Hi all,
I am not in the field of Forensics so please be gentle. I have an end user knowledge of the processes but not the ins and outs. I manage a team of Detectives who monitor sex offenders in the community and wish to give them more teeth in dealing with RSOs.
I got told of SPADA by a colleague in another Force, who claims it is a fantastic tool for his officers. I have recently emailed the owner of SPADA so that I may look into it.
My question is: can you guys advise me what the best-in-the-field software is for my officers, simply to check for indecent images? It will need to be very basic as not all my officers are computer savvy.
This tool will enable them to be more intrusive with the offenders, act as a better deterrent and also take some of the load off you guys by not bringing in workstations on a "just to see" scenario.
It will also assist in bail conditions if images are found. Whilst the workstation is being fully interrogated by you guys, we can stick them on 37(7) bail with more backing (our CPS are weak at present!)
regards
SPADA is good, as is the Helix live CD. I use those, plus I also attended training and received a copy of the FBI's Imagescan live cd. All of those would work for you. I'm pretty happy with Imagescan, which I believe is only available to law enforcement type agencies. I'm not sure if they would provide it to agencies outside the US, but it couldn't hurt to ask.
I have used it a number of times in the field and have been happy with the results. You could contact them to see about the training, etc.
KP
Have you spoken to your own Force's high tech crime unit or digital forensics unit? They really should be the 1st point of call as they will be supporting the outcome of any use of such systems.
Sadly the manager in the dept is very insular and won't assist in us moving forward in this field. I won't let this deter me as I put the children first, therefore I need a strong business case and to be able to present it in a way that would make it difficult not to see the benefits.
I would suggest you contact Bill Crane at NPIA (formerly NSLEC at Wyboston) re SPADA training. They were running a one day course on it last year which was attended by many PPO's and HTCU officers.
Stu
Hi PulpFiction
We are currently working on such a tool that will look for images and, even further, can look in the metadata for .pdf, .doc etc.
However, it's not got a nice GUI front end, but is very easy for "non techies" to use.
We are working with our local uni to produce this to complement our other forensics offerings.
if you want more info then PM me
Keanaz
Pulpfixtion,
I've been looking at this issue recently myself after enquiries from Officers in our force.
I have finally managed to obtain a copy from another force after all my attempts to send emails to the authors were bounced.
I have to say in the first five minutes of testing on a 2 year old computer I found a number of things that gravely concerned me, especially as this is supposed to be a tool usable by non-technical people.
1) It was unable to view the content of a 1Tb RAID. This is a simple one built into my motherboard, similar to the type we are increasingly seeing in seized computers.
2) When running the media finder it did not inform me there was a problem mounting the 1Tb RAID, it simply showed me an empty folder which would indicate no images found (it's the drive I export files to from suspects' computers and has 10s of 1000s of images on it).
3) It was unable to play any MPEG videos (a very common format), displaying what appeared to be near-random primary coloured dots in place of the content (again, no error).
4) The AVIs I tried wouldn't play either. SPADA was a little more helpful this time and told me there was an error, missing codecs.
5) I am a little perturbed that the option to wipe a drive is so prominent on the menu.
6) On the first occasion it was unable to mount approximately half of the registry files it located (after making me navigate to the Windows folder). It did display an error, just not one that helped in working out what the problem was and certainly nothing that would assist a non-technical user. Oddly, when I next booted the SPADA disk in the same hardware it could open all of them.
7) It didn't strike me as remotely user-friendly for a non-technical user.
Although my testing continues I am concerned that this disk is giving non-technical people a false sense of security when used to examine the content of convicted sex offenders' computers. I appreciate that in some cases nothing other than a full forensic examination will discover the evidence but my first impression is not an encouraging one.
If you struggle to obtain a copy, get in touch and I'll see if I can get a copy to you.
Regards,
Chris
I am concerned that this disk is giving non-technical people a false sense of security
Exactly.
I too have been looking at this, and I feel there are just too many variables with the way people use their machines for any examination with a boot disk to be regarded as accurate.
I think some forces are almost using the threat of examination as a big stick to try and deter sex offenders from using their computers, but I also feel that if too many become aware that the police are going to come looking, they will make the extra effort to hide their little stashes. SPADA/Helix/any other boot disk is not going to find the CD on the bookshelf/the thumbdrive in the cupboard etc etc.
I applaud Pulpfixtion for wanting to do more to protect children/catch sex offenders, and I have eerily similar conversations with my DI about this (whereabouts are you Pulpfixtion??), but like Chris, I am concerned as to who does the looking with this sort of product, and how much time they intend to spend looking, given the size of storage media available in modern machines.
If they're using Helix or some other boot CD I suspect your officers are quite computer savvy.
If you wanted you could add to the helix CD/Pen Drive a tool called
Once you load the CD/Thumbdrive you can boot Helix and then kick off photorec to recover images from the HD to an external Pen Drive. I believe this is only possible when booted into the *nix version of Helix and I doubt it would be available in the Windows boot menu of Helix, i.e. when you insert the Helix CD into Windows whilst Windows is running to get the WFT - Windows Forensic Toolkit (but I haven't tested this).
You could then use the thumbnail view of Windows (on a separate laptop) to view the images recovered to the HD.
Photorec might take a small bit of getting used to, but once you do it once you'll be able to replicate the steps for any machine.
Ronan
P.S. This paper discusses the changes a helix CD makes to the system whilst running WFT … but the sites found
If they're using Helix or some other boot CD I suspect your officers are quite computer savvy.
The SPADA CD is being used by officers with little or no computer knowledge. In the UK there is a 1 or 2 day course that is supposed to equip someone with zero experience with sufficient knowledge to use this disk in the field.