SHPO - devices that can connect to the internet

theForum is run by the charity Unlock. We do not actively moderate, monitor or edit contributions but we may intervene and take any action as we think necessary. Further details can be found in our terms of use. If you have any concerns over the contents on our site, please either register those concerns using the report-a-post button or email us at forum@unlock.org.uk.

Home
»
The Criminal Justice System
»
Police
»
SHPO - devices that can connect to the internet

SHPO - devices that can connect to the internet

View Options

Author	Message
J J	J J Posted 4 Years Ago #28783
Supreme Being Group: Forum Members Posts: 141, Visits: 541	+x lotsofquer - 28 Aug 20 4:11 PM +x jcdmcr - 28 Aug 20 3:40 PM +x jcdmcr - 28 Aug 20 3:16 PM Hi I've just had a visit from my public protection office, I have file auditing turned on filled my c drive event log store in under an hour!! I've had a look through and their tool appears to be proprietory and access a number of areas. I'm still going through the log but it appears to do the following Scan for all executables on your hard drive on all partitions Scan for all images Checks for any proxy usage Scans for all images - to what end i'm not sure. I mean does it copy them or just write the names into a text file? The program is called: osTriage2.0.0.3.exe and the event log entry is below There is also a helperapp that runs. My concern is that if the app does the following 1 - Copies personally identifiable informaiton to an unencrypted drive 2 - is designed to allow someone with little or no experience to run and potentially arrest someone for just ticking a box. ========================================================== An attempt was made to access an object. Subject: Security ID:J*********\* Account Name:james Account Domain:*********** Logon ID:0x2A7F0696 Object: Object Server:Security Object Type:File Object Name:\onedrive\OneDrive - ******\private\salvage\recovered\DSC02402.jpg Handle ID:0x840 Resource Attributes:S:AI Process Information: Process ID:0x40e0 Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\osTriage2.0.0.3.exe Access Request Information: Accesses:ReadData (or ListDirectory) Access Mask:0x1 ================================================ It also accesses the recycle bin too A handle to an object was requested. Subject: Security ID:J*** Account Name:**** Account ************************** Logon ID:0x2A7F0696 Object: Object Server:Security Object Type:File Object Name:\$RECYCLE.BIN\S-1-5-21-81388288-117615736-41980065-1001\$R5TN288.JPG Handle ID:0x2b4 Resource Attributes:- Process Information: Process ID:0x40e0 Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\osTriage2.0.0.3.exe Access Request Information: Transaction ID:{00000000-0000-0000-0000-000000000000} Accesses:SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Reasons:SYNCHRONIZE:Granted byDA;ID;FA;;;BA) ReadData (or ListDirectory):Granted byDA;ID;FA;;;BA) ReadAttributes:Granted byDA;ID;FA;;;BA) Access Mask:0x100081 Privileges Used for Access Check:- Restricted SID Count:0 ========================================== This is the process starting A new process has been created. Creator Subject: Security ID:*********** Account *********** Account Domain:************* Logon ID:0x2A7F0696 Target Subject: Security ID:NULL SID Account Name:- Account Domain:- Logon ID:0x0 Process Information: New Process ID:0x29a0 New Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\Plugins\__tmp\c5865ccc-74af-498f-bba3-6157e3a3b34b\osTriageHelperApp.exe Token Elevation Type:%%1937 Mandatory Label:Mandatory Label\High Mandatory Level Creator Process ID:0x40e0 Creator Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\osTriage2.0.0.3.exe Process Command Line: oh as a side note - it appeared to monitor my arp cache and dns servers!! Monitored or took a copy? The software isn't proprietary but seems to have been removed from public view (so I guess making it pseudo proprietary). Looks like you have to have law enforcement training to get a copy now. One thing I've just discovered (although not all that surprised) while looking up the software is that Windows logs everything you access and keeps it forever even if you delete a file. If you want to take a look check out Shellbag Analyzer & Cleaner by Goversoft. Given one of the tools on the developer of ostriage website (not goversoft btw - that was another one I found) pulls this information I'd imagine they're taking a copy of it. I guess if you have nothing to hide the only issue is the privacy intrusion and potentially some explaining to do if you happen to download something with a name that looks dodgy. I'm not sure - i'm guessing tho they took a copy. Its the latter that bothers me on names of files. Whos to say you access (for example) a news site or any site for that matter where they have given a dodgy name to a file... Windows only keeps the thumb cache and the search indexer. I have file auditing set up, so I log every file accessed and keep the logs..... BUT i have nothing that audits USB drives. Besides, the only way i can do it is to switch auditing on the USB drive and thats not easily done. 75
	Reply
lotsofquer	lotsofquer Posted 4 Years Ago #28784
Supreme Being Group: Forum Members Posts: 119, Visits: 3.4K	+x jcdmcr - 28 Aug 20 4:38 PM +x lotsofquer - 28 Aug 20 4:11 PM +x jcdmcr - 28 Aug 20 3:40 PM +x jcdmcr - 28 Aug 20 3:16 PM Hi I've just had a visit from my public protection office, I have file auditing turned on filled my c drive event log store in under an hour!! I've had a look through and their tool appears to be proprietory and access a number of areas. I'm still going through the log but it appears to do the following Scan for all executables on your hard drive on all partitions Scan for all images Checks for any proxy usage Scans for all images - to what end i'm not sure. I mean does it copy them or just write the names into a text file? The program is called: osTriage2.0.0.3.exe and the event log entry is below There is also a helperapp that runs. My concern is that if the app does the following 1 - Copies personally identifiable informaiton to an unencrypted drive 2 - is designed to allow someone with little or no experience to run and potentially arrest someone for just ticking a box. ========================================================== An attempt was made to access an object. Subject: Security ID:J*********\* Account Name:james Account Domain:*********** Logon ID:0x2A7F0696 Object: Object Server:Security Object Type:File Object Name:\onedrive\OneDrive - ******\private\salvage\recovered\DSC02402.jpg Handle ID:0x840 Resource Attributes:S:AI Process Information: Process ID:0x40e0 Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\osTriage2.0.0.3.exe Access Request Information: Accesses:ReadData (or ListDirectory) Access Mask:0x1 ================================================ It also accesses the recycle bin too A handle to an object was requested. Subject: Security ID:J*** Account Name:**** Account ************************** Logon ID:0x2A7F0696 Object: Object Server:Security Object Type:File Object Name:\$RECYCLE.BIN\S-1-5-21-81388288-117615736-41980065-1001\$R5TN288.JPG Handle ID:0x2b4 Resource Attributes:- Process Information: Process ID:0x40e0 Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\osTriage2.0.0.3.exe Access Request Information: Transaction ID:{00000000-0000-0000-0000-000000000000} Accesses:SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Reasons:SYNCHRONIZE:Granted byDA;ID;FA;;;BA) ReadData (or ListDirectory):Granted byDA;ID;FA;;;BA) ReadAttributes:Granted byDA;ID;FA;;;BA) Access Mask:0x100081 Privileges Used for Access Check:- Restricted SID Count:0 ========================================== This is the process starting A new process has been created. Creator Subject: Security ID:*********** Account *********** Account Domain:************* Logon ID:0x2A7F0696 Target Subject: Security ID:NULL SID Account Name:- Account Domain:- Logon ID:0x0 Process Information: New Process ID:0x29a0 New Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\Plugins\__tmp\c5865ccc-74af-498f-bba3-6157e3a3b34b\osTriageHelperApp.exe Token Elevation Type:%%1937 Mandatory Label:Mandatory Label\High Mandatory Level Creator Process ID:0x40e0 Creator Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\osTriage2.0.0.3.exe Process Command Line: oh as a side note - it appeared to monitor my arp cache and dns servers!! Monitored or took a copy? The software isn't proprietary but seems to have been removed from public view (so I guess making it pseudo proprietary). Looks like you have to have law enforcement training to get a copy now. One thing I've just discovered (although not all that surprised) while looking up the software is that Windows logs everything you access and keeps it forever even if you delete a file. If you want to take a look check out Shellbag Analyzer & Cleaner by Goversoft. Given one of the tools on the developer of ostriage website (not goversoft btw - that was another one I found) pulls this information I'd imagine they're taking a copy of it. I guess if you have nothing to hide the only issue is the privacy intrusion and potentially some explaining to do if you happen to download something with a name that looks dodgy. I'm not sure - i'm guessing tho they took a copy. Its the latter that bothers me on names of files. Whos to say you access (for example) a news site or any site for that matter where they have given a dodgy name to a file... Windows only keeps the thumb cache and the search indexer. I have file auditing set up, so I log every file accessed and keep the logs..... BUT i have nothing that audits USB drives. Besides, the only way i can do it is to switch auditing on the USB drive and thats not easily done. You can turn off the thumb cache on windows. Not sure about the search indexer. It keeps more than that - take a look at the software I mentioned above (or go directly in to the registry yourself if you don't trust it). It's all there. That software also has the option to delete it. 66
	Reply
punter99	punter99 Posted 4 Years Ago #28785
Supreme Being Group: Forum Members Posts: 714, Visits: 5.3K	I know that my PPU tried to run lazagne.exe (password stealer) on my device, but windows stopped it. Although ostriage isn't available for downloading you could try osforensics - free 30 day trial. shows you the kind of thing ostriage can do https://forums.passmark.com/osforensics-osfmount-osfclone/48008-osforensics-v8-beta-release lots of fun for techies... 79
	Reply
Mark15788	Mark15788 Posted 4 Years Ago #28786
Supreme Being Group: Forum Members Posts: 293, Visits: 4.7K	If your order has no requirement to install that sort of software than surely they can’t? Or does your order include that? 73
	Reply
lotsofquer	lotsofquer Posted 4 Years Ago #28787
Supreme Being Group: Forum Members Posts: 119, Visits: 3.4K	+x Mark15788 - 28 Aug 20 6:33 PM If your order has no requirement to install that sort of software than surely they can’t? Or does your order include that? Likely the order is to do with making devices available (for checking) - it's not actually installing any software but just running the software. The software is taking whatever they specify I would imagine and they analyse it later. . Given punter99 mentioned that windows stopped it from stealing passwords then I'd imagine that they use anything they can regardless of legality of doing so or any privacy concerns. If you don't allow them then possibly a breach of the order (for not allowing access to devices) or you could make them do it manually meaning they are there for longer but probably not as thorough as the software. Obviously I'll make a decision based on the situation at the time (dependant on what orders I end up subject to) but I'd imagine that I wouldn't be too happy about them stealing passwords or using automated software to take everything and anything. I'll likely make them do it manually if thats an option (obviously one they're not going to present to you or deny exists but - and I'm just spitballing here - I would think that unless your order states they can do so then you can refuse provided you make the device available for checking. Whether that means they take it away for to analyse (and probably use the software anyway but deprive you of a laptop for however many months) or not I don't know. 68
	Reply
lotsofquer	lotsofquer Posted 4 Years Ago #28788
Supreme Being Group: Forum Members Posts: 119, Visits: 3.4K	+x punter99 - 28 Aug 20 5:01 PM I know that my PPU tried to run lazagne.exe (password stealer) on my device, but windows stopped it. Although ostriage isn't available for downloading you could try osforensics - free 30 day trial. shows you the kind of thing ostriage can do https://forums.passmark.com/osforensics-osfmount-osfclone/48008-osforensics-v8-beta-release lots of fun for techies... Ok the amount of information they collect is scary and I actually can't see why a lot of it is required. Why would they need all of the wifi passwords on your machine for instance???? 68
	Reply
Mark15788	Mark15788 Posted 4 Years Ago #28789
Supreme Being Group: Forum Members Posts: 293, Visits: 4.7K	Yeah that dies make sense. I’m only curious as never heard much about this side. Checks for me have always been literally a two minute browse of my history. Not sure if the actual sexual offence makes a difference to the checks they tend to do or what they look out for. 68
	Reply
xDanx	xDanx Posted 4 Years Ago #28790
Supreme Being Group: Forum Members Posts: 355, Visits: 10K	One key thing to remember is, they are not your friends. They will use every tactic possible to bypass your civil rights to collect all the information so they can to use against you. And they get away with many things because most individuals simply do not know what rights they even have, and police exploit this. I have said it before in a previous post, but it really does frustrate me reading about people who get sentenced for dishonesty. Yet the whole justice system is entirely based on dishonesty. Far as I am concerned, if it does not state in the orders that you must have monitoring software installed then you simply are not forced to have it. 74
	Reply
Mark15788	Mark15788 Posted 4 Years Ago #28791
Supreme Being Group: Forum Members Posts: 293, Visits: 4.7K	Mine says something like “if they choose to” I’m nearly at the three year point and never had anything mentioned about it. 71
	Reply
punter99	punter99 Posted 4 Years Ago #28792
Supreme Being Group: Forum Members Posts: 714, Visits: 5.3K	Monitoring software and ostriage are two seperate things. Monitoring software checks your device in real time and feeds things like screenshots back to the PPU, so if you typed in one of their watchwords, it would grab a screenshot of what you were doing at the time. It is very intrusive, because it is running in the background all the time. I offered to let them install it on my device but they said they only have a small number of licences, so they weren't going to bother. Ostriage is basically taking a snapshot of what is on your device, at the time the PPU visit you. Sometimes they just do a manual check of my browsing history, but other times they insert a USB stick, which runs the ostriage software. As far as privacy is concerned, it probably comes under the very broad definition of checking or inspecting your devices, which is allowed by the SHPO. It's intended for digital forensic investigators to use, when they arrest somebody and seize their devices. The idea is to let them inspect the device for anything naughty, on the spot, rather than having to take it to a lab. The main focus is images (obviously), and certain keywords, but it hoovers up lots of other stuff which might be useful for an investigation. How much use it is to the PPU depends on their level of IT knowledge. Mine is only really interested in the images. But by playing around with tools like osforensics, I was able to see what they see. It can be a real eye opener, to find out just how much data they can extract. 65
	Reply

SHPO - devices that can connect to the internet

SHPO - devices that can connect to the internet

Similar Topics

Login

Select a Forum....

theForum

Search

Existing Account
Email Address: Password: Reset Your Password Remember Me