March 6, 2008 8:19 AM PST

Linux tool speeds up computer forensics for cops

Australian university students have developed a Linux-based data forensics tool to help police churn through a growing backlog of computer-related criminal investigations.

The tool was developed by students from Edith Cowan University's School of Computing and Information Sciences and will help the Western Australian Police Computer Crime Squad process their forensic investigations.

Called Simple (for Simple Image Preview Live Environment), the software allows investigators to view and acquire forensic data at the scene of the crime without compromising the integrity of data as it is collected.

"It's a Linux Live CD that we have built from the ground up. We customized the kernel and the underlying operating system so that when it runs it's incapable of writing to the hard disk or any other storage," Peter Hannay, the software developer behind the forensic acquisition tool told ZDNet Australia.

The operating system has had some features removed so that investigators can view data without affecting the host machine.

"We stripped out a large amount of functionality because we want to maintain the integrity of data collected, so we removed all network support and the ability to write to disk. Also, if for some reason a disk is writeable, the system will halt automatically," he added.

"Our software will launch on top of the operating system and will interrogate the hard disk, locate all the images on system and then present those to the operator."

The Simple tool searches the system for specific file types like MPEG or JPEG files, saving time on the often lengthy search process.

Hoping to achieve even greater automation during the collection of evidence, Simple will soon be equipped with skin-tone analysis capabilities to help detect relevant files.

The idea for the tool first came when the Western Australian Police approached the university in 2006, since its investigators could not handle the amount of computer forensic data requests, which relate mostly to child pornography and bestiality.

Normally police need to take the PCs back to the station to begin acquiring forensic data, but with this tool, according to Hannay, police will be able to collect the data on the spot.

Liam Tung of ZDNet Australia reported from Sydney.

See more CNET content tagged:
integrity, police, Linux, operating system, hard drive

7 comments

Join the conversation!
Add your comment
This is not new
Bootable Linux CD's designed for law enforcement computer forensic use have been around for several years.

Check out:
<a class="jive-link-external" href="http://www.spada-cd.info/about.htm" target="_newWindow">http://www.spada-cd.info/about.htm</a>
<a class="jive-link-external" href="http://www.e-fense.com/helix/" target="_newWindow">http://www.e-fense.com/helix/</a>
Posted by af_waterwalker (2 comments )
Reply Link Flag
A little behind the times
This type of disk has existed for years. The International Association of Computer Investigative Specialists has SPADA, Forward Discovery has RAPTOR, and there is Helix just to name a few. We can always use more tools but this is nothing new.
Posted by macsrock (1 comment )
Reply Link Flag
Collection?
How can a system incapable of saving the evidence to a storage system that can be produced in court be descibed as "collecting" evidence?

"Previewing", maybe. But not "collecting"
Posted by Bob Harvey (1 comment )
Reply Link Flag
Did you guys actually read the article?
Just wondering if you actually read the article or not. It's made to get the pictures specifically. Not made as an "all in one" tool like the others.
Posted by farmeunit (1 comment )
Reply Link Flag
Where is it
Let's put it to the test. Where is it?
Posted by rbyers4 (1 comment )
Link Flag
An obvious flaw in this system - which boasts of keeping the integrity of the evidence - is that they are saving everything as a JPG file, the worst possible kind of file because it compresses every time the file is saved, throwing out more and more information to reduce file size. This is pretty basic stuff to be aware of.
Posted by strategynode (7 comments )
Reply Link Flag
@farmeunit - It's made to see if there is anything there in the way of movies (mpeg) or images (jpeg). There have been tools out for years like this. This is not news to anyone but people like yourself.

How about: http://www.linux-forensics.com/
Based on Knoppix as well and it's free.
Posted by JohnSmithiack (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.