Natalia Ahtirskaya, Ph.D.
Peculiarities of search tactics during investigation of computer crimes
The tactics of investigative activity (understood as the set of the most expedient ways of carrying it out) are characterized not only by the elements that determine the general order and manner of performing investigatory actions, but also by the peculiarities of performing them in difficult, unfavorable situations, when interested persons obstruct the investigation.
Under such circumstances tactics serve as a means of overcoming counteraction, since the aims of the investigation cannot in practice be achieved without active measures and tactical methods that give it an offensive character.
Suddenness, meaning an organization of investigative work that makes the content and character of the investigator's actions unforeseeable for the opposing side, is one of these means.
Suddenness can be considered, first, as a principle that defines and reflects the offensive and operative nature of investigative activity in overcoming the counteraction offered by interested persons. In such situations suddenness has the status of a fundamental basis, an obligatory rule of activity, since the opposite approach (refusing to apply active means of overcoming counteraction) would mean disarming the investigative bodies in the face of the opposing side. Secondly, suddenness is a tactical scheme for collecting factual data in accordance with the concrete circumstances of the investigation. Thirdly, it is expressed in realizing the factor of unexpectedness under the conditions of a definite investigative situation. Nevertheless, statements that the use of suddenness in investigative activity is illegal can be found in the legal literature. They rest on the assertion that the dispute in an investigation can be resolved by mutual agreement. Thus I.F. Panteleev holds that the claim that disputes are present in investigative activity "is at variance with the essence and main principles of the criminal trial". "This idea," he points out, "favors the emergence of some methods which are not peculiar to the criminal trial and are directed at 'misinforming', 'confusing', 'surprising', 'embarrassing' the interrogated person and 'rousing a conflict' among the accomplices" [1].
In performing investigatory actions, suddenness can be achieved through different factors: the time, place, character and manner of the measures the investigator takes. A survey of convicted persons showed that in 71% of cases they were surprised by the place and time of the investigatory action; in 46.5% of cases the unexpectedness came from the very fact that the action was carried out, the circle of persons involved in it and the character of the evidence used.
Time factor. In the temporal aspect, suddenness is achieved by acting at the moment when the persons concerned neither suppose nor expect it.
The main ways of achieving it are:
1) the forestalling character of the measures taken;
2) a delay in carrying out necessary actions;
3) a repeated performance of investigatory actions.
The choice among these ways, and the opportunity to use them, depends on the stage of the investigation and on the particular investigative situation.
The forestalling nature of investigatory actions means they must be taken before the suspect who opposes the investigation learns that they may be carried out. If the person concerned already has such information, the action should be carried out at a time that excludes any possibility of taking steps that would impede the result the investigator plans.
The most favorable situation for this approach usually arises at the initial stage of the investigation, when suddenness is, as a rule, connected with the speed and urgency of investigative actions and with carrying them out (e.g. searches) simultaneously in respect of several persons. Thus 78.4% of the investigators surveyed noted that achieving suddenness depended on the stage of the investigation. According to the analysis of criminal cases, a search on the day proceedings were instituted was effective in 82% of cases, after which the effectiveness of this action dropped sharply: within three days to 25%, within ten days to 15%.
The possibilities of using the tactical methods of unexpectedness widen considerably when proceedings are instituted on the basis of evidence collected by the inquiry agency through operational-search measures. In such cases the investigator and the operational officer can study the available information in advance and determine the time, order and sequence of using it to attain the desired result. Their actions become purposeful and planned at a moment when the persons interested in obstructing the investigation do not expect them. This makes it possible to arrest all suspects at the same time, preventing them from coordinating their actions, and to search simultaneously all persons expected to oppose the investigation.
Investigators often face the need to examine computers and the information held in them and on separate carriers (floppy disks, laser disks).
During an investigatory action, computing equipment and computer information can be considered as:
1) an object of traditional crimes (for example, theft). In such cases the examination of computer hardware and information carriers is usually a variety of the investigative inspection of objects and has no special tactical features;
2) an instrument of both traditional crimes and crimes in the field of computer information. In such cases other computers are "victims of the computer attack" (e.g. through malware such as a "Trojan horse", which lets the offender take possession of information and use it for gain) and should therefore be examined;
3) an object holding information that bears, or may bear, a relation to the crime under investigation. Enterprise and industrial accounting is now kept on computers, and data recorded in this way can itself be the object of offences or be of interest to the investigation;
4) a personal tool: persons who have computers at their private or official disposal often use them as a diary or telephone directory, or for correspondence by e-mail over the Internet. This information is also of great interest to the investigation. For the last three kinds of use the tactics of inspecting computers are quite specific in every respect of interest to the investigator.
The realization of the suddenness factor has a peculiar regularity: the effect of suddenness lasts only as long as the person needs to reorder his actions and intentions and to choose means and ways of countering it. After that the suddenness stops working. Any time the investigator loses is time the suspect or other interested person gains: an opportunity to analyze the situation, choose a new line of conduct and coordinate actions with accomplices, relatives and other interested persons.
A.F. Cony wrote of such a situation: "The more sudden an impression exciting a strong emotion, the more it seizes attention and the quicker feelings overshadow the external circumstances... A danger that arises suddenly causes an unintentional exaggeration of its size and forms" [2].
At later stages of the investigation the persons concerned have, to some extent, information on the actions of the investigator and of law-enforcement officials, which allows them to forecast the officers' possible actions. Therefore suddenness in time can be achieved, first of all, by delaying investigatory actions and by repeating them.
Many persons take a delay in an investigative action for inactivity on the investigator's part, caused by a lack of relevant information or by the absence of the need or opportunity to carry it out. As a result the person relaxes, begins to behave more freely and loses his watchfulness.
There are two variants of the investigator's conduct when an action is delayed:
1) waiting for a definite period in the expectation that the suspect will perform some action that can be used to obtain evidentiary information;
2) purposefully forming in the suspect the conviction that the investigator does not plan certain investigatory actions.
When investigatory actions are repeated, suddenness relies on the fact that after their initial performance the suspect, counting on their completeness, also calms down, loses caution and performs actions that allow evidence proving his guilt to be collected.
Thus, according to the survey of convicted persons, in 88.2% of cases a repeated search was effective owing to the appearance of objects that had earlier been kept elsewhere. Repeated searches conducted some time later can be more effective because the criminals relax after the first search, and persons with whom certain evidence was temporarily deposited try to return it to its real owners as quickly as possible.
The first feature of such searches is the involvement of an expert. As a rule the investigator does not have wide experience and knowledge in the field of computers and information technology, and without a specialist's help he may commit irreparable errors while examining the equipment, locating the necessary information and/or seizing it.
A survey of investigators and computing experts showed that only 14% of investigators use computers as users, and 56% know nothing about the principles of computer operation. On the other hand, 92% of the programmers surveyed think that, at the modern level of computing technology, it is very difficult to find information "hidden" in a computer without an expert's assistance.
The participation of experts, or of persons well informed about the circumstances of the event under investigation, is also as a rule unexpected for those who oppose the investigation and favors establishing the truth: their presence makes it difficult to give false or inexact information or to maintain a position taken, and demonstrates the uselessness of any attempt to deceive the investigation. The survey of convicted persons confirms this: in 17% of cases they were surprised by the circle of persons taking part in the investigatory actions.
At the same time, when enlisting an expert the investigator should make sure of his competence. Despite the widespread contrary opinion, there is no such thing as an "expert in computers"; one can only speak of an expert who knows particular computer systems. For example, an expert in the MS DOS operating system does not necessarily know Windows NT, and a skilled user of a personal computer may be unable to handle large computing complexes.
Therefore the specific expert knowledge required should be determined according to the purposes and tasks of the inspection, with regard to the initial information on the nature of the crime.
Note also that, as mentioned earlier, people experienced with computers should take part in the examination of these objects as attesting witnesses. Their participation is required to exclude later claims by interested persons that the investigator altered the information held in the computer and on magnetic carriers during the examination.
On arrival at the place of examination the investigator should begin by barring all persons working there from access to the computing equipment. Then measures should be taken to reveal and lift fingerprints left on drive latches, power switches, the case near the screws fastening the cover, the keyboard and mouse, port connectors and network cards, and printer buttons, since criminals usually leave fingerprints in these places. In addition, unauthorized persons may enter premises where computers are installed by breaking in, by picking locks or by obtaining the passwords to electronic locks, which can also retain fingerprints. When examining cable connections it is necessary to make sure they are intact and that there are no signs of unauthorized (extra) connections.
In view of the possibility of committing crimes through telecommunications and local computer networks, it is necessary to establish the location of every computer in the network, the specific purpose of each, the presence of a server, the routing of cables, the telecommunication devices (modems, fax-modems), their location and their connection to telephone lines.
It is also necessary to ascertain whether special means of protection against unauthorized access to information are present and to take measures to establish the keys (passwords). Note that suddenness of action is often decisive here, since computer information can be destroyed quickly (including over the network); therefore, where computers are combined into a system, a group search-inspection should be organized simultaneously in all premises where they are installed.
During the inspection of computing equipment its direct objects can be: stand-alone computers that are not part of local or global networks; workstations (computers) forming a system; the file server, i.e. the central computer of the network; network communication lines; connecting cables; printers; modems; scanners and so on.
During the direct inspection of a computer, the system unit should be examined to determine which external devices are connected to it at the moment and which could have been connected earlier (the connectors on the rear of the system unit indicate this). Later this information helps to put more exact questions to the expert when an examination is ordered, shows a direction for the search and may make it easier. Thus the presence of a modem means the computer is linked to a network, i.e. it has an e-mail program and software for working with the Internet; the presence of a scanner and a connector for it means the computer's memory may hold graphic files containing a scanned image or text; a sound card indicates the possibility of processing sound and storing sound files; a floppy drive indicates that floppy disks containing information should be looked for; similarly, a CD drive indicates the need to search for laser disks; and there may be an electronic key (a compact attachment the size of a matchbox, mounted on the parallel or serial port of the computer, which protects information).
Let us now turn to the peculiarities of searching working and non-working computers.
When searching and inspecting a working computer it is necessary:
- to establish which program is running at the moment. The image on the monitor screen should be studied and described in detail in the record; if necessary, the screen image can be photographed or recorded on video;
- to stop the program and note the results of these actions in the record, including any changes on the screen;
- to determine which storage devices the computer has (hard magnetic disks (Winchesters), floppy and ZIP drives, a virtual disk, i.e. a temporary disk created when the computer starts to speed up its work) and note the findings in the record;
- to determine whether the computer has devices for remote access to the system and assess their state (connection to a local network, presence of a modem), then disconnect the computer from the network and switch off the modem, recording the results. An electronic key allows protected programs and data to be used only while it is present;
- to save any programs and files created on the virtual disk (if there are any) to a magnetic carrier or to a separate directory on the computer's hard disk;
- to save all information stored on the hard disk to a removable high-capacity medium (DVD type) or even to an extra hard disk for further study in laboratory conditions. All actions taken to connect the DVD-type medium or additional hard disk and to save the information are noted in the record. To study information on floppy disks, copies of them must also be made; an exact copy can be obtained with the DOS command diskcopy, which produces a practically identical floppy. From then on, work is done with the copies. Working with copies keeps the original information inviolable, which, first, is to some extent a protection against forgery; secondly, even very experienced users sometimes lose information (for example, through a sudden power failure), so part of the information could be lost unintentionally during the examination; and thirdly, it makes a repeated or additional examination possible later if required;
- to switch off the computer and continue the search.
Before cutting off the power, all programs running at the moment must be closed correctly and, as far as possible, all intermediate information (texts, state data, clipboard contents and the like) saved to special files, preferably on separate floppies, otherwise on the computer's hard disk. The names of these files, the kind of information saved in each and their location (floppy name and label, or logical disk and directory on the Winchester) must be noted; then the affected computer is switched off and, if there is a network, all computers in the network. If this is impossible because of how the system operates, all measures should be taken to exclude access to the information on that computer, to copy it as far as possible, and to record all changes in the information that happen afterwards.
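The steps above come down to one rule: make an exact copy, work only on the copy, and note every action and every later change in the record. The following is an added example, not code from the article; it stands in for the diskcopy step with a file-based image, and it assumes (my assumptions, not the author's) that the seized medium is available as a file or raw device path, that SHA-256 serves as the fingerprint of its contents, and that the record is kept as a JSON-lines file. The fingerprint taken before copying lets the investigator prove afterwards that neither the original nor the working copy has changed, and detects the accidental loss of data the text warns about.

```python
"""Added example (not the article's own code): make a verified working copy of a
seized medium's contents and record the action. Assumptions (mine): the medium
is a file or raw device path; SHA-256 is the fingerprint; the record is JSON lines."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large image need not fit in memory


def sha256_of(path):
    """Fingerprint of the whole medium, computed without loading it all at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def make_working_copy(original, copy_path, record_path, investigator):
    """Copy `original` to `copy_path`, verify the copy against the original by
    hash, append an entry to the record, and return the verified fingerprint."""
    before = sha256_of(original)
    with open(original, "rb") as src, open(copy_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    after_original = sha256_of(original)   # the original must be untouched by the copy
    copy_hash = sha256_of(copy_path)       # the copy must be byte-for-byte identical
    ok = before == after_original == copy_hash
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "action": "copy",
        "by": investigator,
        "source": original,
        "destination": copy_path,
        "size_bytes": os.path.getsize(original),
        "sha256": before,
        "verified": ok,
    }
    with open(record_path, "a", encoding="utf-8") as rec:
        rec.write(json.dumps(entry) + "\n")
    if not ok:
        raise RuntimeError("copy does not match the original; do not work on it")
    return before


def verify_unchanged(path, expected_sha256):
    """Re-check, e.g. before a repeated examination, that a medium still matches
    the fingerprint noted in the record."""
    return sha256_of(path) == expected_sha256


def demo():
    """Constructed sample run: a tiny file stands in for the seized floppy image."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "seized_floppy.img")
        with open(original, "wb") as f:
            f.write(b"FAT12 boot sector stand-in\x00" * 64)   # constructed content
        copy_path = os.path.join(tmp, "seized_floppy.working.img")
        record = os.path.join(tmp, "search_record.jsonl")
        digest = make_working_copy(original, copy_path, record,
                                   "investigator (placeholder name)")
        copy_ok = verify_unchanged(copy_path, digest)
        # Simulate the accidental alteration the text warns about and show that
        # the recorded fingerprint exposes it.
        with open(copy_path, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        altered_detected = not verify_unchanged(copy_path, digest)
        return copy_ok, altered_detected


if __name__ == "__main__":
    print(demo())
```

In practice the original is hashed and then write-protected or sealed, and every later examination starts by calling verify_unchanged on the copy it uses; a mismatch means the copy is discarded and a fresh one is made from the original, with that action also entered in the record.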
When examining a non-working computer it is necessary:
- to establish, and reflect in the record and in the scheme attached to it: the location of the computer and its external devices (printer, modem, keyboard, monitor); a description of every device (name, serial number); its configuration (the presence and type of drives, network cards, connectors); the presence of connections to local computer networks and/or communication networks; the state of each device (intact or with traces of opening);
- to describe exactly how the listed devices are interconnected, marking connecting cables and the ports they plug into where necessary, and only then to disconnect the devices;
- when inspecting the computer, to determine with the expert's help whether there are any extra (unauthorized) devices inside it, whether any chips have been removed, and whether the internal power source (battery) has been disconnected;
- to pack the magnetic carriers, noting in the record where each was found. Both special cases for floppies and ordinary paper or cellophane packets that protect the working surface of the floppy or magnetic tape from dust and dirt can be used;
- to pack every computer device and connecting cable. To exclude access by unauthorized persons the system unit must be sealed: protective tape is placed over the power button and the power-cable socket, and over the joints between the side panels and the front and rear panels.
If, during the inspection and seizure of computing equipment, it becomes necessary to switch on a computer, it should be booted from a boot floppy prepared in advance, so that no user programs are started.
The search record must reflect:
- the number and arrangement (with a scheme) of workplaces, computing equipment and places where machine-readable information carriers are stored;
- the location of the room within the office, the presence of an alarm, the condition of windows and doorways (technical condition, damage), locking devices and screening means of protection;
- the position of the switches on the units and devices of the computers;
- the places where external devices are connected (for example, the connecting cable between the communication ports of the printer and the system unit), the screws fastening the case cover, and the surfaces under the system unit, monitor and other devices. These places usually collect dust, so traces may be left there; their character, or their absence, is reflected in the record;
- the presence and condition of all marks, seals, special signs and stickers (inventory numbers) on the cases and computer devices, as well as dirt, mechanical damage and its location;
- the state of the indicator lamps and the data displayed on the monitor (if the computer is switched on); bear in mind that most computers use screen savers, static pictures which may be protected by a password, to prevent the screen from burning out, and the type of screen saver must also be noted in the record;
- the presence and content of any notes concerning the operation of the computing equipment; they may contain information on system start-up and shutdown procedures, access passwords and so on;
- the presence of extra (unauthorized) equipment and various devices inside the computers;
- traces of tampering with the information protection system and other signs of interference with the electronic equipment (mechanical damage);
- the place where every computer information carrier was found; the character of its packaging (envelopes, special storage boxes for floppies, foil and so on); stickers and inscriptions on the packaging; type and size (in inches); the manufacturer and type of computer the carrier is intended for; and its attributes (the state of the write-protection means, scratches, cuts and other damage).
In addition to the record, and apart from drawing a plan of the arrangement of computers and external devices in the premises and of the network connections, it is advisable to record the information on the monitor screen and the state of the indicator lamps of all devices in the system by video and photography, entering the results in the record.
Information carriers connected with the event under investigation can be seized during the inspection in the order set by the Criminal Code. It must be remembered that machine-readable carriers such as hard magnetic disks (Winchesters), optical disks, floppies and so on must be handled very carefully: do not touch the working surface of a disk with the hands; do not expose carriers to electromagnetic fields; do not bend them or store them without proper packaging; do not write on them with a fountain pen or hard pencil (explanatory notes may be made on the label with a soft-tip pen); do not punch holes in magnetic carriers or stamp them.
CH that the investigator did not consider it necessary to seize during the examination should be sealed by gluing a sheet of paper bearing the signatures of the investigator and the attesting witnesses over the power connectors and the case, or the whole system unit should be sealed. This is done to exclude the possibility of switching on and using the computer, and of access to the outside of the system unit, for whatever period the investigator requires in view of the concrete circumstances of the case.
It is useful to summarize the systems of tactical methods used in searches. Structurally, a system of methods is characterized by the presence of corresponding elements. Thus, within the system of tactical methods directed at communicating with the person being searched, the following tactical combinations are worth singling out:
1) those that help to remove obstacles and counteraction by the person being searched;
2) those that stimulate the person being searched to talk with the investigator;
3) those that help to establish psychological contact with the person being searched and obtain the information sought from him.
The tactical combination that stimulates the person being searched to talk with the investigator covers:
1) verbal reconnaissance;
2) drawing the person being searched into the activity;
3) putting "neutral questions";
4) putting "more precise questions";
5) showing definite objects of the search.
The system of tactical methods directed at carrying out search actions includes:
1) study of the search object;
2) analysis of the situation at the search site;
3) attention to the professional skills of the person being searched;
4) use of the opportunities of standard analogues;
5) analysis of the signs of the search object;
6) comparison of the search object with various objects at the search site;
7) analysis of the place/locality;
8) analysis of the evidence found.
A survey of investigators from the Office of the Public Prosecutor of Ukraine and the Ministry of Internal Affairs showed that, in their opinion, the tactical methods that contribute most to the effectiveness of a search are:
- attention to the professional skills of the person being searched (62%);
- study of the search object (48%);
- analysis of the evidence found (46%);
- use of the opportunities of standard analogues (38%).
The analysis of search tactics in the investigation of computer crimes gives grounds to conclude that amendments to the Criminal Code of Ukraine are needed which would regulate the procedure for securing and seizing evidence in the sphere of computer information, set the professional requirements for an expert taking part in a search, and define the circle of attesting witnesses or, given the specific character of the crime, dispense with their participation.
1. Panteleev I.F. Erroneous recommendations in the theory of criminal trial and criminalistics // Soc. law. 1977, No. 7, p. 54.
2. Cony A.F. Selected works. Vol. 1, 1959, p. 167.