing and operating the "native system," whether it's Mac, Linux, UNIX or Microsoft, according to the company. No more waiting for processing or forensic lab examination- you can start rummaging before the corpse has cooled.

[ewelch]

I gotta get one of these things to rescue my Windows-using friends from their malware and virii! :-D

[patch991]

Another Apple Fanboy ... "The system allows seeing and operating the "native system," whether it's Mac, Linux, UNIX or Microsoft, according to the company."

[Remo_Williams]

I call bs.

[tacit]

Why? The basic idea is sound. The device blocks attempts to write to the hard drive. The computer can read from the hard drive, but when it goes to write to the hard drive, the write requests are intercepted and written to the device instead. It's clever, but there's nothing impossible or outrageous about it.

[man_w_balls]

"The system allows seeing and operating the "native system," whether it's Mac, Linux, UNIX or Microsoft,"

Uh-oh, operating the native system? Including Mac? Wouldn't that be running Mac software on non-Apple hardware (Voom Shadow)? So will they get sued too?

[Pishkado]

That doesn't seem to be how it works. The original software runs on the original computer, not on the VOOM. What VOOM does is to cache disk writes, so they don't go to the hard drive. Subsequent reads of the same sector presumably retrieve the copy on the VOOM, so as long as the VOOM isn't shut down you can't tell there's anything strange going on - but the original hard drive isn't touched. Very clever idea!

[protagonistic]

So how is this really going to help? If you have to run off the native system and that is protected by a very strong PW and the volume is encrypted this would seem to provide nothing really groundbreaking.

[Michichael]

I don't see how this is new. Booting Backtrack read only does the same thing, and that's free to download. I suppose if "Shadow" had a cryptography cracker, sure, but I highly doubt that it's anything not already available.

Any security professional that knows what he's doing doesn't need a name brand to do his job.

[alegr]

Snake oil. Why not just make 1:1 copy of the original disk and boot with a copy.

[VOOMTECH]

While I find the "Snake oil" comment a little naive, the question "Why not just make 1:1 copy of the original disk and boot with a copy." is a very good question.
1) Time. What if your child was abducted? Do you want to wait hours for a copy, followed by a lab examination of the computer (could be the abducter's or your child's computer)? Or would you rather have a trained computer forensic investigator be allowed to immediately access the computer, and operate it just as the suspect/victim did, without comprimising the evidence?
2) Forensic Investigation - a traditional forensic investigation requires the duplication (copy) of the drive followed by a lab examination with very good tools such as Encase or FTK. However, this is again time consuming, and the investigator still does not have the ability to operate the suspect computer as the suspect (or victim) sees it. The Shadow provides an adjunct and very fast analysis not previously available.
3) Forensic Investigation - software virtualization can attempt to operate the suspect computer - virtually. Still requires the copy process, then loading into the virtual environment. Sometimes it just does not work. Other times, it takes substantial time to tweak the software so that it works, Other times, it "sort of": works.
4) Make a copy? Run the disk on another computer (typical process). Now the eveidence is changed. You can get the information, but how do you get back to the pristine state? Answer - another copy. How much time do you have?
5) Court presentation. How much more powerful would it be to you to see the actual suspect computer operating in a court room, rather than explanations of chain of evidence, and explanations of printed computer lab reports. Time, confusion, opportunity for the defense to obfuscate, etc.
6) Confessions: THrough the use of the Shadow, investigators report much quicker plea agreements, as suspects are faced with their own computers run in real time - no opportunity for obfuscation, defense tactics, etc. Less court time, less trials, more convictions - saves time and tax payers dollars and frees up detectives, DA's, judges, court systems, and computer forensics labs for the cases that require the type of in depth analysis required to locate fragments of documents/pictures and other data in deleted files, slack space and hidden partitions, and/or to deal with cracking passwords


There are many other reasons. The best reason is real-life detectives and district attorneys who use the Shadow swear by it.

[MTGrizzly]

This will last exactly as long as it takes the first case it is used in to get to court. The defense attorney will ask Voom for the source code and hardware specs. Voom will refuse, claiming their 'intellectual property" &/or "trade secrets" rights trump the due process rights of the defendant. The court will disagree. Voom will tie it up in litigation forever.

Law enforcement will stop using it. Voom will go out of business...

[VOOMTECH]

20/20 aired a program in Feb 2008 on the Mark Jensen murder trial in WI. The Shadow was used (as it has been in other courts) and accepted (its use by the expert witness live in court with the suspect's computer was accepted as evidence) , and was critical to the conviction of wife murderer Mark Jensen

[dechah]

This is interesting. I read a story in an Australian newspaper last week about a 70+ year old man in Queensland who posted a video he had found of a laughing child being swung about by his father. The man's house was subsequently raided by the Queensland police, and the man was arrested and charged with distributing child abuse videos onto the internet. When the man was interviewed by the press, he stated that the police made him step away from his computer, and then one of them attached a small black box to the computer ofr gathering evidence. I wonder if it was one of these. The pic in the story certainly makes it look like it is a small black box. If so, these things are already being used in Australia.

[c|net Reader]

A father can't swing his child about without being accused of child abuse now? Apparently, the only thing we're permitted to do is hand them over to Government run or sanctioned day care, schools, after school programs, etc. We can't punish them for misbehavior; we have to medicate them instead. We can't play with them, talk about religion, teach them independent thought, or otherwise interfere with their lives. It seems parents are merely units for procreation and funding.

Caveat: Having ranted, I should note that the description above makes the video sound completely innocent and that may be misleading. It was still nice to vent.

[VOOMTECH]

The little black box may have a VOOM HardCopy, which is a computer forensic hard drive duplicator. By the way, it was reported to me that there was a case in Alaska in which a U.S. armed forces serviceman was being charged with child pornography, until an expert with the Shadow was brought in and demonstrated that the serviceman never did access the porno, as attempting to display the pictures (as recovered by traditional forensic software) caused the entire system to crash. The case was a little more involved than this, but this is a real life example of an injustice avoided by use of the Shadow.

[Harrison912]

Thanks, Mark, for this article. As a web site owner for safety and security products, I always like to hear about new technology to help catch the bad guys.