Wednesday, March 12, 2008

homebrew forensics

came across an interesting article about a university in australia where students (staff?) developed a linux-based livecd tool called SImPLE to assist police in forensics investigations...

at first i was like, "erm, helix" but after i RTFA i realized that this is a different class of product.

they reportedly have removed hdd write capability from the kernel, and come up with some scripts which dig through the file-system looking for image and movie files. it mentions that there are skin tone algorithms as well, which sounds kinda nifty (speaking as one who hasn't done any img analysis programming)...

so anyway, you can prolly see where this is going: helping cops find child pr0n...

the gist of it is that police forensics units were overwhelmed, and many cases involved cp. i know from talking to people who used to be that type of LEO that there are definitely staffing and workload constraints.

so on the surface this seems like a cool tool. basically the beat cops get a cd and drop it on the suspect's laptop and take a gander at the imgs and vids the tool produces.

i guess it is double-edged because if you aren't doing a drive image and then doing helix/ftk/encase analysis, you're prolly gonna miss a lot of stuff. are there crypted containers? are there deleted files? slack space files? is there other evidence in the file-system which might lead you to find evidence elsewhere?
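to make the "scripts which dig through the file-system" bit (and the stuff such a quick pass misses) concrete, here's an added python sketch of that sort of triage pass. it is mine, not the SImPLE code (which i couldn't find): it spots pics and vids by magic bytes instead of extension, hashes what it finds, and flags high-entropy files as possible crypted containers, i.e. exactly what a quick look at the images would skip. the signatures, the sample file names and the 7.5 entropy threshold are my assumptions.

```python
import hashlib
import math
import os
import tempfile

# Content signatures (offset, magic); matching on content catches renamed files.
SIGNATURES = {"jpeg": (0, b"\xff\xd8\xff"), "png": (0, b"\x89PNG\r\n\x1a\n"), "mp4": (4, b"ftyp")}

def identify(header: bytes):
    """Return the media type whose signature matches the file header, else None."""
    for name, (offset, magic) in SIGNATURES.items():
        if header[offset:offset + len(magic)] == magic:
            return name
    return None

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; near 8.0 means encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage(root: str, header_len: int = 4096, threshold: float = 7.5) -> list:
    """Read-only walk: list media files, plus high-entropy blobs a picture viewer would miss."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            with open(os.path.join(dirpath, fn), "rb") as f:  # open for reading only
                data = f.read()
            kind = identify(data[:header_len])
            ent = entropy(data[:header_len])
            if kind is None and ent < threshold:
                continue  # ordinary file, nothing for this pass
            findings.append({"name": fn, "type": kind or "possible container",
                             "entropy": round(ent, 2), "sha256": hashlib.sha256(data).hexdigest()})
    return findings

def demo() -> list:
    """Constructed sample tree (assumed names): a renamed JPEG, an MP4, plain text, a random 'vault'."""
    root = tempfile.mkdtemp()
    samples = {"notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 64,  # JPEG bytes hiding as .txt
               "clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 64,
               "readme": b"plain text, nothing to see here\n" * 4,
               "vault.bin": os.urandom(4096)}  # random bytes, like an encrypted container
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return triage(root)
```

the "possible container" hits are the ones that tell you a full image plus a proper tool is needed rather than a quick look at the pics.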

i dug around a bit for the tool, but couldn't find it, so maybe it isn't open. i found another project the uni is doing called LIARS (Laptop Inspector and Recovery System), where it digs through registry keys to help determine information about the original owner of a lost/stolen laptop... w00t @ that!

so i guess overall it is a win, and we just get back to the old equation of balancing cost versus value. use the tool to reduce the load, but if you feel strongly that the person is a sophisticated predatory type, hire a real forensics investigator to do the job right.

we actually do a similar thing at work. we can do general investigations to help you figure out what happened, and we can also do very detailed analysis which can be used in legal proceedings and the like. we just leave it up to the client to tell us which level of detail they want...

we also use a linux derived tool (amongst others) for part of our analysis, but it's just to grab the image. this box has a ton of different ports, and is a write-blocker. you hook up the two drives and hit go, and it rips off a bit for bit image. then it is ready for loading into your fav tool...

and on a completely unrelated kick... i saw this at a client site the other day. it was just sitting in a hallway area... i couldn't help but laugh... i didn't want to know what was in the container... ;)


if you can't read it, it says "DO NOT TURN THIS VALVE"... lol...