2 - What happens if the preview is negative ? And what would have happened if no preview had been available ? The risk here is that computers that would otherwise have been analyzed in depth could be "dismissed" since preview was negative.
I agree. I think that this is the biggest concern about this method. Given an imaginary scenario that an officer visits an offender every month and on each of these visits views the offender’s computer using the SPADA disc. On every visit the SPADA disc preview is negative. It would therefore appear the offender has turned over a new leaf and is rehabilitated - after all nothing has been found. Perhaps all the offender did was save his indecent images of children into a password protected ZIP archive? The SPADA preview, however effectively says that this person hasn’t offended. The offender is deemed to no longer be a threat and so receives no further visits.
Forensic computer analysts are skilled and highly trained with access to a wide range of software tools; these are the people that should be examining computers. Substituting them for a software tool that has technical limitations operated by an untrained (within the realms of computer forensics) person is ludicrous and sets a dangerous precedent.
Obviously saving a child from abuse can not be argued with. However, just because a method produces results does not necessarily make it a good method when there may be a better alternative. If offenders are to be monitored then it should be done properly using skilled people with comprehensive software.
Forensic computer analysts are skilled and highly trained with access to a wide range of software tools; these are the people that should be examining computers. Substituting them for a software tool that has technical limitations operated by an untrained (within the realms of computer forensics) person is ludicrous and sets a dangerous precedent.
Obviously saving a child from abuse can not be argued with. However, just because a method produces results does not necessarily make it a good method when there may be a better alternative. If offenders are to be monitored then it should be done properly using skilled people with comprehensive software.
Could not agree more.
is this just to look at ex offenders are they behaving themselves, I would gladly offer my services with encase to preview a pc at a very low cost.
1. If a offender has been prosecuted for CP then if he wanted to re offend im sure he would look at ways to hide his activites more aggresive than before. so is SPADA really the way forward ??
on the face of it great idea, but could open some real issues.
A good preview tool (though not quite forensically sound) would be a Encase V.3 running from a thumb drive. Easy tu use (a lot more than V4-6), quick preview of erased files and pictures, Word search on the disk. With a couple of enscripts, it's more than enough to allow a fairly deep examination of the drive.
The tool is fairly simple to use and a few days' training is enough to master the basic functionalities of the tool. I did write to Guidance software about this idea because I believe that such a product, moderately priced, would be a great tool to be deployed in local police stations …
I guess that a little training and experience gained from preview would allow the officer in charge to achive an efficient use of the tool fairly quickly.
Then, the last problem is time. I've always been very wary when CF-unaware collegues asked me to come to a house search to do a quick preview of the computers.
I generally got myself playing with three computers at the same time, with restless people around me waiting a full 15 minutes before starting to ask if I had found anything and if I was about to finish. I also discovered that if I hadn't been available for the preview, chances are that the computers would have been seized and examined more in depth, whereas a very quick preview sometimes served as an excuse to those who didn't believe in digital evidence to discard that part of the investigation by reporting to theperson in charge of the investigation "the computer specialist didn't find anything so there isn't anything on the computers there's no need to seize them …".
Don't forget that a "normal" computer now means several hundred thousand files, probably around 40 000 pictures to look at, several hours for a simple keyword search and probably more than a million results if you run a data carving tool for erased jpegs. Extracting internet history (netanalysis) will be another few hours, and is likely to bring another 20-30 000 lines to look at …
What I call a quick preview of a seized computer is generally around 6-8 hours of full work, spanning over a couple of days (to allow searching and data recovering during the night). And I do believe it's only a preview …