Computer Crime Problems Research Center

by Natalya Akhtyrskaya


Classification of crimes in the sphere of computer technologies as individual and pesthole
(methodological questions of investigation)


The processes of world globalization have captured practically all spheres of human activity: the economy, culture, the information space, technology and management. This makes it possible to speak of the development of an open information society, which is characterized by networked interaction between people in all areas of their activity. The results of this process are the creation of virtual companies, whose employees can be in different places around the world and do business jointly through a "virtual office"; the emergence of a new type of mass media; the development of electronic commerce; and the emergence of "individual advertising". To use the advantages of an open information society, it is necessary to be a member of an information network and to have the corresponding infrastructure and modern means of communication. These factors are a necessary condition for Ukraine to share in these achievements. At the same time, new information technologies have brought to life a new kind of crime, which scholars call crimes of the "new generation" (Matusovskij G.A.): computer crimes.


From the beginning of the 1990s, law enforcement bodies of states all over the world began to notice a significant spread of criminal activity. It must be recognized that, alongside the trends toward globalization, the fall of the Warsaw Pact, the unification of Europe, and border and customs control, the development of the information technology sector became a factor in this "criminal spread". Organized crime, possessing significant financial resources, not only began to use information technologies before the law-enforcement agencies of states around the world did, but also used them "more professionally" by drawing information technology experts into criminal activity. This is especially relevant for Ukraine. It is obvious that an effective fight against organized crime requires tools that are, if not better, then at least equal to the level of the tools used for criminal purposes.


Today, organized criminal groups use information technologies for:


- Illegal activity in the credit and financial sphere (illegal operations with electronic payments, counterfeiting of credit cards, illegal transactions over the Internet, penetration into the information systems of credit and financial institutions, and entry and alteration of data in them);

- Illegal transactions and communication between criminal elements by means of commercially available information technologies (fast communication and transfer of information using satellite, cellular, facsimile and paging services);

- Penetration into confidential archives and state databases, and entry and alteration of data in them (for example, special archives of the Ministries of Defence, databases of the State Committee of Statistics, databases of law enforcement bodies).


Crimes in the sphere of information technologies are transnational. More than four million Russians are regular Internet users. Not only is the number of new users growing, but so is the number of crimes committed by Russian users (according to data of the Governing Service to safety, there were about 400 in 2000). Although the majority of these crimes are committed by a group of persons by prior agreement or by an organized group, criminal intent, as well as the elements of the crime, are in many cases extremely difficult to prove within the framework of the existing system of criminal-law rules. Unfortunately, because of the huge share of latent crime in the sphere of information technologies and the relative novelty of the elements of "information crimes", law enforcement bodies until recently paid no attention to the problems of fighting crime in this sphere, despite the tendency for the crimes committed to become more serious; now, however, they have real legal tools for fighting organized crime in the sphere of information technologies.


As is known, crimes of this group cause significant material damage and have a high degree of latency. Research has established that only 10-15% of the crimes committed in the field of information become known. In addition, a tendency has emerged for organized criminal groups to use information technologies and to extend their activity to the interstate level. The world community is extremely worried about the state of protection of national information resources, which can become a channel for future illegal encroachments on information. Today it is probably necessary to raise the question of adopting a corresponding international Convention on the prosecution of citizens who have committed information crimes, regardless of national borders, as is done, for example, with persons who have hijacked aircraft, by applying the universal principle of the operation of criminal law in space.


Taking into account that informatization leads to the creation of a single information space, it is necessary to reconsider some approaches to the technique of investigating this kind of crime. With the help of computers, people handle information in the interests of national defense, transfer billions of dollars over the networks of financial organizations, carry out medical procedures and control the movement of passenger aircraft. A computer user who gains control over these systems can cause huge damage both to the systems and to people.


Some kinds of sabotage are obvious. In January 1995 someone switched off the computers supporting the lives of more than 12 patients in one of the hospitals of London. They were saved only through the heroic efforts of the medical personnel, who supported their lives manually until the computers were switched on again. Other, less obvious kinds include the introduction of a virus into an organization's computer. An unsuspecting employee finds a new free software package which, in her opinion, can make her job easier, and which contains a virus. She copies the program and the next day loads it onto her work computer at the office; the virus immediately spreads to all computers on the local area network, which can potentially lead to the loss of valuable files and programs.


Considering the structure of the general theory of criminalistics, one can note that its content consists of a system of individual criminalistics theories, which reflect separate elements (or groups of elements) of the subject of criminalistics and are inextricably linked with one another. This system, while a closed conceptual system, is at the same time an open one: the number of its theories is final only for the present, since the development of science presupposes the emergence of new individual criminalistics theories. Emerging individual theories can replace existing ones, becoming their development or continuation, or the result of the integration or differentiation of theoretical knowledge.


Defining the subject of each criminalistics theory is connected with dividing the general subject domain of criminalistics. The existence of cognitive methods for such division is therefore a necessary precondition for the emergence of any individual theory. In characterizing the value of individual theoretical constructions, it should be noted that they are used to organize knowledge in a given area of science, to establish connections between various branches of knowledge, to develop a common point of view, to refine the concepts and principles produced, as a method of solving certain kinds of problems, or as a means of creating the conditions for deriving proofs and for applying the mathematical apparatus.


Individual criminalistics theories can differ in how general their subject is. They can be "more general" or "less general", reflecting accordingly a larger or smaller subject domain and a more or less significant group of phenomena and processes. For example, the theory of criminalistics identification has a greater degree of generality than the theory of graphic identification, since it considers laws and concepts common to graphic identification and, for example, to traceological identification. It is no accident that the legal literature uses the term "general theory" to express a higher degree of generalization of positions that are then realized in all their individual modifications.


From the point of view of logic, an individual criminalistics theory can be thought of as a functional system with definite modes and laws of functioning. Such a theory, as a component of science, is in logical terms a set of propositions that meet the following conditions:


- Their cognitive role should be to fix the basic connections (laws), properties and relations of objects;

- Each proposition should have the logical form of a statement, that is, it affirms (or denies) something about an object, situation or process;

- The propositions should be derived deductively.


The technique of investigating crimes is initially formed from the analysis and generalization of the elements of the criminalistics characteristic, which is a system of data on the person of the criminal, the ways of preparing, committing and concealing crimes, the place and time of the criminal event, etc. In the field of computer information, the ways of criminal activity can be divided into two big groups. The first group of criminal acts is carried out without the use of computer devices as a tool for penetrating information systems or influencing them. It can be:


- Theft of machine data carriers as elements of the computer;

- Use of visual, optical and acoustic means of surveillance of the computer;

- Reading and decoding of various electromagnetic emissions of the computer and its supporting systems;

- Photographing information during its processing;

- Making paper duplicates of input and output documents, copying of listings;

- Use of visual, optical and acoustic means of surveillance of persons connected with the information the offender needs, and interception of their conversations;

- Entering into direct contact with persons connected with the information the offender needs and obtaining the necessary data under an invented pretext.


Such actions are characterized by a local pattern of traces, determined by the standard understanding of the scene of the incident (the place where the criminal actions are committed and the location of the object of the criminal encroachment are close to each other or coincide), and by traditional methods of examining them.


The second group of criminal acts is carried out with the use of computer and communication devices as a tool for penetrating information systems or influencing them.


A distinctive feature of this kind of criminal activity is that the place where the criminal acts are directly committed and the place where their results are observed and materialize can be a significant distance apart. It can be:

- Wrongful access to computer information: gaining the opportunity to become acquainted with and carry out operations on another party's information held on machine carriers, i.e. actions aimed first of all at violating the confidentiality of information;

- Creation and distribution of malicious programs that violate the integrity of information or are aimed at violating its confidentiality;

- Actions involving violations in the use of equipment that have entailed a violation of the integrity and (or) confidentiality of information.


A malicious program is any program specially developed or modified for the unauthorized destruction, blocking, modification or copying of information, or for disrupting the normal operation of a computer.


Actions with malicious programs include:

- Statement of the problem;

- Definition of the environment in which the program will run and of its purpose;

- Choice of the means and languages for implementing the program;

- Writing the text of the program itself;

- Debugging the program;

- Launch and direct operation of the program.


In the sphere of computer information, the conditions in which crimes are committed are characterized by a number of essential factors. Typical of it is the mismatch between the place where the illegal actions are committed and the place where the socially dangerous consequences occur.


The crimes considered are committed, as a rule, in a specifically intellectual area of professional work. All these crimes are usually committed in conditions of various violations of the established procedure for working with a computer, which persons learn about in the course of their vocational training. For offenders in this area, the mechanism of possible violations of the rules for using information resources, and its connection with the events that entailed the criminal result, is clear. In this connection it is expedient to speak of the need to create an individual theory and technique for investigating professional crimes.


Professional criminality is, by A.I. Gurov's definition, the set of crimes committed for the purpose of obtaining a main or additional income by persons characterized by criminal professionalism.


A criminal trade can be considered a kind of activity that presupposes a certain criminal training (specialization and qualification) necessary for committing and concealing crimes.


Criminal professionalism is a kind of criminal occupation that:

- Is a source of livelihood for the subject;

- Requires the knowledge and skills necessary to achieve the ultimate goal;

- Entails certain contacts with the antisocial environment;

- Determines a stable kind of criminal occupation (the commission of mainly homogeneous crimes).


Criminal professionalism is a kind of stable, deliberate and organizationally prepared social parasitism. It makes it possible to prepare and commit a crime and cover its traces skilfully and, as a rule, to escape criminal liability and have a constant material income.


Specialization is defined as a kind of occupation within the framework of one trade. Criminal specialization is the possession of limited professional skills directed at the skilful preparation, commission and concealment of the same or similar crimes of a mercenary nature.


The perfection of the subject's criminal trade, together with the passage of a certain path in life connected with achieving fame and authority in the criminal world, should be defined as a criminal career. Each professional criminal generally knows others like himself. A successful criminal is proud of his trade and has a distinctive criminal way of thinking, and this does not depend on his general level of education.

The commission of some serial computer crimes gives grounds to conclude that criminal activity should be divided into individual and pesthole (or systemic).


By universality and scale of distribution, computer networks can be divided into three groups:

1. The global computer network, the Internet, is a worldwide network whose information and intellectual content covers all spheres of human activity.

2. National computer networks are, as a rule, created within one country and filled with information and knowledge relating to a certain field of that country's activity. The most widespread examples of such networks, created in many advanced countries of the world, are national science and education networks, networks relating to space activity, and special-purpose networks. In Europe in particular there are 23 scientific and educational networks. They are united in all-European scientific networks, the main ones being GEANT and SINSEE (Scientific Information Network South East Europe).

3. Corporate computer networks are created for a group of companies or organizations and filled with data and knowledge relating to the specific sphere of their activity.


Considering the scale of the global Internet, a surge in crimes in the sphere of information technologies should be expected, given that the total number of its individual users has now exceeded 800 million, and the number of so-called hosts (main servers), 197 million. It is important to note that these figures were predicted only for the end of 2003.


The study and critical analysis of domestic and foreign criminalistics literature and of sources from other branches of knowledge, together with research into and generalization of investigative practice in fighting series of similar crimes (including those in the sphere of information technologies), make it possible to formulate the concept of pesthole crimes. It is a set of deliberate, homogeneous criminal encroachments whose similarity is determined by a system of objective criteria, criminal-law and criminalistics attributes (similarity of territorial and temporal characteristics, and of the way of committing and concealing the criminal acts and their traces), which make it possible to put forward versions that the crimes were committed by the same person or the same group of criminals.


In this definition, attention should be paid to the probabilistic character of the conclusion regarding a crime center of a specific type. Crime centers can be homogeneous, consisting of only one kind (sort) of crime, or complex (combined), arising from a set of criminal encroachments of various kinds and sorts that are similar to one another in their criminal attributes.


Pesthole computer crimes should be divided into groups on several bases:

- By generic, specific and group membership;

- By their operative importance;

- By territorial prevalence;

- By degree of intensity and dynamics of development.


Such a classification makes it possible to take a differentiated approach to crime centers of various sorts and to single out those that have criminalistics value as objects around which separate techniques of crime investigation should be developed in the future. For diagnosing a crime center, the most fundamental thing is the correct resolution of the question of which criteria the investigator or operative officer can use. We propose to call these criteria significative attributes.


Significative attributes not only indicate the presence of the specific elements of a crime and characterize the criminal act from the criminalistics standpoint, but also serve as criteria of both a criminal-law and a criminalistics nature that make it possible to put forward and test the version that a crime center exists, that is, to unite the revealed set of crimes into a single whole, a center, on the basis of similarity, since there is an assumption that they originate from the same people.


From the procedural point of view, this can be reflected in the joinder of criminal cases, and of materials from checks of reports and statements about similar crimes, into one.


It is expedient to classify the significative attributes of computer crimes on the basis of a study of the criminalistics characteristics of this kind of crime. The classification should take the following form:

- Attributes indicating the use of similar or identical ways of committing or concealing crimes;

- The main source of information on them is the same traces;

- Attributes indicating the uniformity of the conditions in which the crimes were committed;

- Similar attributes relating to the characteristics of the objects and subjects of the criminal encroachment;

- Similar attributes relating to the person of the victims;

- Similar attributes relating to the person of the criminal (professionalism).


In the practice of the Odessa Scientific Research Institute of Judicial Examinations there has been more than one case of an examination concerning a threat of a terrorist act made over the Internet, when messages of a menacing character were sent from a separate personal computer or a workstation on a local area network.


The investigative bodies raised the question of whether the personal computer had accessed a specific mail site on the Internet during a certain time.


The main difficulty in carrying out such examinations is that the computer has been switched on before it is submitted for examination.


Let us consider one aspect of carrying out such an examination, using the example of the Windows 98 operating system and the Microsoft Internet Explorer 5.0 browser used to connect a personal computer to the Internet.


Microsoft Internet Explorer saves information about visits to Web pages in the History, a special facility for storing the chronological sequence of work on the Internet. The storage period (in days) is set when the browser is configured (Start - Control Panel - Internet Options - General - History). In the system registry this value is stored in the DaysToKeep parameter, located in the HKEY_CURRENT_USER branch (in the case examined, the value was twenty days).

While Microsoft Internet Explorer is in use, subdirectories (folders) whose names are formed from the start and end dates of a storage period are created in the catalogue on the hard disk. In each folder an index.dat file is created with structured data containing links to the addresses of Internet pages, the date they were accessed and the name of the computer (the name of a structure) from which the access was made.


Thus, by the end of the current week folders corresponding to each day of the week will have been created, and the data for the preceding period are consolidated into weekly folders if the storage period for links to Web pages exceeds seven days.


Microsoft Internet Explorer maintains the History in such a way that folders with dates beyond the storage period are deleted, and folders corresponding to the new time period are created in their place. When deleted data are recovered (if that is still possible), the correspondence between files is not restored and, hence, the natural form of the History for the corresponding period is not restored either. Information about visits to Internet sites can then be examined only by analysing the binary code of these files.


Thus, if the computer is switched on after seizure, information of interest to the investigation can be lost, and it will not be possible to restore it. In our opinion, to prevent this situation, experts from forensic institutions should necessarily take part in the seizure of computer equipment and in pre-investigation actions involving it.
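The loss described above can be estimated from a directory listing of a forensic image, without starting the seized machine. The following Python code is an added example, not part of the original article or of any tool it mentions; it assumes the dated History subfolders are named `MSHist01` followed by the start and end dates as `YYYYMMDD`, models the purge rule only as the text describes it, and uses constructed folder names and dates.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Assumption (not stated in the article): each dated History subfolder is
# named "MSHist01" + start date + end date, both written as YYYYMMDD.
FOLDER_RE = re.compile(r"MSHist01(\d{8})(\d{8})")


@dataclass(frozen=True)
class HistoryFolder:
    name: str
    start: date  # first day covered
    end: date    # day after the last day covered

    @property
    def kind(self) -> str:
        span = (self.end - self.start).days
        return {1: "daily", 7: "weekly"}.get(span, "other")


def parse_folder(name: str):
    """Return a HistoryFolder, or None for entries that are not dated folders."""
    m = FOLDER_RE.fullmatch(name)
    if not m:
        return None
    try:
        start = datetime.strptime(m.group(1), "%Y%m%d").date()
        end = datetime.strptime(m.group(2), "%Y%m%d").date()
    except ValueError:  # eight digits that are not a calendar date
        return None
    return HistoryFolder(name, start, end) if end > start else None


def purged_on(folders, days_to_keep: int, power_on: date):
    """Model of the rule in the text: a folder whose whole period lies beyond
    the storage period (DaysToKeep) is deleted when the browser next runs."""
    cutoff = power_on - timedelta(days=days_to_keep)
    return [f for f in folders if f.end <= cutoff]


def assess(names, days_to_keep: int, date_of_interest: date, power_on: date):
    """Which folders cover the date under investigation, and which of them
    would be lost if the computer were switched on at power_on."""
    parsed = [parse_folder(n) for n in names]
    folders = sorted((f for f in parsed if f), key=lambda f: f.start)
    covering = [f for f in folders if f.start <= date_of_interest < f.end]
    doomed = purged_on(folders, days_to_keep, power_on)
    return {
        "covering": [(f.name, f.kind) for f in covering],
        "lost_if_powered_on": [f.name for f in covering if f in doomed],
        "ignored": [n for n, f in zip(names, parsed) if f is None],
    }


# Constructed listing: three weekly folders, three daily folders and one
# unrelated entry, as they might appear on a machine seized on 2002-07-10.
SAMPLE_FOLDERS = [
    "MSHist012002061720020624",
    "MSHist012002062420020701",
    "MSHist012002070120020708",
    "MSHist012002070820020709",
    "MSHist012002070920020710",
    "MSHist012002071020020711",
    "desktop.ini",
]

if __name__ == "__main__":
    threat_sent = date(2002, 6, 20)  # constructed date of interest
    for power_on in (date(2002, 7, 10), date(2002, 7, 15)):
        # 20 is the DaysToKeep value from the case described in the text
        print(power_on, assess(SAMPLE_FOLDERS, 20, threat_sent, power_on))
```

With the twenty-day storage period from the case, the weekly folder covering the constructed date of interest is intact on the day of seizure but falls outside the period if the machine is first switched on five days later.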


The main tasks of a technical expert examination in such cases are: establishing the characteristics of the computer equipment, its quality, and the nature and causes of any defects; establishing whether a specific system is part of a certain computer network; establishing the technical possibilities for abuse in computer systems and the facts of such abuse; establishing the facts of violation of the operating rules for computer equipment, the circumstances that contributed to them and the negative consequences of the violations; identifying the officials obliged to ensure information security; determining the measures actually taken and those needed to prevent the incorrect functioning of computer equipment and the various abuses connected with its use.


The objects of research in such an examination can be:

- Computers;

- Their separate parts;

- Magnetic information carriers;

- Computer programs;

- Schemes for creating information files;

- Documents reflecting the operation of automated information systems, including primary and output documents.


The expert may need materials from the investigation of the corresponding criminal case, namely the report of the inspection of the scene of the incident and the testimony of persons involved in operating the computer equipment. Materials of a departmental investigation may also be of interest.


Depending on the nature of the questions, designers of computer equipment, specialists in its operation and in protecting information against criminal encroachments, and programmers can be involved as experts.

Experts of the required profile should be sought among employees of scientific research institutes and design offices that design computer equipment, at enterprises that manufacture or service computer systems, in educational institutions that train the corresponding specialists, and in the territorial centers that determine policy in the field of information and communication.


It is necessary to make additions to the current Provision on the procedure for appointing and carrying out judicial examinations in Ukraine, approved by the Ministry of Justice on 08.10.1998, concerning the appointment and conduct of such examinations for crimes in the sphere of information technologies; in particular, to define correctly and uniformly the name of the examination, the circle of persons involved in carrying out diagnostic and identification examinations, the cases in which repeat and additional examinations must be appointed and carried out, and the questions to be resolved.


When establishing the condition and functioning of computer equipment, the following questions are put to the experts:

- Does the computer correspond to its design documentation (when analysing deliveries), and if not, in what does the discrepancy consist?

- Is the computer in working order, and if not, what defects does it have and why did they arise?

- How is protection of information against unauthorized access provided in this computer system, and is that protection system reliable?

- Is the computer connected to a computer network, and if so, to which one?

- Do the development and commissioning of the system correspond to the standard (GOST)?


Ukraine, where the first computer in continental Europe was created, lags behind Russia in computerization indicators by 15-30 times. The global distribution of main servers by category of user shows that commercial organizations, service providers and institutions of science and education own more than 90% of these systems compared with all other categories. Among top-level geographical domains, the number of individual Internet users and the number of main servers are greatest in the USA, Japan, Great Britain and Germany.


In Ukraine, construction of the National scientific and educational information network of Ukraine began in 2001. It should have significant intellectual content, contain databases and knowledge bases in different areas of science and education, electronic libraries and information search systems, provide shared remote use of powerful computing resources and work in the mode of virtual scientific and educational laboratories, and carry out multiservice processing of information (graphic, video and audio).


Naturally, the individual resources of this network, named URAN, do not contain information that could constitute a state secret. But the resources of the network's users may hold various information, including restricted-access information. Unauthorized access to the aggregated information of the whole network or of a segment of it is therefore undesirable. For this reason, organizing the scientific and educational network as a national one (establishing direct communication channels between network nodes, and using the corresponding specialized software and equipment) is a necessary condition for preventing possible unauthorized access to information. On the whole, when a system of national security in the state's information space is created, networks similar to URAN should be considered segments of that system.


When it is necessary to establish the facts of abuse in a computer system, the following questions can be put to the examination:

- Was it technically possible to gain unauthorized access to the computer system from an outside computer at a certain distance, and if so, with what type of computer and in what way could this have been done?

- Were deviations from the prescribed technology of operating the computer system allowed that facilitated unauthorized penetration into the system, and if so, what were they, and what circumstances contributed to the abuse?

- Is the computer program infected with a virus, and what is its nature?

- Is it possible in this computer system to use the program while bypassing the automatic logging of its use?

- Was there a place in the computer program for the subsequent insertion of additional commands?

- Was an anti-virus program used preventively in the computer system, and if so, did it help to ensure proper protection of information?

- Were additions or changes made to a database, and if so, at what stage of information processing?

- At what time and from what terminal was the wrongful penetration into the computer system carried out?

- Were changes and additions made to the computer program, and if so, which and when?


Summarizing the numerous areas in which modern information technologies are applied in Ukraine, they can be classified as follows:

- Government and the economy;

- Ecology, environmental protection, medicine, biology;

- Scientific research and critical technologies;

- Education;

- Culture;

- Mass media;

- Internet technologies.


Among the scientific spheres where network technologies are directly applied, the following can be singled out: information technologies in the fields of ecology, environmental protection, medicine and biology. They are connected first of all with methods of assessing environmental parameters, methods of analysing and forecasting accidents, technologies for assessing the risk of ecologically dangerous industries, analysis, forecasting and decision-making in connection with emergencies, systems for designing ecological equipment, and systems of diagnostics and decision-making in medicine and biology, including the use of telemedicine technologies. After the Chernobyl accident these questions became especially acute.


To determine violations of the operating rules for computer equipment, their consequences and preventive measures, the following questions should be put:

- Were any operating rules for computer equipment violated in this case, and if so, which ones, and what circumstances contributed to the violation?

- What negative consequences did the violation of the operating rules for computer equipment result in?

- Is there a causal relationship between the harmful consequences and the violation of the operating rules for computer equipment?

- Which official, organizing the operation of the computer system, is obliged to ensure information security?

- What measures to strengthen information protection should be carried out at this facility?


A major component of the criminalistics characteristic of this kind of crime is data on the specific features of the persons who commit such offences. Without exact data, since even pesthole crimes include a share of latent offences, it is impossible to build a system of effective and, above all, targeted measures to counter this kind of crime. This opinion is confirmed in the daily work of the law enforcement bodies fighting crimes in the sphere of computer information.


In one interview with an intelligence officer, published in the newspaper "Work", it is said that cases on computer crimes often collapse, as "to reveal the person of the concrete criminal at times is just impossible". The above gives grounds to assert that the structure of criminality focused on wrongful access to computer information is not as simple as it seems at first sight. To address it, it is necessary:


1. To supplement the theory of criminalistics with a new technique for investigating computer crimes, presenting it as a module of pesthole crimes.

2. To determine the usefulness of developing such a technique with a view to determining the reduction in the rate of economic crime.

3. To define the circle of persons who take part in the investigation of such cases as specialists and as experts.

4. To amend the current Provision on the procedure for appointing and carrying out judicial examinations, outlining the powers of experts in this category of cases.

5. When integrating the Ukrainian URAN system into trans-European scientific networks, to ensure the maximum degree of protection against unauthorized disruption of the operation of global information systems.




1. Pilipchuk A.A. Problems of struggle against computer crimes // Unification of the legislation of struggle against criminality in conditions of the allied state. Moscow, 2001. p. 251.

2. Criminalistics. Edited by A.F. Volynsky. Moscow, 1999. p. 588.

3. Gurov A.I. Professional criminality. The past and the modernity. Moscow, 1990. p. 40-41.

4. Alenin Ju.P. Theoretical and practical bases of disclosing and investigation of pesthole crimes. Kharkov, 1997. p. 27.

5. Zgurovsky M. Information network technologies in science and education // The Mirror of week. #25 (400). July 6, 2002. p. 15.



Copyright © Computer Crime Research Center, 2001-2002 All Rights Reserved.
Contact the CCRC Office at 380-612-735-907