Natalia Akhtyrskaja, Ph.D.
Typical inquiry situations and expert ways of their settlement
Crimes are investigated under specific conditions of time, place and environment, in interconnection with other processes of objective reality and with the conduct of persons drawn into the legal proceedings, and under the influence of other factors that are sometimes unknown to the inspector. This complex system of interactions forms the concrete setting in which the inspector and the other participants in the investigation work and in which a particular act of inquiry takes place. In the science of crime detection it is generally called the “inquiry situation”.
Taken as a whole, the inquiry situation is a dynamic system that changes constantly under the influence of objective and subjective factors. The objective factors are causes independent of the investigation participants that change the situation; the subjective factors are generated by the actions and conduct of the investigation participants and of other persons involved to some extent in the legal proceedings.
The analysis of detecting and investigating crimes committed by using computers showed that typical reference inquiry situations considerably depended on facts to be established and proved. The following groups of inquiry situations can be distinguished according to this principle.
The first group combines crimes whose subject is a computer. Typical expert objectives are to carry out both a comprehensive diagnosis of the computer system and separate examinations of hardware, software and dataware. For example, the following facts and circumstances may need to be established: 1) actions connected with unauthorized access to data and performed on computer information stored in stand-alone computers and their networks; 2) actions performed on computer information stored in built-in and integrated computer devices (credit cards, portable phones or cash registers).
In the second group the computer is both the subject and the object of the crime. Expert objectives are to reveal and examine software functions and to diagnose the algorithms and the actual condition of the program. For example, the facts and circumstances of producing and spreading detrimental programs may need to be established.
The third group combines inquiry situations where the computer is a subject of committing and/or concealing a crime. Expert objectives are to diagnose the software and to determine the features and condition of the dataware. Characteristic examples are expert examinations in detecting and investigating crimes committed by using computers (swindle, money counterfeiting, false business and others).
The fourth group includes inquiry situations where the computer is a source of information meaningful for experts in crime detection. The main expert objectives are to diagnose the computer information and to study its original condition and the chronology of changes made to it. Typical examples are establishing the facts and circumstances of crimes where computers were not used to commit them but served as carriers of important information.
The expert examination of software, hardware or dataware should be made to obtain full data on facts to be established and proved.
How can facts and circumstances of the unauthorized access to computer information stored in the personal computers and networks be established?
1. Two officials of a depositary company formed a criminal group to siphon the securities of a large joint-stock company from the accounts of physical persons. They illegally penetrated the company’s computer network that kept records of shareholders and their shares. The accomplices modified accounts holding the company’s shares through illegal manipulations (entering data showing a negative number of shares on physical persons’ accounts). The criminals then transferred the stolen and fictitious shares to new accounts in other depositary establishments and sold them. Examination of the computer network and of the database with bookkeeping information on the shares in physical persons’ accounts established evidence of unauthorized changes to the number of shares on stockholder accounts, the introduction of negative accounts and so on.
2. The joint-stock company “City telephone network” received complaints from its Internet clients about increased payments. The preliminary investigation and search activity showed that Mr. S. had used the Internet at the expense of officially registered users. During a search of his home, compact disks and the system unit of his personal computer were seized from Mr. S. The expert searched the files on the hard disk (Winchester) for evidence of remote access to the network. Some of the files turned out to be modem connection records of remote network access. They contained information on connection date, time, phone numbers, rate, and received and sent data. Study of the recovered information made it possible to prove the participation of Mr. S. in obtaining access to the Internet at the expense of officially registered users. The expert examination of the compact disks established the presence of programs for selecting and breaking users’ names and passwords for Internet access.
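The comparison at the centre of the second case, matching modem connection records recovered from a seized disk against the sessions billed to registered users, can be sketched as follows. This is an added example, not material from the case: the record layouts, the provider-side accounting data, the tolerances and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data; the field layout is an assumption.
# Recovered from the seized disk: start, duration (s), bytes received, bytes sent.
SEIZED = [
    ("2001-03-02 21:14:05", 1820, 4_812_300, 301_200),
    ("2001-03-03 23:01:40", 600, 950_000, 88_000),
    ("2001-03-05 19:30:00", 3600, 7_000_000, 500_000),
]
# Provider accounting: billed account, start, stop, bytes to client, bytes from client.
PROVIDER = [
    ("user_a", "2001-03-02 21:13:20", "2001-03-02 21:43:41", 4_815_000, 300_900),
    ("user_b", "2001-03-03 23:00:58", "2001-03-03 23:10:55", 951_100, 88_400),
    ("user_c", "2001-03-05 19:29:10", "2001-03-05 19:40:00", 1_200_000, 90_000),
]


def _close(a, b, rel):
    """True when two byte counters differ by no more than the relative tolerance."""
    return abs(a - b) <= rel * max(a, b, 1)


def correlate(seized, provider, skew=timedelta(minutes=2), byte_tol=0.02):
    """For each seized record, list the billed accounts whose session matches it.

    A match needs both session ends to agree within the allowed clock skew and
    both traffic counters to agree within byte_tol. Direction matters: bytes
    received by the client are bytes sent to the client by the provider.
    """
    results = []
    for idx, (start, duration, rx, tx) in enumerate(seized):
        s0 = datetime.strptime(start, FMT)
        s1 = s0 + timedelta(seconds=duration)
        hits = []
        for account, p_start, p_stop, to_client, from_client in provider:
            p0 = datetime.strptime(p_start, FMT)
            p1 = datetime.strptime(p_stop, FMT)
            same_time = abs(p0 - s0) <= skew and abs(p1 - s1) <= skew
            same_volume = _close(rx, to_client, byte_tol) and _close(tx, from_client, byte_tol)
            if same_time and same_volume:
                hits.append(account)
        results.append((idx, hits))  # more than one hit means an ambiguous match
    return results


if __name__ == "__main__":
    for idx, hits in correlate(SEIZED, PROVIDER):
        print(idx, hits or "no billed session matches")
```

A record with no hit, or with more than one, is reported as such rather than forced onto an account; the third constructed record starts at the right time but fails on session end and traffic volume.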
The facts and circumstances of unauthorized access to computer information are also established by examining pagers and portable phones (integrated systems) and cash registers, immobilizers or cruise-controllers (built-in systems based on microcircuit controllers).
1. Mr. M. purchased some cell phones and modified them with special programmed microcircuits that allowed illegal access to the computer information of the cell connection company and copying of the personal and subscriber phone numbers of its legal users. This re-equipment allowed Mr. M. and his accomplice to copy the phone numbers of 60 legal users of the well-known CTC Company. Mr. M. then often obtained unauthorized access to this company’s data, spoke freely over the telephone and gave the same opportunity to third persons. Some technical devices were seized during the investigation. The objects of expert examination were cell phones with automatic scan, cell cashboxes (a combination of scanner, computer and cell phone) and personal computers, on which the expert found data on stolen individual numbers, wiring layouts for re-equipping portable phones, and instructions on entering users’ individual numbers into, and reading them out of, the electronic notebook of the cell phone. The results of the expert examination were of great importance in bringing accusations against the suspected persons.
2. Every day from 5 till 7pm, by prior arrangement, Mrs. T. and K., officials of a privately owned enterprise, connected a home-made microcomputer to the special jacks of cash registers. This gave access to the data on financial operations conducted through the cash registers during the current shift. The expert examination of this home-made device showed that all information on previous financial operations, including the number of purchases and the shift earnings, was destroyed when the device was connected to the cash register buffer storage. After this manipulation, the sales outlets of the enterprise kept working until 9pm, accumulating information on financial operations in the buffer storage. Understated data on shift earnings were then entered in the fiscal memory of the devices. The expert examination established the operating principle of the home-made device: its microcircuit sends the single-chip computer of the cash control unit a command to “clear” the fields of operative memory holding all money and operation registers, as well as the operative data on the current shift. The expert’s conclusions made it possible to prove the fact of unauthorized access to legally protected fiscal information stored in the cash register.
Model situations with evidence of manufacturing, using and spreading detrimental programs can be as follows:
1. The most typical situation involves establishing the presence, on computer compact disks, of detrimental programs that cause illegal destruction, blocking, modification or copying of information, interference with the work of electronic computers and so on. These disks are sold on radio-markets or spread privately. Thus, Mr. P. was arrested in a pedestrian subway while selling compact disks “99 Hacker Pro”. During a search of his home, compact disks “Super Hacker” and “Internet Free Access”, as well as a personal computer with a CD-RW drive, were seized from him. The expert examination of these disks established the presence of many Trojan viruses that allow unauthorized access to service areas of computer hard disks, copying of Winchester sectors, damage to CMOS-memory parameters and so on. The study of how the CD-Rs could have been produced established that the seized CD-RW drive was the device used to manufacture these disks.
2. Investigative and expert practice also knows situations of spreading viruses in electronic networks. Mr. F. used his home computer and modem, together with the corresponding software for an electronic advertisement board and data exchange with remote users, to spread through the city phone network some viruses downloaded from the Internet. These files were placed on the advertisement board as unique service utilities and patches for well-known programs. The expert examination of the seized computing equipment established the facts and circumstances of producing and spreading virus programs. The detailed examination made it possible to restore most of the files that the criminal had tried to destroy by physically damaging the computer hard disk. The technically correct investigation materials, including the expert examination results, made it possible to prove the guilt of Mr. F. and to institute criminal proceedings against him.
3. Emulators of electronic keys are now regarded as detrimental programs. Expert examinations are required to establish the facts of breaking the passwords of licensed software. Mr. N. illegally obtained data to produce a program equivalent to the HASP code key, which is a main element of protection for some authors’ computer programs when demonstration versions are transformed into semi-functional versions. Mr. N. used these data to build a program that included files with activating code. Launching this program modified the activating code of well-known bookkeeping software. As a result, the software started working in the semi-functional mode without the electronic code key of the licensed product. The expert examination revealed the facts and circumstances of using the detrimental functions of the emulator program. The accusation against the suspect was then based on the results of the expert examinations.
There are some typical situations connected with detecting and investigating crimes committed by using computer equipment. This group includes crimes of several categories that are not directly covered by the computer crime articles of the Criminal Code but are committed and/or concealed by using computer information (swindle, false business, money counterfeiting and so on).
In a swindle case, proceedings were instituted against an organized group of criminals who ran a sideshow at one of the city markets. Three computers were seized and sent for expert examination. It had to be determined whether the algorithms of their playing program were capable of deliberately producing definite results, and in what way. The experts disassembled the executable code of the playing program and ran it step by step in a program-debugging environment. The diagnostic signs were various program interrupts handling specific devices and input/output ports, as well as the use of definite address ranges. On the basis of the analysis of the program algorithm and the peculiarities of its functioning, the expert gave a positive categorical answer: the variants of the game outcome were set at program launch by using the keyboard and the computer mouse. The correct expert examination made it possible to prove the guilt of the criminals.
Model situations of establishing facts and circumstances of crimes where computers are sources of evidentiary information are attention-worthy as well.
1. A personal computer was seized in the office suite of Mr. M. during the investigation of his murder. A computer-technical expert examination was ordered to reveal the facts and circumstances of this criminal case and to establish what information on the activity of Mr. M. and his connections in the period from 00.00.00. to the moment of seizure was in the computer. Besides system and application software, the hard disk contained such programs as Outlook Express, which allowed exchanging mail messages with Internet users, and ICQ, which made it possible to communicate online with several Internet users. The experts obtained access to the letters received and sent in Outlook Express, as well as to the ICQ archive of conversations and the addresses in the address book. They contained information on the contacts of the murdered person relating to his private business activity, illegal transactions and data of a personal character, which finally helped to establish his murderers.
2. During a robbery attack on Mr. S., a private businessperson, one of the criminals was arrested. An electronic notebook-organizer was found and seized during examination of the scene of the incident. The arrested person refused to give any evidence, so a computer-technical expert examination of the organizer was ordered. The address book information was protected with a password. There were three ways of resolving the expert problem in this situation. First, a hardware-software complex for the expert examination of organizers could be used; however, the home experts do not have these tools now. Second, the electric power could be cut off; but there is a great probability of losing all data. Third, the password could be selected. The last variant was preferred, and the password was eventually found. Study of the data on the arrested person helped in this: the password turned out to be an alphanumeric combination of the organizer owner’s birth date and initials. The expert examination established his connections (phone numbers, connection channels and so on) and revealed an organized criminal group of 11 persons. It subsequently played a significant role in detecting and investigating more than 20 heinous and especially grave crimes committed in the region.
According to the author, the most important thing in investigating computer crimes is to obtain prompt and adequate evidentiary and search information. Such data can be obtained through various expert examinations. Especially meaningful is the computer-technical examination, which helps solve the main search problems: establishing the identity between the searched-for and the detected computer equipment; finding the desired computer information on the carriers presented; obtaining search data on the criminal’s professional characteristics and so on.