Computer Crime Research Center


Computer crime trace: finding and evaluating

Date: December 12, 2005
Source: Computer Crime Research Center


... if the computer has network software and a modem link, this is evidence that an intruder using such an AS can obtain unauthorized access to any remote computer.

A hardware and software examination (HSE) is ordered during prosecution, and in the cases provided for by Articles 75 and 76 of the CCU [10], to conduct the following examinations:

· Establishing whether a given computer system or network conforms to the standard, and examining the system with special tests.

· Material evidence examination, which must involve the following:

- Identifying the source, sort, and means of data input, output and processing;

- Detecting whether software tools were changed or supplemented;

- Restoring files if damaged or erased;

- Restoring magnetic and other information carriers if damaged;

- Determining the date on which certain software fragments were executed;

· Identifying the author of the software and its functions (virus or other), and establishing the fact of its interpretation and the limits of compilation enabled.

While the chief requirements of the HSE are being carried out, some supplementary tasks can also be fulfilled:

· Evaluating the value of computer equipment, peripheral devices and software products, and examining the contracts for delivery of these items;

· Establishing whether certain individuals are competent experts in programming and computer technology;

· Translating documents with technical content (under certain conditions).

Because the examination of computers and information carriers presupposes seizing various documents, the investigation also requires a criminalistic examination. Dactyloscopic examination makes it possible to identify fingerprints on the documents, computer parts and carriers.

Since search and seizure of real evidence in cybercrime cases requires special knowledge, professionals should carry out these activities using the appropriate means and methods. The Criminal Procedure and Criminalistics Department of the Humanitarian University “Zaprozhsky State and Municipal Administration” and the Ukrainian Information Security Center developed the Technical Task "Development of the working place for the expert in cybercrimes investigation – expert working place (EWP)". The EWP is an up-to-date software and hardware means of conducting criminalistic examination, and its development and implementation allow the following problems to be solved:

Criminalistic examination:

· interpreting computer information in the case;

· interpreting complex terminology and documents of technical content;

· restoring, if possible, files and records erased from an information carrier, and detecting whether information was erased or modified;

· identifying whether the date and time were changed and whether certain records on information carriers and files were installed on the computer;

· deciphering, if possible, encrypted information;

· detecting attacks on archives and documents protected by password access;

· printing necessary information and non-text documents contained on the hard disk drive (HDD) and external magnetic carriers;

· determining the developer, the place of production and the information technology means used to produce documents;

· evaluating the technical condition of the computer device and other IS facilities;

· stating the value of computer and peripheral facilities, magnetic carriers and software products;

· assessing the level of proficiency of the relevant practitioners in programming and IS security.



Experts who apply WRE can answer the following questions:

· What programming facilities are installed in the IS? Is it possible to perpetrate the action with which the accused is charged?

· What information resources did the IS user work with?

· Are the detected files copies of information in a certain IS?

· Are the detected documents ones that were created in a certain IS? If so, were they afterwards erased in the IS?

· When (day, month, hour, minute) and on which IS (whose workplace?) did an individual (i.e. who, and using whose access password) work with certain information on the IS?

· Does a virus cause the alteration of the information? If so, what virus? What effects does the virus have (erasing, copying, modifying, transferring information, and other)?

· Do the submitted files (or IS) and programs contain “program marks”? If so, what “program marks”? What effects do they have (erasing, copying, modifying, transferring information, and others)?

· Are the documents presented on paper the records that were afterwards typed by a specific IS user into specific electronic documents?

· Was the computer information subject to erasing, modifying, and copying?

· What IS operational regulations (security policy) exist in the information system? Were the regulations broken (working on the IS outside working hours, unauthorized connection of a modem to the IS, installation of unauthorized software, and other)?

· Did violations of the operational regulations cause the erasing, modifying and copying of information?

· To what electronic address was the specific information transmitted without authorization (including the person who obtained the information), and what information was transferred?



In conclusion, it should be noted that the adoption and deployment of new information technologies gave rise to new categories of crime, ranging from AS disruption to unauthorized access to computer information. Because of the mechanisms and means of its commission and concealment, cybercrime has particular features, including high latency: many offenders remain unprosecuted, and certain categories of crime are transnational in character.

Given the relative novelty of the problems that have arisen and the rapid informatization of society, law enforcement faces complicated problems in combating this new social and legal phenomenon, in particular the problem of its identification and investigation. At present cybercrime is outside the scope of law enforcement control. In the XXI century it can put national and international security at risk.



1. R. A. Kaluzhnyi, V. D. Gavlovskyi, V. S. Zcymbaluke, M. V. Guzcaluke. Issues as to the concept of reforming information-related legislation of Ukraine // Law, statutory and metrological providing for information protection in Ukraine: Materials of international scientific and practical conference. — K, 2000. — P. 17-21.

2. Criminal Code of Ukraine: Official text with amendments dated by February 1996. — Kiev: Ukrainian State Law Information Center, Ministry of Justice, 1996. — 224 pp.

3. Law of Ukraine “On AS information protection”. // Release of Supreme Rada/#31/1994 — 286 pp.

4. Statement for the Record of Louis J. Freeh, Director, Federal Bureau of Investigation, on Cybercrime Before the Senate Committee on Judiciary Subcommittee for the Technology, Terrorism, and Government Information, Washington, D.C. — 28 March 2000.

5. Analytical Review by NCB of Interpol in Ukraine “On anti-cybercrime experience of the law enforcement of the USA”. The Information of the Ministry Interior of Ukraine, April 4, 1997 — p. 2-4.

6. In Ukraine a first bank robbery through computer has been disclosed. — Facts/#126/July 13, 1999/p. 2.

7. Constitution of Ukraine, June 28, 1996. — Kiev/1996.

8. Law of Ukraine “On Information” // Verhovna Rada of Ukraine Reports (VRR). — 1992/#48/p. 650.

9. Criminal Code of Ukraine: the Draft developed by the Cabinet of Ministers, Ukraine. — Kiev/1997 — 138 p.

10. Criminal Procedure Code of Ukraine. — Kiev: Jurnicom/1995/p. 639.

