December 11, 2008 6:00 AM PST

Investigators now crack crime computers on the spot

by Mark Rutherford
(Credit: VOOM)

A new system lets investigators boot a seized computer, run it, and install investigative tools on it to examine machines used in the commission of crimes or terrorism, all without altering the drive's contents or compromising the chain of evidence, according to the inventor.

It's common today for computers and their contents to be tagged as evidence. The problem has been how to boot and examine them while maintaining "forensic soundness." Traditionally, that meant painstaking hours of imaging the drive and transferring the data before anyone could look at it. The result was a huge backlog in computer crime labs across the nation, with investigators waiting months for forensic information to be processed, according to Voom Technologies Inc. (PDF)

The VOOM Shadow 2 is a hardware device designed to break that logjam by providing "read write access from the host computer's perspective," while a built-in hardware write blocker keeps the original hard drive unchanged, according to VOOM. Taken together, those two claims mean the suspect machine boots and runs as if its drive were writable, but anything it writes is held by the device rather than landing on the evidence disk.
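To make the mechanism concrete, here is an added toy model of a write-redirecting shadow; it is illustration written for this page, not VOOM's code, since the real product is a hardware device whose internals are not described here. It assumes an in-memory disk image with 512-byte sectors (both assumptions) and shows the three properties the article claims: the host sees its writes succeed, untouched sectors still read from the original, and a hash of the original image is identical before and after the session. Note what the model does not do: it protects the disk contents only, so an encrypted volume or a login password is exactly as much of an obstacle as it was before the device was attached, and it says nothing about what the running OS does in memory.

```python
"""Toy copy-on-write 'shadow' over a disk image.

Added illustration, not VOOM's code. Reads fall through to the original image
unless the host has written that sector, in which case the redirected copy is
served; the original bytes are never modified.
"""
import hashlib
from typing import Dict, List

SECTOR_SIZE = 512  # assumed sector size; the real device's geometry is not on the page


class ShadowDisk:
    """Copy-on-write overlay over an immutable disk image."""

    def __init__(self, original: bytes, sector_size: int = SECTOR_SIZE) -> None:
        if len(original) % sector_size:
            raise ValueError("image length must be a whole number of sectors")
        self._orig = bytes(original)          # stands in for the write-blocked drive
        self._sector_size = sector_size
        self._overlay: Dict[int, bytes] = {}  # LBA -> redirected sector contents

    @property
    def sector_count(self) -> int:
        return len(self._orig) // self._sector_size

    def _check_lba(self, lba: int) -> None:
        if not 0 <= lba < self.sector_count:
            raise IndexError(f"LBA {lba} outside image")

    def read(self, lba: int) -> bytes:
        """Serve the redirected copy if the host wrote this sector, else the original."""
        self._check_lba(lba)
        if lba in self._overlay:
            return self._overlay[lba]
        start = lba * self._sector_size
        return self._orig[start:start + self._sector_size]

    def write(self, lba: int, data: bytes) -> None:
        """The host believes the write succeeded; the original image never sees it."""
        self._check_lba(lba)
        if len(data) != self._sector_size:
            raise ValueError("writes must be whole sectors")
        self._overlay[lba] = bytes(data)

    def dirty_sectors(self) -> List[int]:
        """Which sectors the host has 'changed' (only in the overlay)."""
        return sorted(self._overlay)

    def discard_overlay(self) -> None:
        """Back to the pristine state without re-imaging anything."""
        self._overlay.clear()

    def original_digest(self) -> str:
        """Hash of the protected image: the value you would record for chain of custody."""
        return hashlib.sha256(self._orig).hexdigest()


def demo() -> dict:
    """Run a constructed session against a two-sector image and return the checks."""
    image = b"A" * SECTOR_SIZE + b"B" * SECTOR_SIZE  # constructed, not a real drive image
    disk = ShadowDisk(image)
    before = disk.original_digest()

    disk.write(1, b"X" * SECTOR_SIZE)  # e.g. the booted OS appending to a log file
    results = {
        "host_sees_write": disk.read(1) == b"X" * SECTOR_SIZE,
        "untouched_sector_intact": disk.read(0) == b"A" * SECTOR_SIZE,
        "original_unchanged": disk.original_digest() == before,
        "dirty": disk.dirty_sectors(),
    }
    disk.discard_overlay()  # the "another copy" step from the comments, for free
    results["reset_restores_original"] = disk.read(1) == b"B" * SECTOR_SIZE
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The before/after digest is the part an examiner actually has to defend: the hardware blocker is the control, and the matching hashes are the evidence that it held.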

"What a competent (computer forensics) examiner can do in a day with the Shadow, would surely take weeks or months using alternative forensic procedures," said investigator and former U.S. Customs Special Agent Will Docken in a testimonial.

The system lets an investigator see and operate the "native system," whether it's Mac, Linux, UNIX or Microsoft, according to the company. No more waiting for processing or a forensic lab examination: you can start rummaging before the corpse has cooled.

Mark Rutherford is a West Coast-based freelance writer. He is a member of the CNET Blog Network, and is not an employee of CNET. Email him at markr@milapp.com.
Comments (16)
by ewelch December 11, 2008 6:32 AM PST
I gotta get one of these things to rescue my Windows-using friends from their malware and virii! :-D
Reply to this comment
by patch991 December 11, 2008 8:55 AM PST
Another Apple Fanboy ... "The system allows seeing and operating the "native system," whether it's Mac, Linux, UNIX or Microsoft, according to the company."
by Remo_Williams December 11, 2008 6:34 AM PST
I call bs.
Reply to this comment
by tacit December 11, 2008 6:53 AM PST
Why? The basic idea is sound. The device blocks attempts to write to the hard drive. The computer can read from the hard drive, but when it goes to write to the hard drive, the write requests are intercepted and written to the device instead. It's clever, but there's nothing impossible or outrageous about it.
by man_w_balls December 11, 2008 7:06 AM PST
"The system allows seeing and operating the "native system," whether it's Mac, Linux, UNIX or Microsoft,"

Uh-oh, operating the native system? Including Mac? Wouldn't that be running Mac software on non-Apple hardware (Voom Shadow)? So will they get sued too?
Reply to this comment
by Pishkado December 11, 2008 7:17 AM PST
That doesn't seem to be how it works. The original software runs on the original computer, not on the VOOM. What VOOM does is to cache disk writes, so they don't go to the hard drive. Subsequent reads of the same sector presumably retrieve the copy on the VOOM, so as long as the VOOM isn't shut down you can't tell there's anything strange going on - but the original hard drive isn't touched. Very clever idea!
by protagonistic December 11, 2008 9:09 AM PST
So how is this really going to help? If you have to run off the native system and that is protected by a very strong PW and the volume is encrypted this would seem to provide nothing really groundbreaking.
Reply to this comment
by Michichael December 11, 2008 9:20 AM PST
I don't see how this is new. Booting Backtrack read only does the same thing, and that's free to download. I suppose if "Shadow" had a cryptography cracker, sure, but I highly doubt that it's anything not already available.

Any security professional that knows what he's doing doesn't need a name brand to do his job.
Reply to this comment
by alegr December 11, 2008 3:42 PM PST
Snake oil. Why not just make 1:1 copy of the original disk and boot with a copy.
Reply to this comment
by VOOMTECH December 17, 2008 5:55 PM PST
While I find the "Snake oil" comment a little naive, the question "Why not just make 1:1 copy of the original disk and boot with a copy." is a very good question.
1) Time. What if your child was abducted? Do you want to wait hours for a copy, followed by a lab examination of the computer (could be the abductor's or your child's computer)? Or would you rather have a trained computer forensic investigator be allowed to immediately access the computer, and operate it just as the suspect/victim did, without compromising the evidence?
2) Forensic Investigation - a traditional forensic investigation requires the duplication (copy) of the drive followed by a lab examination with very good tools such as Encase or FTK. However, this is again time consuming, and the investigator still does not have the ability to operate the suspect computer as the suspect (or victim) sees it. The Shadow provides an adjunct and very fast analysis not previously available.
3) Forensic Investigation - software virtualization can attempt to operate the suspect computer - virtually. Still requires the copy process, then loading into the virtual environment. Sometimes it just does not work. Other times, it takes substantial time to tweak the software so that it works. Other times, it "sort of" works.
4) Make a copy? Run the disk on another computer (typical process). Now the evidence is changed. You can get the information, but how do you get back to the pristine state? Answer - another copy. How much time do you have?
5) Court presentation. How much more powerful would it be to you to see the actual suspect computer operating in a court room, rather than explanations of chain of evidence, and explanations of printed computer lab reports. Time, confusion, opportunity for the defense to obfuscate, etc.
6) Confessions: Through the use of the Shadow, investigators report much quicker plea agreements, as suspects are faced with their own computers run in real time - no opportunity for obfuscation, defense tactics, etc. Less court time, less trials, more convictions - saves time and taxpayers' dollars and frees up detectives, DAs, judges, court systems, and computer forensics labs for the cases that require the type of in depth analysis required to locate fragments of documents/pictures and other data in deleted files, slack space and hidden partitions, and/or to deal with cracking passwords.

There are many other reasons. The best reason is that real-life detectives and district attorneys who use the Shadow swear by it.
by MTGrizzly December 11, 2008 4:43 PM PST
This will last exactly as long as it takes the first case it is used in to get to court. The defense attorney will ask Voom for the source code and hardware specs. Voom will refuse, claiming their 'intellectual property" &/or "trade secrets" rights trump the due process rights of the defendant. The court will disagree. Voom will tie it up in litigation forever.

Law enforcement will stop using it. Voom will go out of business...
Reply to this comment
by VOOMTECH December 17, 2008 5:58 PM PST
20/20 aired a program in Feb 2008 on the Mark Jensen murder trial in WI. The Shadow was used (as it has been in other courts) and accepted (its use by the expert witness live in court with the suspect's computer was accepted as evidence), and was critical to the conviction of wife murderer Mark Jensen.
by dechah December 11, 2008 9:45 PM PST
This is interesting. I read a story in an Australian newspaper last week about a 70+ year old man in Queensland who posted a video he had found of a laughing child being swung about by his father. The man's house was subsequently raided by the Queensland police, and the man was arrested and charged with distributing child abuse videos onto the internet. When the man was interviewed by the press, he stated that the police made him step away from his computer, and then one of them attached a small black box to the computer for gathering evidence. I wonder if it was one of these. The pic in the story certainly makes it look like it is a small black box. If so, these things are already being used in Australia.
Reply to this comment
by c|net Reader December 12, 2008 10:04 AM PST
A father can't swing his child about without being accused of child abuse now? Apparently, the only thing we're permitted to do is hand them over to Government run or sanctioned day care, schools, after school programs, etc. We can't punish them for misbehavior; we have to medicate them instead. We can't play with them, talk about religion, teach them independent thought, or otherwise interfere with their lives. It seems parents are merely units for procreation and funding.

Caveat: Having ranted, I should note that the description above makes the video sound completely innocent and that may be misleading. It was still nice to vent.
by VOOMTECH December 17, 2008 6:12 PM PST
The little black box may have a VOOM HardCopy, which is a computer forensic hard drive duplicator. By the way, it was reported to me that there was a case in Alaska in which a U.S. armed forces serviceman was being charged with child pornography, until an expert with the Shadow was brought in and demonstrated that the serviceman never did access the porno, as attempting to display the pictures (as recovered by traditional forensic software) caused the entire system to crash. The case was a little more involved than this, but this is a real life example of an injustice avoided by use of the Shadow.
by Harrison912 December 12, 2008 9:36 AM PST
Thanks, Mark, for this article. As a web site owner for safety and security products, I always like to hear about new technology to help catch the bad guys.
Reply to this comment