theForum is run by the charity Unlock. We do not actively moderate, monitor or edit contributions but we may intervene and take any action as we think necessary. Further details can be found in our terms of use. If you have any concerns over the contents on our site, please either register those concerns using the report-a-post button or email us at forum@unlock.org.uk.


SHPO - devices that can connect to the internet


SHPO - devices that can connect to the internet

Author
Message
J J
J J
Supreme Being
Supreme Being (23K reputation)Supreme Being (23K reputation)Supreme Being (23K reputation)Supreme Being (23K reputation)Supreme Being (23K reputation)Supreme Being (23K reputation)Supreme Being (23K reputation)Supreme Being (23K reputation)Supreme Being (23K reputation)

Group: Forum Members
Posts: 141, Visits: 541
lotsofquer - 28 Aug 20 4:11 PM
jcdmcr - 28 Aug 20 3:40 PM
jcdmcr - 28 Aug 20 3:16 PM
Hi
I've just had a visit from my public protection office, I have file auditing turned on filled my c drive event log store in under an hour!!  I've had a look through and their tool appears to be proprietory and access a number of areas. I'm still going through the log but it appears to do the following
Scan for all executables on your hard drive on all partitions
Scan for all images
Checks for any proxy usage
Scans for all images - to what end i'm not sure. I mean does it copy them or just write the names into a text file?
The program is called: osTriage2.0.0.3.exe and the event log entry is below
There is also a helperapp that runs.


My concern is that if the app does the following
1 - Copies personally identifiable informaiton to an unencrypted drive
2 - is designed to allow someone with little or no experience to run and potentially arrest someone for just ticking a box.

==========================================================
An attempt was made to access an object.

Subject:
Security ID:J***********\*****
Account Name:james
Account Domain:***************
Logon ID:0x2A7F0696

Object:
Object Server:Security
Object Type:File
Object NameBigGrin:\onedrive\OneDrive - **********\private\salvage\recovered\DSC02402.jpg
Handle ID:0x840
Resource Attributes:S:AI

Process Information:
Process ID:0x40e0
Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\osTriage2.0.0.3.exe

Access Request Information:
Accesses:ReadData (or ListDirectory)

Access Mask:0x1
================================================

It also accesses the recycle bin too

A handle to an object was requested.

Subject:
Security ID:J*******
Account Name:********
Account ******************************
Logon ID:0x2A7F0696

Object:
Object Server:Security
Object Type:File
Object NameBigGrin:\$RECYCLE.BIN\S-1-5-21-81388288-117615736-41980065-1001\$R5TN288.JPG
Handle ID:0x2b4
Resource Attributes:-

Process Information:
Process ID:0x40e0
Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\osTriage2.0.0.3.exe

Access Request Information:
Transaction ID:{00000000-0000-0000-0000-000000000000}
Accesses:SYNCHRONIZE
ReadData (or ListDirectory)
ReadAttributes

Access Reasons:SYNCHRONIZE:Granted byDSadA;ID;FA;;;BA)
ReadData (or ListDirectory):Granted byDSadA;ID;FA;;;BA)
ReadAttributes:Granted byDSadA;ID;FA;;;BA)

Access Mask:0x100081
Privileges Used for Access Check:-
Restricted SID Count:0

==========================================

This is the process starting
A new process has been created.

Creator Subject:
Security ID:***************
Account ***************
Account Domain:***************
Logon ID:0x2A7F0696

Target Subject:
Security ID:NULL SID
Account Name:-
Account Domain:-
Logon ID:0x0

Process Information:
New Process ID:0x29a0
New Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\Plugins\__tmp\c5865ccc-74af-498f-bba3-6157e3a3b34b\osTriageHelperApp.exe
Token Elevation Type:%%1937
Mandatory Label:Mandatory Label\High Mandatory Level
Creator Process ID:0x40e0
Creator Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\osTriage2.0.0.3.exe
Process Command Line:

oh as a side note - it appeared to monitor my arp cache and dns servers!!

Monitored or took a copy?

The software isn't proprietary but seems to have been removed from public view (so I guess making it pseudo proprietary). Looks like you have to have law enforcement training to get a copy now. One thing I've just discovered (although not all that surprised) while looking up the software is that Windows logs everything you access and keeps it forever even if you delete a file. If you want to take a look check out Shellbag Analyzer & Cleaner by Goversoft. Given one of the tools on the developer of ostriage website (not goversoft btw - that was another one I found) pulls this information I'd imagine they're taking a copy of it.

I guess if you have nothing to hide the only issue is the privacy intrusion and potentially some explaining to do if you happen to download something with a name that looks dodgy.

I'm not sure - i'm guessing tho they took a copy. Its the latter that bothers me on names of files. Whos to say you access (for example) a news site or any site for that matter where they have given a dodgy name to a file...

Windows only keeps the thumb cache and the search indexer.

I have file auditing set up, so I log every file accessed and keep the logs..... BUT i have nothing that audits USB drives. Besides, the only way i can do it is to switch auditing on the USB drive and thats not easily done.
lotsofquer
lotsofquer
Supreme Being
Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)

Group: Forum Members
Posts: 119, Visits: 3.4K
jcdmcr - 28 Aug 20 4:38 PM
lotsofquer - 28 Aug 20 4:11 PM
jcdmcr - 28 Aug 20 3:40 PM
jcdmcr - 28 Aug 20 3:16 PM
Hi
I've just had a visit from my public protection office, I have file auditing turned on filled my c drive event log store in under an hour!!  I've had a look through and their tool appears to be proprietory and access a number of areas. I'm still going through the log but it appears to do the following
Scan for all executables on your hard drive on all partitions
Scan for all images
Checks for any proxy usage
Scans for all images - to what end i'm not sure. I mean does it copy them or just write the names into a text file?
The program is called: osTriage2.0.0.3.exe and the event log entry is below
There is also a helperapp that runs.


My concern is that if the app does the following
1 - Copies personally identifiable informaiton to an unencrypted drive
2 - is designed to allow someone with little or no experience to run and potentially arrest someone for just ticking a box.

==========================================================
An attempt was made to access an object.

Subject:
Security ID:J***********\*****
Account Name:james
Account Domain:***************
Logon ID:0x2A7F0696

Object:
Object Server:Security
Object Type:File
Object NameBigGrin:\onedrive\OneDrive - **********\private\salvage\recovered\DSC02402.jpg
Handle ID:0x840
Resource Attributes:S:AI

Process Information:
Process ID:0x40e0
Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\osTriage2.0.0.3.exe

Access Request Information:
Accesses:ReadData (or ListDirectory)

Access Mask:0x1
================================================

It also accesses the recycle bin too

A handle to an object was requested.

Subject:
Security ID:J*******
Account Name:********
Account ******************************
Logon ID:0x2A7F0696

Object:
Object Server:Security
Object Type:File
Object NameBigGrin:\$RECYCLE.BIN\S-1-5-21-81388288-117615736-41980065-1001\$R5TN288.JPG
Handle ID:0x2b4
Resource Attributes:-

Process Information:
Process ID:0x40e0
Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\osTriage2.0.0.3.exe

Access Request Information:
Transaction ID:{00000000-0000-0000-0000-000000000000}
Accesses:SYNCHRONIZE
ReadData (or ListDirectory)
ReadAttributes

Access Reasons:SYNCHRONIZE:Granted byDSadA;ID;FA;;;BA)
ReadData (or ListDirectory):Granted byDSadA;ID;FA;;;BA)
ReadAttributes:Granted byDSadA;ID;FA;;;BA)

Access Mask:0x100081
Privileges Used for Access Check:-
Restricted SID Count:0

==========================================

This is the process starting
A new process has been created.

Creator Subject:
Security ID:***************
Account ***************
Account Domain:***************
Logon ID:0x2A7F0696

Target Subject:
Security ID:NULL SID
Account Name:-
Account Domain:-
Logon ID:0x0

Process Information:
New Process ID:0x29a0
New Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\Plugins\__tmp\c5865ccc-74af-498f-bba3-6157e3a3b34b\osTriageHelperApp.exe
Token Elevation Type:%%1937
Mandatory Label:Mandatory Label\High Mandatory Level
Creator Process ID:0x40e0
Creator Process Name:\Device\HarddiskVolume12\osTriage2.0.0.3 - SOPO\osTriage2.0.0.3.exe
Process Command Line:

oh as a side note - it appeared to monitor my arp cache and dns servers!!

Monitored or took a copy?

The software isn't proprietary but seems to have been removed from public view (so I guess making it pseudo proprietary). Looks like you have to have law enforcement training to get a copy now. One thing I've just discovered (although not all that surprised) while looking up the software is that Windows logs everything you access and keeps it forever even if you delete a file. If you want to take a look check out Shellbag Analyzer & Cleaner by Goversoft. Given one of the tools on the developer of ostriage website (not goversoft btw - that was another one I found) pulls this information I'd imagine they're taking a copy of it.

I guess if you have nothing to hide the only issue is the privacy intrusion and potentially some explaining to do if you happen to download something with a name that looks dodgy.

I'm not sure - i'm guessing tho they took a copy. Its the latter that bothers me on names of files. Whos to say you access (for example) a news site or any site for that matter where they have given a dodgy name to a file...

Windows only keeps the thumb cache and the search indexer.

I have file auditing set up, so I log every file accessed and keep the logs..... BUT i have nothing that audits USB drives. Besides, the only way i can do it is to switch auditing on the USB drive and thats not easily done.

You can turn off the thumb cache on windows. Not sure about the search indexer.  It keeps more than that - take a look at the software I mentioned above (or go directly in to the registry yourself if you don't trust it). It's all there.  That software also has the option to delete it.

punter99
punter99
Supreme Being
Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)

Group: Forum Members
Posts: 769, Visits: 5.7K
I know that my PPU tried to run lazagne.exe (password stealer) on my device, but windows stopped it.  Although ostriage isn't available for downloading you could try osforensics - free 30 day trial. shows you the kind of thing ostriage can do

https://forums.passmark.com/osforensics-osfmount-osfclone/48008-osforensics-v8-beta-release

lots of fun for techies...

Mark15788
Mark15788
Supreme Being
Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)

Group: Forum Members
Posts: 293, Visits: 4.7K
If your order has no requirement to install that sort of software than surely they can’t? Or does your order include that?
lotsofquer
lotsofquer
Supreme Being
Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)

Group: Forum Members
Posts: 119, Visits: 3.4K
Mark15788 - 28 Aug 20 6:33 PM
If your order has no requirement to install that sort of software than surely they can’t? Or does your order include that?

Likely the order is to do with making devices available (for checking) - it's not actually installing any software but just running the software. The software is taking whatever they specify I would imagine and they analyse it later.  . Given punter99 mentioned that windows stopped it from stealing passwords then I'd imagine that they use anything they can regardless of legality of doing so or any privacy concerns.

If you don't allow them then possibly a breach of the order (for not allowing access to devices) or you could make them do it manually meaning they are there for longer but probably not as thorough as the software.  Obviously I'll make a decision based on the situation at the time (dependant on what orders I end up subject to) but I'd imagine that I wouldn't be too happy about them stealing passwords or using automated software to take everything and anything. I'll likely make them do it manually if thats an option (obviously one they're not going to present to you or deny exists but - and I'm just spitballing here - I would think that unless your order states they can do so then you can refuse provided you make the device available for checking. Whether that means they take it away for to analyse (and probably use the software anyway but deprive you of a laptop for however many months) or not I don't know.

lotsofquer
lotsofquer
Supreme Being
Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)Supreme Being (14K reputation)

Group: Forum Members
Posts: 119, Visits: 3.4K
punter99 - 28 Aug 20 5:01 PM
I know that my PPU tried to run lazagne.exe (password stealer) on my device, but windows stopped it.  Although ostriage isn't available for downloading you could try osforensics - free 30 day trial. shows you the kind of thing ostriage can do

https://forums.passmark.com/osforensics-osfmount-osfclone/48008-osforensics-v8-beta-release

lots of fun for techies...

Ok the amount of information they collect is scary and I actually can't see why a lot of it is required.  Why would they need all of the wifi passwords on your machine for instance????

Mark15788
Mark15788
Supreme Being
Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)

Group: Forum Members
Posts: 293, Visits: 4.7K
Yeah that dies make sense.

I’m only curious as never heard much about this side.

Checks for me have always been literally a two minute browse of my history.

Not sure if the actual sexual offence makes a difference to the checks they tend to do or what they look out for.
xDanx
xDanx
Supreme Being
Supreme Being (40K reputation)Supreme Being (40K reputation)Supreme Being (40K reputation)Supreme Being (40K reputation)Supreme Being (40K reputation)Supreme Being (40K reputation)Supreme Being (40K reputation)Supreme Being (40K reputation)Supreme Being (40K reputation)

Group: Forum Members
Posts: 365, Visits: 11K
One key thing to remember is, they are not your friends.
They will use every tactic possible to bypass your civil rights to collect all the information so they can to use against you.
And they get away with many things because most individuals simply do not know what rights they even have, and police exploit this.

I have said it before in a previous post, but it really does frustrate me reading about people who get sentenced for dishonesty. Yet the whole justice system is entirely based on dishonesty.

Far as I am concerned, if it does not state in the orders that you must have monitoring software installed then you simply are not forced to have it.

Mark15788
Mark15788
Supreme Being
Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)Supreme Being (43K reputation)

Group: Forum Members
Posts: 293, Visits: 4.7K
Mine says something like “if they choose to” I’m nearly at the three year point and never had anything mentioned about it.
punter99
punter99
Supreme Being
Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)Supreme Being (96K reputation)

Group: Forum Members
Posts: 769, Visits: 5.7K
Monitoring software and ostriage are two seperate things. Monitoring software checks your device in real time and feeds things like screenshots back to the PPU, so if you typed in one of their watchwords, it would grab a screenshot of what you were doing at the time. It is very intrusive, because it is running in the background all the time. I offered to let them install it on my device but they said they only have a small number of licences, so they weren't going to bother.

Ostriage is basically taking a snapshot of what is on your device, at the time the PPU visit you. Sometimes they just do a manual check of my browsing history, but other times they insert a USB stick, which runs the ostriage software. As far as privacy is concerned, it probably comes under the very broad definition of checking or inspecting your devices, which is allowed by the SHPO.

It's intended for digital forensic investigators to use, when they arrest somebody and seize their devices. The idea is to let them inspect the device for anything naughty, on the spot, rather than having to take it to a lab.  The main focus is images (obviously), and certain keywords, but it hoovers up lots of other stuff which might be useful for an investigation. How much use it is to the PPU depends on their level of IT knowledge. Mine is only really interested in the images.

But by playing around with tools like osforensics, I was able to see what they see. It can be a real eye opener, to find out just how much data they can extract.

GO


Similar Topics


As a small but national charity, we rely on charitable grants and individual donations to continue running theForum. We do not deliver government services. By being independent, we are able to respond to the needs of the people with convictions. Help us keep theForum going.

Donate Online

Login
Existing Account
Email Address:


Password:


Select a Forum....
























































































































































































theForum


Search