Linux tool speeds up police computer forensics

University students have devised a Linux-based data-forensics tool that allows police to analyse computers at the scene of a crime

Australian university students have developed a Linux-based data-forensics tool to help police churn through a growing backlog of computer-related criminal investigations.

The tool, developed by students at the School of Computing and Information Sciences at Edith Cowan University (ECU), will help the Western Australian Police Computer Crime Squad process their forensic investigations.

Called Simple (Simple Image Preview Live Environment), the software allows investigators to view and acquire forensic data at the scene of the crime without compromising the integrity of data as it is collected.

"It's a Linux Live CD that we have built from the ground up. We customised the kernel and the underlying operating system so that, when it runs, it's incapable of writing to the hard disk or any other storage," Peter Hannay, the software developer behind the forensic acquisition tool, told ZDNet.com.au.

The operating system has had some features removed so that investigators can view data without affecting the host machine.

"We stripped out a large amount of functionality because we want to maintain the integrity of data collected, so we removed all network support and the ability to write to disk. Also, if for some reason a disk is writeable, the system will halt automatically," Hannay said.

"Our software will launch on top of the operating system, and will interrogate the hard disk, locate all the images on system and then present those to the operator," Hannay added.

Simple searches the system for specific file types, such as MPEG or JPEG files, saving time on the often lengthy search process.

Hoping to achieve even greater automation during the collection of evidence, Simple will soon be equipped with skin-tone analysis capabilities to help detect relevant files.

The idea for the tool first originated when the Western Australia Police approached the university in 2006 because its investigators could not handle the amount of computer forensic data requests, which relate mostly to child pornography and bestiality.

Normally police need to take PCs back to the station to begin acquiring forensic data but, with this tool, according to Hannay, police will be able to collect the data on the spot.