Computer Crime Research Center


Computer crime trace: finding and evaluating

Date: December 12, 2005
Source: Computer Crime Research Center


... presentation;

· software and hardware tools for unauthorized access.

The objective element (actus reus) of these crimes is intrusion into an AS, or the dissemination of hardware and software tools for unauthorized access to an AS, where this can cause the defacement or destruction of information or its carriers.

The subjective element (mens rea) is characterized by intent with respect to the acts committed by the accused. The offender's mental state as to the result, i.e. the defacement or destruction of information or its carriers, may be direct intent, indirect intent or negligence. For the dissemination of software and hardware for unauthorized access to an AS, only direct intent applies, since the mens rea of that crime concerns the accused's mental state toward the act itself. Motives and objectives vary, and it is common for an AS to be intruded upon in order to commit other crimes.

The peculiarity of crimes involving the dissemination of software and hardware for intruding into an AS is that the objective element consists of the criminal act itself, irrespective of whether any damage, i.e. defacement or destruction of information or its carriers, was caused.

The peculiarity of crimes involving breaking into an AS is that, besides the various acts against the AS, the mandatory indications of their objective element also include defacement and destruction, i.e. a disturbance of the integrity of information (destruction, defacement, modification and annihilation), and a causal relationship between the conduct and the result.

Intrusion into an AS means any malicious and intentional act [2] that influences the processing of information by the AS, i.e. the entire set of operations (storage, input, recording, transformation, reading, preservation, deletion, registration) performed using software and hardware, including data exchange over transmission channels. An attack against an AS disturbs the AS and defaces information processing, which in turn leads to the defacement and annihilation of information and its carriers.

Annihilation of information is the loss of information: individuals and legal entities with a full or limited right to the information can no longer use the information held in the AS. Blocking of information should also be treated as annihilation, i.e. an AS user attempting to access the system is denied service (a well-known example of such an act is the Distributed Denial-of-Service (DDoS) attack). Disturbance of an AS can also harm information transmission channels, including the channels connecting the information processing and storage hardware within an AS and between separate ASs. As a result, information transmitted for processing is erased or defaced.

Defacement of information should be understood as changing its content or disrupting its integrity, including its partial destruction.

The subject of such crimes can be any individual liable to prosecution who has reached the age of 16, including an AS insider charged by the AS owner or the owner's representative with managing and servicing the AS. A special subject is most often the personnel servicing the AS, its users and other insiders whose professional duties involve information handling and information services. Organized groups, once formed, engage computer experts, managers and other executives in their activities. Members of a criminal group can reside in various places and in different countries.

When discussing the difficulties law enforcement faces in practice, the peculiarities of investigating cybercrimes must be taken into account, including examination of the scene, search and seizure, interrogation of victims and witnesses, and expert examination. To be admissible as evidence, facts must be obtained from sources in compliance with the rules of the criminal procedure code.

Another critical factor is the lack of suitably trained staff to prevent and combat cybercrime. As discussed above, cyber offenders are highly qualified practitioners, so-called intellectual criminals. Unfortunately, law enforcement officers are not able to carry out effective and reliable incident response. The check-up materials and criminal cases (where they are initiated at all) are not legally sufficient, and criminals remain unpunished. It is therefore essential to engage computer professionals in cybercrime investigation. International law enforcement experience corroborates this need.

Here we consider the procedure for collecting evidence when investigating cybercrimes.

Examination of the scene. On arriving at the scene, investigators must take measures to ensure the safety of computer information and peripheral storage. It is necessary:

· to prohibit the on-site personnel from accessing computer equipment;

· to prohibit the on-site personnel from switching off computer equipment;

· if the premises have been disconnected from the electricity supply, to switch off all computer equipment in the premises under search before the examination begins;

· not to perform any manipulation of computer devices whose outcome is unpredictable;

· to remove dangerous agents, materials and devices (electromagnetic, explosive, toxic and other) from the premises under examination.

Once these mandatory measures have been implemented, one can proceed to examine the scene and collect physical evidence. In doing so, the following should be taken into account:

· attempts by insiders to damage computer equipment in order to erase information, if the personnel are involved in the crime;

· special anti-access security measures in a computer system that automatically erase all information if a certain code is entered at a fixed time;

· other anti-access security measures.

Search and seizure of physical evidence. When searching for and seizing computers, storage media and information, the common problems arise from the specifics of the hardware. It is of paramount importance to take precautions against offenders' attempts to destroy physical evidence. For example, offenders may use special hardware that, at the critical moment, generates a strong magnetic field that destroys magnetic recordings. A well-known case illustrates the problem: a hacker set up such a magnetic field in a doorway, so that magnetic media were erased as they were carried out. Any offender can write software that makes a computer periodically demand the correct password and otherwise annihilates all data on the computer within seconds. Sometimes sharp-witted users install hidden commands that destroy or archive critical information under a password if a certain start-up procedure known only to them is not carried out.

Given the features of physical evidence in cybercrime cases, including its search and seizure, the seizure and analysis of computer information must come first. Since the search and analysis of information and software always require special knowledge, an expert should conduct the subsequent investigation.

Analysis and seizure of computer information is carried out both in random-access memory (RAM) and on storage media: hard disk drives (HDD), mirror disks, diskettes, magnetic tapes and others. Remember that switching off a personal computer (PC), or quitting a program without saving its data, clears and destroys everything held in RAM. The simplest and most effective way to preserve data held in RAM is to print the information out.

As is well known, information on an HDD is filed and ordered in catalogues (directories). It is necessary to search for "hidden" files and archives that may hold important information. When files are found to be encrypted or password-protected, they should be decrypted and decoded by the respective experts.

Just as with RAM, when information is found on an HDD it should be printed out and attached as an enclosure to the examination record. Extraction of e-mail data from a "mailbox" can be conducted under the rules for the seizure of postal correspondence.
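The two preceding paragraphs describe what the expert looks for on a seized disk (hidden files, archives, password-protected files) and that every finding must be fixed in the examination record. The following Python script is an added example of such a first pass; it is not part of the original article and not a tool of the Computer Crime Research Center. It walks a directory tree, flags hidden files, recognizes archives by their leading bytes rather than by file extension (so a renamed archive is still found), counts ZIP entries whose header marks them as encrypted and therefore in need of a password, and records a SHA-256 hash of every file so the record can later be checked against the seized media. Assumptions: "hidden" means a path component starting with a dot (the POSIX convention; Windows hidden attributes are not examined), the magic-byte table is a small illustrative one, and the sample tree is constructed inline. Because the standard zipfile module cannot write encrypted entries, the sample's "encrypted" ZIP is produced by setting the encryption flag bit in a normal ZIP by hand.

```python
"""Added example: first-pass triage of a seized directory tree for the examination record."""
import hashlib
import os
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Leading bytes of common archive formats (assumption: illustrative, not exhaustive).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}
ZIP_FLAG_ENCRYPTED = 0x1  # general-purpose bit 0 in ZIP local and central headers


@dataclass
class Finding:
    path: str                    # relative to the examined root
    size: int
    sha256: str                  # integrity value to fix in the examination record
    hidden: bool                 # a path component starts with "." (assumption: POSIX convention)
    archive_type: Optional[str]  # from magic bytes, None if not an archive
    encrypted_entries: int       # ZIP entries that will need a password / an expert


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def detect_archive(path: Path) -> Optional[str]:
    """Classify by content, not extension, so 'notes.dat' that is really a ZIP is found."""
    with path.open("rb") as f:
        head = f.read(8)
    for magic, name in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def count_encrypted_zip_entries(path: Path) -> int:
    """Entries with flag bit 0 set are encrypted; infolist() reads the flags without a password."""
    try:
        with zipfile.ZipFile(path) as zf:
            return sum(1 for info in zf.infolist() if info.flag_bits & ZIP_FLAG_ENCRYPTED)
    except zipfile.BadZipFile:
        return 0  # magic matched but the structure is damaged; leave it to the expert


def triage(root: Path) -> List[Finding]:
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # never follow links out of the examined tree
            rel = p.relative_to(root)
            archive = detect_archive(p)
            enc = count_encrypted_zip_entries(p) if archive == "zip" else 0
            findings.append(Finding(rel.as_posix(), p.stat().st_size, sha256_file(p),
                                    any(part.startswith(".") for part in rel.parts), archive, enc))
    return sorted(findings, key=lambda f: f.path)


def mark_zip_entry_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption flag in a single-entry ZIP written by zipfile (constructed sample only).
    Local header flags sit at offset 6; central directory flags at offset 8 of the PK\x01\x02 record."""
    buf = bytearray(zip_bytes)
    buf[6] |= ZIP_FLAG_ENCRYPTED
    buf[buf.find(b"PK\x01\x02") + 8] |= ZIP_FLAG_ENCRYPTED
    return bytes(buf)


def build_sample_tree(root: Path) -> None:
    """Constructed stand-in for a seized disk: a file, a hidden copy of it, a plain ZIP,
    and a ZIP with an encrypted entry renamed to look like a data file."""
    (root / "report.txt").write_bytes(b"quarterly figures\n")
    (root / ".hidden").mkdir()
    (root / ".hidden" / "report_copy.txt").write_bytes(b"quarterly figures\n")
    with zipfile.ZipFile(root / "docs.zip", "w") as zf:
        zf.writestr("a.txt", "plain")
    with zipfile.ZipFile(root / "tmp.zip", "w") as zf:
        zf.writestr("secret.txt", "locked")
    (root / "notes.dat").write_bytes(mark_zip_entry_encrypted((root / "tmp.zip").read_bytes()))
    (root / "tmp.zip").unlink()


def run_demo() -> List[Finding]:
    with tempfile.TemporaryDirectory(prefix="seized_") as d:
        root = Path(d)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.sha256[:16]}  {f.size:>6}  hidden={str(f.hidden):5}  "
              f"archive={f.archive_type or '-':5}  encrypted={f.encrypted_entries}  {f.path}")
```

Run against a mounted copy of the seized media, never the original, and keep the printed manifest with the examination record: the hashes let anyone later confirm that the files examined are the ones that were seized, and the encrypted-entry count tells the investigator which items go to the decryption expert mentioned above.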

Extracting, transporting and preserving material evidence, including PCs and magnetic media, requires particular care. They must be protected from shocks, high temperature, moisture and tobacco smoke, all of which can cause data, information and device characteristics to be lost. During the search and examination, an expert should also remember to collect traditional evidence, for example fingerprints on the keyboard, switches and elsewhere. All devices of a given computer should be examined. Analyzing the results with the assistance of an expert will help to reconstruct the crime and obtain important evidence.

The optimal procedure for seizing a computer and magnetic information carriers is to register them at the place of examination and pack them so that the equipment can be reassembled successfully, correctly and accurately, exactly as it was found at the scene, whether in the laboratory or at any other place of examination. An expert should bear in mind that a given hardware and software environment is of limited use: if the environment is disturbed, or there is no record of its exact configuration (including at the place where it was found), this can affect not only the effectiveness of the examination during the investigation but also the court's evaluation of whether the evidence suffices to establish that a crime was committed. Thus, by examining the kind of software on the computer, an expert can determine the tasks for which the computer was used. For instance, if the computer has network software...



Copyright © 2001-2013 Computer Crime Research Center