CSI: handle with care

Opinion by nikb

Various news sources (for example, http://www.theregister.co.uk/2009/07/08/acpo_digital_triage/) are reporting that the UK Association of Chief Police Officers (ACPO) is proposing a "computer forensics breathalyzer", a sort of bobby-on-the-beat friendly computer forensics kit to allow relatively untrained officers to capture and analyse computer evidence. Apparently none of the current commercial offerings meet ACPO's requirements.

This seems at first glance a good move, as there is a huge backlog of seized computer evidence to plough through, and anything that speeds up the justice process would be welcome, as long as the appropriate evidentiary standards are maintained.

However, assuming these reports are correct (there appears to be no official announcement on the ACPO site), I think this would be a worrying development.

The problem is that forensic evidence gathering (indeed any evidence processing) is not an unskilled task. Worse, if it is done badly, vital evidence of guilt or innocence can be irrecoverably damaged, and with computer evidence this is even easier to do than with traditional physical evidence. Even apparently simple decisions, such as whether a running laptop should be switched off, need careful consideration: if full disk encryption is in use, powering it down discards the keys held in memory and may leave the disk contents unreadable, so leaving it powered up (and capturing the volatile state first) is often the safer option.

Coincidentally I have recently been looking into digital forensics myself; I have a shelf full (literally) of technical books and have spent many hours playing with test systems and forensic tools. I've just about got to the stage where I know what I don't know; I like to think I'm a relatively well educated security person but I wouldn't touch any proper evidence with a bargepole for fear of damaging it.

Of course it's possible that ACPO's new tool will be cleverer than the current market offerings (and me ;), but in reality I suspect not. After all, the companies in the forensics business are not beginners, and most of the products are on their third or fourth generation.

It may be possible to make evidence gathering a point and click affair, but I doubt it. It certainly isn't practical to completely deskill the analysis of captured evidence. It seems strange that ACPO would suggest something like this, particularly as their previous guidance on evidence collection is actually very good (http://www.acpo.police.uk/asp/policies/Data/ACPO%20Guidelines%20v18.pdf).

Perhaps a better solution would be to properly fund the forensics service, whose traditional processing facilities are already heavily stretched, never mind the computer evidence side. In the current economic climate I'm sure there are plenty of security practitioners who would jump at the chance of Government funded training, a decent pension and an interesting career.